Here are some informative links regarding a range of Active Cyber Defense topics. Let us know if you have a few relevant links of your own that you would like to share.
Reports, Papers & Information Centers
Microsoft Malware Protection Center –
A variety of information on malware and protections.
Active Cyber Defense – A Framework for Policy Makers –
February 2013 by Irving Lachow
The Future of Information Security is Context-Aware and Adaptive –
May 2010 by Neil MacDonald Gartner Research
Framework and Principles for Active Cyber Defense –
December 2013 by Dorothy Denning
Active Defense Strategy for Cyber –
July 2012 by MITRE Corporation
Integrated Adaptive Cyber Defense (IACD) –
A strategy and framework to adopt an extensible, adaptive, commercial off-the-shelf (COTS)-based approach to cybersecurity operations. IACD increases the speed and scale of cyber defenses by leveraging automation to enhance the effectiveness of human defenders, moving them outside the response loop into a response planning and approval role “on the loop” of cyber defense. This effort is sponsored by the Department of Homeland Security (DHS) and the National Security Agency (NSA) in collaboration with the Johns Hopkins University Applied Physics Laboratory (JHU/APL). Through jointly sponsored research (in collaboration with the private sector), IACD defines a framework—including reference architectures, draft specifications for interoperability, use cases, and implementation examples—to adopt this extensible, adaptive approach to cybersecurity operations.
Proactive Defense for Evolving Cyber Threats –
November 2012 by Richard Colbaugh and Kristin Glass
The Offensive Approach to Cyber Security in Government and Private Industry –
July 2013 The InfoSec Institute / Pierluigi Paganini
Active Cyber Defense within the Concept of NATO’s Protection of Critical Infrastructures –
2014 by Serkan Yağlı, Selçuk Dal
Optimizing Active Cyber Defense –
Date? Wenlian Lu, Shouhuai Xu, and Xinlei Yi
Active Cyber Defense: A Vision for Real-time Cyber Defense –
April 2014 – Michael Herring and Keith Willett
Cyber Crime Conference 2014 –
Several presentations on adaptive security, digital forensics, and automated remediation.
The ICS-ISAC is a non-profit Knowledge Sharing Center established to help facilities develop situational awareness in support of local, national and international security. At the ICS-ISAC, facility operators, integrators, vendors, researchers and the communities they support work together to share the means and methods necessary to maintain safe and stable societies. The Center creates means for the sharing of knowledge through Human-to-Human (H2H) and Machine-to-Machine (M2M) methods.
Risk Management Framework (RMF) Knowledge Service (KS) –
DoD’s official site for enterprise RMF policy and implementation guidelines
Department of Defense Advanced Control System Tactics, Techniques, and Procedures (TTPs) Revision 1, 2017 –
USCYBERCOM developed the Advanced Control System Tactics, Techniques, and Procedures (TTPs) to provide detailed step-by-step guidance for responding to a cyber attack on a control system. The starting point is the Fully Mission-Capable (FMC) Baseline: the documentation that characterizes the control system, such as the topology diagram, enclave entry points, user accounts, server/workstation documentation, and network documentation. The Recovery Jump-Kit contains the tools the control systems team and IT team need to restore a system to its last FMC state during Mitigation and Recovery. Knowing what the recovery point should be is the key to ensuring that all known remnants of an attack have been removed from every component of the control system. In addition to the operating software for all devices, the Jump-Kit contains the hashes of the software on the networked devices and the firmware and software updates for all system devices; its checksums and hashes conform to vendor specifications, and all hardware and software are configured in accordance with operational requirements. During Recovery, the Jump-Kit is used to reimage the firmware and software running on the affected devices.
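As an added example (not part of the USCYBERCOM TTP document), the following Python performs the two hash comparisons the recovery procedure above implies: the jump-kit images are checked against vendor-published hashes before they are trusted for reimaging, and the software observed on the network is compared with the FMC baseline manifest to find what changed. Device names, image bytes and vendor hashes are constructed test data; a real jump-kit would hash the firmware and installer files on disk.

```python
"""Integrity checks around a Fully Mission-Capable (FMC) baseline.

Added example, not code from the USCYBERCOM TTP document. Device names,
image bytes and vendor hashes below are constructed test data.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(images: dict) -> dict:
    """Record the hash of every device image at the FMC point (the manifest)."""
    return {device: sha256_hex(blob) for device, blob in images.items()}


def check_jump_kit(kit_images: dict, vendor_hashes: dict) -> list:
    """Return jump-kit images whose hash does not match the vendor-published value.

    An image with no vendor hash at all is reported too: an unverifiable
    restore image must not be used to reimage a device.
    """
    bad = []
    for name, blob in kit_images.items():
        expected = vendor_hashes.get(name)
        if expected is None or not hmac.compare_digest(sha256_hex(blob), expected.lower()):
            bad.append(name)
    return sorted(bad)


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Classify each device relative to the FMC baseline manifest."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for device, expected in baseline.items():
        if device not in current:
            report["missing"].append(device)
        elif hmac.compare_digest(sha256_hex(current[device]), expected):
            report["ok"].append(device)
        else:
            report["modified"].append(device)
    report["unexpected"] = [d for d in current if d not in baseline]
    return {k: sorted(v) for k, v in report.items()}


# --- constructed sample data (not real firmware) ---
FMC_IMAGES = {
    "plc-01": b"PLC firmware v2.3 known-good",
    "hmi-01": b"HMI application build 117",
    "eng-ws-01": b"engineering workstation image 2016-09",
}
FMC_BASELINE = build_baseline(FMC_IMAGES)

# Vendor hash list covers plc-01 and hmi-01 only; the hmi image placed in the
# kit is not the build the vendor published, and eng-ws-01 is a local build
# with no vendor hash to check against.
VENDOR_HASHES = {
    "plc-01": sha256_hex(FMC_IMAGES["plc-01"]),
    "hmi-01": sha256_hex(FMC_IMAGES["hmi-01"]),
}
JUMP_KIT = {
    "plc-01": FMC_IMAGES["plc-01"],
    "hmi-01": b"HMI application build 118",
    "eng-ws-01": FMC_IMAGES["eng-ws-01"],
}

# State observed on the network during incident response: plc-01 tampered,
# hmi-01 unchanged, eng-ws-01 absent, one undocumented device present.
OBSERVED = {
    "plc-01": FMC_IMAGES["plc-01"] + b"\x00<implant>",
    "hmi-01": FMC_IMAGES["hmi-01"],
    "rogue-dev": b"something nobody documented",
}


def run_checks():
    """Return (jump-kit images failing vendor check, drift report vs. baseline)."""
    return check_jump_kit(JUMP_KIT, VENDOR_HASHES), compare_to_baseline(FMC_BASELINE, OBSERVED)


if __name__ == "__main__":
    kit_problems, drift = run_checks()
    print("jump-kit images failing vendor hash check:", kit_problems)
    for status, devices in drift.items():
        print(f"{status:10s} {devices}")
```

The drift report is only as good as the baseline: a device that is "unexpected" may be a legitimate addition the FMC documentation never captured, which is exactly why the TTPs start with the baseline rather than with the jump-kit.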
UFC 4-010-06 CYBERSECURITY OF FACILITY-RELATED CONTROL SYSTEMS Sept 2016 –
The UFC provides planning, design, construction, sustainment, restoration, and modernization criteria, and applies to the Military Departments, the Defense Agencies, and the DoD Field Activities. Historically, control systems have not included these cybersecurity requirements, so adding them increases both cost and security. The added cost is lower than the cost of applying the same requirements after design.
Information Technology-Information Sharing and Analysis Center (IT-ISAC) is a non-profit, limited liability corporation formed by members within the Information Technology sector as a unique and specialized forum for managing risks to their corporations and the IT infrastructure. Members participate in national and homeland security efforts to strengthen the IT infrastructure through cyber information sharing and analysis.
FS-ISAC, or the Financial Services Information Sharing and Analysis Center, is the global financial industry’s go-to resource for cyber and physical threat intelligence analysis and sharing. FS-ISAC is unique in that it was created by and for members and operates as a member-owned non-profit entity.
Black Hat 2014 –
There are several papers found at this site that deal with active cyber defense. Explore.
International Workshop on Adaptive Security & Privacy Management for the Internet of Things (ASPI 2013) –
This workshop site has several papers dealing with adaptive security and the Internet of Things.
Projects and Tools
NSA Project Site for Active Cyber Defense
Real-time detection and mitigation at every tier in every cyber environment require the seamless integration of cyber-defense services across program and network boundaries and the application of standards for messaging and Command and Control (C2). ACD elements complement preventative and regenerative cyber-defense efforts by synchronizing the real-time detection, analysis, and mitigation of threats to critical networks and systems. The National Security Agency’s (NSA’s) Information Assurance Directorate (IAD) contributes to the attainment of this goal by designing, developing, testing and integrating defensive capabilities for the discovery, analysis, and mitigation of threats to strategically important networks and computing facilities.
NSA IAD Guidance on Industrial Control Systems Security – a set of subpages, each offering a PDF document.
ASSET – Adaptive Security for Smart Internet of Things in eHealth –
The primary goal of the ASSET project is to research and develop risk-based adaptive security methods and mechanisms for IoT in eHealth, using game theory and context-awareness, that raise security to an appropriate level. The security methods and mechanisms will adapt to the dynamically changing conditions of IoT, including usability, threats, and diversity/heterogeneity.
IETF Security Automation and Continuous Monitoring –
This working group will first address enterprise use cases pertaining to the assessment of endpoint posture (using the definitions of Endpoint and Posture from RFC 5209).
MLSec Project –
MLSec is a project that aims to apply machine learning to assist in information security monitoring and incident detection. The vision is to create algorithms that automatically prioritize and classify potential events and attacks as something that could potentially be blocked automatically, is clearly benign, or is really worth the time of your analyst.
STIX – Structured Threat Information eXpression and Structured Data Exchange Format Implementations
These standards aim to extend indicator sharing to enable the management and exchange of significantly more expressive sets of indicators as well as other full-spectrum cyber threat information.
threatTRANSFORM, released under the MIT open source license, was created to streamline the creation of STIX datasets. It provides a templating engine for turning analysed information and sifted machine data into STIX content.
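As an added example (not code from the STIX project or from threatTRANSFORM), the following Python builds a small STIX 2.1 bundle of indicators from a constructed IOC list and validates it on the receiving side. STIX 2.1 is the current JSON form of the standard rather than the XML STIX 1.x that threatTRANSFORM targets; the sample hash and URL are made up. It shows what makes a STIX indicator more expressive than a bare hash list (a pattern, a validity window, typed metadata) and the escaping rule a generator must apply to values it places inside a pattern string.

```python
"""Generate and validate a STIX 2.1 bundle of indicators (added example).

Not code from the STIX project or threatTRANSFORM. IOC values are constructed.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed IOCs (not from any real campaign). The URL contains a single
# quote on purpose: it must be escaped inside a STIX pattern literal.
SAMPLE_IOCS = [
    {"kind": "sha256", "value": "A" * 64, "label": "dropper"},
    {"kind": "url", "value": "http://evil.example/it's.php", "label": "C2 URL"},
]

HASH_KEYS = {"md5": "MD5", "sha1": "SHA-1", "sha256": "SHA-256"}
ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$")
REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")


def stix_timestamp(dt: datetime) -> str:
    """UTC, ISO 8601, millisecond precision, trailing 'Z' (STIX 2.1 timestamp form)."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def pattern_literal(value: str) -> str:
    """Quote a value as a STIX pattern string literal; backslash and ' are escaped."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def ioc_pattern(kind: str, value: str) -> str:
    """Turn one IOC into a single-comparison STIX observation expression."""
    if kind in HASH_KEYS:
        if not re.fullmatch(r"[0-9a-fA-F]+", value):
            raise ValueError(f"non-hex {kind} digest: {value!r}")
        return f"[file:hashes.'{HASH_KEYS[kind]}' = {pattern_literal(value.lower())}]"
    if kind == "url":
        return f"[url:value = {pattern_literal(value)}]"
    if kind == "domain":
        return f"[domain-name:value = {pattern_literal(value)}]"
    raise ValueError(f"unsupported IOC kind: {kind}")


def make_indicator(ioc: dict, now: datetime) -> dict:
    ts = stix_timestamp(now)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": ioc["label"],
        "indicator_types": ["malicious-activity"],
        "pattern": ioc_pattern(ioc["kind"], ioc["value"]),
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(iocs, now=None) -> dict:
    now = now or datetime.now(timezone.utc)
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [make_indicator(i, now) for i in iocs]}


def validate_bundle(bundle: dict) -> list:
    """Structural checks a receiver should run before loading a bundle; returns problems."""
    problems = []
    if bundle.get("type") != "bundle" or not ID_RE.match(bundle.get("id", "")):
        problems.append("malformed bundle header")
    for obj in bundle.get("objects", []):
        oid = obj.get("id", "?")
        problems += [f"{oid}: missing {f}" for f in REQUIRED if f not in obj]
        if not ID_RE.match(oid) or not oid.startswith(obj.get("type", "") + "--"):
            problems.append(f"{oid}: malformed id")
        for f in ("created", "modified", "valid_from"):
            if f in obj and not TS_RE.match(obj[f]):
                problems.append(f"{oid}: bad timestamp in {f}")
        pat = obj.get("pattern", "")
        if not (pat.startswith("[") and pat.endswith("]")):
            problems.append(f"{oid}: pattern is not a bracketed observation expression")
    return problems


if __name__ == "__main__":
    bundle = make_bundle(SAMPLE_IOCS)
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle))
```

The receiver-side validation matters because shared indicators are untrusted input: a malformed id or an unbracketed pattern from a partner feed should be rejected, not handed straight to a detection engine.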
The OpenIOC Project –
OpenIOC is an open framework for sharing threat information.
IETF IODEF –
The Incident Object Description Exchange Format (IODEF) defines a data representation that provides a framework for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents.
Cuckoo is the leading open source automated malware analysis system based on a community effort.
Anubis is a web service for analyzing malware.
Cloud Security Alliance Software Defined Perimeter –
The Software Defined Perimeter (SDP) is a proposed security framework under development that can be deployed to protect application infrastructure from network-based attacks. The SDP will incorporate security standards from organizations such as NIST and OASIS as well as security concepts from organizations such as the U.S. Department of Defense into an integrated framework.
The Honeynet Project –
The Honeynet Project is a leading international 501(c)(3) non-profit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security.
Telehash is an encrypted private mesh network project.
RAMPART™ (Risk Assessment Method – Property Analysis and Ranking Tool) was developed by Sandia National Laboratories and is currently owned by NeoSafety. It is a screening-level software program for determining the risk to a building from natural hazards, crime, and terrorism.
Department of Energy Pacific Northwest National Lab (PNNL) –
Pacific Northwest National Laboratory (PNNL) has developed a framework for decentralized coordination based on the eusocial behaviors seen in ant colonies. The eusocial organization in the ant colony provides a highly adaptive common defense that achieves emergent behavior via stigmergic communication. We have applied these ant behaviors to cyber security in our Ant-Based Cyber Defense where humans and various software agents share the responsibilities of securing an infrastructure comprised of enclaves that belong to member organizations.
National Coordination Office for Networking and Information Technology Research and Development (NITRD) –
Information about research programs by the federal government focused on adaptive security and active cyber defense.
George Mason University – Research Projects –
George Mason University is involved in a variety of funded research dealing with active cyber defense including Moving Target Defenses.
Dartmouth College ISTS –
ISTS supports a number of projects looking at the adaptive security of networks and systems, hardware and software.
Purdue CERIAS –
CERIAS supports a range of adaptive security-related research projects including Autonomous Agents-Based Mobile-Cloud Computing
Microsoft Verifiable Computing –
Verifiable Computation enables a computationally weak client to “outsource” the computation of an arbitrary function F on various dynamically chosen inputs x_1,…,x_k to one or more workers. The workers return the result of the function evaluation, e.g., y_i = F(x_i), as well as a proof that the computation of F was carried out correctly on the given value x_i. The primary constraint is that verifying the proof should require substantially less computational effort than computing F(x_i) from scratch.
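As an added example that is not Microsoft's construction, the following Python illustrates the constraint above with the classic Freivalds check for matrix products: the worker computes C = A*B with about n^3 multiplications, and the client, using a random vector r, accepts C only if A(Br) == Cr, which costs about n^2 multiplications and wrongly accepts a wrong C with probability at most 1/p per round. Here the "proof" is just the claimed result; the point is that checking it is much cheaper than recomputing it. The matrices are constructed at random and all arithmetic is modulo a large prime.

```python
"""Freivalds' check: verify an outsourced matrix product cheaper than recomputing it.

Added example (not Microsoft's verifiable-computation construction). All
matrices are constructed at random; arithmetic is modulo a large prime.
"""
import secrets

P = (1 << 61) - 1  # Mersenne prime 2^61 - 1; every operation is taken mod P


def random_matrix(rows: int, cols: int):
    return [[secrets.randbelow(P) for _ in range(cols)] for _ in range(rows)]


def mat_vec(m, v):
    """m * v, about n^2 multiplications."""
    return [sum(x * y for x, y in zip(row, v)) % P for row in m]


def worker_multiply(a, b):
    """Worker side: the full product C = A * B, about n^3 multiplications."""
    n, k, m = len(a), len(b), len(b[0])
    return [[sum(a[i][t] * b[t][j] for t in range(k)) % P for j in range(m)]
            for i in range(n)]


def client_verify(a, b, c, rounds: int = 1) -> bool:
    """Client side: accept C only if A(Br) == Cr for random r, three mat-vec products per round.

    If C != AB, a single round wrongly accepts with probability at most 1/P
    (about 4e-19 here); extra rounds multiply that bound.
    """
    if len(c) != len(a) or any(len(row) != len(b[0]) for row in c):
        return False  # a result of the wrong shape can never be correct
    m = len(b[0])
    for _ in range(rounds):
        r = [secrets.randbelow(P) for _ in range(m)]
        if mat_vec(a, mat_vec(b, r)) != mat_vec(c, r):
            return False
    return True


def demo(n: int = 8):
    """Return (honest_accepted, tampered_accepted) for a random n x n instance."""
    a, b = random_matrix(n, n), random_matrix(n, n)
    honest = worker_multiply(a, b)
    tampered = [row[:] for row in honest]
    tampered[n - 1][0] = (tampered[n - 1][0] + 1) % P  # a single cell altered
    return client_verify(a, b, honest), client_verify(a, b, tampered)


if __name__ == "__main__":
    honest_ok, tampered_ok = demo()
    print("honest result accepted:", honest_ok)
    print("tampered result accepted:", tampered_ok)
```

The verifier never recomputes the product, so a worker that returns a wrong answer, whether by fault or by malice, is caught with overwhelming probability at a fraction of the cost; general verifiable computation extends the same economics to arbitrary functions F.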
IARPA – STONESOUP –
STONESOUP develops software analysis, confinement, and diversification techniques so that non-experts can transform questionable software into more secure versions without changing the behavior of the programs.
DARPA – Mission Oriented Resilient Clouds –
The Mission-oriented Resilient Clouds (MRC) program aims to address some of these security challenges by developing technologies to detect, diagnose and respond to attacks in the cloud; effectively building a ‘community health system’ for the cloud. MRC also seeks technologies to enable cloud applications and infrastructure to continue functioning while under attack.
DARPA – Clean Slate Design of Resilient, Adaptive Secure Hosts (CRASH) –
The Clean-Slate Design of Resilient, Adaptive, Secure Hosts (CRASH) program will pursue innovative research into the design of new computer systems that are highly resistant to cyber-attack, can adapt after a successful attack to continue rendering useful services, learn from previous attacks how to guard against and cope with future attacks, and can repair themselves after attacks have succeeded.
DARPA – Active Cyber Defense –
DARPA’s Active Cyber Defense (ACD) program is designed to help reverse the existing imbalance by providing cyber defenders a “home field” advantage: the ability to perform defensive operations that involve direct engagement with sophisticated adversaries in DoD-controlled cyberspace. Created in December 2012, the program seeks to develop a collection of synchronized, real-time capabilities to discover, define, analyze and mitigate cyber threats and vulnerabilities.
Center for Configuration Analytics and Automation –
The goal of the Center for Configuration Analytics and Automation (CCAA) is to build the critical mass of inter-disciplinary academic researchers and industry partners for addressing the current and future challenges of configuration analytics and automation to improve service assurability, security and resiliency of enterprise IT systems, cloud/SDN data centers, and cyber-physical systems by applying innovative analytics and automation.
Smart Information Flow Technologies – SIFT –
Research aimed at adaptive security.