Active Defense 101

By: Carolyn Crandall, Chief Deception Officer/CMO

From Sun Tzu to George Washington, some of the greatest military strategists in history have lived by the philosophy that “the best defense is a good offense,” and the proverb also rings true when it comes to IT security. At Attivo, we see “good offense” as an active defense. In cybersecurity, active defense is a critical part of a solid security strategy – no matter the industry or size of the company. To better understand what exactly active defense is, how it works, and how organizations can benefit from it, check out our active defense playbook:

What is active defense?

The World Economic Forum defines “Active Defense” as a term that captures a spectrum of proactive cybersecurity measures that fall between traditional passive defense and offense. Attivo takes this a step further and believes that the most effective Active Defense incorporates offensive countermeasures that can be applied within cybersecurity to outmaneuver an adversary and increase their cost of attack.

What does active defense do?

Within cybersecurity, these actions are designed to slow down, derail, and build proactive defenses against the enemy so they cannot advance or fulfill their attack. The concept is based on increasing the probability of an attacker making a mistake and revealing their presence within the network. It also raises the risk of the cyber-adversary as they waste time in a misleading environment, falling prey to ambiguity or blocks that force them to start over or find an easier target altogether.

How does active defense work?

An Active Defense strategy changes the asymmetry of an attack, giving defenders the upper hand against attackers. This approach, driven by deception technology, is designed to detect a threat actor early in their activity by obfuscating the attack surface with realistic device decoys, attractive bait, and breadcrumbs that misdirect the attack. The deception environment tricks the attacker or malware into engaging and leads them to believe they are escalating their attack, when in fact they are wasting their time and actually providing threat, adversary, and in some cases counterintelligence to the defender. The forensic information gathered can then be applied to prevention, isolation, and threat hunting defenses to stop a live attack, find forensic artifacts, and prevent the attack from resurfacing. For a full Active Defense, the activities don’t stop at detection, but provide equal value in attack analysis, forensic reporting, and automations to expedite incident response.
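As an added illustration of why engagement with decoys, bait, and breadcrumbs yields high-fidelity alerts (example code, not Attivo's; the log format, deception inventory, and sample log lines are constructed):

```python
"""Detecting attacker engagement with deception assets.

Decoy hosts, bait credentials and breadcrumb files have no legitimate
users, so any touch is a high-confidence signal. Added example; the
asset inventory and log format below are constructed, not a real product's.
"""
import re
from dataclasses import dataclass

# Constructed deception inventory: nothing legitimate should use these.
DECOY_HOSTS = {"10.0.5.50", "10.0.5.51"}            # decoy servers
BAIT_ACCOUNTS = {"svc_backup_old", "adm_helpdesk"}  # bait credentials
BREADCRUMB_FILES = {r"C:\Users\Public\passwords.xlsx"}  # planted lure

# Constructed log line shape: "<ts> <event> src=<ip> [user=<n>] [dst=<ip>] [path=<p>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) src=(?P<src>\S+)"
    r"(?: user=(?P<user>\S+))?(?: dst=(?P<dst>\S+))?(?: path=(?P<path>.+))?$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    src: str       # host the activity came from (where IR should look first)
    kind: str      # decoy_host | bait_account | breadcrumb_file
    artifact: str  # which deception asset was touched

def detect_deception_engagements(lines):
    """Return one Alert per deception asset touched by each log line."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        f = m.groupdict()
        if f["dst"] in DECOY_HOSTS:
            alerts.append(Alert(f["ts"], f["src"], "decoy_host", f["dst"]))
        if f["user"] in BAIT_ACCOUNTS:
            alerts.append(Alert(f["ts"], f["src"], "bait_account", f["user"]))
        if f["path"] in BREADCRUMB_FILES:
            alerts.append(Alert(f["ts"], f["src"], "breadcrumb_file", f["path"]))
    return alerts

SAMPLE_LOGS = [  # constructed: benign logon, then lure file read, then bait credential use
    "2021-03-01T10:00:01Z logon src=10.0.1.20 user=jdoe dst=10.0.2.10",
    "2021-03-01T10:00:07Z smb_open src=10.0.1.20 user=jdoe dst=10.0.2.10 path=C:\\Users\\Public\\passwords.xlsx",
    "2021-03-01T10:00:09Z logon src=10.0.1.20 user=svc_backup_old dst=10.0.5.50",
]

if __name__ == "__main__":
    for a in detect_deception_engagements(SAMPLE_LOGS):
        print(a)
```

The benign first line produces nothing, while the breadcrumb read and the later use of the bait account against a decoy host each produce an alert, all pointing back to the same source host.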

Who uses active defense?

The topic of “who uses active defense” was recently a focus at the World Economic Forum, where the Department of Homeland Security identified Active Defense as a top priority for securing industrial infrastructure systems. That said, an Active Defense is not limited to military applications or to protecting energy or other critical industrial control systems. Deception for an Active Defense can be an instrumental resource within any organization’s security control stack for the benefit of early detection, changing the asymmetry of the attack, and improving overall incident response.

Why is active defense important?

It is essential to have both defensive and offensive strategies. An Active Defense adds the offense-driven actions so that organizations can proactively detect and derail attacks early and gather the threat intelligence required to understand the attack and prevent a similar recurrence. Sometimes Active Defense means striking back at an attacker, but this should be reserved for military and law enforcement that have the resources and authority to confirm attribution and take appropriate action.

Learn more about why solely implementing prevention-based security solutions is no longer a reliable line of defense against today’s sophisticated cyber attackers, and how the Attivo ThreatDefend™ Deception and Response Platform takes a comprehensive active defense approach here.
