Feeling Some Vertigo in The Cloud?
Time for a Barrel Roll.

Things are a bit different up in the cloud. Uncertainty can set in. Storms can hit without warning causing the best of controls and monitoring radar to go haywire, and soon enough you could be in a stall out, not knowing up from down. What’s scarier is that even the most advanced fighter jets are vulnerable to electromagnetic effects from storms which could lead to a free fall from that dark and stormy cloud with a very sudden impact.

What then, is our best bet to weather the storm? Today’s cyber storm cloud, of course, is not made of torrents of rain, but of cyber attacks boring through like lightning. With big clouds comes the opportunity for big breaches, and millions in damage due to a strike from these lightening attacks.

For the answer to our question, I turn to a timeless quote from Dusty Miller, USAF: “Man’s flight through life is sustained by the power of his knowledge.” The trouble is, we live in a dark age of doubt. Trusted, actionable information to power our knowledge bases is much harder to establish and protect, due to changes in technology, smart and nimble enemies, and complexities in navigating our direction.

No, our flight in the clouds can now only be guided with a strategy that can see beyond the grey horizon, predicting the storm clouds that are ahead. We must invest in a new and more agile squadron of adaptive security capabilities designed to fight advanced cyber threats:  using stealth and maneuver to avoid attacks, seeking out and disrupting attacks before they cause damage, vigilantly surveilling the environment for indicators of changes to the cyber climate, and being on constant guard for zero day surprise lightening attacks. Waiting to see if a storm will arrive or pass safely overhead is no longer an option. It’s time to train our top guns to not only defend swiftly, but also recon and maneuver, camouflage activities, and adapt defenses to the terrain and threats that we face. It’s time for active cyber defense.

The Superhero: ACD Gives Your Cybersecurity Wings

Active cyber defense (ACD), also known as adaptive security, is a rapidly emerging branch of cyber security that integrates and enhances several cyber intelligence, cyber protection, and cyber analytics technologies to proactively and predictively combat cyber attacks and protect data assets. Within the evolutionary line of cybersecurity species, ACD’s dynamic and proactive approach charges ahead of its closest ancestor, defense-in-depth, (which was  limited by its static and reactive nature) and steps out of the jungle, upright and spear in hand. ACD enables a fuller situational context, which allows for greater precision and speed in cyber responses. ACD makes extensive use of automated courses of action, leveraging the resiliency of intelligent networks and the agility that virtualization offers to disrupt the attacker’s kill chain.  Through the innovative combinations of intel-based defenses, “three D” implementations, intelligent networks, automated orchestrations, agile cloud security, and adaptive endpoints, ACD adopters gain greater versatility and a wealth of benefits.

Among those benefits are fewer surprise attacks, fewer compromises, the ability to restrict the spread of attackers’ penetrations into your networks, and the ability to reduce your exposure to attack.  ACD holds significant promise as a deterrent since it raises the work factor required on behalf of the attacker, who often will look somewhere else for easier targets to attack.

The Unique Benefits of ACD:
Proactive, Adaptive, Predictive

Consider the following situations:

1. A woman takes a vitamin, stretches, and goes for an early morning jog before eating a hearty breakfast and going to work.
2. A company’s HR department actively screens resumes, fields complaints, establishes educational programs, and runs a social committee.
3. A politician at a networking function is briefed by his staffer with the key information nuggets that he needs to convince a fellow politician named Charlie to support his bill, while also reminding him that Charlie has a crazy eye – “Make sure to look in his left eye, that’s the good one, remember left is right, right is wrong.”

At first glance, these situations may seem to have nothing in common. But actually, each of the examples above shows the benefits of being proactive. The woman who got a healthy start to her day feels energized and is more productive at work. The HR department not only mitigates potential problems with angry employees by fielding complaints and keeping resumes on file, but also keeps them happy by improving skills with education and cultivating a sense of positive morale with the social committee. And the politician? Well, he probably ended up looking in the wrong eye anyway.

What makes ACD so powerful, is that, more than any other approach to cybersecurity, its approach is very proactive. Think of ACD as the jiu jitsu of cybersecurity. In jiu jitsu, the opponent’s attacks are used against them, and defensive counters seamlessly turn into offensive maneuvers. Throw a punch, and you’ll be thrown. ACD techniques not only counter and defend from cyber attacks, but also use deceptive moves to set up the threat and anticipate any future moves. This metaphor also highlights two other benefits of ACD: Its stance allows it to be fast on its feet and adaptive, while its utilization of analytics allows it to think ahead and be predictive.

Why We Need ACD: Villains in the Shadows, Needles in the Haystack

But is that enough? Will active cyber defense live up to the challenges of today’s cyber storm? Or will thousands of Red Baron cyber villains shoot it down?

Over my last 20 years in the space, I have seen dozens of new approaches for cybersecurity rise and fall, ultimately unable to meet the challenges of protecting valued assets. The common pitfall, if there is one, is that the bad guys have tended to prove more malleable and nimble. Other factors come into play as well, such as bureaucracy and complacency, misunderstanding and miscommunication. Possibly the angle of the sun and the Coriolis effect. Also, if the darn thing is plugged in.

So far, cyber attackers have been successful in rapidly adapting to the changes in the defense perimeter as cloud adoption, mobility, inter-enterprise web services, and the expansion of the internet have decimated the notion of an enterprise DMZ. The demilitarized zone has been rendered almost useless since there’s no confidence that it’s fulfilling its protective duties. The bouncers are confused. It matters less and less whether you’re wearing the right color wristband, carrying a valid ID, or whether your name’s on the list for tonight or not. Everybody’s going in through the backdoor anyhow.

Furthermore, technological changes in the computing and business environments have made it a more challenging game of cat and mouse to find anything, let alone pinpoint a needle in a haystack. In general, attack surfaces have widened. Cyber sensors, while pumping out lots of data, are blinded by the advanced stealthy tactics of cyber adversaries.  Plus, cyber threat players are incentivized by increasingly rich rewards of a sophisticated underground economy of exploits, stolen credentials and intellectual property, and other ill-gotten gains.

Traditional cyber protections do not fare well in this new dynamic environment, like knives brought to a gun fight. So the upgraded designs to cyber defenses logically must focus on security approaches that are proactive, distributed, and responsive in order to quickly detect, prevent, mitigate, and recover from attacks.

But how?

Inside the Cockpit: How ACD Works

Glad you asked.

ACD builds upon current cybersecurity best practices, such as multi-perimeter security, defense-in-depth, and continuous monitoring, but advances a few steps further. It converts underlying security infrastructure from a static, fixed, and reactive model to a dynamic, agile and proactive one. Active cyber defenses aggregate and process raw cyber intelligence, sensor data, and asset state information through a cybersecurity analytics engine.  Cyber command and control (C2) systems constantly mine the output for actionable and insightful intel that can help predict attacks and pinpoint defensive weaknesses. The cyber C2 system orchestrates a highly automated workflow (which is essentially a big “OODA” loop) that can change responses on the fly to address the specific threat. This adaptive security model can more closely monitor, detect, and counter the adversary’s tactics in real-time, resulting in a more fluid alignment to an enterprise’s mission assurance goals.

The OODA Loop workflow, while a bit more complicated than Lather-Rinse-Repeat, is still a simple spiral process, with feedback informing and improving the next iteration. It bares similarities to Feel-Think-Do, the everyday decision-making process for shopping.

1. Observe: Threat intelligence data is collected and coordinated in a way that produces scalable and rapid situational awareness to better predict attacks. Sensor events are monitored, captured, and correlated to pinpoint critical security problems. Attackers’ Tactics, Techniques, and Procedures (TTPs) are captured.
2. Orient: Real-time diagnostics are applied to the intelligence to classify, contextualize, and prioritize cyber events, and analytics aid the evaluation of the defensive posture and possible attack consequences.
3. Decide: Adaptive and integrated responses are identified for efficient incident mitigation, speedy vulnerability patches, and effective damage containment while still aligning to mission performance goals. Then the decided course of action (COA) is prioritized, sequenced, and published to control points.
4. Act: Finally, the mitigation and response services are orchestrated and executed across control and policy enforcement points, and attack and endpoint state information are shared.

An active cyber defense system leverages and fine-tunes the OODA Loop towards 3 main advantages that ultimately tighten security and bolster results:

1. Shorter incident response time. The severity of impact from a cybersecurity incident is typically minimized if there is less time elapsed from the breach to detection, and from that to a  mitigation response. Active cyber defenses improve incident responsiveness through better quality, more precise decision-making based on context-enriched incident data, along with the time savings gained by accelerating the OODA loop through the automated orchestration of incident response workflows, redirection of flows, and platform reconfigurations.

2. Earlier and more effective cyber kill chain disruption. This reduces the likelihood of successful breaches, or at a minimum, delays the attacker long enough for positive detection and proactive responses. ACD offers a range of kill chain disruption methods, among them

• threat-sharing forums and security intelligence sources that yield early warnings,
• predictive analytics that hone in on possible attack vectors and targets,
• the deployment of cyber maneuver,
• the operation of adaptive endpoint controls,
• and the usage of deception tactics also help to disrupt the attacker kill chain while ferreting out attackers’ TTPs.

3. Convenience and efficiency with a more self-directing system. Ultimately, the desired outcome from ACD is a semi-autonomic security system that separates out the complexity of the underlying infrastructure and reduces manual intervention in the incident response process. This reduction is especially significant at the configuration level, and is enabled across domains in an enterprise/cloud/hybrid cloud environment.

Who Will Win?

So, will the ACD squadron outlast and outsmart the cyber nemesis to dominate the cyber skies? Or will they crash and burn?

You’ll be able to answer that for yourself by following the battle here on this blog. This blog is dedicated to all players in the active cyber defense space, whether cyber defense companies, cyber security professionals, or… secret governments in white vans.

• I’ll cover everything from active cyber defense technologies, to current research, industry events and trends, the latest products, success stories and failures, implementation techniques, problems and solutions, hypotheticals and even suggested scenarios and questions. (That’s right, I want your input.)
• I’ll speak specifically to each of the 6 main capability areas, and how you can leverage active cyber defense in your neck of the woods.
• And finally, I’ll uncover what I’ve learned in my experience over the last 20+ years or so, and make recommendations and informed guesstimates of what the next 20 may reveal. (But heck if I’m not retired by then.)

The future of cybersecurity is shrouded in uncertainty. But I will tell you 3 things that are for certain:

1. The cyber security game has changed, in that what is being defended has no perimeter, no foul line, it’s a broader field, and the players in the field can no longer keep up with the players at bat.
2. What used to be enough is not enough, and law of escalation will continue to drive the game until somebody’s got their palm on top of the bat.
3. And if we don’t try to adapt, we’ll be buried six feet under the pitcher’s mound before we realize that we’ve struck out.

When it comes to ensuring the future of cybersecurity, we can’t afford to miss the flight. In my opinion, with cyber C2 systems for its engines, intelligent networks as its wings, ground control providing detailed forecasts and intelligence about our adversaries, and the right pilots, the flight of cybersecurity will be sustained by the adoption and integration of active cyber defense.

(Except by then it’ll probably be a drone, so maybe scratch those pilots.)

Thanks for reading and keep adapting.

Coming Up…

I’ll break it down more for you and get into the nitty gritty of the 6 specific capability areas of active cyber defense:

1. Intel-based Defenses
2. The Three Ds (Detection, Deception & Delay)
3. Intelligent Networks
4. Automated Orchestration
5. Agile Cloud Security
6. Adaptive Endpoints

What Are Your Thoughts?

Feel free to join the conversation in the comments below, follow, or check back every week or so for the latest updates in active cyber defense. To find out how you can get even more involved, feel free to contact me here.