data repositories. R elevant assets w ill b e those that su b j ect the b u siness to seriou s consequences should they be manipulated, stolen, or taken offline. Examples include intellectu al property , research and development data su pporting f u tu re innovation, employees’ or customers’ personally identifiable information, payment card information for clients, and the indu strial control sy stems that su pport critical b u siness f u nctions. What must I understand about my organization to enable 2 3 % A ctive Def ense? N ex t, def enders mu st develop an u nderstanding of w hat “ normal” means f or the netw ork. of organizations with an SOC stated that their S O C “ does not Typically, this is referred to as a “baseline” in the context of security. However, much of interact with the business.”* this baseline lives in the minds of the IT staff rather than in security monitoring tools. This understanding is important for enhancing the security operations function, because A ctive D ef ense inclu des strong anomaly analy sis and hu nting components. M any activities ex ecu ted b y intru ders avoid triggering au tomated secu rity monitoring tools b ecau se they don’t fit the typical procedures, inputs or models of known attack signatures. Instead, they u se compromised credentials or illicit accou nts and b lend w ith regu lar u ser b ehavior. However, alert and experienced security analysts may recognize malicious activity when they see it, provided they have a model f or normal b ehavior on the netw ork. W hat mu st I u nderstand abou t my adversaries f or an A ctive Def ense to su cceed? 2 3 % Finally, defenders need an understanding of the threat actors that are likely to target their organization. Many security teams simply assume that they are targeted by the of organizations reported that, big-three nation state adversaries, organized crime groups and hacktivists. Although this “ O u r S O C is tightly integrated, may b e tru e, additional insight is req u ired in order to craf t an A ctive D ef ense. W ithin each meeting w ith the heads of grou p, motivations and capab ilities vary w idely . D ef enders shou ld w ork closely w ith threat b u siness operations regu larly intelligence providers to paint an accu rate portrait of the threat landscape w ith as mu ch to u nderstand b u siness concerns and risks.”* detail as possible. If possible, specific threat actors should be named and analyzed to gain insight that w ill b e leveraged in def ensive activities. A ctiv e D efense Conduct A ctiv e D efense m issions S tage 4 P lan, ex ecu te, review , repeat Identify and profile most lik el y threat actors t S tage 3 Inj ect timely intelligence to drive mission selection A dd env ironm ental contex t Insigh D evelop/ leverage netw ork and endpoint activity b aselines S tage 2 Identify internal critical assets Descriptively profile at both business and technical level S tage 1 E nhancing y ou r secu rity operations w ith A ctive Def ense | 5