IACD Research

As we grow the IACD framework, we also partner with academia to further the science. Here you will find links to our published articles.


Cybersecurity: From Months to Milliseconds

Abstract: Computer technology is the nexus of our critical infrastructures, yet it remains extremely vulnerable to cyberattacks. This article proposes a healthy cyber ecosystem that automates many risk decisions and optimizes human oversight of security processes too complex or important for machines alone to solve.



Identifying Cyber Ecosystem Security Capabilities

Abstract: Strengthening the security and resilience of the cyber ecosystem requires reducing the number of vulnerabilities and the ability to automatically mitigate attack methodologies. This article draws from various research reports to categorize the underlying attack methodologies and summarizes current perspectives on the capabilities needed within the cyber ecosystem to strengthen its security and resilience, while protecting the privacy of the authorized users of the ecosystem.



Toward a Capability-Based Architecture for Cyberspace Defense

Abstract: This paper presents a high-level overview of the IACD reference architecture to inform, guide, and facilitate feedback from cyber service providers, network owners and operators, and product vendors on the capabilities and interfaces that can enable an agile, dynamically responsive, and resilient cyber infrastructure.



Active Cyber Defense: A Vision for Real-Time Cyber Defense

Abstract: Cyber operations consist of many functions spanning cyber management, cyber attack, cyber exploitation, and cyber defense, all including activities that are proactive, defensive, and regenerative in nature. A subset of cyber defense, Active Cyber Defense (ACD) focuses on the integration and automation of many services and mechanisms to execute response actions in cyber-relevant time. ACD comprises a set of logical functions that capture details from enterprise-level architecture to operational realization, with the primary objective of becoming a living part of DoD cyber operations to help defend the nation from cyber-based adversaries.



Enabling Distributed Security in Cyberspace

Abstract: This paper explores a future – a “healthy cyber ecosystem” – where cyber devices collaborate in near-real time in their own defense. In this future, cyber devices have innate capabilities that enable them to work together to anticipate and prevent cyber attacks, limit the spread of attacks across participating devices, minimize the consequences of attacks, and recover to a trusted state.


Securing Automation with API Gateways

SOAR workflows routinely use Application Programming Interfaces (APIs) to interact with the various security tools required for cyber defense. Securing these API calls is critical. IACD has researched how API gateways can be used to enhance the security of these calls and provides a whitepaper and video to help the community leverage this research.


Beyond Indicator Sharing: Augmenting Adversary Playbooks with Behavior Objects

To improve information sharing, the cyber defense community needs to move beyond indicator sharing focused on detections of individual attacks, towards the sharing of machine-readable descriptions of attacker behaviors that span multiple attacks, as described in the following video and whitepaper.


Demonstrating the Use of OpenC2 and SOAR

SOAR enables orchestration and automation of cybersecurity operations, but those automated commands rely heavily on proprietary API calls. OpenC2 provides a standard for communicating with multiple security devices without the need for proprietary commands. In this video and whitepaper, the IACD team demonstrates an experiment in which we successfully used OpenC2 with SOAR.


Enriched BPMN Workflows

Business Process Model and Notation (BPMN) provides a standard for representing workflows, which lets the community share SOAR workflows without being tied to a specific vendor. In this video and whitepaper, we show how BPMN can be further enriched with OpenC2 so that the same workflow can quickly be translated to support multiple SOAR platforms.


Effects-Based Courses of Action

In this video and whitepaper, IACD presents a technique for combining SOAR, for machine-speed action, with Artificial Intelligence, for machine-speed decision making. This is done by defining "Effects-Based Courses of Action" and training the AI to identify which effect will address a given situation; the chosen effect then calls the appropriate SOAR actions to achieve that effect in the situation at hand.


Assessing the Potential Value of Cyber Threat Intelligence Feeds

In this whitepaper, we provide an overview of things to consider when selecting Cyber Threat Intelligence (CTI) feeds for your organization, along with guidelines for determining which types of CTI are both relevant to and usable by your organization.


Moving from Cyber Threat Intelligence (CTI) Sharing to CTI Mitigation at Scale

We need to change the way we think about the use of Cyber Threat Intelligence so that it can drastically improve the cybersecurity posture of all organizations. In this video, we present an analogy to better convey where we see the future of CTI sharing going, by comparing CTI sharing to the sharing of traffic and navigation data.