Active Cyber Defense (ACD)

Enabling the Real-Time Defense of Critical Networks

Active Cyber Defense (ACD) is a component of the Department of Defense's (DoD) overall approach to defensive cyber operations.

Its elements complement preventative and regenerative cyber-defense efforts by synchronizing the real-time detection, analysis and mitigation of threats to critical networks and systems. The concept is applicable to the defense of all U.S. Government and critical infrastructure networks, not just those owned and operated by DoD. While ACD is active within the networks it protects, it is not offensive and its capabilities affect only the networks where they have been installed by network operators and owners.

Real-time detection and mitigation at every tier in every cyber environment require the seamless integration of cyber-defense services across program and network boundaries and the application of standards for messaging and Command and Control (C2).

The National Security Agency's (NSA's) Information Assurance Directorate (IAD) contributes to the attainment of this goal by designing, developing, testing and integrating defensive capabilities for the discovery, analysis, and mitigation of threats to strategically important networks and computing facilities.

Essential ACD Elements

The real-time detection and mitigation of threats at every tier in every cyber environment require the integration, synchronization, and automation of sensing, sense-making, decision-making, and acting capabilities by secure, automated orchestration and the development of messaging and C2 infrastructure standards. Many of these tools and capabilities are deployed today (e.g. Host-Based Security System sensors), others will be acquired (e.g. core streaming analytics), and some will require further development (e.g. big data/trending analytics).

Process and Partnership

IAD's commitment to sound, comprehensive design concepts and standards-based development will help ensure that government benefits from shared situational awareness, threat data, and response capabilities.

By (1) integrating, synchronizing and automating sensing, sense-making, decision-making, and acting capabilities and (2) identifying or developing standards and specifications for interoperability, messaging, and control, NSA's IAD seeks to:

  • Enable owners of nationally important systems/networks to implement defensive capabilities within their boundaries at cyber-relevant speed
  • Enable connected networks to efficiently exchange information, distribute threat and response data, and facilitate network owner management of cyber-defense activity in their networks
  • Integrate and synchronize cyber-defense products and capabilities to maximize the value of current and planned Government cyber-defense implementations

IAD's partners are and will continue to be essential to the identification and articulation of requirements, the development of solution prototypes, the creation of reference implementations, and operational piloting. Their continuing participation in collaborative development and evaluation activities will ensure that interoperability specifications, messaging standards, and C2 regimes address their unique mission needs while providing state-of-the-art cyber-defense capabilities for the benefit of the entire community. IAD is currently partnering with the Department of Homeland Security, Cybersecurity and Communications, and the Defense Information Systems Agency (DHS, CS&C, DISA), DoD elements and DOE to achieve this vision through the development of reference implementations and execution of operational pilots.

Frequently Asked Questions

Why do we need Active Cyber Defense?

From 2000-2014 global Internet usage increased 741%, up from 360 million to almost 3.5 billion people. The security and effective operation of the U.S. critical infrastructure rely on cyberspace industrial control systems and information technology that may be vulnerable to disruption or exploitation. DoD and the nation as a whole rely on a secure and dependable cyberspace that protects fundamental freedoms, privacy, and the free flow of information.

Our networks and data are subject to continuous cybersecurity attacks from a wide range of threats. Effective defense against these adversaries requires near real-time orchestration of thousands of end components and network systems, multiple organizational processes, and the selection, de-confliction, and execution of complex response actions within and across diverse domains. Today, such orchestration is primarily a manual, human-in-the-loop process to correlate multiple inputs and direct an array of responses. This current process does not provide the speed, agility and control necessary to ensure operational mission success in the presence of sophisticated cyber threats. Through the introduction of ACD constructs, secure orchestration will provide an automated, human-on-the-loop capability to select, direct, and track responses to network and cybersecurity events.

What are the characteristics of Active Cyber Defense?

A comprehensive ACD solution would have characteristics that include the ability to operate with dialable levels of automated decision-making that enable the detection and mitigation of threats at cyber-relevant speed; it must be scalable to operate in any size enterprise, and work in an integrated manner with other network defense and hardening capabilities while creating and consuming shared situational awareness. Finally, these capabilities must be available soon and be designed in a manner that allows them to be built and operated by both the private sector and USG.

What are the requirements for Active Cyber Defense?

The ACD Framework, depicted here, describes the set of five high-level conceptual capabilities necessary to perform ACD anywhere in cyberspace. A foundational messaging fabric must exist to enable real-time communications using standard protocols, interfaces and schema among the other four components. Then there must be sensors that report data on the current state of the network, sense-making analytics to understand current state, automated decision-making to decide how to react to current state information, and capabilities to act on those decisions to defend the network. Although not a unique part of the ACD framework, Shared Situational Awareness is a critical provider and consumer of actionable ACD information.

Why is Active Cyber Defense important?

ACD is far more than just the enhancement of defensive cybersecurity capabilities for the DoD and the Intelligence Community. ACD-defined capabilities and processes can be employed to support federal, state, and local government agencies and organizations, defense contractors, critical infrastructure segments, and industry. The ability to rapidly and automatically share and understand threat information and analysis, cyber activity alerts, and response action is critical to enabling unity of effort in successfully detecting and defending against advanced cyber-attacks.

What's the best approach to developing ACD capabilities?

Today, even the best within-network cybersecurity is achieved by products/services that operate independently of each other (e.g., virus checkers, remote configuration management), do not benefit from full situational awareness (e.g., on threats and mitigations), and often rely on human-in-the-loop processes.

The state of cybersecurity within networks can and should be advanced by the development and use of commercially-produced, multi-sourced, standards-enabled solutions that can interact and share situational awareness.

What is NSA IAD's role in developing and deploying Active Cyber Defense?

IAD is currently focused on the development of architectures, reference implementations, correlated strategies for sensing, analytics, data management, decision-making and mitigations, as well as standards that will enable the real-time defense of networks critical to the US Government through the integration, synchronization and automation of cybersecurity capabilities already deployed on those networks. IAD is also focusing on gap-filling technologies such as Secure Orchestration and real-time C2 messaging.

Secure orchestration refers to the integration, synchronization and automation of ACD operations and encompasses elements of decision-making, acting and ACD Mission Management. C2 messaging enables the execution of secure orchestration in cyber-relevant time through the exchange of concise standard messages. Secure orchestration and C2 messaging will enable ACD to transition cyber defense operations from a manual human-in-the-loop process to one where most actions are either fully automated or support human-on-the-loop automated actions.
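The five-capability framework from the requirements answer above and the dialable, human-in-the-loop versus human-on-the-loop orchestration described here can be modelled as a small pipeline. The following is an added illustration, not IAD's reference implementation or any real C2 message standard: the sensor events, host names, indicator strings, severity scale and the three automation levels are all constructed for the example.

```python
# Constructed sensor reports in the style of host-based security alerts (not real telemetry).
SENSOR_EVENTS = [
    {"host": "ws-01", "indicator": "beacon.example", "severity": 3},
    {"host": "ws-02", "indicator": "beacon.example", "severity": 3},
    {"host": "ws-03", "indicator": "beacon.example", "severity": 3},
    {"host": "srv-09", "indicator": "usb-mount", "severity": 1},
]

class MessagingFabric:
    """Minimal in-process publish/subscribe bus standing in for the ACD messaging fabric."""
    def __init__(self):
        self.subs = {}
    def subscribe(self, topic, fn):
        self.subs.setdefault(topic, []).append(fn)
    def publish(self, topic, msg):
        for fn in self.subs.get(topic, []):
            fn(msg)

def sense_making(events, min_hosts=2):
    """Correlate per-host sensor reports into enterprise-level findings (hypothetical logic)."""
    by_indicator = {}
    for e in events:
        by_indicator.setdefault(e["indicator"], []).append(e)
    findings = []
    for indicator, evs in by_indicator.items():
        hosts = sorted({e["host"] for e in evs})
        severity = max(e["severity"] for e in evs)
        if len(hosts) >= min_hosts:
            severity += 1  # the same indicator on several hosts is treated as spreading
        findings.append({"indicator": indicator, "hosts": hosts, "severity": severity})
    return findings

def decide(finding, automation_level):
    """Dialable automation: 0 = human-in-the-loop (every action awaits approval),
    1 = human-on-the-loop (low-impact actions run, high-impact ones are queued),
    2 = fully automated. Levels and impact classes are assumptions for this example."""
    action = "isolate_host" if finding["severity"] >= 4 else "block_indicator"
    high_impact = action == "isolate_host"
    auto = automation_level == 2 or (automation_level == 1 and not high_impact)
    return {"action": action, "targets": finding["hosts"],
            "indicator": finding["indicator"], "auto": auto}

def run_pipeline(events, automation_level):
    """Sensors -> sense-making -> decision -> act, wired over the fabric.
    Returns (executed, pending-for-operator) decisions, i.e. the shared situational picture."""
    bus = MessagingFabric()
    executed, pending = [], []
    bus.subscribe("decision", lambda d: (executed if d["auto"] else pending).append(d))
    bus.subscribe("finding", lambda f: bus.publish("decision", decide(f, automation_level)))
    for finding in sense_making(events):
        bus.publish("finding", finding)
    return executed, pending
```

Running the same events at levels 0, 1 and 2 shows how the dial moves actions from the operator's queue to automatic execution without changing the sensing or analytics stages.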

IAD is addressing these critical needs through the agile development of a range of ACD capabilities deployable across a diverse set of operational scenarios. This is being done in close partnership with other government departments and agencies and cybersecurity industry partners.

What will Active Cyber Defense do for my organization?

When deployed as a comprehensive integrated set of solutions across the interior and at the boundary of a network enterprise, ACD can provide mitigation of zero-day attacks and enable hardening of allied networks against such attacks in cyber-relevant time through a shared messaging fabric. Using the ACD Framework as a guide, enterprises can rapidly deploy ACD solutions and leverage cybersecurity capabilities already deployed on their networks. The automation inherent in an ACD solution also holds the promise of efficiencies and scalability that will lead to cost savings in network management.

Related publication: Active Cyber Defense: A Vision for Real-Time Cyber Defense, Journal of Information Warfare, April 2014

Last Reviewed: 04 August 2015