How does an active defense system benefit enterprise security?

Active defense systems use deception techniques on private networks to slow down and expose attackers during reconnaissance, but are they a good fit for enterprise use? Expert Judith Myerson discusses two options.

I've been reading about active defense systems on private networks. What are they, and are they a good option for my enterprise?

Active defense systems on private networks use deception to identify and hinder attackers while they are still performing reconnaissance: decoy hosts, ports and files that no legitimate user has any reason to touch, so that any contact with them is a high-fidelity signal rather than noise to be tuned out. A Linux distribution called the Active Defense Harbinger Distribution (ADHD) ships with a set of these tools preconfigured, including the two discussed below.

Artillery, an open source Python tool, is one example that is useful for active deception on a single host. It opens honeypot listeners on ports that no legitimate service uses, monitors the file system for unexpected changes, blocks sources that flood the host (its denial-of-service protection) and subscribes to a threat intelligence feed of known-bad addresses. Because it runs as a service on an existing server rather than as a separate network appliance, installing it does not require changes to the network.

The core rule is simple: every connection to one of Artillery's honeypot ports is considered malicious unless the source address is on a whitelist, and Artillery responds by blocking the source with a firewall rule and raising an alert. Administrators should whitelist their own vulnerability scanners and monitoring hosts before enabling it, or those will be banned along with the attackers. They can also add intrusion detection system (IDS) rules that trigger on any connection to the same ports, so a second sensor corroborates Artillery's own alert. A security information and event management (SIEM) system can be used to collect and manage all of these alerts in one place.
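As an added example (not Artillery's own code), the following Python script implements that core rule on a host: it listens on a handful of decoy TCP ports, treats any connection from a non-whitelisted source as malicious, records a ban and emits a JSON alert line that a syslog collector can forward to the SIEM. The decoy port list, the whitelist networks and the alert field names are assumptions constructed for this example; Artillery's real settings live in its configuration file, and its ban is an iptables rule rather than an in-memory dictionary.

```python
"""Minimal Artillery-style honeypot-port listener (added example, not
Artillery's own code).

Assumptions, constructed for this example:
  - HONEYPOT_PORTS: decoy TCP ports that no legitimate service uses here
  - WHITELIST: networks that must never be banned (vulnerability scanners,
    monitoring hosts, the SIEM collector)
  - alerts are JSON lines so a syslog collector can ship them to the SIEM
"""
import ipaddress
import json
import socket
import threading
import time

HONEYPOT_PORTS = [21, 23, 445, 1433, 3389]            # constructed decoy list
WHITELIST = [ipaddress.ip_network("10.0.0.0/24"),    # constructed: scanner subnet
             ipaddress.ip_network("127.0.0.1/32")]

banned = {}   # src_ip -> first_seen epoch; stands in for the iptables DROP rule


def is_whitelisted(src_ip, whitelist=WHITELIST):
    """True if src_ip falls inside any whitelisted network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in whitelist)


def classify_connection(src_ip, dst_port, honeypot_ports=HONEYPOT_PORTS,
                        whitelist=WHITELIST):
    """Artillery's rule: a connection to a honeypot port from a source that
    is not whitelisted is malicious. Returns 'ignore', 'whitelisted' or
    'malicious'."""
    if dst_port not in honeypot_ports:
        return "ignore"
    if is_whitelisted(src_ip, whitelist):
        return "whitelisted"
    return "malicious"


def build_alert(src_ip, dst_port, ts=None):
    """One JSON-line alert in a SIEM-friendly shape (field names assumed)."""
    event = {
        "ts": int(ts if ts is not None else time.time()),
        "sensor": "artillery-honeypot",
        "src_ip": src_ip,
        "dst_port": dst_port,
        "action": "ban",
        "severity": "high",
    }
    return json.dumps(event, sort_keys=True)


def handle_connection(src_ip, dst_port, ts=None):
    """Classify, ban and alert for one connection. Returns the alert line,
    or None when the connection is ignored or whitelisted."""
    verdict = classify_connection(src_ip, dst_port)
    if verdict != "malicious":
        return None
    if src_ip not in banned:
        banned[src_ip] = ts if ts is not None else time.time()
        # real Artillery would insert an iptables DROP rule for src_ip here
    return build_alert(src_ip, dst_port, ts)


def serve_port(port, bind="0.0.0.0"):
    """Listen on one decoy port. Every accept() is an event; the socket is
    closed at once so there is no banner for the attacker to fingerprint."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(5)
    while True:
        conn, (src_ip, _) = srv.accept()
        conn.close()
        line = handle_connection(src_ip, port)
        if line:
            print(line, flush=True)   # in production: write to syslog instead


if __name__ == "__main__":
    # Ports below 1024 need root; substitute high ports to try it unprivileged.
    for p in HONEYPOT_PORTS:
        threading.Thread(target=serve_port, args=(p,), daemon=True).start()
    threading.Event().wait()
```

The whitelist check happens before the ban, which is the part teams most often get wrong: a scheduled vulnerability scan that hits the decoy ports from an address outside the whitelist will lock the scanner out of every host running the listener.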

Artillery, however, only protects the host it runs on. To cover a network segment, several virtual honeypots need to be spawned and managed from a single console, and the Network Obfuscation and Virtualized Anti-Reconnaissance System (Nova) is a good fit for that.

Nova's distinctive feature is its haystack: it populates the unused IP addresses on a segment with virtual hosts, so that the real servers become a few needles among many decoys. An attacker sweeping the network has to wade through the haystack nodes before reaching the targeted servers, and every packet sent to a haystack address is, by definition, unsolicited. When a source scans ports on haystack hosts, Nova's traffic classifier flags that scanning source address as suspicious so it can be quarantined; IDS rules watching the haystack ranges provide an independent second signal.

Like Artillery, Nova can forward its logs to a SIEM, where events from the different sensors can be compared in order to identify the attacker. Correlating IDS, Artillery and Nova alerts on the same source address in the SIEM locates the attacker's IP address. The incident response team must then work back through the events to find out how the attacker got in, what the attacker was doing and what other reconnaissance activities the attacker may have performed, bearing in mind that the decoys only show what touched them, not what happened on the real hosts.
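The correlation step described above, as an added example that is neither Nova's nor Artillery's own code: a small Python routine that parses constructed syslog-style lines from both sensors, flags any source that touched several distinct haystack hosts within a short window (a sweep), and merges each non-whitelisted source's events into one attacker record with a severity that rises when two independent sensors agree. The log layout, field names, threshold and window are assumptions for this example, not either tool's real log format.

```python
"""Correlating haystack and honeypot events the way a SIEM rule would
(added example, not Nova's or Artillery's own code). The log lines, field
layout, threshold and window below are constructed for this example."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source sweeps four haystack hosts and then hits an
# Artillery decoy port on a real server; one whitelisted scanner and one
# single-touch source are included to show what does not get escalated.
SAMPLE_LOGS = """\
2017-04-03T02:10:01Z nova src=198.51.100.23 dst=10.20.5.17 dport=22 proto=tcp
2017-04-03T02:10:02Z nova src=198.51.100.23 dst=10.20.5.18 dport=22 proto=tcp
2017-04-03T02:10:02Z nova src=198.51.100.23 dst=10.20.5.19 dport=22 proto=tcp
2017-04-03T02:10:03Z nova src=198.51.100.23 dst=10.20.5.20 dport=445 proto=tcp
2017-04-03T02:10:09Z artillery src=198.51.100.23 dst=10.20.5.5 dport=445 proto=tcp
2017-04-03T02:15:40Z nova src=10.0.0.7 dst=10.20.5.17 dport=80 proto=tcp
2017-04-03T03:00:12Z nova src=192.0.2.77 dst=10.20.5.31 dport=3389 proto=tcp
"""

HAYSTACK_THRESHOLD = 3            # distinct haystack hosts touched ...
WINDOW = timedelta(minutes=5)     # ... within this sliding window = a sweep
KNOWN_SCANNERS = {"10.0.0.7"}     # constructed whitelist of our own scanners


def parse_line(line):
    """'<iso-ts> <sensor> k=v k=v ...' -> dict (assumed layout)."""
    ts, sensor, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "sensor": sensor,
            "src": fields["src"], "dst": fields["dst"],
            "dport": int(fields["dport"])}


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_sweeps(events, threshold=HAYSTACK_THRESHOLD, window=WINDOW):
    """Sources that touched >= threshold distinct haystack hosts inside one
    window. Returns {src: sorted list of haystack hosts touched}."""
    by_src = defaultdict(list)
    for e in events:
        if e["sensor"] == "nova":
            by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):          # slide the window over time
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= threshold:
                flagged[src] = sorted(hosts)
                break
    return flagged


def correlate(events, whitelist=KNOWN_SCANNERS):
    """Merge both sensors' events per source into one attacker record."""
    sweeps = find_sweeps(events)
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    report = {}
    for src, evs in by_src.items():
        if src in whitelist:
            continue                              # our own scanners
        sensors = {e["sensor"] for e in evs}
        if src not in sweeps and "artillery" not in sensors:
            continue                              # one touch: keep the log, don't escalate
        report[src] = {
            "first_seen": min(e["ts"] for e in evs).isoformat(),
            "last_seen": max(e["ts"] for e in evs).isoformat(),
            "sensors": sorted(sensors),
            "haystack_hosts": sweeps.get(src, []),
            "ports": sorted({e["dport"] for e in evs}),
            # two independent sensors agreeing is the strongest signal
            "severity": "high" if len(sensors) > 1 else "medium",
        }
    return report


if __name__ == "__main__":
    print(json.dumps(correlate(parse_logs(SAMPLE_LOGS)), indent=2))
```

The single-touch source (192.0.2.77) stays in the logs but is not escalated; one stray packet to a decoy is worth a look later, while a sweep plus a hit on a real server's honeypot port is the pattern the incident response team should start from.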

If your company's private network is consistently attacked, these are active defense system options the security team should consider.

This was last published in April 2017