Active defense: Going on the offensive against cyber criminals
With the UK government reporting that nearly 40 percent of UK businesses were hit by cyber attacks last year, keeping on top of cyber security has become a mission-critical need.
Of those UK businesses and charities that were impacted, 83 percent identified phishing as being the most common attack vector. The government is urging these organizations to strengthen against phishing attacks such as business email compromise as they continue to grow in volume and frequency.
But when it comes to boosting cyber resilience, many organizations continue to be reliant on largely passive defense measures.
Building on passive cyber security protection
While passive defense measures such as spam filters, anti-virus systems, intrusion prevention and firewalls are all vital first-line layers of defense that can help reduce the probability of a breach, they shouldn’t be the only line of defense.
The problem is that the pursuit of a passive defense strategy leaves organizations with very little insight about the threat actors or their attack approach. This leaves attackers free to try again, and again, as they constantly refine their technique and successfully achieve infiltration.
With threats becoming more advanced, sophisticated and ever more prevalent, organizations need to reduce the likelihood of future attacks by gathering intelligence that enables them to fight back and ultimately cut threat actors off from the resources they’re using to execute an attack. In other words, taking proactive steps that go beyond simply passively monitoring and responding to attacks.
In contrast to passive defense approaches, active defense techniques involve gathering intelligence that will reduce or prevent future attacks. That includes gaining granular insights on the attack methods being used by scammers: their key objectives and targets, how they monetize their attacks and the payment methods, and even identifying the bank accounts they’re using to collect their ill-gotten gains.
There are lots of active defense approaches that today’s organizations can deploy. One example is a monitoring system that instantly blocks further network connections the moment an intrusion is detected. Another is taking steps to gather intelligence about a source of intrusion and then using these insights to neutralize or shut down an attacking system so it can’t be used by malicious actors.
Using actionable threat intelligence to stay one step ahead
From an active defense perspective, being able to take advantage of comprehensive operational and strategic intelligence on external threats is of great benefit to the company. At the same time, highlighting risk factors and the attack patterns of known criminal groups, together with technical insights on how attacks are being executed, is a must-have for countering specific exploits and vulnerabilities. Armed with this know-how, companies are better equipped to proactively defend themselves against known and highly targeted threats.
Security teams are then able to identify and prioritize security risks and evaluate their current cyber security posture, using this intelligence to mitigate and remediate against specific threat types before they cause damage. Similarly, today’s security analysts can also take advantage of automated tools that can accurately assess suspicious emails, identifying and suspending look-alike domains and automatically removing malicious emails before these get delivered to users.
Understanding what represents a threat right now and what its impact could be is vital for organizations looking to tailor their cyber defense in real-time and take action to neutralize potential security threats before these have an adverse impact. But this is just one aspect of the active defense arsenal.
Hacking the hacker: battling adversaries head-on
Hackers use infrastructure provided by others to undertake their activities. To perpetrate attacks they need to use domains, an IP address and web hosting along with redirects. The aim of the game when pursuing an active defense approach is to take down this infrastructure by cutting criminals off from the resources they are using illicitly.
Organizations looking to go on the offensive can deploy active defense approaches to gather operational intelligence on everything from the email and web hosting services to the IP addresses that their attackers are using. By tracking back the compromised systems used to perpetrate an intrusion, and finding the origin of an attack, organizations can work with others to disarm cyber criminals.
For example, sharing this intelligence with hosting providers and organizations whose websites have been hacked means they can take targeted action to shut down email accounts and APIs or reset admin security. These measures will effectively restrict access to the critical infrastructure hackers are dependent upon to ply their trade.
Putting active defense into action
Initiating an active defense strategy that enables organizations to detect and shut down phishing sites, blocklist hostnames or build up in-depth know-how on the technical execution of attacks can seem like a daunting task. Collating and sharing threat intelligence on everything from identifying the most-targeted employees to unveiling the origins of an attack requires specialist expertise and resources that can be challenging to operationalize.
Specialist active cyber security providers can help organizations bolster their defenses by providing real-time intelligence that pinpoints key risk factors. Alongside insights on indicators of compromise (IOCs) that keep staff informed of new threats as these occur, organizations can take advantage of defense optimization recommendations for specific exploits and vulnerabilities that strengthen their incident response and minimize the likelihood of threats resurfacing.
Some providers can help organizations employ more aggressive yet ethical active defense measures to combat hacking. These include creating fake email addresses, browser cookies or executable files that are designed to lure in attackers and monitor their activities. Using this so-called 'honeypot' technique, organizations gain detailed insights on how attackers gained unauthorized access to corporate systems and were able to exploit network weaknesses. They can also take advantage of powerful takedown APIs, browser blockers and kill switches to stop cyber criminals in their tracks.
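The decoy email address idea above can be sketched as follows. This is an added example, not code from the article or from any provider it mentions: mail sent to a decoy address identifies the sending domains and relay IPs worth reporting to hosting providers, and the same indicators locate real mailboxes that received mail from that infrastructure. The log format, the decoy addresses and all sample values are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed decoy addresses: never published, so any mail to them is suspect.
DECOYS = {"j.harlow@example.com", "ap-invoices2@example.com"}

# Constructed gateway log in a hypothetical format (documentation IPs/domains).
SAMPLE_LOG = """\
2024-05-01T09:12:03Z from=<billing@pay-portal.example.net> to=<j.harlow@example.com> relay=203.0.113.45
2024-05-01T09:12:09Z from=<billing@pay-portal.example.net> to=<maria@example.com> relay=203.0.113.45
2024-05-01T10:30:41Z from=<news@partner.example.org> to=<maria@example.com> relay=198.51.100.7
2024-05-02T08:01:17Z from=<ceo@exec-mail.example.net> to=<ap-invoices2@example.com> relay=203.0.113.45
2024-05-02T08:01:20Z from=<ceo@exec-mail.example.net> to=<tom@example.com> relay=203.0.113.99
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> relay=(?P<ip>\S+)$")

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["domain"] = rec["sender"].rpartition("@")[2].lower()
            rec["rcpt"] = rec["rcpt"].lower()
            yield rec

def infrastructure_report(log_text, decoys=DECOYS):
    """Map each sending domain that hit a decoy to its relay IPs and hit count."""
    report = defaultdict(lambda: {"relays": set(), "hits": 0})
    for rec in parse(log_text):
        if rec["rcpt"] in decoys:
            report[rec["domain"]]["relays"].add(rec["ip"])
            report[rec["domain"]]["hits"] += 1
    return dict(report)

def exposed_recipients(log_text, decoys=DECOYS):
    """Real mailboxes that got mail from a domain or relay seen hitting a decoy."""
    report = infrastructure_report(log_text, decoys)
    bad_ips = set().union(*(v["relays"] for v in report.values()))
    return sorted({r["rcpt"] for r in parse(log_text)
                   if r["rcpt"] not in decoys
                   and (r["domain"] in report or r["ip"] in bad_ips)})

if __name__ == "__main__":
    print(infrastructure_report(SAMPLE_LOG))
    print(exposed_recipients(SAMPLE_LOG))
```

Matching on relay IP as well as sending domain catches a campaign that rotates domains on one host, but a shared relay can also carry legitimate mail, so the recipient list is a review queue rather than a verdict.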
By investing in proactive detection methods and services, organizations can remediate faster, proactively defend themselves against known and highly targeted threats and compromise the ability of threat actors to pursue their illicit activities. What’s more, because threat actors typically attack numerous targets using the same infrastructure, each loss of that infrastructure can disrupt multiple ongoing fraud campaigns.
John Wilson is Senior Fellow, Threat Research at Fortra, the new name for HelpSystems.