PiChris - Fotolia

How does an active defense system benefit enterprise security?

Active defense systems work as deception techniques on private networks, but are they good for enterprise use? Expert Judith Myerson discusses some options.

I've been reading about active defense systems on private networks. What are they, and are they a good option for my enterprise?

Active defense systems on private networks use active deception techniques to identify and hinder attackers performing reconnaissance activities. A Linux distribution called the Active Defense Harbinger Distribution contains preconfigured active defense systems.

Artillery, an open source Python tool, is one example that is useful for active deception. This utility has honeypot functionality, monitors file systems, protects against denial-of-service attacks and provides threat intelligence feeds. Also, installing Artillery on existing servers will not disrupt the network.

The administrators of the tool can specify intrusion detection (IDS) rules to trigger an alert whenever the Artillery ports receive a connection. All connections to these ports (except for those on a whitelist) are considered malicious. A security information and event management (SIEM) system can be used to manage all the alerts.

But the Artillery active defense system is not enough. Several virtualized honeypots need to be spawned from a single management console. The Network Obfuscation and Virtualized Anti-Reconnaissance System (Nova) may be a good fit.

One nice feature about Nova is that it creates a haystack of unused IP addresses as a virtual host on the network. With honeypots up and running, the attacker must weed through the haystack nodes before reaching the targeted servers. When the attacker scans a port, Nova and its IDS rules will quarantine the haystack source address as suspicious.

Like Artillery, Nova can forward its logs to a SIEM to compare events from different systems in order to identify the attacker. As part of the identification process, IDS and Nova alerts in SIEM can be used to locate the attacker's IP address. The incident response team must then research events to find out how the attacker got in, what the attacker was doing and what other reconnaissance activities the attacker may have performed.

If your company's private network is consistently attacked, these are active defense system options the security team should consider.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Here's what you need to know about SIEM as a service before deployment

Learn how to use honeypots on networks to track an attacker's activity

Find out the best way to deploy Linux for internet of things devices

Dig Deeper on Threat detection and response

Enterprise Desktop
Cloud Computing