ACD establishes deliberately vulnerable servers on the client's network to draw attacks away from the locations where critical information is held. Human cyber defenders and the ACD platform are alerted when an active attack is taking place on the client network. The system then responds automatically, and analysts can review the incident to understand what happened, the nature of the attack and its source.
Honeypot servers can be deployed across different countries, attack vectors and specific vulnerabilities. Correlating attacks across this broad range of honeypots greatly increases the accuracy with which attacks can be attributed.
The honeypot/vulnerable servers are configured so that an attacker has to breach the honeypot actively before anything is triggered: for example, by attempting to log in to the server with a default password, scanning the server for specific vulnerabilities, or attempting to upload malicious code. A range of tripwire levels can be set within the vulnerable/honeypot server. Once a level predetermined by the client or the cyber team is reached, the ACD platform is notified and actively defends against the specific vectors under attack.
Because the breach is active on the attacker's part, a counter-attack can then take place, either through automatic response or through human intervention, including law enforcement.
Methods used to defend against the attack can include the following:
• Collection of IP/attribution information for analysis
• Collection of modus operandi of an attacker
• Report the attacker IP to relevant government bodies such as RIPE, ICANN, Nominet, or the ISP's abuse contact
• Feed collected evidence to the national cyber entity, the NCSC for example
• Post information about the attack in a white paper exposing attacker and methods
• Launch virtual machines to stress test the attackers’ internet connection
• VPN piercing methods
• Pass collected evidence to a cyber response team
• Increase defence measures on the attacked system: improve firewall rules, reduce permitted IP connections, etc.
• Place enticing files on the honeypot server with malware, call-home software to enable a counter attack
• Add the IP/IP range to firewall rules for a set period of time, denying all connections
• All active measures in the above platform would need to be approved by the nation-state or law enforcement body
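The tripwire levels described above, and the time-limited deny rule from the list, can be illustrated with the following triage routine. It is an added example, not code from the ACD platform: the honeypot log format, the event weights, the level names "notify", "harden" and "block", and the 24-hour block period are all assumptions chosen for the illustration. It parses constructed honeypot events, accumulates a score per source address, records the attacker's modus operandi for attribution, and emits a deny-all rule with an expiry once the configured level is reached; unparseable lines are counted rather than scored.

```python
"""Tiered honeypot tripwire triage.

Added example, not the ACD platform's own code. The event format, weights,
level names and the 24-hour block period are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical weights per tripwire event type, to be tuned by the client or cyber team.
TRIPWIRE_WEIGHTS = {
    "default_login": 3,   # login attempt with a default password
    "vuln_scan": 2,       # probe for a specific known vulnerability
    "upload_attempt": 5,  # attempt to place a file on the honeypot server
}

# Tripwire levels: the response taken once a source's cumulative score reaches the threshold.
TRIPWIRE_LEVELS = [
    (1, "notify"),   # alert human defenders and the platform
    (5, "harden"),   # tighten rules on the attacked vector
    (8, "block"),    # deny all connections from the source for a set period
]

BLOCK_PERIOD = timedelta(hours=24)  # assumed "set period of time" for the deny rule


@dataclass
class SourceRecord:
    """Evidence collected per attacking source, usable for attribution and reporting."""
    ip: str
    score: int = 0
    events: list[tuple[str, str]] = field(default_factory=list)  # modus operandi, in order seen
    first_seen: datetime | None = None
    last_seen: datetime | None = None
    level: str = "none"
    block_until: datetime | None = None


def parse_event(line: str) -> tuple[datetime, str, str, str]:
    """Parse one honeypot log line: '<ISO timestamp> <source ip> <event type> <detail>'."""
    ts, ip, kind, detail = line.split(" ", 3)  # ValueError if fewer than four fields
    when = datetime.fromisoformat(ts)          # ValueError on a bad timestamp
    ipaddress.ip_address(ip)                   # ValueError on a malformed address
    if kind not in TRIPWIRE_WEIGHTS:
        raise ValueError(f"unknown tripwire event {kind!r}")
    return when, ip, kind, detail


def level_for(score: int) -> str:
    """Highest tripwire level whose threshold the score has reached."""
    reached = "none"
    for threshold, name in TRIPWIRE_LEVELS:
        if score >= threshold:
            reached = name
    return reached


def triage(lines: list[str]) -> tuple[dict[str, SourceRecord], int]:
    """Score every source in the honeypot log; returns the records and the count of unparseable lines."""
    records: dict[str, SourceRecord] = {}
    skipped = 0
    for line in lines:
        try:
            when, ip, kind, detail = parse_event(line)
        except ValueError:
            skipped += 1  # malformed input is never scored, but is counted so analysts can review it
            continue
        rec = records.setdefault(ip, SourceRecord(ip=ip))
        rec.score += TRIPWIRE_WEIGHTS[kind]
        rec.events.append((kind, detail))
        rec.first_seen = rec.first_seen or when
        rec.last_seen = when
        rec.level = level_for(rec.score)
        if rec.level == "block":
            rec.block_until = when + BLOCK_PERIOD  # the block window restarts on each new hit
    return records, skipped


def deny_rule(rec: SourceRecord) -> str | None:
    """Render the time-limited deny-all rule for a blocked source, or None if it is not blocked."""
    if rec.block_until is None:
        return None
    return f"deny from {rec.ip} until {rec.block_until.isoformat()}"


def rule_expired(rec: SourceRecord, now: datetime) -> bool:
    """True once the set block period has elapsed and the rule should be lifted."""
    return rec.block_until is not None and now >= rec.block_until


# Constructed sample honeypot log (TEST-NET addresses; not real attacker data).
SAMPLE_LOG = [
    "2024-05-01T10:00:00+00:00 203.0.113.7 default_login user=admin pass=admin",
    "2024-05-01T10:00:05+00:00 203.0.113.7 vuln_scan path=/phpmyadmin/",
    "2024-05-01T10:01:10+00:00 203.0.113.7 upload_attempt name=x.php",
    "2024-05-01T10:02:00+00:00 198.51.100.23 vuln_scan path=/.env",
    "not-a-timestamp garbage line here",
]

if __name__ == "__main__":
    records, skipped = triage(SAMPLE_LOG)
    for rec in records.values():
        print(rec.ip, rec.level, rec.score, deny_rule(rec))
    print("skipped lines:", skipped)
```

In the sample, the first source trips all three levels and receives a deny rule that expires 24 hours after its last observed event, while the second source only reaches "notify"; the `events` list on each record is the collected modus operandi that a human analyst or cyber response team would review. Expiring the rule rather than blocking indefinitely matters because honeypot traffic often comes from shared or rotating addresses, so a permanent block risks denying legitimate users later.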