W hat is an A ctive Def ense mission? A key facet of Active Defense is the enhanced operational focus and effectiveness realized throu gh the delib erate planning of A ctive D ef ense missions. S ecu rity teams ty pically harden their def enses on an ad hoc b asis, implementing indu stry b est practices w hen they have time or in reaction to high-profile vulnerability announcements. By contrast, Active Defense missions are planned and executed to proactively defeat specific threat scenarios and uncover hidden intruders in the network. This means that defenders’ time is spent deterring and defeating the enterprise’s most likely attackers rather than an undefined or nonspecific adversary. W hat ty pes of mission can I condu ct w ith A ctive Def ense? The use of the term “mission” conveys the fact that the operational process proceeds with a significant amount of analytical rigor and discipline in order to achieve maximum effectiveness in accomplishing the organization’s security goals. Missions are planned in response to specific threat intelligence in the unique context of the defended organization; and b y f ocu sing on the threat to the b u siness f rom real- w orld threat scenarios, A ctive Defense practitioners can maximize their defensive capabilities for their security budget. Although Active Defense is inherently adversary focused, it is also tailored for specific defended assets — typically the organization’s most valuable proprietary data and business sy stems. A n A ctive D ef ense mission can inclu de any activities that meet this description. However, we find that a few general categories of activities tend to generate the greatest retu rns. A ctiv e D efense m ission categories F ortification H unting N etw ork reconnaissance A nom al y anal ysis Manual identification and validation Focused investigation for anomalous and of complex vu lnerab ilities and threat scenarios maliciou s activity that cannot b e detected b y and development of netw ork situ ational au tomated secu rity monitoring tools aw areness f or decision makers Targeted counterm easures Trap p ing and coercion L everage insight f rom the intelligence process A lter netw ork and endpoint conditions to to design and implement cou nter- measu res provoke a hidden attacker into engaging in that defeat specific threat scenarios maliciou s activity liab le to b e detected b y targeted intensive monitoring 10 | E nhancing y ou r secu rity operations w ith A ctive Def ense