Active Defenses?

Active defense, often mistakenly called hacking back, is a common topic thrown around the security space lately.  And I think there are a number of reasons for this.

Current security technologies are beginning to show significant strain.  It seems almost daily there is breach of another large company or government institution.  Many of these companies have significant budgets dedicated to information security personnel and technologies.   It seems as though the current defensive technologies, such as Intrusion Detection and Prevention systems (IDS/IPS), Anti-Virus (AV) and patching, are not slowing the current generation of advanced threats.  Furthermore, current attack technologies such as Metasploit and the Social Engineering toolkit (SET) make attacking so easy for penetration testers that current defenses are merely an afterthought for the attackers and testers. 

Attackers can encode their executables to bypass AV.  They can utilize the very tools we use to defend our sensitive data like SSL to bypass our outbound detection technologies.  They can even blend in and look just like standard users on a network once valid credentials are stolen.

What, then, is the solution?  It seems as though many feel the solution is investing in more AV and better IDS.  In information security we are doing the same thing over and over again and expecting different results.  We need to start being more creative.

Active Defense involves undermining the Observe Orient Decide Act (OODA) loop involved in attacking a network.  This methodology was originally developed for the Air Force as it related to fighter pilots.  However, it has permeated throughout the military since then.  The point is that whichever adversary can complete an OODA loop the fastest will win in a conflict.  Currently, in cyber-security the OODA loop is heavily in the attacker’s favor.  They have the ability to observe networks and orient themselves to the defensive technologies present before even launching a single packet.  This is because so many security architectures utilize the same types of defensive technologies.  However, with active defenses, the goal is to tip the OODA loop in the defender’s favor.

So Secure Ideas and Black Hills Information Security worked together to create the Active Defense Harbinger Distribution (ADHD).  The Active Defense Harbinger Distribution project is a live environment for active defenses. The purpose of this project is to tie as many of the current active defensive projects as possible together onto one common platform. Using a live environment provides security professionals the ability to boot the Active Defense Harbinger Distribution on any Intel-based system from a DVD or USB flash drive, or run the test environment within a virtual machine.  It also will finally provide the defenders with an environment where they can quickly implement unexpected defenses to a number of different attacks and recon tactics.

We are very happy to announce the first public release available at and are already working on building the next version.  This project is part of the Samurai family, joining SamuraiWTF, SamuraiSTFU and SamuraiMobiSec.

One Response to Active Defenses?

  1. I like the idea. Although I am concern that the name active defense is being confused with hacking back. As a community we have gone from passive virus scanning to active realtime quarantine. We have evolved from IDS to IPS. The list could go on. In this sense this is just an evolution of a couple of different technologies like honeypots and log management. It's exiting and I'm embracing it.

Leave a reply