Skip to main content
Join Trailblazers for Dreamforce 2024 in San Francisco or on Salesforce+ from September 17-19. Register now

Implement Active Defense Strategies

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe active defense frameworks.
  • Explain ways to implement active defense strategies in the energy sector.

Active Defense Frameworks

MITRE Engage 

Today’s attackers use advanced techniques such as “living off the land”--the use of legitimate tools and programs already present on a targeted system instead of installing additional malicious software—to bypass endpoint defenses. For instance, if an attacker gains access to a Windows machine, the attacker can use the Windows Command Prompt or PowerShell console to execute commands that allow them to gather information about the system, escalate privileges, and perform other malicious activities without downloading any external software.  

MITRE Engage is an active defense framework for planning and executing threat emulation activities, which involves simulating realistic cyberattacks to identify vulnerabilities and weaknesses in an organization’s security infrastructure. Additionally, the MITRE platform provides intelligence-driven insights to help teams create more effective risk mitigation strategies through a four-phase approach. 

  1. Assess: Evaluate their security status by conducting vulnerability assessments and threat modeling.
  2. Prioritize: Prioritize their remediation efforts based on data-driven insights.
  3. Develop: Enhance their defensive capabilities by exposing vulnerabilities and evaluating adversary techniques.
  4. Mitigate: Use intelligence-based insights to help organizations create more effective risk mitigation strategies, enabling them to respond quickly to emerging threats and reduce the impact of cyberattacks.

Below is an example of a matrix of engagement actions that can help defenders implement strategies against adversaries.The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is referenced to provide the tactic/technique used by the adversary during the cyberattack.

Adversary Goal

MITRE Engage Goal

MITRE Engage Approach

 MITRE Engage Activity

MITRE ATT&CK Technique

Active Defense Strategy 

To move laterally to other systems.

To negatively impact the adversary’s operations.

DISRUPT

Impair an adversary’s ability to conduct their operation as intended.

NETWORK MANIPULATION 

Make changes to network properties and functions to achieve a desired effect.

LATERAL TOOL TRANSFER

Adversaries transfer files between systems in a compromised environment. They also copy files from one system to another to install their tools or other files during their operation.

Make it harder for adversaries to achieve their goals by forcing them to change their tactics or stopping them completely (for example, limiting the ports and network requests allowed). 

Active Cyber Defense Cycle (ACDC)

The active cyber defense cycle (ACDC) is another active cyber defense framework designed to help organizations protect their networks from cyber threats. Its four phases work together to maintain security, contributing to the safety and reliability of operations. The four phases are:

  1. Reconnaissance: Gathering intelligence and information about potential threats and attackers, such as their tactics, techniques, and procedures (TTPs).
  2. Active defense: Actively defending against attacks by implementing measures such as intrusion detection and prevention systems, threat hunting, and incident response plans.
  3. Counteraction: Taking steps to disrupt or thwart an attacker's activities, such as blocking their access or disrupting their communication channels.
  4. Intelligence gathering: Analyzing and learning from the attack to improve future defenses, such as identifying new attack patterns or vulnerabilities and implementing countermeasures.

Consistent use of this framework helps security personnel develop over time and avoid looking at defense as a series of single encounters with an adversary, but rather as a prolonged process where growth and innovation can take place. This cycle ensures that security personnel of various talents are contributing to the same strategy and are working together. Ultimately, this framework ties into the organization’s business goals.

The ACDC and MITRE Engage can work together to help organizations improve their cybersecurity posture by proactively identifying vulnerabilities and weaknesses in their networks and responding to potential threats to the business.

Active Defense in the Energy Sector

Security practices and principles for enterprise IT vs OT/ICS environments are not identical, even though there may be some overlap. These environments differ in terms of their systems, technologies, missions, risk surfaces, attack vectors, impacts, and approaches to incident response.

The active defense strategies listed below can empower security personnel in the energy sector to monitor their organization’s infrastructure, identify threats, and neutralize them before they impact operations. 

Six-stage process describing how the adversary gains unauthorized access to a target network and moves laterally to gain more access within the network.

Active Defense Tool/Strategy

How Can It Be Used by Security Teams in the Energy Sector

HoneyHoneypots, honeynets, and sandboxes

Mimic a target, attract cyberattacks, and Lure attackers away from critical systems and toward less-important parts of the network, while also collecting information about the attacker’s tactics and techniques. (However, OT/ICS honeypots need to be carefully configured to avoid affecting the actual operations of the system.) 

AI-powered solutions

Quickly identify abnormal traffic patterns, unauthorized access attempts, or suspicious behavior to automatically generate threat intelligence reports and alerts for hard-to-secure OT assets.

Threat monitoring systems

Analyze data from a wide variety of sources, including ICS sensors, controllers, and other devices to quickly detect anomalies and threats. 

Beacons

Detect unauthorized devices and communications in OT networks while also monitoring physical processes and systems. This can involve using sensors to collect data from elevators, lighting, HVAC, temperature, pressure, or other physical variables, or structures attached to a building. 

Botnet takedowns

Work with law enforcement and other organizations to take down botnets that may be used for cyberattacks. By disrupting the infrastructure used by attackers, security teams can reduce the risk of future attacks.

Sanctions

Deter attackers and hold them accountable for their actions. By imposing economic and other penalties on countries and organizations that engage in cyberattacks, the energy sector can send a strong message that such behavior will not be tolerated. 

This approach can be particularly useful in preventing foreign state-sponsored attacks or attacks from cybercriminal groups that operate in specific regions. 

Sanctions can also be used to restrict the importation of potentially compromised hardware or software from certain countries.

Active defense is a proactive approach to cybersecurity that does not replace traditional cybersecurity but rather adds a set of tactics that make it harder for attackers to succeed in accomplishing their goals. To achieve resilience, the energy sector must have robust cyber defense strategies in place that help to minimize the impact of cyberattacks, ensure the continued operation of critical infrastructure, and protect the safety and well-being of the public.

Sum It Up

In this module, you’ve been introduced to active cyber defense in the energy sector. You’ve learned how to define passive and active defense, and how to apply active defense strategies in OT/ICS environments.

Interested in learning more about cybersecurity roles and hearing from security professionals? Check out the Cybersecurity Career Path on Trailhead.

Resources