Defend Forward: How AI and ML are Driving the Future of Security


Nomios: experts in cybersecurity and networking.

Tuesday, August 23, 2022

Defend Forward is a military cybersecurity concept that all organisations can learn from. AI and ML are driving this proactive approach, and taking the fight to the adversary.


As a CISO or IT leader, you’ll have come across many cybersecurity concepts over the years. “Defend Forward” is another to add to your lexicon. However, this one is much more than just another techie buzzword. It comes from the US Department of Defence and is now being applied beyond the military and government sectors.

In this article, we’ll explore how you can adopt this strategic cybersecurity approach across your network infrastructure, and the important role artificial intelligence (AI) and machine learning (ML) have to play in enabling Defend Forward strategies.


What is Defend Forward?

“We will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” Department of Defence Cyber Strategy 2018

The US Department of Defence Cyber Strategy, released in 2018, launched Defend Forward as a critical component of its layered cyber deterrence approach. The concept is to proactively disrupt or stop malicious cyber activity at its source, before it reaches its target.

This new approach was a direct response to nation-state-sponsored cyberattacks, such as the interference in the 2016 US election, the 2017 WannaCry and NotPetya attacks, the theft of cyber tools from the US National Security Agency (NSA) in 2017 and the data breaches at the US Office of Personnel Management and Equifax.

The previous version of the US DoD Cyber Strategy, from 2015, focused on deterring attacks and on reacting only when deterrence failed. Because the attacks listed above didn’t meet the criteria for a traditional military response, there was little scope for proactive action.

The 2018 version of the DoD Cyber Strategy changes that, taking the fight to the adversary and allowing the DoD to operate outside of its own networks.

In its military context, Defend Forward also targets attacks designed to steal corporate intellectual property, particularly sensitive information from organisations affiliated with the military.

What Defend Forward means for your business

“Taking the fight to the adversary” is an approach that many cybersecurity experts in the public and private sectors are now embracing. It doesn’t mean hacking back or using the offensive methods deployed by the military, which would be illegal for a private organisation. Instead, it’s about acting proactively using threat intelligence and data analytics.

This is the mission of the recently formed, independent Cyber Defenders Council. In response to the blurring of the line between financially motivated and state-sponsored attacks, it argues that private-sector organisations need to adopt Defend Forward, proactively protecting their intellectual property against nation-state-driven cyber espionage campaigns and cybercrime-driven ransomware attacks.

In a non-military context, Defend Forward means acting before a threat becomes a full-blown attack. The Cyber Defenders Council has adopted the following six principles of Defend Forward:

  1. Assume you’re at risk: All organisations are at risk of a cyberattack whether it’s a direct attack or via a backdoor such as through a partner or vendor’s platform.
  2. Understand the threat: To protect your people, data and network, you need to understand the reasons an attacker might have to compromise you, and what methods they might deploy.
  3. Collaborate across sectors: Tap into the threat intelligence community across different sectors to identify potential threats and vulnerabilities.
  4. Use intelligence to instil a bias for action: Use actionable threat intelligence to drive strategic and tactical security decisions day-to-day.
  5. Leverage large scale analytics and technology to the greatest extent possible: Artificial intelligence and machine learning can be deployed at scale for threat hunting, early detection and automated response.
  6. Assume you’re still at risk: Complacency is not an option in an evolving threat landscape.

How does AI and ML technology support Defend Forward strategies?

The Defend Forward approach requires access to threat intelligence - data - so you can identify potential threats and take action.

This data needs to come from your entire network infrastructure including endpoints, cloud computing, email, and other solutions.

The problem for many CISOs and IT leaders is knowing where to start. What threats are genuinely a risk to your organisation and therefore should be targeted, and what are just a distraction? There is so much data out there that is worthless if you can’t turn it into meaningful intelligence.

This is where AI and ML powered threat intelligence solutions can help you make sense of the data and take a proactive, Defend Forward, security approach.

AI-driven solutions should be in your armoury

Processing large volumes of data at scale for real-time decision making is impossible without advanced automation. Automation backed by AI and proven ML algorithms considerably expands the discovery and categorisation of threat data, and analyses it at machine speed to detect anomalous activity.

AI-driven cybersecurity solutions, like Extended Detection and Response (XDR), analyse your data from across your network infrastructure to spot known Indicators of Compromise (IOCs) and Indicators of Behaviour (IOBs).

As the name suggests, IOCs can identify when an attack is in play or has already occurred. IOBs support a more proactive Defend Forward approach because they can spot signs of malicious behaviour right at the start of an attack sequence.

AI and ML technology does this by learning benign behaviours, the legitimate actions you expect to see on the network, and raising alerts when observed behaviour deviates from that baseline. Additionally, intelligence on how sequences of individually benign behaviours create the conditions an attacker needs is analysed to identify the often very subtle differences that can be a precursor to an attack.
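To make the IOC/IOB distinction and the baseline-and-deviation idea above concrete, here is a small added example in Python. It is not code from Nomios or from any XDR product; the endpoint telemetry, the host and process names, and the known-bad hash list are all constructed for illustration (the hash is an obvious placeholder, not a real indicator). The baseline learns which parent-to-child process launches are normal for a host, a single never-seen launch is only flagged for watching, a chain of two consecutive unseen launches is raised as an IOB, and a file hash on the known-bad list is raised as an IOC regardless of behaviour.

```python
"""Baseline-and-deviation detection over constructed endpoint telemetry (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One process-launch record as an XDR agent might report it (constructed schema)."""
    host: str
    user: str
    parent: str
    process: str
    sha256: str


# Constructed known-bad hash list; the value is a placeholder, not a real IOC.
KNOWN_BAD_HASHES = {"PLACEHOLDER_HASH_0001"}

# Constructed benign training telemetry: what "normal" looks like on host ws-01.
# Repeated to stand in for many days of ordinary activity.
BASELINE_EVENTS = [
    Event("ws-01", "alice", "explorer.exe", "outlook.exe", "h-outlook"),
    Event("ws-01", "alice", "explorer.exe", "winword.exe", "h-winword"),
    Event("ws-01", "alice", "outlook.exe", "winword.exe", "h-winword"),
    Event("ws-01", "alice", "explorer.exe", "chrome.exe", "h-chrome"),
] * 5

# Constructed live telemetry to score against the baseline.
LIVE_EVENTS = [
    Event("ws-01", "alice", "explorer.exe", "outlook.exe", "h-outlook"),          # normal
    Event("ws-01", "alice", "winword.exe", "cmd.exe", "h-cmd"),                    # unseen launch
    Event("ws-01", "alice", "cmd.exe", "powershell.exe", "h-ps"),                  # second unseen launch
    Event("ws-01", "alice", "powershell.exe", "update.tmp", "PLACEHOLDER_HASH_0001"),  # known-bad hash
]


class BehaviourBaseline:
    """Per-host frequency of parent->child launches learned from benign telemetry."""

    def __init__(self):
        self.transitions = defaultdict(Counter)  # host -> Counter of (parent, child)
        self.totals = Counter()                   # host -> number of baseline events

    def learn(self, events):
        for e in events:
            self.transitions[e.host][(e.parent, e.process)] += 1
            self.totals[e.host] += 1

    def rarity(self, e):
        """Share of this host's baseline made up of this launch pair (0.0 = never seen)."""
        total = self.totals[e.host]
        if total == 0:
            return 0.0
        return self.transitions[e.host][(e.parent, e.process)] / total


def classify(baseline, events, known_bad, rare_threshold=0.02, chain_len=2):
    """Return (severity, process, reason) tuples in event order.

    IOC   - file hash is on the known-bad list (attack already in play).
    IOB   - chain_len consecutive launches the baseline has never/rarely seen.
    WATCH - a single rare launch; worth a look but not yet a behavioural chain.
    """
    alerts = []
    rare_run = 0
    for e in events:
        if e.sha256 in known_bad:
            alerts.append(("IOC", e.process, "file hash on known-bad list"))
            rare_run = 0
            continue
        share = baseline.rarity(e)
        if share < rare_threshold:
            rare_run += 1
            severity = "IOB" if rare_run >= chain_len else "WATCH"
            alerts.append((severity, e.process,
                           f"{e.parent}->{e.process} in {share:.1%} of baseline; run of {rare_run}"))
        else:
            rare_run = 0  # a normal launch breaks the chain
    return alerts


def run_demo():
    """Learn the constructed baseline, then score the constructed live events."""
    baseline = BehaviourBaseline()
    baseline.learn(BASELINE_EVENTS)
    return classify(baseline, LIVE_EVENTS, KNOWN_BAD_HASHES)


if __name__ == "__main__":
    for severity, process, reason in run_demo():
        print(f"{severity:5} {process:15} {reason}")
```

The threshold and chain length are tuning knobs: raising `rare_threshold` makes the detector more sensitive to launches that are merely uncommon rather than unseen, and a longer `chain_len` trades earlier warning for fewer false positives. A real deployment would key the baseline on user and time of day as well as host, and would feed the WATCH events to an analyst queue rather than discarding them.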

Human intelligence and expertise are also needed to validate the data and appropriate response. Human intelligence can come from your own internal security team, but also the wider threat intelligence community. Principle three of the Cyber Defenders Council, “collaborate across sectors”, states that collaboration and intelligence sharing from industries, governments and cybersecurity experts is critical for identifying and proactively responding to threats.

Defend Forward with AI-driven XDR solutions

AI-driven XDR solutions that integrate with threat intelligence streams and correlate telemetry from across an organisation’s infrastructure can give you an advantage over the cybercriminal or nation-state actor. By leveraging AI and ML technologies, combined with human intelligence, you’ll be able to proactively spot and stop malicious activity at source and defend forward before it leads to a full-blown attack.
