What is Proactive Cyber Defence?

If you started working in cyber defence ten or so years ago, you probably used one of two approaches when dealing with would-be intruders: blocking or stealth. 

Blocking was used to deal with something that was obviously bad: think firewall rules, blocking bad websites and antivirus. When that failed, defenders would collect data from their networks and devices as stealthily as possible and investigate anything suspicious, while trying not to alert any intruder. It was spy versus spy, with each side trying to get to a stage where they could act decisively, without being seen by the other side.

Proactive cyber defence (at least the way we define it at Liarbird) does use these approaches when it makes sense, but it also introduces a third option: interacting with the intruder, automatically, in many places at once, day in, day out.

Why? Determined attackers are usually ‘blocked’ dozens or hundreds of times before they are successful. They scan for opportunities and try the cheap and easy things first. As they continue to be blocked, they start to take more risks, becoming more focused and using infrastructure, tools and techniques that aren’t on any lists of ‘known bad stuff’. Now they are less likely to be blocked, but it becomes far more costly for them if they are discovered. 

For the defender, one of the shortcomings of traditional approaches is that it is very hard to join the dots together. You see some scanning activity on a firewall, some failed remote log-in attempts on one of your cloud services, some users blocked while attempting to access a known bad website, then…nothing. Maybe those things were related, maybe not. Maybe the attacker has given up, maybe not. And none of the information you have gathered about the attacker so far is likely to help you find them if they have transitioned to stealth.

When you interact with the intruder, the approach is more like that of a police negotiator: you keep them on the phone, learning everything you can about them and their intentions, while influencing, containing and slowing them down. At the same time, the rest of the system is responding directly to the threat. Now, if you imagine that you have an army of machines and software trained to deal with suspicious events in this way, and they are part of a broader system that launches escalating responses to these threats in real time, you have a proactive cyber defence system.

Interacting with the intruder is a core tactic in our proactive defence strategy, but there are many closely related tactics and techniques. These range from cyber deception (presenting attackers with fake opportunities or obstacles) to gating criteria (e.g. how you ensure you don’t waste your resources on undetermined attackers, who would have gone away after being blocked). If you want to read more, our proactive cyber defence approach combines concepts from MITRE ATT&CK, MITRE Engage and actionable threat-informed defence techniques.
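A minimal version of the correlation, gating and escalation logic described above, added here as an illustration and not Liarbird's own code: it groups constructed block events from three sensors by source address and only escalates to interaction once an actor has been blocked repeatedly across more than one sensor within a window. The sensor names, thresholds and sample events are assumptions.

```python
"""Escalating response gate over correlated block events (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): sensor, timestamp, source IP, action.
SAMPLE_EVENTS = [
    ("firewall", "2024-05-01T09:00:00", "203.0.113.7", "scan_blocked"),
    ("firewall", "2024-05-01T09:00:05", "203.0.113.7", "scan_blocked"),
    ("cloud_idp", "2024-05-01T09:12:00", "203.0.113.7", "login_failed"),
    ("cloud_idp", "2024-05-01T09:12:30", "203.0.113.7", "login_failed"),
    ("web_proxy", "2024-05-01T09:40:00", "203.0.113.7", "site_blocked"),
    ("firewall", "2024-05-01T10:00:00", "198.51.100.9", "scan_blocked"),
]

# Gating criteria (assumed thresholds): an actor is treated as determined only
# after repeated blocks seen by more than one sensor inside the window.
WINDOW = timedelta(hours=2)
MIN_BLOCKS = 3
MIN_SENSORS = 2


def correlate(events):
    """Join the dots: group block events by source address across all sensors."""
    tracks = defaultdict(list)
    for sensor, ts, src, action in events:
        tracks[src].append((datetime.fromisoformat(ts), sensor, action))
    return tracks


def classify(track, window=WINDOW, min_blocks=MIN_BLOCKS, min_sensors=MIN_SENSORS):
    """Return the escalation tier for one source's track of events."""
    track = sorted(track)
    latest = track[-1][0]
    recent = [e for e in track if latest - e[0] <= window]
    sensors = {sensor for _, sensor, _ in recent}
    if len(recent) >= min_blocks and len(sensors) >= min_sensors:
        return "engage"   # determined actor: keep them talking, hand to the deception layer
    if len(recent) >= 2:
        return "watch"    # persistent on one sensor: keep correlating, spend nothing more yet
    return "block"        # one-off noise: blocking alone is the right cost


def plan_responses(events):
    """Map each source address to the response tier the gate selects for it."""
    return {src: classify(track) for src, track in correlate(events).items()}


if __name__ == "__main__":
    for src, tier in plan_responses(SAMPLE_EVENTS).items():
        print(f"{src}: {tier}")
```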
