How does an active defense system benefit enterprise security?

I've been reading about active defense systems on private networks. What are they, and are they a good option for my enterprise?

Active defense systems on private networks use active deception techniques to identify and hinder attackers performing reconnaissance activities. A Linux distribution called the Active Defense Harbinger Distribution contains preconfigured active defense systems.

Artillery, an open source Python tool, is one example that is useful for active deception. This utility has honeypot functionality, monitors file systems, protects against denial-of-service attacks and provides threat intelligence feeds. Also, installing Artillery on existing servers will not disrupt the network.

The administrators of the tool can specify intrusion detection (IDS) rules to trigger an alert whenever the Artillery ports receive a connection. All connections to these ports (except for those on a whitelist) are considered malicious. A security information and event management (SIEM) system can be used to manage all the alerts.

But the Artillery active defense system is not enough. Several virtualized honeypots need to be spawned from a single management console. The Network Obfuscation and Virtualized Anti-Reconnaissance System (Nova) may be a good fit.

One nice feature about Nova is that it creates a haystack of unused IP addresses as a virtual host on the network. With honeypots up and running, the attacker must weed through the haystack nodes before reaching the targeted servers. When the attacker scans a port, Nova and its IDS rules will quarantine the haystack source address as suspicious.

Like Artillery, Nova can forward its logs to a SIEM to compare events from different systems in order to identify the attacker. As part of the identification process, IDS and Nova alerts in SIEM can be used to locate the attacker's IP address. The incident response team must then research events to find out how the attacker got in, what the attacker was doing and what other reconnaissance activities the attacker may have performed.

If your company's private network is consistently attacked, these are active defense system options the security team should consider.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)