A security cliché
There are many security measures and tasks we want to carry out, but we are often out of budget and tell ourselves that everything will be all right. There are millions of people out there with even weaker networks, so why would a hacker even target my network?! And I agree that some sophisticated technologies are hard to implement and even harder to keep running, whether because of financial or operational hurdles.
So, in those situations, what should we do? There is one solution: free tools, open source or otherwise available for anyone to use. They have limitations, but in the beginning those tools are really helpful for protecting your network against hackers. They are great for tight budgets and are even recommended for an active defense strategy.
If active defense is all you want, I understand that it is tough to get financial or even executive support for it; the following tools are really useful for demonstrating the value of network security to your superiors.
What is Active Defense BTW?
The Department of Defense defines active defense as: "The employment of limited offensive action and counterattacks to deny a contested area or position to the enemy."
As you may have heard, this term originated in the defense world. It refers to techniques that deny strategic resources to adversaries, so that it becomes harder for them to keep their campaigns going.
In cyber security the final goal is the same: make the adversaries' campaigns tougher and tougher by denying them the resources they depend on. Active defense is not as popular as other security tools because regulatory mandates don't ask for it.
Active defense is useful because of the time-constrained nature of a hacker's campaign. There are several time windows within a campaign: for example, the time between when you discover a security vulnerability and when you actually fix it, or the time between when the hacker enters the network or system and when you find out who the hacker is.
Any idea how to catch them while they are on your networks or systems?
SLOW DOWN THE HACKERS. Do whatever you can to slow them down so that they need more time to execute their plans; if you have slowed them down, you are more likely to catch them before they get everything done.
Here are a few ways to slow down hackers so that they need more time and energy:
Feed the hackers bad intelligence or false intel.
Waste their reconnaissance resources.
Trick them into revealing their identity (which law enforcement can use to find them).
Strategy 1: Decoys
Decoys are used to distract hackers from their real targets. People who have spent enough time in cyber security are familiar with tools such as honeypots and honeynets: devices, or sets of devices, made to look like "juicy targets" for hackers. They are a kind of trap. The hackers may think they have found a great security hole, but in fact they have become prey in our trap. There are many open source tools available; choose the one that best suits your requirements.
1. OpenCanary is a really easy-to-use tool. You just create a profile for what you want the tool to look like, e.g. a Linux or Windows server or a database server. It sends alerts when someone tries to connect, or actually connects, to it. There are three levels of honeypot: low-interaction, medium-interaction and high-interaction. They refer to how much interaction you want the honeypot to maintain with the hacker before they realize that it's a decoy.
2. WebTrap lets you replicate an internal web resource, for example an intranet.
3. HoneyPy is another low- (or, we could say, medium-) interaction tool. It listens for requests on your network and alerts you when someone connects.
4. Lyrebird is a high-interaction tool. It can hold an attacker's attention for a long period of time, which gives you plenty of time to figure out who the hacker is, observe their behavior and/or waste their time.
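To make the low-interaction idea concrete, here is a small decoy listener added as an example (it is not OpenCanary's or HoneyPy's code). It binds a port that no legitimate client should ever use, sends a constructed SSH-style banner, records the first bytes the client sends, and turns every connection into a JSON alert. The node id, banner string and the `probe` helper that plays the scanner are all assumptions made for the example.

```python
import json
import socket
import threading
import time
from datetime import datetime, timezone

# Constructed banner: the listener announces itself as an SSH server so
# that scanners which grab banners record something plausible.
BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"


class LowInteractionHoneypot:
    """Minimal low-interaction decoy: accept a connection on a port that no
    legitimate client should use, send a banner, record the first bytes the
    client sends, close. Every connection is an alert, because the only
    reason to talk to this port is that someone is probing the network."""

    def __init__(self, host="127.0.0.1", port=0, node_id="decoy-01"):
        self.node_id = node_id          # which decoy fired (constructed name)
        self.alerts = []                # alert records, oldest first
        self._lock = threading.Lock()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))   # port=0 lets the OS pick a free port
        self._sock.listen(16)
        self.port = self._sock.getsockname()[1]
        self._running = False

    def start(self):
        self._running = True
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def stop(self):
        self._running = False
        self._sock.close()

    def _accept_loop(self):
        while self._running:
            try:
                conn, addr = self._sock.accept()
            except OSError:             # socket closed by stop()
                break
            threading.Thread(target=self._handle, args=(conn, addr),
                             daemon=True).start()

    def _handle(self, conn, addr):
        with conn:
            conn.settimeout(2.0)
            data = b""
            try:
                conn.sendall(BANNER)
                data = conn.recv(256)   # whatever the client says first
            except OSError:
                pass
            alert = {
                "time": datetime.now(timezone.utc).isoformat(),
                "node_id": self.node_id,
                "src_ip": addr[0],
                "src_port": addr[1],
                "dst_port": self.port,
                "first_bytes": data[:64].decode("latin-1"),
            }
            with self._lock:
                self.alerts.append(alert)
            print(json.dumps(alert))    # in practice: ship to syslog/SIEM

    def wait_for_alerts(self, count, timeout=5.0):
        """Block until at least `count` alerts exist or the timeout passes."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.alerts) >= count:
                    return list(self.alerts)
            time.sleep(0.05)
        with self._lock:
            return list(self.alerts)


def probe(port, payload, host="127.0.0.1"):
    """Stand-in for a scanner: connect, send something, read the banner.
    Used here only to show the decoy firing on a loopback connection."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        s.sendall(payload)
        return s.recv(256)


if __name__ == "__main__":
    hp = LowInteractionHoneypot()
    hp.start()
    print("decoy listening on port", hp.port)
    print("scanner saw banner:", probe(hp.port, b"SSH-2.0-scanner\r\n"))
    hp.wait_for_alerts(1)
    hp.stop()
```

The value of a decoy like this is that it has no false positives by design: nothing in your environment is configured to talk to it, so any hit is worth a look. Run several with different `node_id` values and the alert tells you which decoy, and therefore which network segment, the scanner reached.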
Strategy 2: Attribution
The second strategy involves tools designed to trick hackers into revealing their identity and/or location, or any other information that can help mitigation. This strategy sometimes requires interaction with the hacker, so we need to be careful that we don't break any laws the way the hackers do. Many tools can be used lawfully or unlawfully; it is a fine line between the two, and you need to decide which side you are on. Go for the tools that comply with the law.
1. A honeypot system is a good tool for attribution and has built-in attribution features.
2. Another tool, HoneyBadger, has geolocation features that can determine the location of the hacker.
3. The Browser Exploitation Framework (BeEF) collects data from within the hacker's browser by gathering useful information from the browser's various services.
Strategy 3: Sinks and Traps
This is the technique of wasting the hacker's time. The hacker gets lost in your trap instead of achieving his or her objectives.
1. Spidertrap and Weblabyrinth both generate "mazes" of fake web content. The hacker dives into it and wastes time; scanning it takes a lot of time even with automated tools.
2. Nova is another helpful tool that creates a "haystack" of hosts, or even entire networks, that appear to be part of your own network environment when the hacker looks into it. It takes the hacker hours or days to tell your actual network from the fake one.
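The "maze of fake web content" idea from item 1 can be shown in a few lines. The following is an added example, not code from Spidertrap or Weblabyrinth: every page is a fake directory listing whose only content is links to six more pages, with the link names derived from a secret and the current path so that the tree is consistent on revisits but never bottoms out. The `crawl` function plays a naive crawler with a fixed page budget to show that the unvisited frontier grows faster than the crawler can drain it. The secret, the word list, the port and the optional tarpit delay are assumptions made for the example.

```python
import hashlib
import html
import re
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed secret: link names are derived from it, so a scanner cannot
# tell a maze path from a real one by its shape. Rotate it per deployment.
SECRET = b"change-me-per-deployment"
LINKS_PER_PAGE = 6
WORDS = ["admin", "archive", "backup", "config", "export", "old",
         "private", "reports", "tmp", "users"]
RESPONSE_DELAY = 0.0   # seconds; a tarpit delay slows automated crawlers further


def child_links(path, n=LINKS_PER_PAGE):
    """Derive n stable child paths for `path`. The same path always yields
    the same children, so the maze looks like a consistent site tree, but
    it never bottoms out: every page has n more pages beneath it."""
    base = path.rstrip("/")
    links = []
    for i in range(n):
        digest = hashlib.sha256(SECRET + base.encode() + bytes([i])).digest()
        word = WORDS[digest[0] % len(WORDS)]
        links.append(f"{base}/{word}-{digest[1:4].hex()}")
    return links


def render_page(path):
    """Directory-listing style page whose only content is links deeper in."""
    items = "".join(
        f'<li><a href="{html.escape(p)}">{html.escape(p.rsplit("/", 1)[-1])}/</a></li>'
        for p in child_links(path)
    )
    title = html.escape(path or "/")
    return (f"<html><head><title>Index of {title}</title></head>"
            f"<body><h1>Index of {title}</h1><ul>{items}</ul></body></html>")


LINK_RE = re.compile(r'href="([^"]+)"')


def extract_links(page):
    """What a crawler would pull out of one of our pages."""
    return LINK_RE.findall(page)


def crawl(start="/", budget=500):
    """Simulate a naive breadth-first crawler with a fixed page budget.
    Returns (pages fetched, links still unvisited when the budget ran out):
    the maze grows by LINKS_PER_PAGE - 1 unvisited links per page fetched."""
    seen, frontier = set(), [start]
    while frontier and len(seen) < budget:
        path = frontier.pop(0)
        if path in seen:
            continue
        seen.add(path)
        frontier.extend(extract_links(render_page(path)))
    return len(seen), len(frontier)


class LabyrinthHandler(BaseHTTPRequestHandler):
    """Serves the maze and logs every hit: each request is a reconnaissance
    signal, because no legitimate user has a reason to be here."""

    def do_GET(self):
        print(f"labyrinth hit from {self.client_address[0]}: {self.path}")
        time.sleep(RESPONSE_DELAY)
        body = render_page(self.path.split("?", 1)[0]).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass   # we already print our own line in do_GET


if __name__ == "__main__":
    print("crawler result (pages fetched, links left):", crawl("/", 200))
    HTTPServer(("127.0.0.1", 8080), LabyrinthHandler).serve_forever()
```

Deploy something like this under a path that is linked only from places a person would never click (a hidden link, a `robots.txt` entry that real crawlers respect) so that the hit log stays clean; then a small `RESPONSE_DELAY` makes each of the thousands of pages a scanner insists on fetching cost it real time.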