Active Defense
Theory
The sister framework to MITRE ATT&CK, MITRE Shield is a knowledge base that maps tools and techniques to the area of active defense. The U.S. Department of Defense defines active defense as "The employment of limited offensive action and counterattacks to deny a contested area or position to the enemy." Within MITRE Shield, active defense ranges from basic cyber defensive capabilities through cyber deception to adversary engagement operations. Combining these defenses lets an organization not only counter the current attack but also learn about the adversary and prepare for the next one. Note that Shield has since been superseded by MITRE Engage, which carries the same adversary engagement ideas forward.
Tools
Honeypots
Honeypots are a core part of active defense. Beyond their value for learning about attackers and their methods, they are a powerful detection tool for security programs of any maturity level. A core concept behind honeypots is the assumption that compromise will happen. By preparing a target so juicy, or a resource so rarely used legitimately, that any access to it almost certainly comes from an attacker who does not know it is a trap, you can catch actors in your network even if they are savvy enough to sneak past all your other defenses. Because nothing legitimate should ever touch a canary, the false-positive rate is close to zero and every alert is worth triaging.
Using Canary Honeypots for Detection - Applied Network Security Monitoring, pg.317
HoneyD - The OG Honeypot. Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems.
MHN: Modern Honey Network - Easy-to-install honeypot management platform. Ships with deployment scripts for sensors such as Snort, Cowrie and Dionaea, and collects their events centrally.
OpenCanary - One of the most popular and flexible honeypot applications available. OpenCanary is a daemon that runs canary services (SSH, SMB, HTTP, MySQL and others) that trigger alerts when accessed. Alerts can be sent to syslog, email or an opencanary-correlator.
Labrea - LaBrea takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet. The program answers connection attempts in such a way that the machine at the other end gets "stuck", sometimes for a very long time.
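The canary idea above, as an added example that is not code from this page or from any of the projects listed: a minimal TCP canary in the style of OpenCanary. It listens on a port nothing legitimate should touch, presents a plausible banner, records who connected and the first bytes they sent, and emits a JSON alert. The banner string, sensor name and port are arbitrary assumptions; a real deployment would ship the event to syslog or a SIEM instead of printing it.

```python
"""Minimal TCP canary service (added example, not the OpenCanary code)."""
import json
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# Plausible but arbitrary banner; real deployments mirror the hosts around the canary.
SSH_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"


class CanaryHandler(socketserver.BaseRequestHandler):
    """One connection = one alert. Nothing legitimate should ever land here."""

    def handle(self):
        src_ip, src_port = self.client_address[:2]
        self.request.settimeout(2.0)
        first_bytes = b""
        try:
            self.request.sendall(self.server.banner)   # look like a real service
            first_bytes = self.request.recv(256)       # capture whatever they send first
        except OSError:                                # includes socket.timeout
            pass
        self.server.record({
            "ts": datetime.now(timezone.utc).isoformat(),
            "sensor": self.server.sensor_name,         # assumed sensor label
            "canary_port": self.server.server_address[1],
            "src_ip": src_ip,
            "src_port": src_port,
            "first_bytes": first_bytes[:64].hex(),
            "severity": "high",
        })


class CanaryServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, banner=SSH_BANNER, sensor_name="canary-01"):
        super().__init__(address, CanaryHandler)
        self.banner = banner
        self.sensor_name = sensor_name
        self._events = []
        self._lock = threading.Lock()

    def record(self, event):
        with self._lock:
            self._events.append(event)
        print(json.dumps(event))   # real deployment: syslog / SIEM / pager instead

    def events(self):
        with self._lock:
            return list(self._events)


def start_canary(host="127.0.0.1", port=0, **kwargs):
    """Start a canary in a background thread; port=0 lets the OS pick a free port."""
    server = CanaryServer((host, port), **kwargs)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def touch_canary(host, port, payload=b"", timeout=2.0):
    """Play the attacker: connect, grab the banner, send something, hang up."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(256)
        if payload:
            s.sendall(payload)
    return banner


def wait_for_events(server, count, timeout=5.0):
    """Poll until the canary has recorded `count` events (the handler runs asynchronously)."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        events = server.events()
        if len(events) >= count:
            return events
        time.sleep(0.05)
    return server.events()


if __name__ == "__main__":
    srv = start_canary(port=2222)
    print(f"canary listening on {srv.server_address}")
    # Simulated attacker touching the canary from localhost (constructed client banner).
    touch_canary("127.0.0.1", 2222, b"SSH-2.0-paramiko_3.4.0\r\n")
    wait_for_events(srv, 1)
    srv.shutdown()
    srv.server_close()
```

The handler never tries to emulate SSH beyond the banner: the point of a low-interaction canary is the alert, not the conversation, so the whole detection is "a TCP connection arrived on a port that has no business being used". Run it with an unusual port and an inventory note saying the port is a canary, so your own scanners are excluded before they generate alerts.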
Attribution
Ever wonder who is attacking you? Not which IP they are proxying through, but who is really behind the keyboard? Unmasking attackers and gathering detailed intelligence on how your data is being accessed and used lets you take proactive steps to protect against the next round of attacks.
Cowrie - Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. In medium interaction mode (shell) it emulates a UNIX system in Python, in high interaction mode (proxy) it functions as an SSH and telnet proxy to observe attacker behavior to another system.
Decloak - Used to identify the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services.
HoneyBadger - Used to identify the physical location of a web user with a combination of geolocation techniques using a browser's share location feature, the visible WiFi networks, and the IP address.
Network Poisoner Detection
Network poisoners like Responder capture and answer LLMNR, NBT-NS and mDNS name-resolution traffic on your network, harvesting credentials for lateral movement and internal recon. Responder answers specific NBT-NS (NetBIOS Name Service) queries based on their name suffix. Poisoners can be detected by various means, including probing for names that should never resolve and seeding fake credentials that only a poisoner would ever capture.
Respounder - Respounder sends LLMNR name resolution requests for made-up hostnames that do not exist. In a normal, non-adversarial network we do not expect such names to resolve. However, Responder, if present in the network, will answer such queries and is therefore forced to reveal itself.
HoneyCreds - Injects decoy network credentials that only a poisoner would capture; any later use of those credentials reveals Responder and other network poisoners.
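The Respounder technique described above, as an added example that is not code from this page or from the Respounder or HoneyCreds projects: multicast one LLMNR A-record query for a randomly generated name that cannot exist, then treat any answer as a poisoner announcing itself. The packet builder and parser are written from the LLMNR wire format (DNS-style header and question, RFC 4795), and `fake_poisoner_answer` is a constructed answer of the shape a poisoner sends, included only so the parser can be exercised offline. The `prb-` name prefix is an arbitrary choice.

```python
"""LLMNR probe for network poisoners (added example of the Respounder technique)."""
import os
import random
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # LLMNR IPv4 multicast group and port
QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR = 0x8000                                  # header bit set on responses


def encode_name(name):
    """DNS-style wire encoding: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data, off):
    """Decode a name at `off`; returns (name, offset after it). Handles compression pointers."""
    labels = []
    while True:
        length = data[off]
        off += 1
        if length == 0:
            return ".".join(labels), off
        if length & 0xC0 == 0xC0:                                  # pointer to earlier name
            ptr = struct.unpack("!H", data[off - 1:off + 1])[0] & 0x3FFF
            tail, _ = decode_name(data, ptr)
            labels.append(tail)
            return ".".join(labels), off + 1
        labels.append(data[off:off + length].decode("ascii", "replace"))
        off += length


def build_query(name, txid):
    """One LLMNR A-record question: 12-byte header, QNAME, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_response(data, txid, name):
    """Return the A-record IPs if `data` answers our probe, else None."""
    if len(data) < 12:
        return None
    r_txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if r_txid != txid or not flags & FLAG_QR:
        return None
    off = 12
    for _ in range(qd):                                # question section echoed back
        qname, off = decode_name(data, off)
        off += 4                                       # skip QTYPE and QCLASS
        if qname.lower() != name.lower():
            return None
    ips = []
    for _ in range(an):
        _, off = decode_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips


def fake_poisoner_answer(query, ip, ttl=30):
    """Constructed answer of the shape a poisoner sends; offline self-test only."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, _ = decode_name(query, 12)
    header = struct.pack("!HHHHHH", txid, FLAG_QR, 1, 1, 0, 0)
    rr = encode_name(qname) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
    return header + query[12:] + rr + socket.inet_aton(ip)


def probe(name=None, timeout=2.0):
    """Multicast one query for a name that must not exist; any answer is a hit."""
    name = name or "prb-" + os.urandom(4).hex()       # arbitrary, guaranteed-bogus name
    txid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _) = sock.recvfrom(2048)
            ips = parse_response(data, txid, name)
            if ips:
                hits.append((src, ips))              # (poisoner's real IP, IP it claimed)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return name, hits


if __name__ == "__main__":
    name, hits = probe()
    for src, ips in hits:
        print(f"POISONER: {src} answered LLMNR for bogus name {name!r} with {ips}")
    if not hits:
        print(f"no LLMNR answer for {name!r} (clean, or no poisoner on this segment)")
```

Two details matter in practice. The probe name is random per run so a poisoner cannot special-case a known canary name, and the transaction ID is checked so a stray LLMNR packet from some other host's query is not mistaken for a hit. Run it from each broadcast domain, since LLMNR is link-local multicast and a poisoner on another segment will never see the query.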
Resources and Collections
ADHD - Active Defense Harbinger Distribution - A project that grew out of the work of Black Hills Information Security and Active Countermeasures, ADHD is an Ubuntu-based OS distribution that comes loaded with a slew of the best active defense tools available. It is free, and Active Countermeasures has published a large amount of free learning content around it; check out their webcasts and the training at Wild West Hackin' Fest for more details on how to make the most of these tools.
Talos Active Defense Toolkit - Provides a central hub, through which Computer Network Defenders could operate seamlessly, simply, and powerfully, to deploy Active Defense tools on their networks.
Offensive Countermeasures: The Art of Active Defense - John Strand
BTFM: Honey Techniques - pg. 48