On Sep 14, 2020, MITRE, the federally funded R&D organization perhaps best known for its popular ATT&CK framework, announced Shield – an Active Defense knowledge base developed to arm cybersecurity defenders with a framework for actively dealing with threats instead of passively reacting to them. As MITRE puts it, Shield has been “derived from over 10 years of adversary engagement experience. It spans the range from high level, CISO ready considerations of opportunities and objectives, to practitioner friendly discussions of the TTPs available to defenders.”
As an industry charged with protecting networks and IT infrastructures, we have been overly reliant on passive defenses. Given the rapid pace of technology development, the shortage of skilled cybersecurity professionals, and the vendor community’s ‘assume breach’ schtick, we have become accustomed to dealing with threats on our turf but on the adversary’s terms, instead of actively smoking out the threat. We’re always reacting after the fact, which is why Shield couldn’t have arrived sooner.
Since then, I’ve had countless conversations with CISOs attempting to understand how Shield can inform their security posture and incident handlers/practitioners on what they can do today that might have an outsized impact on their ability to defend. I’ve also realized that there’s a fundamental conversation to be had about what ‘active defense’ in cybersecurity means, and why teams must adopt it as an integral part of their security program and best practices.
Over the last 10 years, I have been a part of multiple incident response projects. The story usually unfolds in a similar fashion – evidence of compromise is on the network. Jump to the ‘Cotton Eye Joe’ problem – where did it come from, where does it go. And of course, what did it damage.
Perhaps the most high-pressure scenarios are those where the threat is not just active but is actively moving around the network, say something like ransomware. Machine after machine is getting infected, and there is nothing you can do to stop it.
Consider this nightmare scenario for a moment. You work security for a business with 1000 employees. You don’t have an anti-virus (AV) installed (hypothetical). You have been infected by ransomware. You immediately make the call to purchase an AV, the budget gets freed up, and you go to procure it. But it takes days, even weeks if not months, to procure it and push it out to every single workstation and server. Your AV has now future-proofed you in some way, but the adversary has already finished her attack. You are recovering from the disaster in some form. Maybe you are restoring backups. Maybe you just paid the ransom. The response was required in minutes and hours. That battle was lost.
The fallouts of such incidents can be brutal. There is intense pressure on security teams, and they carry heavy burdens. I have seen security folks stay up 96 hours at a stretch, trying to squeeze in a couple of minutes of sleep in offices amid thousands of messages, texts, and calls. I have seen top management in companies get involved and ask tough questions to which there are no good answers.
If you are involved in any security function in your organization, at any level, this should be relatable. To some, something like this might have happened recently. For some, it’s been a while. And if it hasn’t happened to you yet, chances are, it will happen at some point – sooner rather than later.
And then let’s talk money. It costs a lot of money. I’m talking serious cash, on the order of hundreds of thousands of dollars, all being spent in a matter of days. You are paying your vendors, service providers, advisors, and implementers. You are paying by the hour for everyone involved in the response: IT teams, security teams, and Active Directory teams. And then people wonder why cybersecurity is a $123 billion industry.
It gets chaotic.
In my experience, you can contain that chaos with an Active Defense mindset.
Active defense isn’t really a new concept. For example, the armed forces and police have active defense protocols. If intelligence picks up an impending threat, the machinery kicks in to reflect the seriousness of the threat. Intensified checking at posts, barricades across high-value locations and roads, enhanced protective measures for ministers and other high-value targets, orders to restrict the movement of people and goods, frequent patrolling – you get the drift.
Now notice this strategy for a moment. It includes a lot of tough calls because the threat has a material impact on the life of civilians. There’s a protocol in place. Also, notice that the strategy doesn’t involve waiting for the bad guy to move around as he pleases. It actively tries to smoke the threat out. The alternative is to play catch up. Always one step behind the threat. Ring any bells? Of course, it does because that’s exactly what we do in cybersecurity.
What I’m getting to is that when you are in the midst of an incident, you have ways to try to smoke out the threat, make life difficult for the adversary, and minimize the impact of the breach: a response that can be measured in days (if not hours), will not be as costly, and will rein in panic.
It involves barricades, restriction of movement, enhanced patrolling, and of course, protecting the crown jewels.
Here’s how it might look in a real-life ‘incident’:
- Block the movement of traffic between computers by enabling your pre-created firewall blocking policy.
- Shut down Internet access, either from specific segments or universally.
- Sinkhole traffic for suspicious connections.
- Initiate an on-going indicator check against crown jewels.
- Initiate backup of critical data and crown jewels.
- Spin up decoy systems and users.
- Lockdown usage of privileged accounts.
- Actively monitor the movement of administrative accounts and flag suspicious activity.
This is, of course, a non-exhaustive list, but all of these can be really quick to do! The biggest impediment is usually taking the tough calls, as these may temporarily disrupt services. It also happens because of poor team communication across the board. It is because of this that we forgo a defensive advantage and chase the threat for days and months on end.
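To make the last item on the list concrete (actively monitoring privileged accounts and flagging suspicious activity), here is an added example that is not from the original post or from Smokescreen. It runs two simple checks over a constructed, simplified logon log: a privileged logon from a source host outside that account’s baseline (with a separate alert kind when the target is a crown jewel), and a fan-out of one privileged account to several distinct hosts within a short window, which is the signature of rapid lateral movement. The log format, host names, baseline sources, the five-minute window and the fan-out threshold are all assumptions made for the example.

```python
"""Flag suspicious use of privileged accounts from logon records.

Added example (not from the original post or from Smokescreen). It assumes a
simplified, constructed logon log with one record per line:
timestamp,account,source_host,target_host. The baseline, crown-jewel list,
window and threshold below are hypothetical values chosen for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). The last five lines model a
# privileged account being used from an unfamiliar workstation late at night
# and hopping across several hosts within a couple of minutes.
SAMPLE_LOG = """\
2020-09-14T09:00:00,svc_backup,BK01,FS01
2020-09-14T09:05:00,admin_jane,WS-JANE,DC01
2020-09-14T09:06:00,admin_jane,WS-JANE,FS01
2020-09-14T13:00:00,admin_jane,WS-JANE,DC01
2020-09-14T22:10:00,admin_jane,WS-204,DC01
2020-09-14T22:11:00,admin_jane,WS-204,FS01
2020-09-14T22:11:30,admin_jane,WS-204,FS02
2020-09-14T22:12:00,admin_jane,WS-204,HR-DB01
2020-09-14T22:12:40,admin_jane,WS-204,WS-117
"""

PRIVILEGED = {"admin_jane", "svc_backup"}          # accounts under watch
CROWN_JEWELS = {"DC01", "HR-DB01"}                  # hosts that matter most
# Where each privileged account is expected to log on from (hypothetical).
BASELINE_SOURCES = {"admin_jane": {"WS-JANE"}, "svc_backup": {"BK01"}}
WINDOW = timedelta(minutes=5)
FANOUT_THRESHOLD = 3   # distinct targets inside WINDOW -> lateral-movement alert


def parse_log(text):
    """Parse the constructed CSV-style log into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "account": account,
                        "src": src, "dst": dst})
    return records


def flag_privileged_activity(records):
    """Return alerts as (kind, account, source, target(s), timestamp) tuples."""
    alerts = []
    recent = defaultdict(list)      # account -> [(ts, dst)] within WINDOW
    fanout_state = defaultdict(bool)  # account -> already alerted for this burst
    for r in sorted(records, key=lambda x: x["ts"]):
        acct = r["account"]
        if acct not in PRIVILEGED:
            continue
        stamp = r["ts"].isoformat()
        # Check 1: privileged logon from a host outside the account's baseline.
        if r["src"] not in BASELINE_SOURCES.get(acct, set()):
            kind = ("crown_jewel_from_unexpected_source"
                    if r["dst"] in CROWN_JEWELS else "unexpected_source")
            alerts.append((kind, acct, r["src"], r["dst"], stamp))
        # Check 2: fan-out to many distinct hosts inside a sliding window.
        window = [(t, d) for t, d in recent[acct] if r["ts"] - t <= WINDOW]
        window.append((r["ts"], r["dst"]))
        recent[acct] = window
        distinct = {d for _, d in window}
        crossed = len(distinct) >= FANOUT_THRESHOLD
        if crossed and not fanout_state[acct]:
            alerts.append(("lateral_movement_fanout", acct, r["src"],
                           ",".join(sorted(distinct)), stamp))
        fanout_state[acct] = crossed   # alert once per burst, re-arm when it ends
    return alerts


if __name__ == "__main__":
    for alert in flag_privileged_activity(parse_log(SAMPLE_LOG)):
        print(alert)
```

In production the baseline would be learned from a quiet period rather than hard-coded, and the alerts would feed the ‘lockdown privileged accounts’ step above (for example, by disabling the account or forcing re-authentication) instead of just being printed.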
But hey, if you drill this before things go wrong, you will already know and understand what the impact is going to be.
Think about it this way. You have an existing set of software defenses. That should make life difficult for the software tactics of the threat. Active defense is you putting additional software defenses to attack the human behind the threat.
This brings me back to why MITRE Shield couldn’t have come sooner. For the first time, defenders have a shared vocabulary and framework for what they can proactively do to defend their networks. It even maps to MITRE ATT&CK, telling you exactly which defense can disrupt an attack tactic. I strongly urge you to check out Shield.
If you need help with understanding this more, we are running 30-minute workshops to deconstruct MITRE Shield and break down how you can get started with active defense. Feel free to sign up here.
We have also released our mapping to MITRE Shield. With Smokescreen, you can achieve 95% coverage of all the active defense techniques included in the framework. You can get the mapping from here. And if you want to see all of this in action, you can always ask for a demo.
I’m very excited about all the conversations that are happening around MITRE Shield. As we help our customers implement Shield and achieve more active defense coverage, I will be sharing what I learn. Feel free to hit me up on LinkedIn or Twitter.