Federal Government Cyber Security

Active Defense

Federal and Industry organizations have recognized the efficacy of Active Defense based on Cyber Deception as the threats become increasingly sophisticated. CISA is urging immediate deployment of Cyber Deception for Network Security in the latest “2022-2026 Strategic Technology Roadmap, Version 4”. NSA has published a detailed report on the effectiveness of cyber deception based on large red-team studies in the “The Next Wave” Vol 23, 2021.

In December 2022, President Biden signed into law the National Defense Authorization Act (NDAA) for Fiscal Year 2023, which mandates the deployment of Active Defense.

The term Active Defense is defined in the NDAA as:

“An action taken on an information system of an element of the intelligence community to increase the security of such system against an attacker, including the use of a deception technology or other purposeful feeding of false or misleading information to an attacker accessing such system or proportional action taken in response to an unlawful breach.”

Deception Technology is defined as:

“An isolated digital environment, system, or platform containing a replication of an active information system with realistic data flows to attract, mislead, and observe an attacker.”

The NDAA goes on to stress the need for further investigations into deception technology in order to discover how such proactive measures would enable heightened collaboration and security across the government and private sectors. By proactively engaging with the private sector to deploy deception technology techniques, military and defense agencies can mislead or deceive enemies so that they can better protect the nation and its interests.

When using Active Defense, organizations engage with incoming threats to better understand and counter them, rather than operating static security controls and hoping for the best. In practice, Active Defense requires a process that includes four ingredients:

High-fidelity detection:

It’s not enough to just detect an attack: It must happen immediately, no matter from what vector, and without spurious false positives and minor alerts that obscure the threat.

Engagement:

Once detected, Active Defense enables the responders to channel and contain the attack, without the adversary knowing about it.

Analysis:

Now contained, the attacker’s TTPs can safely be observed and understood, and their identity and motivations revealed. High value assets can be obfuscated from the attacker’s perspective.

Response:

With the full picture in hand, the defenders can decide how, when, and where to respond, as well as improve controls to defeat future attempts to use the same TTPs.

MITRE has come up with MITRE Engage, an Active Defense framework for adversary engagement operations to secure network interior based on deception.

Acalvio is a pioneer in Active Defense strategies, leveraging innovations in Distributed Deception, Artificial Intelligence, and Threat Analysis. Our ShadowPlex solution allows government entities to implement Active Defense at scale, across on-premises and cloud infrastructure.

Acalvio’s deception-based detection is superior to alternative approaches such as behavioral analytics because it is both more accurate (few false positives) and more efficient and easier to deploy. By adopting an Active Defense strategy, federal, state, and local governments can establish a scalable resistance to attacks of all types: ransomware, data theft, or service denial. They also can implement control activities consistent with the control objectives in NIST CSF, 800-160, and 800-171/172. With a low-operational footprint and integrations with key security architecture components, ShadowPlex is well-suited to supporting government efforts to detect and defeat all types of attackers, including nation states and criminal enterprises.

External Resources:

1. CISA 2022-2026 Strategic Technology Roadmap, Version 4
2. NSA “The Next Wave”, Vol 23 2021