ACD Capabilities - What's Your Cyber Health?

Being Active For Your Cyber Health

We all know that having an active lifestyle can promote good health in our physical world. The same is true for the cyber defense world. However, being active in the cyber defense world doesn’t mean working up a sweat on a treadmill next to your administrator console. Being active means getting off your virtual couch of static defenses and beefing up your cyber defenses to proactively disrupt and dismantle the cyber attacker’s kill chain. It means sharpening your senses through predictive cyber analytics to become anticipatory – to foresee and forestall your adversaries’ next moves. Just as being healthy requires awareness of what you eat, your cyber health relies on context-awareness – knowing who is on your network, why they are on your network, what they are doing when and where. Being context-aware also means knowing the state of your cyber health by monitoring the pulse of your security posture – is your immune system up-to-speed? Can you respond quickly to indicators of compromise? Are your vulnerabilities patched? Can your defenses adapt to block new attack methods? All of these elements contribute to active cyber defense and your cyber health.

Active cyber defenses (ACD) are built on top of good hygiene (continuous monitoring) and a balanced diet of multi-layer defenses. However, ACD-centric capabilities stretch beyond these basic healthy habits. There are six capability areas where active defenses can uniquely improve the overall cyber health of your enterprise.

1. Intel-based Defenses

This ACD capability area brings together a diverse set of actors – from cyber threat analysts and vulnerability researchers, to SOC and NOC operators and help desk support, to reverse engineering and forensics specialists. Each of these roles contributes to the production of actionable cyber intelligence and situational awareness regarding the security posture of the network environment. Ultimately, the purpose of this capability area is to:

deliver active cyber defenses that can mitigate the dynamic cyber threat through:

  • extraction and transformation of sensor data about vulnerabilities and intrusions,
  • fused with data from external cyber threat intelligence sources,
  • correlated to asset state data,
  • analyzed together in near real-time,
  • to produce actionable cyber intelligence,
  • to help understand anomalous behavior at endpoints and on the network,
  • to identify attacks when they occur,
  • to predict attacks (or the attacker’s next step) before they occur,
  • to identify defenses that need repair,
  • to bolster defenses to address dynamic threats,
  • to disrupt the attack chain.

Vendors of products and services that offer threat intelligence data, vulnerability information, and analytic tools – fuzzing tools, malware detection and analysis tools, intrusion detection and prevention systems, firewalls, netflow analysis and pcap tools, SIEM tools, and other network enforcement or data loss prevention tools – are all key suppliers to active cyber defense for this capability area. Note that even though the focus of this capability area is on active network defenses, many of the same intel-based concepts also apply at the endpoint level; we capture those defenses in the Adaptive Endpoint capability area.
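The fusion the list above describes (sensor data, correlated with external threat intelligence and asset state, turned into a course of action) can be sketched in a few lines. The following Python is an added illustration, not code from the original article or any vendor product; the alerts, feed, inventory, CVE placeholder and scoring weights are all constructed assumptions.

```python
# Constructed sample data; none of it comes from a real sensor, feed or inventory.
SENSOR_ALERTS = [
    {"ts": "2024-05-01T10:00:00Z", "src": "203.0.113.7", "dst": "10.0.0.5",
     "sig": "exploit attempt", "cve": "CVE-0000-0001"},
    {"ts": "2024-05-01T10:00:05Z", "src": "198.51.100.9", "dst": "10.0.0.8",
     "sig": "exploit attempt", "cve": "CVE-0000-0001"},
    {"ts": "2024-05-01T10:01:00Z", "src": "192.0.2.44", "dst": "10.0.0.9",
     "sig": "port scan", "cve": None},
]
# External CTI feed: known-bad sources and CVEs reported as exploited in the wild.
THREAT_INTEL = {"bad_ips": {"203.0.113.7"}, "exploited_cves": {"CVE-0000-0001"}}
# Asset state: criticality and which CVEs have already been patched on each host.
ASSETS = {
    "10.0.0.5": {"name": "web-01", "critical": True, "patched": {"CVE-0000-0001"}},
    "10.0.0.8": {"name": "web-02", "critical": True, "patched": set()},
    "10.0.0.9": {"name": "kiosk-3", "critical": False, "patched": set()},
}

def fuse(alerts, intel, assets):
    """Correlate each alert with CTI and asset state; return findings, highest score first."""
    findings = []
    for a in alerts:
        asset = assets.get(a["dst"], {"name": a["dst"], "critical": False, "patched": set()})
        cve = a["cve"]
        exposed = cve is not None and cve not in asset["patched"]
        # Scoring rules: (does it apply, weight, reason). Weights are illustrative assumptions.
        rules = [
            (a["src"] in intel["bad_ips"], 2, "source is a known-bad IP"),
            (cve in intel["exploited_cves"], 2, f"{cve} is reported exploited in the wild"),
            (exposed, 3, f"{asset['name']} is unpatched for {cve}"),
            (asset["critical"], 1, "target asset is business-critical"),
        ]
        score = sum(w for hit, w, _ in rules if hit)
        reasons = [why for hit, _, why in rules if hit]
        # Course of action: fix the exposure first, otherwise act on the intel match.
        if exposed:
            action = "isolate host and patch"
        elif score >= 2:
            action = "block source at perimeter"
        else:
            action = "log and monitor"
        findings.append({"asset": asset["name"], "score": score,
                         "action": action, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)
```

Note that the unpatched host outranks the alert from the known-bad source: the asset-state correlation, not the indicator match alone, is what makes the output actionable.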

2. The Three Ds: Deception, Detection, & Delay

Deception-based capabilities have been around for some time; however, they are getting better at drawing out adversaries’ tactics, they have relatively low false positive rates, and they are becoming easier to implement and maintain. Although deception may seem like a passive defense, it is actually passive-active, since it is designed to actively capture an attacker’s tactics, techniques, and procedures (TTPs) to inform active defenses. Deception is deployed in a variety of ways – from honeynets, honeypots and honey tokens or scripts, to malware detection tools that use deception methods to unmask the characteristics of stealthy malware. Often, deception tools are also deployed in conjunction with active defense tools to block, deter, delay or otherwise mitigate any malware that has been detected.

Key roles involved in leveraging and understanding deception capabilities include cyber threat analysts, application architects, network administrators, malware detection tool vendors, and digital forensics specialists. It is important for personnel fulfilling each of these roles to have significant cyber intelligence insight into what an attacker’s goals or targets may be, and how the attack chain works. Being aware of the environment in which the deception will be deployed is equally important. From this knowledge, these personnel will be able to design and operate:

deception techniques, detective mechanisms, and delay (and/or mitigation) tactics at the network and endpoint levels to:

  • unmask and block stealthy malware,
  • deceive attackers into missteps,
  • profile attackers’ TTPs,
  • gain attribution information about an attacker,
  • hide valuable assets,
  • buy time to organize counter-responses,
  • deter and delay an attacker’s efforts,
  • disrupt an attacker’s kill chain,
  • forensically discover and examine the life cycle of a stealthy exploit.

Deception tactics are used by both attackers and defenders in the cat and mouse game of cyber attack and defend. This adversarial competition constantly escalates the sophistication required by the defender to break down the attacker’s deception and to find new methods to deceive an attacker into missteps that reveal their targets and tactics.
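Honey tokens are the simplest of the deception techniques above to reason about: a planted account or file has no legitimate user, so any touch is a high-confidence alert, and grouping hits by actor gives the TTP profile the list mentions. The Python below is an added example, not code from the original article; the canary names, the sshd lines and the file-audit line format are constructed for illustration.

```python
import re
from collections import defaultdict

# Canary (honey) identifiers planted on purpose: no legitimate workflow touches them,
# so any hit is high-confidence. Names and paths are constructed for this example.
HONEY_ACCOUNTS = {"svc_backup_ro", "admin_legacy"}
HONEY_FILES = {"/srv/finance/q4_payroll.xlsx"}

# Standard sshd auth lines, plus a constructed file-audit line format (not a real tool's).
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
FILE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) fileaudit: "
    r"user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)")

def detect_honeytoken_use(lines):
    """Return one alert per log line that touches a canary account or canary file."""
    alerts = []
    for line in lines:
        m = SSH_RE.match(line)
        if m and m["user"] in HONEY_ACCOUNTS:  # even a failed login is a hit
            alerts.append({"ts": m["ts"], "host": m["host"], "src": m["src"],
                           "token": m["user"], "event": f"ssh {m['result'].lower()}"})
            continue
        m = FILE_RE.match(line)
        if m and m["path"] in HONEY_FILES:  # "src" is the acting account here
            alerts.append({"ts": m["ts"], "host": m["host"], "src": m["user"],
                           "token": m["path"], "event": f"file {m['action']}"})
    return alerts

def profile_by_source(alerts):
    """Group alerts by actor so each source's sequence of steps (a TTP sketch) is visible."""
    timeline = defaultdict(list)
    for a in alerts:
        timeline[a["src"]].append((a["ts"], a["host"], a["event"], a["token"]))
    return dict(timeline)

# Constructed log sample: one legitimate login, one actor probing canary accounts, one canary read.
SAMPLE_LOG = [
    "May  1 10:01:03 web-02 sshd[4111]: Accepted publickey for alice from 10.0.0.12 port 50122 ssh2",
    "May  1 10:02:11 web-02 sshd[4120]: Failed password for svc_backup_ro from 10.0.0.23 port 51522 ssh2",
    "May  1 10:02:14 web-02 sshd[4120]: Failed password for invalid user admin_legacy from 10.0.0.23 port 51522 ssh2",
    "May  1 10:03:40 fs-01 fileaudit: user=bob action=read path=/srv/finance/q4_payroll.xlsx",
    "May  1 10:03:41 fs-01 fileaudit: user=bob action=read path=/srv/finance/readme.txt",
]
```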

Targeted Incident Response

3. Intelligent Networks

Networks of the future will be virtual, agile and intelligent at the edge. These characteristics offer many opportunities for cyber defenses to operate proactively in the enterprise network, in the cloud network, or in mobile, distributed networks. New virtual defenses will drastically reduce the time and effort needed to detect, track, and contain attacks while also making it more difficult for attackers to recon their targets. With intelligent networks, the roles of the network administrator, system administrator, cloud provider and security administrator must be closely coordinated as responsibilities will begin to converge, especially at the network edge. Together these roles will create and manage:

virtualized network overlays and orchestrated environments that provide:

  • secure gateways and access points to the enterprise and cloud by wired and mobile users,
  • cyber maneuver and moving target defenses,
  • methods to self-organize the network into containment zones when an incident occurs,
  • ability to cloudburst to avoid deadly DDoS attacks,
  • dynamic content inspection and pattern matching through deep packet inspection,
  • virtual network security functions and service chaining capabilities to link customized security capabilities to specific virtual workloads, and which move with the workload when it migrates,
  • deep insight to the behavior of the network to find anomalous traffic and compromised devices through behavior-oriented netflow analysis and DNS/DHCP monitoring,
  • dynamic traffic engineering to route good traffic away from problems or bad traffic to honeynets and sinkholes.

Although intelligent networks are most often found with cloud providers or where Software-Defined Networks (SDN) are deployed, there are also significant advances in mobile ad hoc networks (MANETs) and the Internet of Things (IoT) that incorporate intelligent networks and where active cyber defenses can play a crucial role.

4. Automated Orchestration

This capability area provides most of the automation of contextual decision-making and coordination activities for active cyber defenses. As such, it is highly integration-intensive and, to be most effective, calls for open approaches to APIs, security policy management, and data standards. As with Intelligent Networks, it is also a capability where the roles of architects and administrators for security, network, and systems will converge, with the objective of expediting the handling of cyber-related events to quickly address pressing cyber threats. This means it is also an especially important capability for supporting the Security Incident Response Team. Ultimately, the goal of this capability area is to provide orchestration tools that:

accelerate time to action by active cyber defenses by automating the workflows that:

  • expedite the management of cyber intelligence or other cyber event data,
  • to enable contextual decision-making,
  • while working in collaboration with other infrastructure controllers and orchestrators,
  • to provision appropriate resources,
  • to direct the rapid composition of appropriate courses of action of security control points,
  • to synchronize execution of defenses by adaptive endpoints and intelligent network components,
  • to ensure secure operation of enterprise components,
  • to minimize attack impacts and collateral effects,
  • to also effect recovery and reconstitution actions.

Key products and services for this capability area include SIEM tools, Network Access Control (NAC) tools, identity and access management (IdAM) tools, extract-transform-load (ETL) tools, workflow tools, provisioning and remediation tools, and policy administration / decision / enforcement tools. The future for this capability area is towards semi- to fully autonomous capabilities that provide self-healing, self-reporting, and self-protection.

5. Agile Cloud Security

The massive scalability and elasticity of cloud services, along with self-provisioning capabilities, provide several unique advantages from an active cyber defense perspective. Foremost, these characteristics provide an agile platform for deploying defenses such as cyber maneuver and honey-based deception tactics. Additionally, cloud services such as infrastructure-as-a-service dynamically scale bandwidth allocation and server resources for the cloud. This allows the cloud to keep operating during high-traffic, demanding situations such as distributed denial of service (DDoS) attacks, as resources are increased dynamically as they are needed. Cloud services can also provide the Big Data resources needed to handle the ever-increasing volume of cyber sensor and event data. The cloud platform itself can benefit from inorganic active cyber defenses as well.

Several specialized roles are involved in the design and delivery of active defenses for the cloud. For example, cybersecurity data scientists are needed to leverage Big Data capabilities to mine for advanced persistent threats (APTs). Virtualization specialists are critical in orchestrating VM workloads and the associated virtual security protections. In summary,

cloud environments help to dynamically support and scale active cyber defenses through:

  • self-provisioning of computing and software resources,
  • big data analytics,
  • virtualized courses of action,
  • auto-scaling infrastructure elements,
  • software stack flexibility,
  • secure enclave / secure multi-tenancy support,
  • federated authentication through cloud-based, strong digital identity,
  • to enhance ACD mission resiliency and availability.

The growing number of Federal Risk and Authorization Management Program (FedRAMP) certified cloud service providers, including those certified at the moderate and high levels, provides a solid foundation for active cyber defenses.

6. Adaptive Endpoints

The form, function and connectivity of endpoints are undergoing dramatic change as mobility, cloud, BYOD, and the Internet of Things replace traditional client-server computing. The enterprise security perimeter is also dissolving and reforming around the endpoint as it becomes a conduit for attackers to gain illicit access to back-end enterprise systems. These significant shifts necessitate corresponding changes in the ways that endpoints are secured. Security administrators must begin to leverage the new adaptive capabilities that are emerging to protect endpoints from dynamic and stealthy threats, to secure sensitive data stored on the endpoints, and to protect against user errors as well. Some examples of these new active cyber defense capabilities include:

trusted, semi- and fully autonomous systems, and tailorable virtual “spaces”

  • where controls and protections are automatically composed based on the contextual environment of: the endpoint, the content that resides there, external interfacing elements, and the availability of security elements,
  • where least privilege access policies are adapted to ensure cohesive and consistent enforcement across the different layers and components of the endpoint,
  • where roots of trust are employed to enable trustworthy operations, storage, and reporting of endpoint state and identity despite working in the midst of other untrusted components,
  • where self-protecting data capabilities are provided,
  • where in-place threat detection and mitigation capabilities are provided,
  • where strong BYOI is supported and leveraged to enable a secure IoT and mobile environment.

These advanced endpoint active defense capabilities will also need to balance performance and ease-of-use requirements to see widespread adoption.

As you can tell, ACD-based capabilities can be extremely powerful and affect a large part of the IT environment; therefore, strategies using ACD capabilities must be carefully evaluated. Tell us about your plans to leverage active cyber defenses. Thanks for reading and be active for your cyber health.