Active Defense

Theory

Mitre Shield

The sister framework to Mitre Att&ck, Mitre Shield is the framework of mapping tools and techniques to the area of Active Defense. The U.S. Department of Defense defines active defense as “The employment of limited offensive action and counterattacks to deny a contested area or position to the enemy.” Within Mitre Shield, active defense ranges from basic cyber defensive capabilities to cyber deception and adversary engagement operations. The combination of these defenses allows an organization to not only counter current attacks but also to learn more about that adversary and better prepare for new attacks in the future.

Tools

Honeypots

Honeypots are a core part of Active Defense. Beyond their incredible value for learning about attackers and their methods, they are an incredible utility for detection in security programs of any maturity level. One of the core concepts of honeypots is the assumption that compromise will happen. By preparing a target so juicy, or a resource so infrequently used, that any access to it can only come from an unsuspecting attacker, you can catch actors in your network even if they are savvy enough to sneak past all your other defenses.
Honeyports - Honeyports are a great way to dynamically blacklist attacking systems. You can create a simple script that dynamically blacklists an attacker's address when it completes a full connection to a port that no legitimate client should touch, or that simply raises an alert.
Honey-Assets - Files, objects, accounts, or other resources that would normally not be touched by any legitimate user or process, and that are set to perform a specific action when accessed.

Resources

Attribution

Ever wonder who is attacking you? Not what IP they are proxying through, but who is really attacking you? Unmasking attackers and getting detailed intelligence on how your data is being accessed and used allows you to take proactive steps to protect against the next round of attacks.

Network Poisoner Detection

Network poisoners like Responder can capture and respond to LLMNR, NBT-NS and mDNS traffic within your network for use in lateral movement and internal recon. Responder answers specific NBT-NS (NetBIOS Name Service) queries based on their name suffix. Such tools can be detected by various means, including sets of fake credentials that only a network poisoner would ever capture.
  • Respounder - Respounder sends LLMNR name resolution requests for made-up hostnames that do not exist. In a normal, non-adversarial network we do not expect such names to resolve. However, a poisoner such as Responder, if present in the network, will resolve such queries and is thereby forced to reveal itself.
  • HoneyCreds - HoneyCreds uses network credential injection to detect Responder and other network poisoners.
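A self-contained probe in the spirit of Respounder, added here as an example (it is not Respounder's own code): it sends one LLMNR A query for a random hostname that should never resolve and reports every host that answers, parsing the reply at the wire level so a bogus or truncated packet is ignored rather than crashing the probe. Only the multicast group and port come from RFC 4795; the function names and the sample packets in the checks are assumptions.

```python
import random
import socket
import struct
def build_query(hostname: str, txid: int) -> bytes:
    # LLMNR reuses the DNS wire format: header (flags=0, QDCOUNT=1), label-encoded name, QTYPE=A, QCLASS=IN
    name = b"".join(bytes([len(l)]) + l.encode() for l in hostname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)

def skip_name(data: bytes, pos: int) -> int:
    # Return the offset just past a name; a 0xC0 compression pointer is two bytes and ends the name
    while data[pos] != 0:
        if data[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += data[pos] + 1
    return pos + 1

def parse_response(data: bytes, txid: int) -> list[str]:
    # IPv4 addresses answered for our transaction id; [] for non-matching or malformed packets
    try:
        rid, flags, qd, an = struct.unpack_from("!HHHH", data)
        if rid != txid or not flags & 0x8000:            # wrong id, or QR bit clear (not a response)
            return []
        pos = 12
        for _ in range(qd):
            pos = skip_name(data, pos) + 4               # question: name + QTYPE + QCLASS
        addrs = []
        for _ in range(an):
            pos = skip_name(data, pos) + 10              # answer: name + TYPE, CLASS, TTL, RDLENGTH
            rtype, rclass, _, rdlen = struct.unpack_from("!HHIH", data, pos - 10)
            if rtype == 1 and rclass & 0x7FFF == 1 and rdlen == 4:
                addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
            pos += rdlen
        return addrs
    except (struct.error, IndexError, OSError):          # truncated or bogus packet: ignore it
        return []

def probe(timeout: float = 2.0) -> dict[str, list[str]]:
    # Query one random, nonexistent name and map each host that answers to the address it claimed
    name = "".join(random.choices("abcdefghijklmnopqrstuvwxyz", k=12))   # made up, should never resolve
    txid, hits = random.randrange(0x10000), {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), ("224.0.0.252", 5355))   # RFC 4795 multicast group and port
        while True:
            try:
                data, (src, _) = s.recvfrom(4096)
            except socket.timeout:
                return hits                               # silence is the expected, healthy result
            if addrs := parse_response(data, txid):      # any answer means a poisoner revealed itself
                hits[src] = addrs
```

Run `probe()` periodically from a host on each segment you care about; a non-empty result names the answering host and the address it tried to hand out, which is exactly the alert Respounder raises.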

Resources and Collections