Attackers have the advantage of time and initiative. They only need to be right once; defenders need to be right every time. The book flips this dynamic. By deploying active defenses, you force the attacker to be right every single step of the way. One mistake by the attacker (tripping a tripwire, touching a honeytoken) alerts the defense.
The book organizes offensive countermeasures into three primary categories designed to disrupt an attacker's progress:
Attribution: Moving beyond simple detection to identify who is attacking and what their specific tactics are. This often involves using "beacons" or "honeytokens" that alert defenders when an attacker interacts with specific files.
Redirecting malicious traffic to a controlled IP address. This prevents infected internal hosts from communicating with an external Command and Control (C2) server, and every host that tries to reach the controlled address identifies itself as infected.
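As an added example (not code from the book), the following Python shows the two defender-side halves of that redirection: generating hosts-style override records that answer known C2 domains with a controlled sinkhole address, and scanning resolver query logs for the internal hosts that asked for those names. The domain names, the sinkhole IP and the dnsmasq-style log lines are constructed placeholders.

```python
"""Added example: DNS sinkhole for known C2 domains plus infected-host triage.
Domains, IPs and log lines are constructed placeholders, not real indicators."""
import ipaddress
import re
from collections import defaultdict

SINKHOLE_IP = "10.255.255.1"          # assumed: a controlled host you own
C2_DOMAINS = {"evil-c2.example", "update.bad-cdn.example"}  # constructed

def sinkhole_records(domains, sinkhole_ip=SINKHOLE_IP):
    """Return hosts-file lines that answer each domain with the sinkhole IP."""
    ipaddress.ip_address(sinkhole_ip)       # fail fast on a malformed address
    return [f"{sinkhole_ip} {d.lower().rstrip('.')}" for d in sorted(domains)]

# dnsmasq-style query log line (sample format used by this example):
# "Jun 01 12:00:01 dnsmasq[1]: query[A] evil-c2.example from 10.0.3.17"
_QUERY_RE = re.compile(r"query\[\w+\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")

def is_sinkholed(name, domains=C2_DOMAINS):
    """True if name is a sinkholed domain or any subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def infected_hosts(log_lines, domains=C2_DOMAINS):
    """Map each internal source IP to the sinkholed names it requested."""
    hits = defaultdict(set)
    for line in log_lines:
        m = _QUERY_RE.search(line)
        if m and is_sinkholed(m.group("name"), domains):
            hits[m.group("src")].add(m.group("name").lower().rstrip("."))
    return {src: sorted(names) for src, names in hits.items()}

SAMPLE_LOG = [  # constructed resolver log
    "Jun 01 12:00:01 dnsmasq[1]: query[A] www.example.org from 10.0.3.17",
    "Jun 01 12:00:02 dnsmasq[1]: query[A] evil-c2.example from 10.0.3.17",
    "Jun 01 12:00:05 dnsmasq[1]: query[A] beacon.update.bad-cdn.example from 10.0.7.4",
    "Jun 01 12:00:09 dnsmasq[1]: query[TXT] evil-c2.example. from 10.0.3.17",
]

if __name__ == "__main__":
    print("\n".join(sinkhole_records(C2_DOMAINS)))
    for src, names in infected_hosts(SAMPLE_LOG).items():
        print(f"ALERT {src} queried sinkholed domain(s): {', '.join(names)}")
```

The benign query to www.example.org is ignored, while the two internal hosts that asked for sinkholed names (including a subdomain and a trailing-dot variant) are reported once each.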
Because waiting for the EDR alert means you’ve already lost. Active Defense means you see them when they are still reconning. You waste their time. You burn their tools. You make your network too annoying to bother with.