Open Source Tools for Active Defense Security

A security truism: There will always be things we want to do, but we just can’t get the budget for them. Some strategies can be harder in this regard than others, including those that are technically sophisticated, less mainstream or more complicated to operationalize.

So, what can we do when this happens? One option is to employ free or open source tools in limited deployment. This choice can help demonstrate value and work as a proof point for future budget conversations — and can even work for a strategy like active defense.

If your goal is active defense, it may be more challenging to gain budgetary resources and executive support. This barrier makes open source options particularly useful because these tools can help you demonstrate value and shore up support.

What Is Active Defense?

This term originates from the defense world and refers to techniques that deny positions or strategic resources to adversaries, which then makes their campaigns more challenging to conduct. In the cybersecurity world, the goal is the same: Make the adversaries’ campaigns harder by denying them key resources. Active defense isn’t quite as mainstream as other security tools, such as anti-malware scanning tools, because much of the guidance (e.g., taxonomies of controls, regulatory mandates, etc.) doesn’t require it.

One reason active defense is particularly useful in a cybersecurity context is the time-constrained nature of an attacker’s campaign. There are multiple windows of time within these campaigns, including the time between discovery of a security vulnerability and when you fix it; when the attacker gains entry and when you discover he or she is there; and when the attacker is found and when he or she is caught, blocked or otherwise disabled.

Anything you can do to slow down attackers (or increase the amount of time and effort they need to invest) makes it more likely that you’ll discover them before they’re successful.

Active Defense Strategies and Open Source Tools

There are ways to increase the time and energy required on the part of the attacker: You can feed the attacker bad intelligence or false intel. You can waste his or her reconnaissance resources. You can trick the adversary into revealing his or her identity (which you or law enforcement can use later). Here are some of the most effective active defense strategies, as well as some free or open source tools you can test to see if this approach is compatible with your environment.

Active Defense Strategy 1: Decoys

Decoys can be used to distract attackers from real targets. Most security practitioners are familiar with honeypots or honeynets, which are sets of devices that look like “juicy targets” from an attacker’s point of view — but are actually just traps designed to tip you off. There are lots of great open source options that can do this, but your selection will ultimately depend on your environment and what you want to get out of it.

OpenCanary is a straightforward tool, both conceptually and in implementation: You set a profile (i.e., a personality) for what you want it to look like (e.g., a Linux or Windows server, a database server, etc.), and it sends alerts when someone connects to it. You can select from low-, medium- or high-interaction honeypots. These levels refer to how much interaction the honeypot can maintain with an attacker before he or she realizes it’s a decoy.

There are many choices for each type of device you might want to simulate. WebTrap lets you simulate an internal web resource (e.g., an intranet or other page). Low- or medium-interaction tools like HoneyPy can be used to listen for requests and alert you when someone connects. High-interaction tools like Lyrebird can hold an attacker’s attention for a period — so you can figure out who the attacker is, observe his or her behavior or waste his or her time.
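As an added illustration (not code from HoneyPy, OpenCanary or any other tool named above), here is a minimal low-interaction TCP decoy in Python: it binds a port, presents a fake service banner, captures whatever the peer sends first, and emits a structured alert, since no legitimate client has a reason to touch it. The port numbers, banner strings and loopback bind address are constructed placeholders.

```python
import socket
import threading
from datetime import datetime, timezone

# Constructed decoy banners (placeholders, not real hosts): the name is the bait.
BANNERS = {2222: b"SSH-2.0-OpenSSH_7.4\r\n", 2323: b"\r\nlogin: "}

def make_alert(peer, dst_port, probe):
    """Alert record for one touch; no legitimate client has a reason to be here."""
    return {"ts": datetime.now(timezone.utc).isoformat(),
            "src_ip": peer[0], "src_port": peer[1], "dst_port": dst_port,
            "probe_hex": probe[:64].hex()}  # hex keeps control bytes out of logs

def open_decoy(port, bind="127.0.0.1"):
    """Bind the listening socket; port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(5)
    return srv

def accept_loop(srv, banner, sink, max_conns=None):
    """Send the fake banner, capture the peer's first bytes, raise an alert."""
    handled = 0
    while max_conns is None or handled < max_conns:
        conn, peer = srv.accept()
        handled += 1
        try:
            conn.settimeout(3.0)      # low interaction: never hang on a peer
            conn.sendall(banner)
            probe = conn.recv(256)
        except OSError:               # timeout or reset still counts as a touch
            probe = b""
        finally:
            conn.close()
        sink(make_alert(peer, srv.getsockname()[1], probe))
    srv.close()

def probe_once(payload=b"probe\r\n"):
    """Self-test: run one decoy on a free port, poke it once, return the results."""
    alerts = []
    srv = open_decoy(0)
    addr = srv.getsockname()
    t = threading.Thread(target=accept_loop, args=(srv, BANNERS[2222], alerts.append, 1))
    t.start()
    with socket.create_connection(addr) as c:
        banner = c.recv(64)
        c.sendall(payload)
    t.join(5)
    return banner, alerts
```

In a real deployment the `sink` would forward each alert to your SIEM or paging system; a scanner that connects and immediately closes still produces an alert with an empty probe.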

Active Defense Strategy 2: Attribution

The second strategy involves tools that are designed to trick an attacker into divulging his or her identity or location — or any other information that can be used to assist in law enforcement and other mitigation activities. It’s important to note that attribution sometimes requires interaction with the attacker. Therefore, it needs to be done carefully to ensure you’re not breaking the very same laws as your attacker.

Many of the tools we will explore moving forward can be used in both lawful and unlawful ways. The fine line between the two will depend on your usage and context. Therefore, you must ensure that planned usage is in accordance with the law. How can you tell? A solid strategy is to run the specifics past your legal team to get clarity and confirmation.

One category of tool that can assist with attribution is honeypot systems with built-in attribution features. A tool like HoneyBadger, which has geolocation features to determine where an attacker is located, is a good example. This is particularly useful in combination with documents that act as a beacon when opened, such as when integrated with a tool like Molehunt.

Alternatively, a tool like the Browser Exploitation Framework (BeEF) can assist with attribution by collecting information from the remote party from within his or her web browser. BeEF provides quite a bit of functionality and is often used in penetration testing to gain a beachhead for internal attacks. (Carefully review the caveat about lawful versus unlawful usage here.)

Active Defense Strategy 3: Sinks and Traps

You can trap attackers so they waste time instead of realizing their campaign’s objectives. Tools like Spidertrap or Weblabyrinth generate “mazes” of bogus web content to waste time when an attacker crawls it or uses automated tools to scan it.
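As an added illustration, not code from Spidertrap or Weblabyrinth, here is a minimal WSGI “labyrinth” in Python: each page under an assumed mount point (`/trap`) lists links derived from its own path with an HMAC, so the maze is endless without any stored state; `robots.txt` tells polite crawlers to stay out; and every request into the maze is recorded as an alert, because nothing legitimate lives there. The secret, mount point and link count are constructed placeholders.

```python
import hashlib
import hmac
from html import escape
from urllib.parse import quote

MAZE_ROOT = "/trap"                   # assumed mount point for the labyrinth
LINKS_PER_PAGE = 8
SECRET = b"constructed-demo-secret"   # placeholder: use a per-deployment random key
HITS = []                             # every hit is an alert: nothing real lives here

def child_paths(path, n=LINKS_PER_PAGE):
    """Derive child links from the path with an HMAC: the maze is endless and
    reproducible on every request, yet needs no stored state."""
    base = path.rstrip("/")
    seed = hmac.new(SECRET, base.encode(), hashlib.sha256).digest()
    names = [hmac.new(SECRET, seed + bytes([i]), hashlib.sha256).hexdigest()[:12]
             for i in range(n)]
    return [f"{base}/{name}.html" for name in names]

def maze_page(path):
    """Render one page that looks like a directory listing; every link goes deeper."""
    items = "".join(f'<li><a href="{escape(quote(p))}">{escape(p.rsplit("/", 1)[1])}</a></li>'
                    for p in child_paths(path))
    return f"<html><body><h1>Index of {escape(path)}</h1><ul>{items}</ul></body></html>"

def wsgi_app(environ, start_response):
    """WSGI entry point: robots.txt keeps polite crawlers out; maze hits are logged."""
    path = environ.get("PATH_INFO", "/")
    if path == "/robots.txt":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [f"User-agent: *\nDisallow: {MAZE_ROOT}/\n".encode()]
    if not path.startswith(MAZE_ROOT):
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    HITS.append({"src_ip": environ.get("REMOTE_ADDR", "?"),
                 "ua": environ.get("HTTP_USER_AGENT", "?"), "path": path})
    start_response("200 OK", [("Content-Type", "text/html")])
    return [maze_page(path).encode()]

if __name__ == "__main__":            # serve the maze locally for a manual look
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, wsgi_app).serve_forever()
```

Keep the maze off any path that real users or search engines need; a client that ignores `robots.txt` and keeps descending is exactly the automated scanner you want to slow down and flag.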

Meanwhile, tools like Nova can create a “haystack” of hosts (or, in fact, entire networks) that appear to be part of your environment from an attacker’s point of view. An attacker can get lost within this, potentially spending hours or days attempting to sort the “wheat” (your actual production network) from the “chaff” (the bogus virtual hosts).

The bottom line: Open source options can be a great way to experiment with some of these approaches if you’re not already doing them. Fortunately, there are a number of excellent options to choose from to help you get started.

Ed Moyle

General Manager & Chief Content Officer at Prelude Institute

Ed Moyle is currently General Manager & Chief Content Officer at Prelude Institute. Prior to joining Prelude, Ed was Director of Thought Leadership and Research for ISACA and a founding partner of the analyst firm Security Curve. In his 20+ years in information security, Ed has held numerous positions including: Senior Security Strategist for Savvis (now CenturyLink), Senior Manager with CTG's global security practice, Vice President and Information Security Officer for Merrill Lynch Investment Managers, and Senior Security Analyst with Trintech. Ed is co-author of "Cryptographic Libraries for Developers" and a frequent contributor to the Information Security industry as author, public speaker, and analyst.