Cyber Threat Intelligence Report

Insights on governance, risk and compliance @go\gqgmÔf\ l`][jaeafYdk before they commit the cybercrime? A close look at cyber threat intelligence

Contents Introduction 1 What does “cyber threat intelligence” mean? 3 What can CTI do for you? How industry is leveraging CTI 6 The case for operationalizing CTI 10 The future of cyber threat intelligence 14

Introduction Cyber threat intelligence: bringing clarity or adding confusion? Lhe mYrcet offerk mYfy \iffereft \ekcrihtiofk of cyber threYt ifteddi_efce ;LA!$ Yf\ moktdy theke comhrike of \iffereft tyhek of ifformYtiof fee\k thYt Yre fot fecekkYridy Ydi_fe\ to Yfy hYrticmdYr or_YfirYtiof or if\mktry& 9t itk heYrt$ Yfy kort of threYt ifteddi_efce ik kimhdy Ykkekke\ ifformYtiof$ Yf\ cYf ofdy be mf\erktoo\ if the coftept oithif ohich it ik creYte\ Yf\ the hrohoke\ hmrhoke of itk mke& Lhe hmrhoke ik mkmYddy to ifcreYke YoYrefekk of \eÔfe\ kitmYtiofk Yf\ efnirofmeftk Yf\ to Yi\ if \ecikiof% 36% mYcif_$ Yt either Yf oherYtiofYd$ tYcticYd or ktrYte_ic dened& of ?ISS 2016 respondents say it is Therefore, it is necessary for organizations to understand how threat intelligence can increase unlikely they would be able to detect a sophisticated attack your understanding of relevant situations, and which decisions it can contribute to. Without this thinking and framing of purpose, organizations will not know which questions to ask of all the available information whether internally or epternally sourced! to reÕne the collection of information and help direct the analysis, nor how to incorporate the intelligence in decision-making processes. For cybersecurity, much of this thinking and prioritization is incorporated into systems that are programmed to collect and monitor information, but the human analysis component remains crucial. In general, organizations do not yet fully understand what to ask of CTI, or how to understand the different “levels.” For more operational roles, e.g., those associated with a security operations center (SOC), CTI will be very technical and closely related to vulnerability information; while to the CEO, “cyber threat intelligence” may equate exclusively to headlines or reports they receive on various cyber events, which may not help them understand how they could be relevant to their organization. From EY’s point of view, this lack of understanding and/or the limited application currently associated with CTI means that many organizations are missing out on one of the most powerful opportunities of the digital age — the chance to get ahead of the cyber criminal. A robust CTI program can shed light on a multitude of strategic business concerns and risks, while providing highly technical actions, countermeasures, and metrics to the cybersecurity program at large. It can potentially provide answers to questions like: Results shown in this report are What are the most signiÕcant threats facing our organization? based on Õndings from EY’s ?lobal • Information Security Survey 2015 — What assets are (potentially) being targeted, and by whom? • How can our organization protect against these cyber threats? • How can our organization use intelligence to augment and improve our security and • business operations? By building a CTI program, organizations are able to simultaneously mature existing cybersecurity processes and develop overarching insight into their speciÕc threat landscape. @oo \o yom Ôf\ the crimifYdk before they commit the cybercrime? — A close look at cyber threat intelligence | 1

Cyber Threat Intelligence Report - Page 4

What does “cyber threat intelligence” mean? ;LA ik Yf Y\nYfce\ hrocekk thYt efYbdek the or_YfirYtiof to _Yther nYdmYbde ifki_htk bYke\ of the YfYdykik of cofteptmYd Yf\ kitmYtiofYd rikck Yf\ cYf be tYidore\ to the or_YfirYtiofËk kheciÔc threYt dYf\kcYhe$ itk if\mktry Yf\ mYrcetk& The process manages the collection, analysis, integration and production of previously disjointed information for the purpose of extracting holistic, evidence-based insights 36% regarding an organization’s unique threat landscape. This intelligence can make a signiÕcant of GISS respondents do not have a difference to the organization’s ability to anticipate breaches before they occur, and its threat intelligence program ability to respond quickly, decisively and effectively to conÕrmed breaches — proactively maneuvering defense mechanisms into place, prior to and during the attack. CTI focuses on identifying and analyzing the motivations, methods, capabilities and tools of adversaries who may seek to target an organization by pairing external analysis with data that was once segmented within the enterprise. While some organizations may choose to deÕne CTI as solely a component or input driven service, it is important to note that a process based intelligence life cycle within an operational framework is required to deliver actionable results. Accordingly, a holistic CTI program consisting of processes for collecting, producing and disseminating tactical and strategic intelligence, continually augmented with timely situational awareness updates (also known as “current intelligence”), is required. This helps explain who the relevant adversary is, how and why they may be attacking the organization, what actions they could take following the initial compromise, where they may reside within the organization, and how to detect or respond to an attack. EY’s approach to cyber threat intelligence s e c ur Tactical intelligence Strategic intelligence Current intelligence o Intelligence reporting portals Indicator repositories • Social media analysis l and s • • e a Threat intelligence platform Indicator feeds and communities • Deep/dark web analysis z • • Visualization tools Analysis platforms • Open source (OSINT) analysis • • echnic Open source (OSINT) analysis T • ollect and analy Security Threat metrics and trending analysis Business Early warning operations support alignment Attack campaigns 1) C • Social media Indicator collection Research, reporting and assessments Risk assessments • • • Geopolitical events Kill chain analysis Prioritization • unctions • • F Threat modeling Emerging capabilities Hunting support Decision support • • • EY’s cybersecurity capabilities EY’s business resources External e Information at Security Incident Vulnerability Attack and Active High value Business Industry Regional sharing gr monitoring response management penetration Defense asset SMRs SMRs SMRs partners and e protection industry innovation 2) Int alliances @oo \o yom Ôf\ the crimifYdk before they commit the cybercrime? — A close look at cyber threat intelligence | 3

What does “cyber threat intelligence” mean? Ohat can CTI do for you? Organizations may already be investing in various intelligence feeds and reports, but many are still Õnd themselves asking: “what can cyber threat intelligence do for me?” The breadth and diversity of EY’s answer is often surprising: Cyber threat intelligence is more than data and technology Ç it is analyst expertise$ • reÔned methodologies$ and process%drinen integration 78% The breadth and diversity of CTI value is not realized when investment is exclusively in of GISS respondents do not use a data and technology such as threat intelligence feeds or intelligence platforms. CTI must standardized cyber threat intelligence be integrated into security and business processes, tailored to the organization’s unique sharing solution challenges, and supported by trained analysts who use rigorous methodology. Cyber threat intelligence paints the bigger picture for cey decision%macers and • places security operators ahead of the cyber attaccer As the technology ecosystem continues to deliver a stream of disruptive innovations that have positive implications for both organizations and individuals, the cyber criminal is relentlessly discovering new techniques for attacking anything, ranging from medical devices to motor vehicles that can be connected to the internet (see Faced with this expanding global attack surface, organizations can be overwhelmed by the amount of noise related to cyber attacks and the potential impacts those attacks may have for their business. Even when an organization possesses security data that could be used to inform decision makers, information is often spread across the business in such a way that establishing a single, business-centric view of the organization’s unique threat landscape appears out of reach. With cybersecurity at the top of the agenda in many boardrooms, EY believes that organizations require access to bespoke strategic insights that will inform leaders of the most salient threats facing their organization. CTI delivers these insights by integrating previously siloed security data from across the enterprise with external context to provide a holistic perspective of the organization’s threat landscape. This integrated approach strengthens the organization’s security posture by empowering stakeholders with an informed perspective on how cyber threats are relevant to their areas of responsibility. Additionally, CTI can empower a proactive approach by introducing a robust operational framework to counter adversaries that includes the proper governance structure and security operations maturity. Cyber threat intelligence is the enabler to more proactine security approaches • Simply reacting to a cyber adversary’s actions against your organization is certainly not an ideal security posture. EY’s believes that taking an Active Defense approach will enhance the organization’s current cybersecurity and focus operations on preventing the enterprise’s most likely adversaries from achieving their speciÕc objectives (theft, fraud, market manipulation, etc.) This focus is realized from insight generated by an integrated Cybersecurity Transformation program combined with analytical CTI. 4 | @ow do you Ônd the criminals before they commit the cybercrime? — A close look at cyber threat intelligence

Active Defense The “active” part of Active Defense is realized by the execution of deliberately planned sets of defensive operations that are known as “missions.” The use of the term “mission” conveys the fact that the operational process proceeds with a signiÕcant amount of analytical rigor and discipline in order to achieve maximum effectiveness in accomplishing the organization’s security goals. Missions are planned in response to speciÕc threat intelligence in the unique context of the defended organization. Active Defense benefits are clear: • For the security operations team, Active Defense provides a deÕned set of improvement activities rationalized by CTI and connected to achievable objectives. The team builds countermeasures, hunts hidden intruders, and fortiÕes defenses based on real reporting about the behavior of real attackers. • For decision-makers, Active Defense connects resource deployment directly to measures of cybersecurity program effectiveness. Instead of focusing on performance measures like the “number of patches applied” and the “number of tickets closed,” effectiveness is demonstrated via a decrease in successful targeted attacks and a decrease in the time required in discovering and eradicating the attacks that were successful. For more information, please see

How industry is leveraging CTI Today’s marcet emphasis is on delinering CTI in the form of subscriptions and By attaining evidence- intelligence nisualization platforms3 but because subscriptions and intelligence based insight to nisualization platforms are not supported by an operational frameworc$ they result in cybersecurity and the a reactine security posture rather than an 9ctine

Subscriptions Not all threat intelligence subscriptions provide the same things. Many provide low-volume, high-conÕdence indicators and reports; others provide considerable volume with variable conÕdence; and some providers may focus on one type of threat (e.g., advanced persistent threats, cybercrime or hacktivism). This intelligence may come from dark web or deep web analysis, proprietary collection mechanisms and/or analysis of open source information. 20% The process of identifying and vetting data that is valuable for a speciÕc organization is of organizations outsource their threat challenging due to the sheer volume of these types of open, paid and internal sources. Even intelligence collection and/or feeds when sources are selected and data collection begins, many organizations are not capable of ingesting the full scope of what is provided (e.g., Indicators of Compromise (IOCs)), or determining action from data-heavy reports. Importantly, pivotal context surrounding information provided in feeds and reports is often missing, leaving the organization trying to understand the relevance without the background of why the data is important. Subscriptions should not just be limited to the automatic integration of feeds and electronic delivery of reports, but rather should be custom-Õtted to the industry and the organization’s needs in order to enable actions. This can be achieved by the provider working with the organization to determine the right selection of subscription offerings, which can be a combination of: Tailored technical indicator feeds for automatic integration 14% • • Informative webcasts and training events to target the operationalization of threat of organizations outsource their threat intelligence intelligence analysis Analyst-delivered brieÕngs to inform both security operators and executives • Industry- and business-speciÕc reporting on current events, emerging cyber threats and • trends on customized time schedules to meet operational needs (daily, weekly, etc.) Timely event-driven updates with analysis on signiÕcant and relevant cyber events • Having direct analyst support to deliver products, provide brieÕngs, answer intelligence related questions, and tailor analysis and recommendations to an organization’s threat landscape is pivotal for maximizing the use of subscription services. 50% Intelligence platforms of organizations have analysts that read and subscribe to speciÕc open Some threat intelligence solutions provide a combination of feeds in a technological source resources to keep their security platform that enable visualization of data, and with such a large number of cyber threat operations center (SOC) up to date intelligence providers to choose from, organizations can be tempted to select vendors offering this type of pre-conÕgured, stand-alone solution because these types of vendors are often immediately available and can initially appear to be more cost-effective. However, upon purchasing this service, organizations often realize that they have been left to make that data actionable and relevant for themselves, have little ownership of the data, and are at potential risk for contract fee increases while not fully realizing the value of their purchase. Intelligence platforms can be a crucial component to cybersecurity when combined with key processes within a mature intelligence program to visualize collected data and support long-term trending. Trending analysis can provide valuable insight speciÕc to the organization and to industry by showing changes in adversary tactics, techniques, and procedures (TTP) over time, and patterns in intelligence of value determined when key stakeholders take 41% the time to document their intelligence requirements. This analysis is most effective when of GISS respondents say their SOC captured in a way that leaders Õnd meaningful to business risk decision-making and the has a paid subscription to cyber prioritization of countermeasures and remediation activities. threat intelligence feeds @ow do you Ônd the criminals before they commit the cybercrime? — A close look at cyber threat intelligence | 7

How industry is leveraging CTI The view today CTI marcet denelopment The development of mature CTI programs within a cybersecurity framework is the natural evolution of threat intelligence services beyond purchased subscriptions, feeds, and technical platforms. It is a long-term investment, which requires dedication and key stakeholders that can realize the lasting beneÕts this type of service provides. These long- 66% term visions among stakeholders are emerging despite conducting business in a world do not regularly present the threat that promotes smaller immediate value to cybersecurity over growing a more mature and landscape to the top governing structure secure posture over time. Intelligence services of this kind include a customized approach in the organization to governance, people, processes, technology and data. A robust CTI integration is grounded in tailored assessments that answer speciÕc stakeholder questions, consider the organization’s unique threat landscape, and provide immediate operational value with thorough recommended actions. To support this, organizations should consider developing a CTI program and also conduct a periodic assessment of how the threat landscape might affect them. CTI programs • A CTI program will help to enable the capability within an organization’s security operations structure to collect, analyze, produce and integrate its own and external 31% intelligence. The design, build, and operations development of a CTI program supports of GISS respondents say their SOC has simultaneous growth within corresponding security operations, allowing the organization dedicated individuals focusing solely on to ingest increasingly more robust threat intelligence, subsequently keeping the business cyber threat intelligence from being overwhelmed by data: this also allows them to take actions they are ready for, and to identify what must be additionally matured to take further actions. CTI assessments • Currently, in the marketplace there are gaps between an organization digesting threat intelligence and an organization then integrating the intelligence into operations. A common theme is frustration with where to start. CTI can be implemented incrementally, allowing small investments to improve and mature other areas of cyber threat management in a way that maximizes return on investment. Tailored assessments gather the pertinent facts and organize the pros and cons of various program attributes to promote a process-oriented approach, providing immediate insights and an evaluated look at where organizations can start integrating CTI. These assessments can answer speciÕc business questions providing a clear way forward through Q recommendations. 8 | @ow do you Ônd the criminals before they commit the cybercrime? — A close look at cyber threat intelligence

Cyber Threat Intelligence Report - Page 11

The case for operationalizing CTI A common challenge that permeates the industry is how best to make use of CTI: Operationalizing CTI How can an organization go about making CTI relevant and actionable? is necessary to derive • How can an organization integrate relevant and actionable intelligence into security • anything more than a operations? false sense of security Purchasing threat intelligence subscriptions, feeds, and/or reporting does not answer these from having read a questions; neither does installing a cutting-edge threat intelligence platform. Only through report or purchased an the unearthing of an organization’s unique CTI requirements and the designing of custom integration processes can the organization truly operationalize CTI. intelligence feed. However, EY has noted several issues that limit the operationalization of CTI. One issue is a lack of consolidation of intelligence sources (i.e., multiple subscriptions owned by the organization used by different divisions and not shared); another issue is the inability to maintain platforms or integrate intelligence results in shelved appliances; other organizations may have an inability to properly integrate purchased intelligence feeds into security technologies, which limits the ability to use the intelligence purchased in a meaningful way. Intelligence requirements Intelligence requirements are how an organization steers and scopes their CTI efforts in order to ensure they gain the right insight and the ability to operationalize the intelligence. The requirements are speciÕc and singular questions that an organization does not currently have a complete or current answer to and whose answer will add value to the business. Requirements should be developed based on multiple stakeholders operations, concerns and gaps in knowledge. In this way, the intelligence requirements will take on the shape and feel of the organization and become equally unique and diverse. For example, a manufacturing organization with a global presence will have global supply chain-related intelligence requirements, whereas a regional Õnancial organization may not. By identifying speciÔc iuestions that an organization needs answered$ they can target their intelligence collection and production to support operations and decision%macing Intelligence collection should take place both internally and externally to the organization. Internal data collected might include network event data, vulnerability scan data, and incident response reporting. Externally-derived data could include deep and dark web activity, social media and forum discussions, geopolitical news, and third-party reporting on adversaries and their activities. Many companies choose to purchase their externally derived intelligence through subscriptions and feeds. There are so many options and combinations of external and internal data to collect that deciding what to collect or purchase can be daunting. Many 54% organizations end up with data fatigue and signiÕcant amounts of data that they are not of GISS respondents say their information making use of, resulting in an absence of operationalizing CTI. By predeÕning intelligence security strategy is aligned with the requirements, an organization can focus its efforts and determine the most relevant cross organization’s business strategy section of collected sources for the organization. 10 | @ow do you Ônd the criminals before they commit the cybercrime? — A close look at cyber threat intelligence

It is not enough to simply collect the data — it must be used to paint the bigger picture of what is happening in the organization’s threat landscape. To do this, the data must be monitored, analyzed, trended, quantiÕed into metrics and then delivered to the appropriate audience to take action upon — daily, weekly, monthly, quarterly, yearly and even on-demand reporting can all serve to complete this picture. Intelligence production must answer different groups of stakeholder questions to the right level of operational detail, in a timely manner and in an ingestible format. 47% In this way, purchasing reporting, which is sold to multiple organizations, often does of organizations say their information not account for the speciÕc operational needs of your own organization, and it is security function reports to board-level for this reason that more and more organizations are asking how to make use of stakeholders less than twice a year threat intelligence reporting. Mniquely deÕned requirements, focused collection, and operational driven production are the answers. Using the intelligence to support the entire organization Cyber threat intelligence supports both decision%macers and security operations Collected and produced CTI must be integrated through processes designed to support both decision makers and security operations. The input processes and output products of a CTI program should be designed with the goal of improving cyber threat awareness across the entire organization at a variety of levels. EY believes that this can be achieved when CTI is viewed through the lens of “tactical,” “strategic” and “current” intelligence components and delivered to relevant stakeholders. CTI program components Tactical intelligence Strategic intelligence Current intelligence Acts as a force multiplier for internal Translates cyber threats into Rapidly delivers early warnings of • • • security operations to improve business risk the latest threats to stakeholders organizational threat posture Empowers business decision-makers across the organization • Drives agile, Öexible strategic and Provides technical intelligence that to prioritize short-term strategic • • actions tactical intelligence functions can be rapidly integrated within an organization’s native sensor and Same-day analysis of emerging Translates cyber threats into • Õrst line of defense capabilities • vulnerabilities with suggested Leverages adversary life cycle business risk remediation actions • analysis to reÕne various security operations functions @ow do you Ônd the criminals before they commit the cybercrime? — A close look at cyber threat intelligence | 11

The case for operationalizing CTI Strategic%level intelligence analysis processes that directly support business operations • include prioritization analysis, risk assessments, and predictive analysis. All of these analytical processes require robust data sets and entail painstaking trending and analysis, but they provide valuable insight that can support decision-makers. Tactical level intelligence analysis processes directly support SOCs around the • adversary life cycle analysis. Intelligence Initial Command Privilege Data gathering exploitation and control escalation extraction Background Initial attack Eatablish Enable Enterprise Move Escalate Gather and Steal data Maintain research foothold persistence recon laterally privilege encrypt data presence By analyzing adversary activity across the life cycle of actions taken by the cyber criminal, tactical CTI analysts are able to: 1 Integrate known adversary tactics, techniques, and procedures into various security operations a& Focus more precise efforts to identify the adversaries’ activities earlier in the life cycle b& Target efforts to locate adversaries and identify damage post-breach 2 Develop threat models that illustrate likely adversary activity a& Informed analysis on adversaries likely to impact the organization, which assets they may target, and what network paths the adversary may take b& Provide threat models to attack and penetration professionals to actively emulate likely attacks 3 Create the first line of defense for internally derived network collection a& Collect essential network event data that supports strategic trending an analysis b& Provide network activity insight beyond the length of log capture 12 | @ow do you Ônd the criminals before they commit the cybercrime? — A close look at cyber threat intelligence

Current intelligence processes support both business operations and security • operations by focusing on getting the most timely data and rapid analysis to various The case for CTI — analysts and stakeholders. Current intelligence analysts are the Õrst line of defense example scenario for identifying relevant external intelligence and routing it to the parties that need to operationalize the intelligence. In this way, current intelligence is pivotal in ensuring With the rapidly changing threat timely operationalization of CTI. landscape and the impact of attacks All levels of intelligence are operationalized into remediation and countermeasure seemingly becoming higher, getting operations. In fact, intelligence-driven countermeasure operations are a guiding principal to ahead of potential attacks and EY’s point of view on 9ctive Defense — a deliberately planned and continuously executed vulnerabilities has been a major win campaign to identify and eradicate hidden attackers and defeat likely threat scenarios for some organizations that have targeting your most critical assets. improved their CTI capabilities. For Intelligence-driven remediation and countermeasure operations include processes that many organizations without insight enable the operationalization of CTI: into what is changing or further, insight into what their own current • Threat intelligence support to incident response plans posture is, getting panicked questions • Alerting upon and recommending actions for vetted current intelligence from executives can make an already • Targeting security operations along the paths of developed threat models. complicated situation that much more stressful. All of these processes will be unique to your organization’s operations and challenges. Q During several of the recent breaches where a speciÕc attack vector or vulnerability has been used, the organizations’ security teams not only CTI program maturity model were able to address those questions, Active Defense but in some cases pre-empt the • How can we mature discussion with a call to state that they Refine processes integration to get ahead? were aware of what was happening, • How can we do it better? Informing business and able to state if they were secure decisions • What should we do? against the speciÕc threat or, if not Data analysis secure, what the teams were doing to • How and why? remediate the situation quickly. Information These types of wins not only reduce sharing Optimized stress for the security team, but also • How and Managed • Generated and with who? • Lessons learned actionable intelligence bolster conÕdence in the abilities of Defined improved performance driving informed Data gathering business decisions the security team. • Who, what • Long-term • Learning how to ask the planning “right“questions • Effective tasking of when? Developing intel assets • Strategic intelligence Initial • Tactical intelligence Identifying requirements • Aligned to business • Security strategy @ow do you Ônd the criminals before they commit the cybercrime? — A close look at cyber threat intelligence | 13

Conclusion The future of cyber threat intelligence Despite CTI not being fully proliferated within the marcetplace$ organizations will need to continue to adapt to change in the cyber threat landscape to better understand how threat intelligence can reduce their over%all business risc& CTI discussions surrounding business risc rather than bust security risc will become more and more common& Mnderstanding cyber threat riscs to the business’s Ônances$ reputation$ information and operations will continue to broaden the discussion beyond a security or technology audience& Short-sighted and pressured organizations will continue to buy threat intelligence feeds and technologies, without aligning such investments to a long-term vision for governance, integrated processes and unique business requirements. However, more and more companies will begin focusing on building a robust threat intelligence capability and/ or using tailored intelligence to answer their speciÕc business questions; this will lead to greater investments in the process design surrounding CTI and industry/organization tailoring of threat intelligence. Leading organizations will focus more heavily on customizing available CTI on their own, and become more willing to share threat intelligence with others in their ecosystem in order to make the threat intelligence actionable; this will lead to a greater distaste for proprietary protection of valuable intelligence context from intelligence vendors. In turn, CTI vendors will need to become more focused on providing details on how the adversary operates (dynamic indicators) than on sharing singular indicators of compromise (static indicators) that lack context. The Õnancial and government sectors will continue to lead the way in process-driven integration of CTI and information sharing. Industries with increasing risk and unique challenges, such as oil and gas, retail, health care, food and agriculture will increase investment in the area of CTI and, as these industries continue to evolve their threat intelligence capabilities, and they will undoubtedly contribute to the further development of the best practices in cybersecurity. CTI will help to enable organizations to leverage next generation security concepts such as: threat modeling, Active Defense, and advanced countermeasure operations. The aim will be to develop repeatable processes that are effective for all organizations in transitioning from a reactive security posture to a proactive approach. Organizations will better appreciate the need for understanding their own environment at a much deeper level in order to achieve this. There will be increased investment in the detailed mapping of networked environments, the long-term storage and visualization of security operations data, the identiÕcation and valuation of high value assets, governance and process design surrounding currently siloed security capabilities, the war-gaming of cyber scenarios against such assets, and the testing of countermeasures. Threats change over time, as do risks. EY believes that CTI processes can help organizations get ahead of those threats, mitigate the risks, and ultimately, ensure the success of the organization. 14 | @ow do you Ônd the criminals before they commit the cybercrime? — A close look at cyber threat intelligence

How can EY help? EY provides CTI advisory services around assessments, program builds, program support, and subscription services to clients around the globe. EY can also enable seamless integration for organizations wanting to integrate third-party cyber threat intelligence into security operations. Additionally, EY can help bridge the gap between tactical and technical aspects of CTI and help enable more strategic discussions that impact business decision-making. Throughout the development and maturation of a CTI program, EY: • Supports clients in maturing their processes to be able to ingest increasingly more robust threat intelligence • Helps create the in-house capability to translate technical/tactical intelligence into strategic insights for business decision-makers • Helps prevent clients from drowning in data and produces relevant intelligence • Provides a personalized look at our client’s threat landscape and identiÕes what must be matured to take further action • Pinpoints key internal/external information-sharing opportunities • Assists with technology selection and solutions architecture

Want to learn more? Insights on governance, risk and compliance is an ongoing series of thought leadership reports focused on IT and other business risks and the many related challenges and opportunities. These timely and topical publications are designed to help you understand the issues and provide you with valuable insights about EY’s perspective. Please visit EY’s Insights on governance, risk and compliance series at: Cyber threat intelligence: Creating trust in the digital world: Enhancing your security operations with Designing, building and operating an EY’s Global Information Security Active Defense effective program Survey 2015 Achieving resilience in the cyber ecosystem Cyber program management: identifying Cybersecurity and the Internet of Things ways to get ahead of cybercrime Using cyber analytics to help you get There’s no reward without risk: Unlocking the value of your program on top of cybercrime: Third-generation EY’s global governance, risk and investments: How predictive analytics can Security Operations Centers compliance survey 2015 help in achieving successful outcomes 16 | @ow do you Ônd the criminals before they commit the cybercrime? — A close look at cyber threat intelligence

If you were under cyber attacc$ would you ever cnow? As many organizations have learned, sometimes the hard way, cyber attacks are no longer a matter of if, but when. Hackers are increasingly relentless. When one tactic fails, they will try another until they breach an organization’s defenses. At the same time, technology is increasing an organization’s vulnerability to attack through increased online presence, broader use of social media, mass adoption of mobile devices, increased usage of cloud services, and the collection and analysis of big data. Our ecosystems of digitally connected entities, people and data increase the likelihood of exposure to cybercrime in both the work and home environment. Even traditionally closed operational technology systems are now being given IP addresses, enabling cyber threats to make their way out of back- office systems and into critical infrastructures such as power generation and transportation systems. Anticipating cyber attacks is the only way to be ahead of cyber criminals. With our focus on you, we ask better questions about your operations, priorities and vulnerabilities. We then collaborate with you to create innovative answers that help you activate, adapt and anticipate cybercrime. Together, we help you design better outcomes and realize long-lasting results, from strategy to execution. We believe that when organizations manage cybersecurity better, the world works better. So, if you were under cyber attack, would you ever know? Ask EY.

EY | Assurance | Tax | Transactions | Advisory About EY’s Advisory Services 9bout EY In a world of unprecedented change, EY Advisory believes a better working world means EY is a global leader in assurance, tax, helping clients solve big, complex industry issues and capitalize on opportunities to grow, transaction and advisory services. The insights optimize and protect their businesses. and quality services we deliver help build Through a collaborative, industry-focused approach, EY Advisory combines a wealth of trust and conÕdence in the capital markets consulting capabilities — strategy, customer, finance, IT, supply chain, people advisory, and in economies the world over. We develop program management and risk — with a complete understanding of a client’s most complex outstanding leaders who team to deliver on issues and opportunities, such as digital disruption, innovation, analytics, cybersecurity, our promises to all of our stakeholders. In so doing, we play a critical role in building a risk and transformation. EY Advisory’s high-performance teams also draw on the breadth better working world for our people, for our of EY’s Assurance, Tax and Transaction Advisory service professionals, as well as the clients and for our communities. organization’s industry centers of excellence, to help clients realize sustainable results. EY refers to the global organization, and may True to EY’s 150-year heritage in finance and risk, EY Advisory thinks about risk refer to one or more, of the member Õrms of management when working on performance improvement, and performance improvement Ernst  Young Global Limited, each of which is a separate legal entity. Ernst  Young Global is top of mind when providing risk management services. EY Advisory also infuses Limited, a UK company limited by guarantee, analytics, cybersecurity and digital perspectives into every service offering. does not provide services to clients. For more EY Advisory’s global connectivity, diversity and collaborative culture inspires its consultants information about our organization, please visit to ask better questions. EY consultants develop trusted relationships with clients across the ¡ 2016 EYGM Limited. C-suite, functions and business unit leadership levels, from Fortune 100 multinationals to All Rights Reserved. leading disruptive innovators. Together, EY works with clients to create innovative answers EYG no. AU3750 that help their businesses work better. ED None The better the iuestion& The better the answer& The better the world worcs& In line with EY’s commitment to minimize its impact on the environment, this document has been printed Our Risk Advisory Leaders are: on paper with a high recycled content. This material has been prepared for general informational ?lobal Jisc Deader purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer Paul van Kessel +31 88 40 71271 [email protected] to your advisors for speciÕc advice. 9rea Jisc Deaders Americas Amy Brachio +1 612 371 8537 [email protected] EMEIA Jonathan Blackmore +971 4 312 9921 [email protected] Asia-Pacific Iain Burnet +61 8 9429 2486 [email protected] Japan Yoshihiro Azuma +81 3 3503 1100 [email protected] Our Cybersecurity Leaders are: ?lobal Cybersecurity Deader Ken Allan +44 20 795 15769 [email protected] 9rea Cybersecurity Deaders Americas Bob Sydow +1 513 612 1591 [email protected] EMEIA Scott Gelber +44 207 951 6930 [email protected] Asia-Pacific Paul O’Rourke +65 8691 8635 paul.o’[email protected] Japan Shinichiro Nagao +81 3 3503 1100 [email protected]