Taking action: active defense and the path to cybersecurity success

The U.S. federal government possesses some of the strongest cybersecurity in the world, with a GCI score of 100. This intense cybersecurity is no surprise, as the federal government is tasked with protecting the nation’s most precious assets, like classified data and critical financial information, and with defending against the most malicious, well-funded and motivated attackers. The sheer scope of critical assets to defend has made the federal government one of the biggest spenders on cybersecurity in the world, and as cyber threats continue to evolve, investment in cybersecurity will continue to grow. To combat persistent threats from cyber adversaries who are launching increasingly sophisticated attacks that target both IT and operational technology environments, the federal government is adopting proactive cyber defense strategies at a rapid pace.

In the National Defense Authorization Act (NDAA) for 2023, cybersecurity is a central focus, a move indicative of the priorities of the federal government, and the act mandates the deployment of active defense. The 2023 NDAA highlights tactics, including active defense and deception, that military and defense agencies can use to defend against cyber attacks. The NDAA goes on to stress the need for further investigation of deception technology in order to discover how such proactive measures would enable heightened collaboration and security across the government and private sectors. Among the strategies identified as critical to move forward, there was a particular emphasis on proactive cybersecurity solutions like active defense.

What is active defense?

Active defense, rooted in deception technology, is the future of cybersecurity as mentioned in the NDAA, and is already being implemented across public and private sectors. Specifically, in Section 6320 of the NDAA labeled “Proactive Cybersecurity,” the bill states, “not later than one year after the date of the enactment of this act, the chief information officer of the Intelligence Community shall conduct a survey of each element of the intelligence community on the use by that element of proactive cybersecurity initiatives, continuous activity security testing, and active defense techniques.” This short timeline — within one year of the implementation of the bill — is indicative of the sense of urgency the government has when it comes to getting ahead of the barrage of cyberattacks, and the need for a more proactive approach to cybersecurity.

A successful cyberattack can be the result of one particularly skilled individual (or small group) with access to a computer, and the efforts of that one individual can leave a devastating impact. For instance, the SolarWinds attack was carried out by a small group of hackers, and impacted 18,000 SolarWinds customers, including the departments of State, Treasury and Health and Human Services. In an effort to make sure nothing like this ever happens again, enterprises and the federal government alike are pivoting their attention to proactive cybersecurity.

Active defense uses a myriad of techniques to create a unique defensive posture by learning from attacker behavior to anticipate their next moves. This contrasts with more traditional measures that rely on reacting to cyberattackers already within the network doing damage, without knowing what they’ve done in the past or what they’re going to do next. Instead, active defense uses deception techniques to get ahead of attacks. This strategy has long been used to great effect in on-the-ground military operations, and it is powerful whether implemented on a physical battlefield or on a virtual one. One of the primary tide-turning impacts of active defense is the ability to gain adversarial intelligence, which could mean the difference between success and failure. As MITRE puts it, “you can learn not only how they got in, but what they did once they got there.”

Ultimately, deception levels the playing field. In the current world, the defender needs to be right 100% of the time while the attacker only needs to be right (or get lucky) once. When deception is implemented, however, the attacker has to be right 100% of the time in order to avoid being tripped up, resulting in a higher burden on the attacker rather than the “seeing what sticks” approach they might be used to. When effectively implemented, this strategy seeks to slow down and derail attackers so they ultimately give up and move on after a fruitless and time-consuming attack.

Why now?

Active defense has the immediate benefit of being able to be added to existing security stacks, and it supports both cloud and on-premises environments, which is essential for the federal government, which cannot afford any downtime. Active defense doesn’t call for a full rebuilding of the security stack, which would be an impossibility. Rather, it can work with and for any existing stack, and can be implemented with no disruption to ongoing defense projects.

Active defense is also designed to stop cyberattackers in a way that also collects intelligence on their tactics, techniques and procedures, ultimately fortifying a defensive posture. By using deception technology, the defender can gather valuable insights into what assets the attacker was attempting to compromise and the attack path they leveraged to get there. This is the true impact of an active defense strategy: The defender comes away with more information about the attacker than the other way around. This is not only informative from a purely technical standpoint, it also strengthens the overall defense posture in the present and future. Active defense doesn’t just strengthen that posture, it weakens future attacks by shifting the attacker’s reality. Now an attacker could potentially be trapped, and instead of being able to test attacks repeatedly until one works, each of those test attacks could be used for information gathering.
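The asymmetry described above (a legitimate user never has a reason to touch a decoy, so a single touch is a high-fidelity signal, and the sequence of decoys touched from one source reconstructs the attack path) can be made concrete with a small tripwire detector. The following is an added example written for this article, not code from Acalvio, MITRE or the NDAA; the decoy names, the log format and the log lines are all constructed for illustration.

```python
"""Decoy (honeytoken) tripwire detector run over constructed log lines.

Assumption: the defender has planted a small set of decoy assets (a credential,
a host name, a file name) that no legitimate workflow ever references.
Any appearance of a decoy in telemetry is therefore treated as an alert, and
alerts grouped by source reconstruct the order in which decoys were touched.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Decoy registry: constructed placeholder values, not a real environment.
DECOYS = {
    "svc_backup_legacy": "credential",
    "fin-share-02.corp.example": "host",
    "Q3_payroll_export.xlsx": "file",
}

# Constructed key=value log format for the example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+)$"
)

# Constructed telemetry: two legitimate lines, then an intruder touching decoys.
SAMPLE_LOGS = [
    "2024-05-01T09:00:01Z src=10.0.8.15 user=alice action=read target=wiki.corp.example",
    "2024-05-01T09:02:44Z src=10.0.8.15 user=alice action=write target=crm.corp.example",
    "2024-05-01T22:13:05Z src=10.0.44.7 user=svc_backup_legacy action=login target=fin-share-02.corp.example",
    "2024-05-01T22:13:09Z src=10.0.44.7 user=svc_backup_legacy action=read target=Q3_payroll_export.xlsx",
    "2024-05-01T22:14:00Z src=10.0.44.7 user=bob action=read target=wiki.corp.example",
]


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    decoy: str
    kind: str
    action: str


def scan(lines: list[str]) -> list[Alert]:
    """Return one Alert for every decoy referenced in the user or target field.

    Lines that do not match the expected format are skipped rather than
    guessed at, so a malformed line can never suppress or fabricate an alert.
    """
    alerts: list[Alert] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in (m["user"], m["target"]):
            if value in DECOYS:
                alerts.append(Alert(m["ts"], m["src"], value, DECOYS[value], m["action"]))
    return alerts


def attack_paths(alerts: list[Alert]) -> dict[str, list[tuple[str, str, str]]]:
    """Group alerts by source, preserving order, to reconstruct the path taken."""
    paths: dict[str, list[tuple[str, str, str]]] = {}
    for a in alerts:
        paths.setdefault(a.src, []).append((a.kind, a.decoy, a.action))
    return paths


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for src, steps in attack_paths(found).items():
        print(f"source {src} touched {len(steps)} decoy references:")
        for kind, decoy, action in steps:
            print(f"  {action:>6} {kind:<10} {decoy}")
```

Every alert in the constructed sample comes from a single source, and the ordered path (decoy credential used to log in to the decoy host, then the decoy file read) is exactly the "what they did once they got there" intelligence the article describes; the legitimate lines from the first source produce nothing, which is the point of choosing decoys nobody has a reason to use.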

As the NDAA itself defines it, active defense is “An action taken on an information system of an element of the intelligence community to increase the security of such system against an attacker, including the use of a deception technology or other purposeful feeding of false or misleading information to an attacker accessing such system; or proportional action taken in response to an unlawful breach.”

With this in mind, cybersecurity communities across the world and particularly those serving the federal government should look forward to this proportional action, and be proud of the steps we’ve taken as a cybersecurity community in order to tilt the balance of power toward the defender.

Ram Varadarajan is CEO and co-founder of Acalvio Technologies.
