Active Cyber Defense (ACD)
Enabling the Real-Time Defense of Critical Networks
Active Cyber Defense (ACD) is a component of the Department of Defense's (DoD) overall approach to defensive cyber operations.
Its elements complement preventative and regenerative cyber-defense efforts by synchronizing the real-time detection, analysis and mitigation of threats to critical networks and systems. The concept is applicable to the defense of all U.S. Government and critical infrastructure networks, not just those owned and operated by DoD. While ACD is active within the networks it protects, it is not offensive and its capabilities affect only the networks where they have been installed by network operators and owners.
Real-time detection and mitigation at every tier in every cyber environment require the seamless integration of cyber-defense services across program and network boundaries and the application of standards for messaging and Command and Control (C2).
The National Security Agency's (NSA's) Information Assurance Directorate (IAD) contributes to the attainment of this goal by designing, developing, testing and integrating defensive capabilities for the discovery, analysis, and mitigation of threats to strategically important networks and computing facilities.
Essential ACD Elements
The real-time detection and mitigation of threats at every tier in every cyber environment require the integration, synchronization, and automation of sensing, sense-making, decision-making, and acting capabilities through secure, automated orchestration, together with the development of messaging and C2 infrastructure standards. Many of these tools and capabilities are deployed today (e.g., Host-Based Security System sensors), others will be acquired (e.g., core streaming analytics), and some will require further development (e.g., big data/trending analytics).
Process and Partnership
IAD's commitment to sound, comprehensive design concepts and standards-based development will help ensure that government benefits from shared situational awareness, threat data, and response capabilities.
By (1) integrating, synchronizing and automating sensing, sense-making, decision-making, and acting capabilities and (2) identifying or developing standards and specifications for interoperability, messaging, and control, NSA's IAD seeks to:
- Enable owners of nationally important systems/networks to implement defensive capabilities within their boundaries at cyber-relevant speed
- Enable connected networks to efficiently exchange information, distribute threat and response data, and facilitate network owner management of cyber-defense activity in their networks
- Integrate and synchronize cyber-defense products and capabilities to maximize the value of current and planned Government cyber-defense implementations
IAD's partners are and will continue to be essential to the identification and articulation of requirements, the development of solution prototypes, the creation of reference implementations, and operational piloting. Their continuing participation in collaborative development and evaluation activities will ensure that interoperability specifications, messaging standards, and C2 regimes address their unique mission needs while providing state-of-the-art cyber-defense capabilities for the benefit of the entire community. IAD is currently partnering with the Department of Homeland Security's Cybersecurity and Communications (DHS CS&C), the Defense Information Systems Agency (DISA), DoD elements, and the Department of Energy (DOE) to achieve this vision through the development of reference implementations and the execution of operational pilots.
Frequently Asked Questions
Why do we need Active Cyber Defense?
From 2000 to 2014, global Internet usage increased 741%, up from 360 million to almost 3.5 billion people. The security and effective operation of the U.S. critical infrastructure rely on cyberspace industrial control systems and information technology that may be vulnerable to disruption or exploitation. DoD and the nation as a whole rely on a secure and dependable cyberspace that protects fundamental freedoms, privacy, and the free flow of information.
Our networks and data are subject to continuous cybersecurity attacks from a wide range of threats. Effective defense against these adversaries requires near-real-time orchestration of thousands of end components and network systems, multiple organizational processes, and the selection, de-confliction, and execution of complex response actions within and across diverse domains. Today, such orchestration is primarily a manual, human-in-the-loop process to correlate multiple inputs and direct an array of responses. This current process does not provide the speed, agility and control necessary to ensure operational mission success in the presence of sophisticated cyber threats. Through the introduction of ACD constructs, secure orchestration will provide an automated, human-in-the-loop capability to select, direct, and track responses to network and cybersecurity events.
What are the characteristics of Active Cyber Defense?
A comprehensive ACD solution would have characteristics that include the ability to operate with dialable levels of automated decision-making that enable the detection and mitigation of threats at cyber-relevant speed; it must be scalable to operate in any size of enterprise, and work in an integrated manner with other network defense and hardening capabilities while creating and consuming shared situational awareness. Finally, these capabilities must be available soon and be designed in a manner that allows them to be built and operated by both the private sector and the USG.
What are the requirements for Active Cyber Defense?
The ACD Framework, depicted here, describes the set of five high-level conceptual capabilities necessary to perform ACD anywhere in cyberspace. A foundational messaging fabric must exist to enable real-time communications using standard protocols, interfaces and schema among the other four components. Then there must be sensors that report data on the current state of the network, sense-making analytics to understand the current state, automated decision-making to decide how to react to current state information, and capabilities to act on those decisions to defend the network. Although not a unique part of the ACD framework, Shared Situational Awareness is a critical provider and consumer of actionable ACD information.
Why is Active Cyber Defense important?
ACD is far more than just the enhancement of defensive cybersecurity capabilities for the DoD and the Intelligence Community. ACD-defined capabilities and processes can be employed to support federal, state, and local government agencies and organizations, defense contractors, critical infrastructure segments, and industry. The ability to rapidly and automatically share and understand threat information and analysis, cyber activity alerts, and response action is critical to enabling unity of effort in successfully detecting and defending against advanced cyber-attacks.
What's the best approach to developing ACD capabilities?
Today, even the best within-network cybersecurity is achieved by products/services that operate independently of each other (e.g., virus checkers, remote configuration management), do not benefit from full situational awareness (e.g., on threats and mitigations), and often rely on human-in-the-loop processes.
The state of cybersecurity within networks can and should be advanced by the development and use of commercially produced, multi-sourced, standards-enabled solutions that can interact and share situational awareness.
What is NSA IAD's role in developing and deploying Active Cyber Defense?
IAD is currently focused on the development of architectures, reference implementations, correlated strategies for sensing, analytics, data management, decision-making and mitigations, as well as standards that will enable the real-time defense of networks critical to the US Government through the integration, synchronization and automation of cybersecurity capabilities already deployed on those networks. IAD is also focusing on gap-filling technologies such as Secure Orchestration and real-time C2 messaging.
Secure orchestration refers to the integration, synchronization and automation of ACD operations and encompasses elements of decision-making, acting and ACD Mission Management. C2 messaging enables the execution of secure orchestration in cyber-relevant time through the exchange of concise standard messages. Secure orchestration and C2 messaging will enable ACD to transition cyber defense operations from a manual human-in-the-loop process to one where most actions are either fully automated or support human-on-the-loop automated actions.
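The following is an added example, not NSA/IAD code and not any reference implementation the page describes, that models the five ACD Framework capabilities named in the FAQ (messaging fabric, sensors, sense-making, decision-making, acting) together with the "dialable" automation level and the human-in-the-loop versus human-on-the-loop distinction discussed above. It wires the components over an in-process pub/sub bus, replays a few constructed sensor observations, and shows how the same finding produces queued approval requests, partial automation, or fully automated action depending on the dial. Topic names, message fields, the action catalogue, the indicator values, and the host names are all assumptions made up for this illustration.

```python
# Added illustration of the ACD framework's capabilities; not NSA/IAD code.
# Topic names, message fields, actions and indicator values are assumptions.
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from enum import IntEnum


@dataclass
class Message:
    topic: str
    body: dict


class MessagingFabric:
    """Minimal in-process pub/sub standing in for a standards-based messaging fabric."""

    def __init__(self) -> None:
        self._subs: dict[str, list] = defaultdict(list)
        self.log: list[Message] = []  # every message: the shared situational picture

    def subscribe(self, topic: str, handler) -> None:
        self._subs[topic].append(handler)

    def publish(self, msg: Message) -> None:
        self.log.append(msg)
        for handler in list(self._subs[msg.topic]):
            handler(msg)


class AutomationLevel(IntEnum):
    """The 'dialable' automation level from the FAQ."""
    ADVISE = 0    # human-in-the-loop: every action waits for approval
    LOW_RISK = 1  # human-on-the-loop: low-impact actions run, high-impact ones wait
    FULL = 2      # every recommended action runs automatically


class SenseMaking:
    """Correlates per-host observations into one finding when a host shows both a
    known-bad file hash and a flow to a known-bad address (constructed rule)."""

    def __init__(self, fabric: MessagingFabric, bad_hashes: set, bad_ips: set) -> None:
        self.fabric, self.bad_hashes, self.bad_ips = fabric, bad_hashes, bad_ips
        self.state: dict[str, dict] = defaultdict(dict)
        self.reported: set[str] = set()
        fabric.subscribe("observation", self.on_observation)

    def on_observation(self, msg: Message) -> None:
        b = msg.body
        host = self.state[b["host"]]
        if b["type"] == "file_hash" and b["sha256"] in self.bad_hashes:
            host["malware"] = b["sha256"]
        if b["type"] == "net_flow" and b["dst"] in self.bad_ips:
            host["c2"] = b["dst"]
        if {"malware", "c2"} <= set(host) and b["host"] not in self.reported:
            self.reported.add(b["host"])
            self.fabric.publish(Message("finding", {"host": b["host"], **host}))


class DecisionMaking:
    """Turns findings into actions, executing or queueing them per the automation level."""

    def __init__(self, fabric: MessagingFabric, level: AutomationLevel) -> None:
        self.fabric, self.level = fabric, level
        self.pending: list[dict] = []  # actions awaiting a human decision
        fabric.subscribe("finding", self.on_finding)

    def on_finding(self, msg: Message) -> None:
        f = msg.body
        for action in ({"action": "block_ip", "target": f["c2"], "impact": "low"},
                       {"action": "isolate_host", "target": f["host"], "impact": "high"}):
            auto = self.level == AutomationLevel.FULL or (
                self.level == AutomationLevel.LOW_RISK and action["impact"] == "low")
            if auto:
                self.fabric.publish(Message("action", action))
            else:
                self.pending.append(action)
                self.fabric.publish(Message("approval_request", action))

    def approve(self, index: int = 0) -> None:
        """A human operator releases a queued action."""
        self.fabric.publish(Message("action", self.pending.pop(index)))


class Acting:
    """Executes actions and reports status back so every component shares the picture."""

    def __init__(self, fabric: MessagingFabric) -> None:
        self.fabric, self.executed = fabric, []
        fabric.subscribe("action", self.on_action)

    def on_action(self, msg: Message) -> None:
        self.executed.append((msg.body["action"], msg.body["target"]))
        self.fabric.publish(Message("status", {**msg.body, "result": "done"}))


def run_scenario(level: AutomationLevel):
    """Wire the components, replay constructed sensor output, return the components."""
    fabric = MessagingFabric()
    SenseMaking(fabric, bad_hashes={"sha256:constructed-bad-hash"}, bad_ips={"203.0.113.7"})
    decision = DecisionMaking(fabric, level)
    acting = Acting(fabric)
    observations = [  # constructed sensor reports; 203.0.113.0/24 is documentation space
        {"host": "ws-01", "type": "file_hash", "sha256": "sha256:constructed-bad-hash"},
        {"host": "ws-02", "type": "net_flow", "dst": "198.51.100.5"},  # benign host
        {"host": "ws-01", "type": "net_flow", "dst": "203.0.113.7"},
    ]
    for obs in observations:
        fabric.publish(Message("observation", obs))
    return fabric, decision, acting


if __name__ == "__main__":
    for level in AutomationLevel:
        _, d, a = run_scenario(level)
        print(level.name, "executed:", a.executed, "pending:", [p["action"] for p in d.pending])
```

Running the block prints one line per automation level: at ADVISE nothing executes and both actions sit in the approval queue; at LOW_RISK the low-impact block runs immediately while host isolation waits for an operator; at FULL both run. The benign host never produces a finding, and every executed action is echoed back onto the fabric as a status message, which is the shared situational awareness feed the other components and connected networks would consume.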
IAD is addressing these critical needs through the agile development of a range of ACD capabilities deployable across a diverse set of operational scenarios. This is being done in close partnership with other government departments and agencies and cybersecurity industry partners.
What will Active Cyber Defense do for my organization?
When deployed as a comprehensive, integrated set of solutions across the interior and at the boundary of a network enterprise, ACD can provide mitigation of zero-day attacks and enable hardening of allied networks against such attacks in cyber-relevant time through a shared messaging fabric. Using the ACD Framework as a guide, enterprises can rapidly deploy ACD solutions and leverage cybersecurity capabilities already deployed on their networks. The automation inherent in an ACD solution also holds the promise of efficiencies and scalability that will lead to cost savings in network management.
Journal of Information Warfare, April 2014: "Active Cyber Defense: A Vision for Real-Time Cyber Defense"