Fortification

The first category of Active Defense mission includes those activities that help improve the enterprise's defenses against specific tactics that may be used by specific attackers.

Network reconnaissance

Network reconnaissance missions develop the organization's understanding of its own level of risk to specific threat actors or threat scenarios. Missions of this type are generally more complex than straightforward vulnerability scanning and may include mock attacks or red team exercises. An example of an information gathering mission would be a multi-day experiment to determine whether existing security monitoring tools are able to identify the use of a particular piece of malware on the network.

Tailored countermeasures

Tailored countermeasures are most often focused on network and endpoint fortification and attempt to deter, degrade or defeat specific adversary tactics. Active Defense fortification activities differ from hardening activities executed by traditional security operations teams in that they are executed deliberately in response to timely threat intelligence about a threat actor or threat scenario, rather than as "industry best practices" applied on an ad hoc basis.

• "Cyber clear-and-hold" is an example of network and endpoint fortification. Clear-and-hold is a strategy employed to help prevent intruders from re-occupying territory from which they have been ejected by defenders. Clearing is done via hunting or proactive forensics. After the clearing stage, the holding stage is usually characterized by regular inspections, surveillance and the improvement of defenses. A clear-and-hold mission may be warranted due to a number of internal or external factors.

Defenders may learn about an attack against an industry peer and may wish to apply clear-and-hold tactics to protect the data types that were taken in that attack. Another driver could be the discovery of a vulnerability that cannot be patched in a critical system. Hosts on the same network segment could then be cleared to ensure that they are not currently harboring attackers who could take advantage of the weakness. Activities of this nature can usually only be sustained for a brief period of time before resources must be redeployed to other areas. For example, a clear-and-hold mission would likely be appropriate during the period when a merger/acquisition is being planned (from the earliest stages) and executed. Once the merger is announced publicly and completed, the protection provided by clear-and-hold tactics is no longer necessary around the systems containing merger data.

Sidebar: 41% of respondents say their SOC has a paid subscription to cyber threat intelligence feeds.

Enhancing your security operations with Active Defense | 11