Enhancing your Security Operations with Active Defense

Insights on governance, risk and compliance E nhancing your security op erations w ith A ctiv e D efense

C ontents Introdu ction 1 W hat is A ctive D ef ense? 3 P reparing an A ctive D ef ense 5 C ondu cting an A ctive D ef ense 7 Is A ctive D ef ense right f or me? 1 5

Introdu ction The next iteration of continu ou s improvement S ecu rity operations prof essionals have read the headlines and seen the reports of cy b er attackers grow ing more sophisticated and ever more destru ctive. A ccording to the trends identified by EY’s latest Global Information Security Survey* (GISS), most organizations are stru ggling to keep pace. O u r 2 0 1 4 su rvey indicated that 4 9 % of respondents ex pected their security budgets to remain “about the same.” Although our 2015 survey saw this figure drop to 39%, the percentage of organizations that reported plans to increase spending by 5 % - 2 5 % grew b y a mere 4 % . M any secu rity teams w ill f ace another y ear w ith the same or f ew er resou rces than they had this y ear. 8 8 % B eing ab le to ef f ectively deploy the secu rity resou rces that have b een allocated can also challenge an organization. Seventy-one percent of respondents rated the likelihood that of Inf ormation S ecu rity their organization would detect a sophisticated cyber attack at less than 50%. The most f u nctions do not f u lly meet common ob stacle cited f or secu rity program ef f ectiveness w as “ b u dget constraints” at the organizational needs* 62% with “lack of skilled resources” close behind at 57%. The cumulative effect of all these difficulties is well documented; the average time elapsed between breach occurrence and b reach discovery remains at 2 0 5 day s! 1 H ow can organiz ations im p rov e? E Y bel iev es that the answ er is A ctiv e D efense. The following four chapters of this report will introduce EY’s perspective on Active 1 1 % Defense and will show cyber defenders how their organization could adopt it to help enhance its cy b ersecu rity : of GISS respondents reported u sing data analy tics to detect W hat is A ctiv e D efense? secu rity b reaches. • EY’s vision of Active Defense defined • W hat does A ctive D ef ense add to the ex isting secu rity operations program? • How does Active Defense fit into a holistic cybersecurity program? * Results shown in this report are based on findings from EY’s Global P rep aring an A ctiv e D efense Inf ormation S ecu rity S u rvey 2 0 1 5 — ey . com/ giss2 0 1 5 • W hat are the prereq u isites to estab lishing an A ctive D ef ense program? • What must I understand about my organization to enable Active Defense? Insights on governance, risk and compliance • W hat mu st I u nderstand ab ou t my adversaries f or an A ctive D ef ense to su cceed? Creating trust in Conducting an A ctiv e D efense the digital w orl d E Y ’s G lobal Inf ormation S ecu rity S u rvey 2015 • W hat are the components of an A ctive D ef ense? • W hat is an A ctive D ef ense mission? • W hat ty pes of missions can I condu ct w ith A ctive D ef ense? Is A ctiv e D efense right for m e? • What are the benefits of an Active Defense? • Is my organization ready to implement an Active Defense? • How can EY help me prepare to conduct an Active Defense in the future? 1 M-Trends 2015: A View from the Front Lines — Annual Report, Mandiant (a Fire Eye company), 2015. E nhancing y ou r secu rity operations w ith A ctive Def ense | 1

2 | Enhancing your security operations with Active Defense

W hat is A ctive D ef ense? To understand how Active Defense can help improve security program effectiveness, we need an analogy. Many organizations think of the ideal enterprise network as a castle or A ctive D ef ense is a fortress: this mental model inclu des thick stone w alls, gu ard tow ers and may b e even a delib erately planned moat. C astles may keep real- w orld invaders at b ay , b u t w e have learned time and again that determined attackers nearly alw ay s su cceed in penetrating even the most secu re netw orks and continu ou sly via targeted attacks. Security professionals can’t rely on the integrity of the network’s ex ecu ted campaign perimeter and mu st operate u nder the assu mption that u ndetected maliciou s activity is present nearly all the time. to identif y and help A more appropriate analogy might be the enterprise network as a contemporary city. This eradicate hidden analogy w orks on several levels. C onsider the evolving w ay s that w e access data. U sers attackers and def eat have mu ltiple rou tes into and ou t of the netw ork throu gh company w orkstations, personally owned mobile devices, cloud storage and more. This means that legitimate users and likely threat scenarios intru ders b oth have nu merou s opportu nities to engage in u nseen activities. J u st as any city targeting y ou r most of sufficient size experiences near-constant unpoliced criminal activity, expanding network size and complexity have confounded defenders’ ability to monitor in near real-time as well. critical assets Indeed, respondents to EY’s 2015 GISS that reported experiencing significant incidents revealed that only 4 5 % of detected incidents w ere discovered b y the S ecu rity O perations Center (SOC). To maintain order, the castle guards of old evolved into the modern police, and secu rity operations prof essionals mu st evolve as w ell. W hat does A ctive Def ense add to the ex isting secu rity operations program? Let’s carry our analogy into the SOC. The security operations team comprises the enterprise’s network police force. Security monitoring with network and endpoint tools is akin to sending officers out to enforce speed limits and watch for crime. In the real world, patrol officers are effective at deterring and defeating the criminals that they can actually see. However, they aren’t effective at defeating the sophisticated crime that occurs behind closed doors and in areas that aren’t patrolled. For this, the city needs detectives. Rather than patrolling and monitoring, detectives cultivate informants, investigate leads, analyze evidence and actively hu nt su spects. How does Active Defense fit into a holistic cy bersecu rity program? M ost secu rity operations teams lack the “ detective” capab ility , and this is w here A ctive Defense can enhance organizational effectiveness. By employing a deliberate operational cy cle to plan, ex ecu te, and review intelligence- driven activities to help implement targeted cou ntermeasu res, f ortif y def enses and hu nt intru ders, A ctive D ef ense practitioners provide the organization with the capability to identify and help eradicate latent attackers that circu mvent traditional secu rity monitoring and target y ou r intellectu al property and b u siness sy stems. E nhancing y ou r secu rity operations w ith A ctive Def ense | 3

P reparing an A ctive D ef ense What are the prerequisites to establishing an Active Def ense program? A ctive D ef ense resu lts f rom the f u sion of timely threat intelligence w ith delib erately planned and executed proactive measures that help combat specific threat scenarios. A ctive D ef ense does not replace traditional secu rity operations. Instead, A ctive D ef ense organizes and enhances the existing security operations program. Conducting an Active D ef ense req u ires some preparation in order to achieve max imu m ef f ectiveness. A ctiv e D efense integration into security op erations Global integrated security operations Research and development O perate Integrate s t u p n I E Y attack and C y ber S ecu rity Incident Vulnerability A ttack and S of tw are penetration E Y data research monitoring response management penetration secu rity team scientists laboratory M onitor S ecu re Enable C y ber threat intelligence Service integration layer Anomaly P roactive Attack life cycle T hreat actor analysis endpoint analysis identification and f orensics targeting s H unting n S u rge C y ber recon- by - Def ended asset Indicator analysis and o monitoring fire activities A nal ysis identification prioritiz ation ti ra e p A ctive O D ef ense M ission p l anning Complex C ou nter- measu re C ou ntermeasu re T hreat scenario vulnerability development deployment validation identification Fortification First, cyber defenders must ensure that they have a clear understanding of the assets most coveted by potential attackers. In EY’s 2015 GISS, 23% of organizations with an SOC stated that their S O C , “ does not interact w ith the b u siness” and only 2 3 % reported that their S O C “ is tightly integrated, meeting w ith the heads of b u siness operations regu larly to understand business concerns and risks.” This interaction is key and also missing from many secu rity programs. Thoughtful conversations between security practitioners and business leaders produce a listing of assets to be defended. These are generally associated with critical business f u nctions and consist of important applications and sy stems along w ith sensitive 4 | E nhancing y ou r secu rity operations w ith A ctive Def ense

data repositories. R elevant assets w ill b e those that su b j ect the b u siness to seriou s consequences should they be manipulated, stolen, or taken offline. Examples include intellectu al property , research and development data su pporting f u tu re innovation, employees’ or customers’ personally identifiable information, payment card information for clients, and the indu strial control sy stems that su pport critical b u siness f u nctions. What must I understand about my organization to enable 2 3 % A ctive Def ense? N ex t, def enders mu st develop an u nderstanding of w hat “ normal” means f or the netw ork. of organizations with an SOC stated that their S O C “ does not Typically, this is referred to as a “baseline” in the context of security. However, much of interact with the business.”* this baseline lives in the minds of the IT staff rather than in security monitoring tools. This understanding is important for enhancing the security operations function, because A ctive D ef ense inclu des strong anomaly analy sis and hu nting components. M any activities ex ecu ted b y intru ders avoid triggering au tomated secu rity monitoring tools b ecau se they don’t fit the typical procedures, inputs or models of known attack signatures. Instead, they u se compromised credentials or illicit accou nts and b lend w ith regu lar u ser b ehavior. However, alert and experienced security analysts may recognize malicious activity when they see it, provided they have a model f or normal b ehavior on the netw ork. W hat mu st I u nderstand abou t my adversaries f or an A ctive Def ense to su cceed? 2 3 % Finally, defenders need an understanding of the threat actors that are likely to target their organization. Many security teams simply assume that they are targeted by the of organizations reported that, big-three nation state adversaries, organized crime groups and hacktivists. Although this “ O u r S O C is tightly integrated, may b e tru e, additional insight is req u ired in order to craf t an A ctive D ef ense. W ithin each meeting w ith the heads of grou p, motivations and capab ilities vary w idely . D ef enders shou ld w ork closely w ith threat b u siness operations regu larly intelligence providers to paint an accu rate portrait of the threat landscape w ith as mu ch to u nderstand b u siness concerns and risks.”* detail as possible. If possible, specific threat actors should be named and analyzed to gain insight that w ill b e leveraged in def ensive activities. A ctiv e D efense Conduct A ctiv e D efense m issions S tage 4 P lan, ex ecu te, review , repeat Identify and profile most lik el y threat actors t S tage 3 Inj ect timely intelligence to drive mission selection A dd env ironm ental contex t Insigh D evelop/ leverage netw ork and endpoint activity b aselines S tage 2 Identify internal critical assets Descriptively profile at both business and technical level S tage 1 E nhancing y ou r secu rity operations w ith A ctive Def ense | 5

6 | Enhancing your security operations with Active Defense

C ondu cting an A ctive D ef ense A ctive D ef ense consists of delib erately planned and ex ecu ted def ensive actions called “missions.” Each mission is followed by activities designed to capture lessons learned and enhance organizational learning. Missions include one or more specific objectives and a defined end-state, and they may last between one day and several weeks. Mission ob j ectives ty pically inclu de the implementation of one or more targeted cou ntermeasu res to defeat specific threat scenarios or deliberately planned activities to identify hidden intruders (hunting). A lthou gh individu al missions may take the f orm of proj ects, an A ctive D ef ense program is conducted as an iterative operational cycle. Each cycle focuses on defending a specific asset or group of assets from a specific threat actor and may include one or more missions. The operational cycle includes phases for planning, mission execution (of one or more missions) and cycle review. Each mission within the operational cycle also includes analogou s phases f or planning, ex ecu tion and review . Identif y likely W eekly Analyze threat actors and Define desired Plan CTI brief scenarios end- state H igh- valu e asset or adversary f ocu sed Realize improvements M aintain D el iberatel y E x ecu te p l anned, m ission H arden focused Com p l icate H u nting or fortification R eview C aptu re lessons A chieve desired learned end- state E nhancing y ou r secu rity operations w ith A ctive Def ense | 7

W hat are the components of an A ctive Def ense? Cyber threat intelligence (CTI) helps lay the groundwork for Active Defense and provides context and guidance during operations. Once likely adversaries have been identified, defenders work with their threat intelligence provider to identify specific tactics via cyber kill chain analy sis. K ill chain analy sis is the division of the steps taken b y an adversary as part of an attack into individu al “ b u ckets” that correspond to the links of the kill chain. A lthou gh researchers f rom L ockheed- M artin originally introdu ced this concept in a 2 0 1 1 w hite paper,3 there are a number of variants. Regardless of variant, identification and analy sis of tactics is key . Typ ical attack l ifecycl e Intel l igence Initial ex p l oitation Com m and and control P riv il ege escal ation Data exfiltration gathering B ackgrou nd Initial attack Establish Enable Enterprise M ove Escalate Gather and S teal research f oothold persistence reconnaissance laterally privilege encry pt data data • S earch • Z ero day s • M alw are • R oot kits • N etw ork • S tolen • R oot kits • FTP and • FTP and engines • S ocial installation • Trojans scanning credentials • Trojans email email Tactics • P u b lic engineering • S tolen • A ccou nt • R emote • A ccou nt • Z IP and R A R • W eb releases • S pear credentials creation desktop creation compression posting • External phishing connections • M alw are • Encrypted scanning • Establish encry ption C 2 tu nnels • W ater V P N s holing A P T X P riority 1 R & D • W eb • Executives • W orkstations • S ecu rity • S hares • S hares • A dmin • S hares • pdf , doc, servers and • W eb applications • W orkstations • W orkstations accou nts • W orkstations x ls, ppt • External assistants servers • O perating • S ervers • R & D data applications • R emote sy stems • S ervers • S ervers • S ervers w orkers • R ou ters • R ou ters • R ou ters • pdf , doc, Targets • S ocial x ls, ppt media 3 Hutchins, Eric, Michael Cloppert, and Rohan Amin, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” Lockheed Martin Corporation, 2011. 8 | E nhancing y ou r secu rity operations w ith A ctive Def ense

B esides know n tactics, additional data collected and mapped f or relevant threat actors inclu des: • A ttacker sou rce IP ranges • M alw are metadata • Typical hardware or software leveraged by the attacker • Typical hardware or software targeted by the attacker • Typical times of attacker operations 3 1 % of respondents say their S O C For each defended asset, defenders also gather: has individu als f ocu sed solely on cy b er threat intelligence • H ardw are or sof tw are u sed to access the sensitive data and b u siness processes • Patch level and patching schedule for identified hardware and software • P reviou s attack inf ormation • D etailed identity and access inf ormation associated w ith the resou rce This information is supplemented with intelligence about current events in the organization’s industry to determine who is attacking peers and for what purpose. Industry peers are a great source to develop first-hand insight about the latest tools, tactics and procedu res u sed b y attackers. 5 0 % 3 5 % of respondents say that they have a matu re or very matu re inf ormation of responders say their S O C has secu rity strategy analy sts that read and su b scrib e to specific open-source resources O nly 1 2 % of organizations perform all security operations functions in-house 2 3 % of S O C s do not interact w ith the b u siness 2 9 % of S O C s collab orate and share data w ith other pu b lic S O C s 4 3 % of S O C s collab orate and share data w ith others in their indu stry 4 2 % of SOCs have not detected a significant incident O nly 1 9 % of SOCs have discovered a significant cybersecurity incident O nly 4 7 % of organizations think their SOC would be likely to detect a sophisticated attacker. Enhancing y ou r secu rity operations w ith A ctive Def ense | 9

W hat is an A ctive Def ense mission? A key facet of Active Defense is the enhanced operational focus and effectiveness realized throu gh the delib erate planning of A ctive D ef ense missions. S ecu rity teams ty pically harden their def enses on an ad hoc b asis, implementing indu stry b est practices w hen they have time or in reaction to high-profile vulnerability announcements. By contrast, Active Defense missions are planned and executed to proactively defeat specific threat scenarios and uncover hidden intruders in the network. This means that defenders’ time is spent deterring and defeating the enterprise’s most likely attackers rather than an undefined or nonspecific adversary. W hat ty pes of mission can I condu ct w ith A ctive Def ense? The use of the term “mission” conveys the fact that the operational process proceeds with a significant amount of analytical rigor and discipline in order to achieve maximum effectiveness in accomplishing the organization’s security goals. Missions are planned in response to specific threat intelligence in the unique context of the defended organization; and b y f ocu sing on the threat to the b u siness f rom real- w orld threat scenarios, A ctive Defense practitioners can maximize their defensive capabilities for their security budget. Although Active Defense is inherently adversary focused, it is also tailored for specific defended assets — typically the organization’s most valuable proprietary data and business sy stems. A n A ctive D ef ense mission can inclu de any activities that meet this description. However, we find that a few general categories of activities tend to generate the greatest retu rns. A ctiv e D efense m ission categories F ortification H unting N etw ork reconnaissance A nom al y anal ysis Manual identification and validation Focused investigation for anomalous and of complex vu lnerab ilities and threat scenarios maliciou s activity that cannot b e detected b y and development of netw ork situ ational au tomated secu rity monitoring tools aw areness f or decision makers Targeted counterm easures Trap p ing and coercion L everage insight f rom the intelligence process A lter netw ork and endpoint conditions to to design and implement cou nter- measu res provoke a hidden attacker into engaging in that defeat specific threat scenarios maliciou s activity liab le to b e detected b y targeted intensive monitoring 10 | E nhancing y ou r secu rity operations w ith A ctive Def ense

Fortification The first category of Active Defense mission includes those activities that help improve the enterprise’s defenses against specific tactics that may be used by specific attackers. N etw ork reconnaissance Network reconnaissance missions develop the organization’s understanding about its own level of risk to specific threat actors or threat scenarios. Missions of this type are generally more complex than straightf orw ard vu lnerab ility scanning and may inclu de mock attacks or 4 1 % red team ex ercises. A n ex ample of an inf ormation gathering mission w ou ld b e a mu lti- day of responders say their S O C ex periment to determine w hether ex isting secu rity monitoring tools are ab le to identif y the has a paid su b scription to cy b er u se of a particu lar piece of malw are on the netw ork. threat intelligence f eeds Tail ored counterm easures Tailored countermeasures are most often focused on network and endpoint fortification and attempt to deter, degrade or defeat specific adversary tactics. Active Defense fortification activities dif f er f rom hardening activities ex ecu ted b y traditional secu rity operations teams in that they are ex ecu ted delib erately in response to timely threat intelligence ab ou t a threat actor or threat scenario rather than as “ indu stry b est practices” on an ad hoc b asis. • “Cyber clear-and-hold” is an example of a network and endpoint fortification A type of network and endpoint fortification, clear-and-hold is a strategy employed to help prevent intru ders f rom re- occu py ing territory f rom w hich they have b een ej ected b y def enders. C learing is done via hu nting or proactive f orensics. A f ter the clearing stage, the holding stage is usually characterized by regular inspections, surveillance and the improvement of def enses. A clear- and- hold mission may b e w arranted du e to a nu mb er of internal or ex ternal factors. D ef enders may learn ab ou t an attack against an indu stry peer and may w ish to apply clear- and- hold tactics to protect the data ty pes that w ere taken in that attack. A nother driver cou ld b e the discovery of a vu lnerab ility that cannot b e patched in a critical sy stem. H osts on the same netw ork segment cou ld then b e cleared to ensu re that they are not cu rrently harb oring attackers w ho cou ld take advantage of the w eakness. A ctivities of this natu re can u su ally only b e su stained f or a b rief period of time b ef ore resources must be redeployed to other areas. For example, a clear-and-hold mission w ou ld likely b e appropriate du ring the period w hen a merger/ acq u isition is b eing planned (from the earliest stages) and executed. Once the merger is announced publicly and completed, the protection provided b y clear- and- hold tactics is no longer necessary arou nd the sy stems containing merger data. E nhancing y ou r secu rity operations w ith A ctive Def ense | 11

H unting Hunting missions attempt to discover latent (but active) attackers on the network, or previou sly u nknow n evidence of past attacks. B y actively ex amining seemingly b enign activity or artif acts in the contex t of know n tactics and techniq u es of particu lar threat actors or in the context of specific threat scenarios, Active Defense practitioners take the initiative against attackers and redu ce the time that attackers can ex pect to operate inside the network before being identified and eradicated. Hunting missions fall generally 4 7 % into tw o categories. of respondents reported that A nom al y anal ysis their organization does not These missions examine artifacts located on particular hosts along with patterns of currently have an SOC* network traffic to identify malicious activity that automated security monitoring tools miss. Although the organization may have a sophisticated and comprehensive deployment of sensors to condu ct secu rity monitoring f or netw ork segments and endpoints, there are many f orms of maliciou s activity that thw art au tomated detection b u t are plainly ob viou s to hu man analy sts. A s w e discu ssed previou sly , the ab ility to identif y anomalou s activity is one of the key enab lers of A ctive D ef ense and is critical to hu nting missions. A nomalou s activity is any activity that is strange, abnormal or doesn’t belong in the context in which it is seen. This contex t cou ld inclu de the u ser w ho is engaging in the activity , the time w hen the activity is 2 6 % ob served, the f req u ency w ith w hich the activity occu rs and other circu mstances. In addition to hu nting f or anomalou s activity in new event streams, def enders shou ld ensu re that of respondents that do they search historical data as well. The time when defenders become aware of a particular have an S O C , 2 6 % ou tsou rce maliciou s b ehavior is alw ay s af ter the time w hen attackers b egan u sing it: thu s, historical real-time security monitoring* logs must be searched to ensure that a compromise hasn’t already occurred. • Identify cyber staging areas A nomaly analy sis can b e u sed to identif y cy b er staging areas, and to deter or def eat sensitive data exfiltration. Attackers often form a beachhead within a compromised network. This is a host from which they launch sorties against other hosts on the netw ork and on w hich they may store stolen data. O f ten this data is compressed, obfuscated, or even encrypted, to make it look like something it isn’t. For instance, def enders may discover a large data cache rolled into several encry pted and compressed RAR files that have had their file extensions altered to make them look like video clips. This beachhead concept is important because hackers must prepare a staging ground w ithin one or tw o “ hops” f rom a location on the netw ork f rom w hich data w ill b e stolen. N ot only is this req u ired in order to limit the amou nt of activity on a target host to prevent detection, b u t rou ting connections and data throu gh additional sy stems is technically complicated and su b j ect to discovery as w ell. To identify staging areas, defenders search likely beachhead locations near sensitive sy stems f or stolen data and stored tools. In enterprises that enf orce data storage locations for users, such as those that require all personal files to be saved to a network- shared f older, this search can b e straightf orw ard. S earching may also b e aided b y enterprise file naming schemes. These often aren’t apparent to outsiders, so attackers may inadvertently create filenames that immediately appear anomalous. 12 | E nhancing y ou r secu rity operations w ith A ctive Def ense

Trap p ing and coercion These missions attempt to compel latent attackers to perform activities that will cause them to b e discovered. O nce an attacker gains access to the netw ork, escalated privileges and estab lished persistence, they are u nlikely to engage in additional overt maliciou s activity . This is because they likely have gained access to legitimate account credentials or have had the opportu nity to install maliciou s sof tw are to mask, clean or hide their activities. B y altering conditions on the netw ork, def enders can impose a dilemma on hidden attackers. They must either work to maintain their access and subject themselves to the scrutiny of alert A ctive D ef ense practitioners, or they w ill lose access. H ere are ex amples of this ty pe 1 2 % of mission: of respondents that do • M al w are starv ation have an S O C reported M any ty pes of malw are emit a regu lar “ b eacon” or “ heartb eat” to a command and being able to fulfill all control (C&C) server as long as they are active. This serves two purposes. First, it acts fu nctions in- hou se as a remote notification to an attacker that his access to the network is still available. S econd, it provides au tomated control sy stems w ith an opportu nity to deliver orders to fielded malware instances (implants). H ighly sophisticated attackers may employ mu ltiple cooperating malw are implants that w atch each other to provide b acku p. If one implant sees that its partner has b een eradicated or is no longer commu nicating on the netw ork, it activates and takes over the beaconing and malicious activity. EY has seen one network that had primary implants installed on more than 2 0 servers, w ith alternate or b acku p implants hiding on another 14. The alternates weren’t detected until after the primaries had all been eradicated — the point w hen an incident response team w ou ld u su ally close the case and go home. C hanges in netw ork connectivity are u su ally the cau se that resu lts in the activation of dormant implants. C onsider simu lating this to “ starve” malw are of its netw ork access and change its b ehavior. N etw ork segments can b e cu t of f f rom one another temporarily to prevent cooperating malware samples from seeing or interacting with one another; this can resu lt in b acku p malw are spinning u p and try ing to take over f or w hat it thinks is an eradicated primary . • D N S m anip ul ation Malware authors typically use hostnames to configure malware C&C servers rather than IP addresses. This improves resiliency for the malware, since defenders typically block outgoing traffic to specific IP addresses (routers and switches don’t know about hostnames). Using a hostname allows the malware’s C&C server to be located at any IP address. The attacker just needs to register it, and DNS servers around the world will carry the new s to his deploy ed malw are. D ef enders w ho have tried to sq u ash a malw are infection have probably seen this behavior before: they block outgoing traffic from b eaconing malw are only to see it shif t to new destination addresses every f ew hou rs. By resetting the network’s DNS cache, defenders force renewed resolution of every hostname across the netw ork — inclu ding those u sed b y malw are. W ithin a f ew hou rs or day s, def enders can then ex amine the contents of the D N S cache f or low - density hostnames or hostnames that w ere resolved at odd hou rs. A b oatload of connections to www.google.com at noon on a Tuesday shouldn’t raise any eyebrows, but a single connection to www.malwaremothership.com at 2 a.m. on a Tuesday warrants closer inspection. E nhancing y ou r secu rity operations w ith A ctive Def ense | 13

14 | Enhancing your security operations with Active Defense

Is A ctive D ef ense right f or me? EY considers the ability to mount an effective Active Defense as a strategic end-state for the enterprise secu rity program, and the j ou rney to estab lishing an ef f ective A ctive D ef ense varies for every organization. According to EY’s 2015 GISS, 47% of respondents reported that their organization does not currently have an SOC; of those that do, 26% outsource real- time security monitoring, and only 12% reported being able to fulfill all functions in-house. Is m y organiz ation ready to im p l em ent an A ctiv e D efense? 4 7 % EY’s cybersecurity offerings help develop the security program with an eye toward of respondents reported that establishing an Active Defense. However, if any of the following statements reflect their organization does not your organization, then Active Defense may be right for you: currently have an SOC* We have an SOC, but we still aren’t finding evidence of advanced attackers. W e have an S O C , b u t w e still had a maj or b reach. W e have had an S O C f or a f ew y ears, b u t w e need to evolve b ey ond W hat are the static monitoring. We have strong business pressures to defend intellectual property or confidential benefits of an business information (R&D, M&A, ICS/SCADA, etc.). A ctiv e D efense? We have an outsourced SOC, but we don’t believe that our most valuable data and • A n agile operational sy stems are tru ly secu re. cy cle designed to help achieve rapid resu lts How can EY help me prepare to conduct an Active and accelerate learning Def ense in the f u tu re? • C y b er threat intelligence Many organizations can benefit from the enhanced operational discipline and adversary (CTI) analysis that helps f ocu s inherent to A ctive D ef ense. H ow ever, ef f ectiveness f rom an A ctive D ef ense program y ield new insights ab ou t req u ires appropriate matu rity levels in a range of secu rity competencies, inclu ding secu rity adversaries or the operations, security monitoring, asset identification and classification, IT operations, threat enterprise and generates intelligence, secu rity architectu re and others. B y f ocu sing on an A ctive D ef ense capab ility recommendations as a strategic goal, decision- makers and secu rity practitioners can engage in meaningf u l • A ctive D ef ense missions discussion about the steps for organizational improvement that will help realize the benefits f ocu sed on hu nting or describ ed herein. fortification When this occurs, the benefits of an Active Defense can be: • A ctive D ef ense helps • For the security operations team, Active Defense helps provide a defined set of enhance b u t does improvement activities rationalized by threat intelligence and security analytics; and not replace secu rity then connected to achievable objectives. The team builds countermeasures, hunts monitoring and hidden intru ders and b olsters def enses on the b asis of real reporting ab ou t the incident response b ehavior of real attackers. • For decision-makers, Active Defense helps connect resource deployment directly to measu res of cy b ersecu rity program ef f ectiveness. Instead of f ocu sing on perf ormance measu res like “ nu mb er of patches applied” and “ nu mb er of tickets closed,” ef f ectiveness can b e demonstrated via, f or ex ample a decrease in su ccessf u l targeted attacks or a decrease in the time req u ired to discover and eradicate the attacks that w ere su ccessf u l. An organization’s intellectual property and critical business systems have substantial monetary value, and organization leaders expect their security programs to keep the data secure and the attackers out. To this end, the effectiveness of the organization’s security operations can be significantly enhanced by an Active Defense guided by deliberate planning, a defined strategic end-state and an adversary focus. By organizing and integrating the organization’s existing security operations, Active Defense can help reduce the nu mb er of su ccessf u l targeted attacks and decrease the amou nt of time that intru ders can operate b ef ore b eing ej ected f rom the netw ork. E nhancing y ou r secu rity operations w ith A ctive Def ense | 15

W ant to learn more? Insights on governance, risk and compliance is an ongoing series of thought leadership reports focused on IT and other business risks and the many related challenges and opportunities. These timely and topical publications are designed to help you understand the issu es and provide y ou w ith valu ab le insights ab ou t ou r perspective. P lease visit ou r Insights on governance, risk and compliance series at www.ey.com/GRCinsights. Insights on Insights on governance, risk governance, risk and compliance and compliance Creating trust in Cyber P rogram the digital w orl d M anagem ent E Y ’s G lobal Inf ormation S ecu rity S u rvey 2015 C reating the path f orw ard Creating trust in the digital world: Cyber Threat Intelligence − Cyber Program Management: EY’s Global Infomation Security how to get ahead of cybercrime creating the path forward Survey 2015 www.ey.com/CTI w w w . ey . com/ C P M w w w . ey . com/ GISS20 1 5 Using cyber analytics to help you Security Operations Centers — Managed SOC — EY’s Advanced get on top of cybercrime: helping you get ahead of cybercrime Security Center: world-class Third-generation Security w w w . ey . com/ S O C cybersecurity working for you Operations Centers http: / / w w w . ey . com/ managedS O C w w w . ey . com/ 3 S O C Insights on Insights on governance, risk governance, risk and compliance and compliance M arch 2015 December 2014 Cyber breach response Cybersecurity A chiev ing resil ience in management and the the cyber ecosystem Breaches do happen. Internet of Things Are you ready? Cyber breach response Cybersecurity and the Achieving resilience in management — Breaches do Internet of Things the cyber ecosystem happen. Are you ready? www.ey.com/IoT w w w . ey . com/ cy b erecosy stem w w w . ey . com/ cy b erB R M 16 | E nhancing y ou r secu rity operations w ith A ctive Def ense

If you w ere under cyber attack , w oul d you ev er k now ? As many organizations have learned, sometimes the hard way, cyber attacks are no longer a matter of if , b u t w hen. H ackers are increasingly relentless. W hen one tactic f ails, they will try another until they breach an organization’s defenses. At the same time, technology is increasing an organization’s vulnerability to attack through increased online presence, b roader u se of social media, mass adoption of mob ile devices, increased u sage of clou d services, and the collection and analy sis of b ig data. O u r ecosy stems of digitally connected entities, people and data increase the likelihood of ex posu re to cy b ercrime in both the work and home environment. Even traditionally closed operational technology sy stems are now b eing given IP addresses, enab ling cy b er threats to make their w ay ou t of b ack- of f ice sy stems and into critical inf rastru ctu res su ch as pow er generation and transportation sy stems. For EY Advisory, a better working world means helping clients solve big, complex industry issues and capitalize on opportunities to grow, optimize and protect their businesses. We’ve shaped a glob al ecosy stem of consu ltants, indu stry prof essionals and b u siness alliances w ith one f ocu s in mind — y ou . A nticipating cy b er attacks is the only w ay to b e ahead of cy b er criminals. W ith ou r f ocu s on y ou , w e ask b etter q u estions ab ou t y ou r operations, priorities and vu lnerab ilities. W e then collab orate w ith y ou to create innovative answ ers that help y ou activate, adapt and anticipate cyber crime. Together, we help you design better outcomes and realize long- lasting resu lts, f rom strategy to ex ecu tion. We believe that when organizations manage cybersecurity better, the world works better. So, if you were under cyber attack, would you ever know? Ask EY. The better the q uestion. The better the answ er. The better the w orl d w ork s.

E Y | Assurance | Tax | Transactions | Advisory A bout E Y A bou t E Y ’ s A dvisory S ervices EY is a global leader in assurance, tax, In a world of unprecedented change, EY Advisory believes a better working world transaction and advisory services. The insights means helping clients solve big, complex industry issues and capitalize on opportunities and q u ality services w e deliver help b u ild trust and confidence in the capital markets to grow, optimize and protect their businesses. and in economies the w orld over. W e develop Through a collaborative, industry-focused approach, EY Advisory combines a wealth of ou tstanding leaders w ho team to deliver on consulting capabilities — strategy, customer, finance, IT, supply chain, people advisory, ou r promises to all of ou r stakeholders. In so program management and risk — with a complete understanding of a client’s most doing, w e play a critical role in b u ilding a b etter complex issu es and opportu nities, su ch as digital disru ption, innovation, analy tics, w orking w orld f or ou r people, f or ou r clients and f or ou r commu nities. cybersecurity, risk and transformation. EY Advisory’s high-performance teams EY refers to the global organization, and may also draw on the breadth of EY’s Assurance, Tax and Transaction Advisory service refer to one or more, of the member firms of professionals, as well as the organization’s industry centers of excellence, to help clients Ernst & Young Global Limited, each of which is realize sustainable results. a separate legal entity. Ernst & Young Global True to EY’s 150-year heritage in finance and risk, EY Advisory thinks about risk L imited, a U K company limited b y gu arantee, management w hen w orking on perf ormance improvement, and perf ormance does not provide services to clients. For more improvement is top of mind when providing risk management services. EY Advisory also information about our organization, please visit inf u ses analy tics, cy b ersecu rity and digital perspectives into every service of f ering. ey . com. © 2015 EYGM Limited. EY Advisory’s global connectivity, diversity and collaborative culture inspires its A ll R ights R eserved. consultants to ask better questions. EY consultants develop trusted relationships with EYG no. AU3672 clients across the C-suite, functions and business unit leadership levels, from Fortune 100 multinationals to leading disruptive innovators. Together, EY works with clients to 1 5 1 1 - 1 7 4 0 0 4 6 M W create innovative answ ers that help their b u sinesses w ork b etter. ED None The better the q uestion. The better the answ er. The better the w orl d w ork s. This material has been prepared for general informational pu rposes only and is not intended to b e relied u pon as accou nting, tax or other prof essional advice. P lease ref er to your advisors for specific advice. O u r R isk A dvisory L eaders are: ey . com/ cy bersecu rity G l obal R isk L eader P aul v an K essel + 3 1 8 8 4 0 7 1 2 7 1 pau l. van. kessel@ nl. ey . com A rea R isk L eaders A mericas A m y B rachio + 1 6 1 2 3 7 1 8 5 3 7 amy . b rachio@ ey . com E M E IA J onathan B l ack m ore + 9 7 1 4 3 1 2 9 9 2 1 j onathan. b lackmore@ ae. ey . com Asia-Pacific Iain B urnet + 6 1 8 9 4 2 9 2 4 8 6 iain. b u rnet@ au . ey . com J apan Y oshihiro A z um a + 8 1 3 3 5 0 3 1 1 0 0 [email protected] O u r C y b ersecu rity leaders are: G l obal Cybersecurity L eader K en A l l an + 4 4 2 0 7 9 5 1 5 7 6 9 kallan@ u k. ey . com A rea Cybersecurity L eaders A mericas B ob S ydow + 1 5 1 3 6 1 2 1 5 9 1 b ob . sy dow @ ey . com E M E IA S cott G el ber + 4 4 2 0 7 9 5 1 6 9 3 0 sgelb er@ u k. ey . com Asia-Pacific P aul O ’ R ourk e + 6 5 6 3 0 9 8 8 9 0 paul.o’[email protected] J apan S hinichiro N agao + 8 1 3 3 5 0 3 1 1 0 0 nagao- shnchr@ shinnihon. or. j p