Active cyber defence tips the scales back in favour of the enterprise

John Powell & Alex Dolan

Principal Consultant | Senior Security Consultant


Too often cyber attackers seem to have the upper hand. But we now have a new approach to an old technique that can reduce the time taken to detect a cyber breach. With the right skills your organisation can turn this visibility into intelligence and with the right maturity, the intelligence into improving defences.

Cybersecurity Ventures[1] estimate cybercrime will be a US$6 trillion hit to the global economy in 2021. Here at home, the ASX 100 Cyber Health Check[2], a survey of how Australia’s largest publicly listed companies view and manage their exposure to information security, found just 43% of boards are confident their company is properly secured against cyber attacks, while almost two-thirds say attempts at malicious cyber activity against their companies have increased over the last year.

The money, time and energy needed to run first-class enterprise digital security always far exceed the costs borne by the opportunists who use scripted exploits and phishing schemes to cheat their way into our systems. The pandemic, and the resulting shift to the digital world to live, work and play, has not only added to organisational stresses but also fed new Coronavirus-related phishing and malware attacks. It is clear that the more we rely on technology, the more proactive our cybersecurity posture must be, so that we are not simply waiting to become a cyber-crime victim.

As long-time cybersecurity professionals, we’re particularly excited to see a new approach to an old security technique that was once resource intensive and didn’t see a lot of action. Advances in server technologies have lowered the threshold to entering the world of cyber deception, where we can consume the cyber criminals’ most precious resource, time, while we monitor their actions.

The effectiveness of these new active cyber defence techniques could also be leveraged for greater good across the Australian cyber security community, but this would rely on an effective framework for threat information sharing.

Active and Passive Defence

It’s important to understand where active cyber defence differs from passive cyber defence and how it stops short of being offensive.

Passive defence includes the protective measures we are already familiar with: anti-virus, firewalls and proxy systems. It also includes penetration testing for assurance and the newer zero-trust networking concepts, as these are direct protective measures.

Although passive defences require continuous effort to keep them well maintained at all times, following the Essential Eight[3] remains the best advice for Australian organisations to deal with the majority of cyber threats.

Active defence is where we engage with the cyber criminals through the use of deception technologies. Honeypots and decoys detect and monitor their activity in real-time.

Active defence is not a replacement for strong passive defence. In fact, maturing passive defence should always be prioritised over active defence. For organisations that have a mature approach to cyber security and are looking for a way to gather intelligence that can be fed back into the design of these passive security systems, active cyber defence is the next step.

Active techniques offer a diversion tactic that makes the cyber-criminal think they’re on to something of value. But it will take them a lot of time and effort before they realise they’ve hit a decoy.

Offence is the domain of the Australian Signals Directorate (ASD), the Australian Security Intelligence Organisation (ASIO) and the Australian Defence Force (ADF). It is illegal for other entities to undertake such a strategy.

What are the 'new' active defence strategies?

Old honeypot techniques required security teams to build and maintain individual decoy systems. It was time and resource intensive and distracted some of the security analysts from developing and maintaining protective security measures. With automation, virtualisation and machine learning now at our disposal, a new breed of honeypot has become viable.

Honeypot automation means it takes far less effort to launch an active strategy, while the quality of the honeypots makes it very difficult for cyber-criminals to notice they’ve been misled. A scan of your own network shows which types of honeypot will look realistic and not out of place, and with virtualisation they can be set up to appear almost anywhere on the network.

If you want to set up a completely separate environment that cyber criminals might take an interest in, honeypots can be deployed within another element of the active cyber defence landscape: synthetic systems. They look like the real thing, except they’re not; just another fake and another waste of time for the cyber criminals.

For a cyber-criminal to notice they’ve been fooled, they need to slow down and look carefully. But slowing down is what costs them time and effort, which reduces their black market return on investment.

Monitoring cyber criminals in these virtualised fake systems can also help us to learn valuable lessons on techniques and tools, and how they are maliciously applied against an environment that has been modelled on your existing environment. With the right sharing framework, this intelligence can be shared with other cyber security practitioners.

The last step along the active cyber defence path is to use this intelligence to build better defences. This step requires all of the passive defence measures and the previous active defence measures to be in place, along with the maturity and skill to convert this intelligence into continuous improvement.

It is also important to see that this active defence footing can work well alongside the latest zero-trust and Secure Access Service Edge (SASE) secure networking techniques and technologies. Human error remains a great risk to corporate security, and in an active defence system we can lay out ‘breadcrumbs’ on user devices. Should a cyber-criminal breach a user device through phishing or other means, their investigations should lead them toward a honeypot rather than toward your crown jewels. Additionally, the ‘breadcrumbs’ deployed on these user devices can be used as triggers by a Security Operations Centre (SOC). Any access attempt using known fake credentials will indicate where an attacker has a foothold within the environment.
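The breadcrumb-as-trigger idea above can be expressed as a simple SOC detection rule: register every decoy credential together with the device it was planted on, then match authentication events against that registry. The following is an added example, not code from the authors or from any deception product; the log line format, the field names and the decoy account names are constructed for illustration.

```python
"""Honey-credential (breadcrumb) alerting over authentication logs.

Added example. A SOC keeps a registry of the decoy credentials planted on
user devices; any authentication attempt with one of them, successful or
not, is a high-confidence alert, and the device the credential was planted
on points to the attacker's likely foothold.
"""
import re
from dataclasses import dataclass

# Constructed registry: decoy username -> device the breadcrumb was planted on.
BREADCRUMBS = {
    "svc_backup_admin": "LAPTOP-FIN-0142",
    "db_readonly_legacy": "LAPTOP-HR-0077",
    "sa_fileshare": "WKS-ENG-0311",
}

# Constructed sample authentication events; the key=value layout is assumed.
SAMPLE_LOGS = """\
2021-06-03T09:12:41Z auth host=fileserver01 src=10.20.31.15 user=alice result=success
2021-06-03T09:13:02Z auth host=fileserver01 src=10.20.31.15 user=alice result=success
2021-06-03T11:47:19Z auth host=sqlhoney02 src=10.20.44.8 user=db_readonly_legacy result=failure
2021-06-03T11:47:25Z auth host=sqlhoney02 src=10.20.44.8 user=db_readonly_legacy result=failure
2021-06-03T11:48:01Z auth host=backupsrv01 src=10.20.44.8 user=svc_backup_admin result=success
2021-06-03T12:02:55Z auth host=fileserver01 src=10.20.31.22 user=bob result=failure
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    host: str
    user: str
    result: str
    planted_on: str  # device whose breadcrumb was used


def parse_line(line):
    """Return the event fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_breadcrumb_hits(log_text, breadcrumbs=BREADCRUMBS):
    """Every use of a registered decoy credential becomes an Alert.

    Failed attempts count too: a legitimate user never has a reason to
    try a decoy account, so the result field does not lower confidence.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["user"] not in breadcrumbs:
            continue
        alerts.append(Alert(ts=ev["ts"], src=ev["src"], host=ev["host"],
                            user=ev["user"], result=ev["result"],
                            planted_on=breadcrumbs[ev["user"]]))
    return alerts


def footholds(alerts):
    """Map each source address to the set of devices whose breadcrumbs it used."""
    out = {}
    for a in alerts:
        out.setdefault(a.src, set()).add(a.planted_on)
    return out


if __name__ == "__main__":
    hits = find_breadcrumb_hits(SAMPLE_LOGS)
    for a in hits:
        print(f"{a.ts} ALERT decoy={a.user} src={a.src} target={a.host} "
              f"result={a.result} breadcrumb_from={a.planted_on}")
    for src, devices in footholds(hits).items():
        print(f"likely foothold: {src} used breadcrumbs from {sorted(devices)}")
```

Because each decoy account is unique to one device, a single event is enough to name the compromised endpoint; in the constructed data the source 10.20.44.8 has used breadcrumbs planted on two different laptops, which tells the SOC the attacker has already moved beyond the first foothold.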

Stronger together

Active defence does not replace passive defence but is an extension for those with the process maturity and the skill to utilise the benefits that active defence brings to the table. In fact, applying active defence technology without strong passive defence in place may give you visibility of crimes as they occur, but will not necessarily improve your ability to stop them.

The key takeaways are that strong passive defence and mature security governance form the foundation for active defence, and that the skill to understand the criminal’s activity turns the output of your active defence into actionable intelligence.

For an organisation that is looking to head down the path of active defence, a pilot study is simple. A small number of honeypots can be placed around your network or in a synthetic environment that is built to look like your network. Activity within these honeypots will give you some solid insights into how the cyber-criminals work and what their objectives are.
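What a pilot produces is a stream of honeypot interactions, and the insight comes from summarising them: how long each intruder spent (the time the deception consumed), which decoys they touched and what their commands suggest they were after. The following is an added example, not code from the authors or from any honeypot product; the session records, event names and the command-to-objective heuristics are constructed for illustration.

```python
"""Summarising pilot honeypot telemetry into dwell time and objectives.

Added example. Each record is (timestamp, source, honeypot, event, detail);
the layout mimics what a low-interaction honeypot might log but is assumed,
not taken from any specific tool.
"""
from collections import defaultdict
from datetime import datetime

# Constructed session records from two decoys in a pilot deployment.
SESSIONS = [
    ("2021-06-03T11:46:50Z", "10.20.44.8", "sqlhoney02", "connect", "tcp/1433"),
    ("2021-06-03T11:47:19Z", "10.20.44.8", "sqlhoney02", "login", "db_readonly_legacy"),
    ("2021-06-03T11:52:03Z", "10.20.44.8", "sshhoney01", "connect", "tcp/22"),
    ("2021-06-03T11:52:40Z", "10.20.44.8", "sshhoney01", "command", "whoami"),
    ("2021-06-03T11:53:10Z", "10.20.44.8", "sshhoney01", "command", "uname -a"),
    ("2021-06-03T12:04:22Z", "10.20.44.8", "sshhoney01", "command", "cat /etc/crontab"),
    ("2021-06-03T12:15:58Z", "10.20.44.8", "sshhoney01", "command", "find / -name '*.bak'"),
    ("2021-06-03T12:31:07Z", "10.20.44.8", "sshhoney01", "disconnect", ""),
    ("2021-06-03T14:01:00Z", "10.20.9.201", "sshhoney01", "connect", "tcp/22"),
    ("2021-06-03T14:01:05Z", "10.20.9.201", "sshhoney01", "disconnect", ""),
]

# Constructed heuristic: substrings of a command that hint at an objective.
OBJECTIVE_HINTS = {
    "recon": ("whoami", "uname", "hostname"),
    "persistence": ("crontab",),
    "data_discovery": ("find ", "grep "),
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def classify_command(cmd):
    """Coarse objective label for one command; first matching category wins."""
    for objective, needles in OBJECTIVE_HINTS.items():
        if any(n in cmd for n in needles):
            return objective
    return "unknown"


def summarise(records):
    """Per-source summary: dwell time in minutes, decoys touched, objectives, commands."""
    by_src = defaultdict(lambda: {"first": None, "last": None, "honeypots": set(),
                                  "objectives": defaultdict(int), "commands": []})
    for ts, src, honeypot, event, detail in records:
        t = parse_ts(ts)
        s = by_src[src]
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
        s["honeypots"].add(honeypot)
        if event == "command":
            s["commands"].append(detail)
            s["objectives"][classify_command(detail)] += 1
    return {
        src: {
            # Time the intruder spent inside the deception, first to last event.
            "dwell_minutes": round((s["last"] - s["first"]).total_seconds() / 60, 1),
            "honeypots": sorted(s["honeypots"]),
            "objectives": dict(s["objectives"]),
            "commands": s["commands"],
        }
        for src, s in by_src.items()
    }


if __name__ == "__main__":
    for src, summary in summarise(SESSIONS).items():
        print(src, summary)
```

In the constructed data one source spent over forty minutes across two decoys and progressed from reconnaissance to looking for backup files, while the other connected and left within seconds; the first is the kind of session worth a full review, and the objective counts are the raw material for deciding which passive controls to strengthen.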

We’re excited to see the resurgence of the humble honeypot and look forward to an increased adoption of this technology and capability to disrupt cyber-criminal activity. We’re also keen to see better sharing of threat information to provide community benefit above and beyond organisational benefit.



[1] Australian Securities and Investments Commission (ASIC), 2018, "Cyber resilience", 17 December
[2] Australian Securities Exchange (ASX), 2017, "ASX 100 Cyber Health Check Report", April
[3] Australian Government, 2020, "Essential Eight", June