Active cyber defense (ACD) is the concept of proactively opposing an attack on computers and networks. There is a series of tactics that can be applied in order to mitigate risk or detect adversaries inside the network.
Security operations teams focus on reactive detection, mainly based on signatures. In this scenario advanced attackers normally have to accomplish two objectives: evade signature detection and blend in with normal traffic and user behaviour.
The defender, in order to accomplish his objective and detect the adversaries, has to detect anomalous activities or deviations from the network baseline.
A typical list of anomalous activities includes:
- Traffic by time
- Traffic by geographic area
- Device to device behaviour
- Data movement
- File compression
- Host level activity such as processes, autoruns, kernel drivers and accounts.
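The first five items in the list above are deviations from a per-user or per-host baseline, so they can be checked mechanically once a baseline exists. The script below is an added example, not part of the original article: it builds a baseline from a constructed week of normal activity and then flags candidate records whose hour of day, source country, destination host or outbound volume fall outside that baseline. All user names, hosts, countries and byte counts are made up for the illustration; the thresholds (one hour of slack, three standard deviations for volume) are assumptions a real deployment would tune.

```python
"""Baseline-deviation checks over constructed authentication / flow records.

Each record is (user, ISO timestamp, source country, destination host, bytes out).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed "normal week" used to build the baseline (not real data).
BASELINE = [
    ("alice", "2024-03-04T09:12:00", "DE", "fileserver01", 120_000),
    ("alice", "2024-03-05T10:40:00", "DE", "fileserver01", 95_000),
    ("alice", "2024-03-06T08:55:00", "DE", "fileserver01", 110_000),
    ("alice", "2024-03-07T11:20:00", "DE", "mail01", 40_000),
    ("alice", "2024-03-08T09:30:00", "DE", "fileserver01", 130_000),
    ("bob", "2024-03-04T14:02:00", "DE", "gitlab01", 800_000),
    ("bob", "2024-03-05T13:45:00", "DE", "gitlab01", 650_000),
    ("bob", "2024-03-06T15:10:00", "DE", "gitlab01", 720_000),
    ("bob", "2024-03-07T14:30:00", "DE", "gitlab01", 900_000),
    ("bob", "2024-03-08T16:00:00", "DE", "gitlab01", 700_000),
]

# Constructed records to examine against the baseline.
CANDIDATES = [
    ("alice", "2024-03-11T09:05:00", "DE", "fileserver01", 100_000),    # normal
    ("alice", "2024-03-12T02:47:00", "RO", "fileserver01", 9_500_000),  # odd hour, new country, bulk data
    ("bob", "2024-03-11T14:20:00", "DE", "hr-db01", 300_000),           # new device-to-device pair
    ("mallory", "2024-03-11T12:00:00", "DE", "fileserver01", 1_000),    # account with no baseline at all
]


def build_profile(records):
    """Summarise, per user, the hours, countries, peers and volumes seen in the baseline."""
    profile = defaultdict(lambda: {"hours": set(), "countries": set(), "hosts": set(), "bytes": []})
    for user, ts, country, host, nbytes in records:
        p = profile[user]
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["countries"].add(country)
        p["hosts"].add(host)
        p["bytes"].append(nbytes)
    return dict(profile)


def check(record, profile, hour_slack=1, sigma=3.0):
    """Return a list of (category, detail) findings for one record; empty means 'within baseline'."""
    user, ts, country, host, nbytes = record
    p = profile.get(user)
    if p is None:
        # An account that never appeared in the baseline week is itself worth a look.
        return [("account", f"{user} has no baseline activity")]

    findings = []
    hour = datetime.fromisoformat(ts).hour
    if min(abs(hour - h) for h in p["hours"]) > hour_slack:
        findings.append(("time", f"{user} active at {hour:02d}:xx, outside baseline hours"))
    if country not in p["countries"]:
        findings.append(("geography", f"{user} seen from {country}, never in baseline"))
    if host not in p["hosts"]:
        findings.append(("peer", f"{user} -> {host} is a new device-to-device pair"))

    mu, sd = mean(p["bytes"]), pstdev(p["bytes"])
    # With sd == 0 any increase at all is flagged; that is intended for a flat baseline.
    if nbytes > mu + sigma * sd:
        findings.append(("volume", f"{user} moved {nbytes} bytes, baseline mean {mu:.0f}"))
    return findings


def triage(candidates, profile):
    """Run every candidate record through check() and keep only the ones with findings."""
    return [(rec, check(rec, profile)) for rec in candidates if check(rec, profile)]


if __name__ == "__main__":
    prof = build_profile(BASELINE)
    for rec, findings in triage(CANDIDATES, prof):
        print(rec[0], rec[1])
        for category, detail in findings:
            print(f"  [{category}] {detail}")
```

In practice the baseline would be rebuilt on a rolling window and the categories would map to the list above (time, geography, device to device, data movement); the point of the example is that each bullet is a concrete comparison against recorded history, not a signature.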
Disrupting Cyber staging
Adversaries often pivot within the attacked network through a staging host: a machine from which they extend their foothold and launch all sorts of sorties against other assets within the network. Very often the attacker will establish his “camp” one or two hops from a location on the network where data exfiltration is feasible. This has the purpose of reducing the noise in the network.
Cyber Clear and Hold
Clear and hold is a counter-insurgency strategy employed to prevent enemies from re-occupying territory from which they have been ejected by defenders. The holding stage is usually characterized by regular patrols, surveillance and the improvement of defenses. This is the equivalent of maintaining a high level of scrutiny on hosts that have previously been inspected for anomalous activity.
Cyber Recon by fire
Recon by fire is a tactic used by ground forces to “check” areas for enemy forces without exposing themselves to attacks. Troops fire into areas of cover and structures to force the adversary to return fire and reveal themselves. In the same way, cyber recon by fire allows defenders to hunt for malicious activity by making changes to the network that could draw out an intruder.
Credential “Crazy Ivan”
Adversaries who have reached an advanced stage of the kill chain, after having persisted in the network and escalated privileges, are unlikely to engage in malicious activity. Their access is very likely to rest on the use of legitimate account credentials that they stole or illegitimate accounts that they created. Randomly resetting a large number of account credentials will deprive the adversary of this access. This is a very disruptive tactic; however, it can reveal a lot of information about your adversary as it tries to regain persistence.
Modern malware emits a regular “beacon” to a command and control infrastructure. This beaconing is used to notify the attacker that he still has access to the network and also to control the malware and send it commands. Changes in network connectivity will force the malware to adjust so that it can maintain communication with its C2 infrastructure.
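Because a beacon is regular by design, its periodicity is one of the few things that survives the attacker's efforts to blend in, and it is what the defender watches before and after a connectivity change. The script below is an added example and not part of the original article: it parses constructed connection-log lines, groups them by source and destination, and flags pairs whose inter-connection intervals are both frequent and nearly constant (low coefficient of variation). The hosts, addresses, timestamps and thresholds (at least six connections, coefficient of variation at most 0.2) are assumptions chosen for the illustration.

```python
"""Periodicity check over constructed connection-log lines.

Line format assumed for the example: "<ISO timestamp> <src-ip> <dst-ip>:<port>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log excerpt (not real traffic). 10.0.0.12 talks to 203.0.113.50
# about every 60 seconds with a few seconds of jitter; 10.0.0.15 browses
# 198.51.100.7 at irregular intervals; 10.0.0.20 connects only twice.
LOG = """\
2024-03-11T10:00:00 10.0.0.12 203.0.113.50:443
2024-03-11T10:00:00 10.0.0.15 198.51.100.7:443
2024-03-11T10:00:15 10.0.0.15 198.51.100.7:443
2024-03-11T10:01:02 10.0.0.12 203.0.113.50:443
2024-03-11T10:01:59 10.0.0.12 203.0.113.50:443
2024-03-11T10:03:01 10.0.0.12 203.0.113.50:443
2024-03-11T10:03:30 10.0.0.20 192.0.2.9:80
2024-03-11T10:04:00 10.0.0.12 203.0.113.50:443
2024-03-11T10:05:02 10.0.0.12 203.0.113.50:443
2024-03-11T10:05:59 10.0.0.12 203.0.113.50:443
2024-03-11T10:06:40 10.0.0.15 198.51.100.7:443
2024-03-11T10:07:00 10.0.0.15 198.51.100.7:443
2024-03-11T10:07:01 10.0.0.12 203.0.113.50:443
2024-03-11T10:15:00 10.0.0.15 198.51.100.7:443
2024-03-11T10:15:05 10.0.0.15 198.51.100.7:443
2024-03-11T10:16:00 10.0.0.20 192.0.2.9:80
2024-03-11T10:21:40 10.0.0.15 198.51.100.7:443
"""


def parse_log(text):
    """Group connection timestamps (as datetimes) by (src, dst) pair, keeping log order."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs


def cadence(timestamps):
    """Return (mean interval in seconds, coefficient of variation) for a sorted timestamp list."""
    ordered = sorted(timestamps)
    deltas = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mu = mean(deltas)
    cv = pstdev(deltas) / mu if mu > 0 else float("inf")
    return mu, cv


def find_beacons(text, min_count=6, max_cv=0.2):
    """Return [(src, dst, period_seconds, cv)] for pairs that look like periodic beacons.

    min_count avoids judging cadence on too few samples; max_cv is the jitter
    tolerance. Both are assumptions for this example, not published thresholds.
    """
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_count:
            continue
        period, cv = cadence(stamps)
        if cv <= max_cv:
            hits.append((src, dst, period, cv))
    return hits


if __name__ == "__main__":
    for src, dst, period, cv in find_beacons(LOG):
        print(f"{src} -> {dst}: ~{period:.0f}s period, cv={cv:.2f}")
```

The same measurement is what makes the "connectivity change" tactic observable: after the destination is blocked or routing is changed, a host that starts reaching a new destination with the same period and jitter profile is a strong lead that the implant has adjusted rather than gone away.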
This is only a short enumeration of potential tactics aimed at disrupting the adversary's footprint inside the network. For further information you can check the following document, which helped me in writing this article. Also, in future articles I will go through the process of active hunting, to understand which indicators to look for when hunting adversaries in the network, or the “Search and Destroy” strategy.