I've been reading about active defense systems on private networks. What are they, and are they a good option for...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Active defense systems on private networks use active deception techniques to identify and hinder attackers performing reconnaissance activities. A Linux distribution called the Active Defense Harbinger Distribution contains preconfigured active defense systems.
Artillery, an open source Python tool, is one example that is useful for active deception. This utility has honeypot functionality, monitors file systems, protects against denial-of-service attacks and provides threat intelligence feeds. Also, installing Artillery on existing servers will not disrupt the network.
The administrators of the tool can specify intrusion detection (IDS) rules to trigger an alert whenever the Artillery ports receive a connection. All connections to these ports (except for those on a whitelist) are considered malicious. A security information and event management (SIEM) system can be used to manage all the alerts.
But the Artillery active defense system is not enough. Several virtualized honeypots need to be spawned from a single management console. The Network Obfuscation and Virtualized Anti-Reconnaissance System (Nova) may be a good fit.
One nice feature about Nova is that it creates a haystack of unused IP addresses as a virtual host on the network. With honeypots up and running, the attacker must weed through the haystack nodes before reaching the targeted servers. When the attacker scans a port, Nova and its IDS rules will quarantine the haystack source address as suspicious.
Like Artillery, Nova can forward its logs to a SIEM to compare events from different systems in order to identify the attacker. As part of the identification process, IDS and Nova alerts in SIEM can be used to locate the attacker's IP address. The incident response team must then research events to find out how the attacker got in, what the attacker was doing and what other reconnaissance activities the attacker may have performed.
If your company's private network is consistently attacked, these are active defense system options the security team should consider.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Here's what you need to know about SIEM as a service before deployment
Learn how to use honeypots on networks to track an attacker's activity
Find out the best way to deploy Linux for internet of things devices
Dig Deeper on Network intrusion detection and prevention (IDS-IPS)
Related Q&A from Judith Myerson
A DocuSign phishing email with a link to a malicious Word document recently targeted the company's users. Expert Judith Myerson outlines six ways to ...continue reading
A vulnerability in Intel AMT enables attackers to gain remote access to PCs and devices. Expert Judith Myerson explains how the attack works and what...continue reading
A Google Chrome flaw enables attackers to automatically download Windows credentials to their SMB sever. Expert Judith Myerson explains how that ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.