I've been reading about active defense systems on private networks. What are they, and are they a good option for...
Active defense systems on private networks use active deception techniques to identify and hinder attackers performing reconnaissance activities. A Linux distribution called the Active Defense Harbinger Distribution contains preconfigured active defense systems.
Artillery, an open source Python tool, is one example that is useful for active deception. This utility has honeypot functionality, monitors file systems, protects against denial-of-service attacks and provides threat intelligence feeds. Also, installing Artillery on existing servers will not disrupt the network.
The administrators of the tool can specify intrusion detection (IDS) rules to trigger an alert whenever the Artillery ports receive a connection. All connections to these ports (except for those on a whitelist) are considered malicious. A security information and event management (SIEM) system can be used to manage all the alerts.
But the Artillery active defense system is not enough. Several virtualized honeypots need to be spawned from a single management console. The Network Obfuscation and Virtualized Anti-Reconnaissance System (Nova) may be a good fit.
One nice feature about Nova is that it creates a haystack of unused IP addresses as a virtual host on the network. With honeypots up and running, the attacker must weed through the haystack nodes before reaching the targeted servers. When the attacker scans a port, Nova and its IDS rules will quarantine the haystack source address as suspicious.
Like Artillery, Nova can forward its logs to a SIEM to compare events from different systems in order to identify the attacker. As part of the identification process, IDS and Nova alerts in SIEM can be used to locate the attacker's IP address. The incident response team must then research events to find out how the attacker got in, what the attacker was doing and what other reconnaissance activities the attacker may have performed.
If your company's private network is consistently attacked, these are active defense system options the security team should consider.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Here's what you need to know about SIEM as a service before deployment
Learn how to use honeypots on networks to track an attacker's activity
Find out the best way to deploy Linux for internet of things devices
Dig Deeper on Network intrusion detection and prevention (IDS-IPS)
Related Q&A from Judith Myerson
VPN vulnerabilities in products from popular vendors were recently found to enable serious threats. Discover how detrimental these threats are and ... Continue Reading
The Department of Homeland Security warned of a vulnerability affecting WAGO PFC200 logic devices. Discover how this flaw enables threat actors with ... Continue Reading
Zyklon malware targets three previously patched Microsoft Office vulnerabilities. Learn how attackers can access passwords and cryptocurrency wallet ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.