The concept is well understood but putting it to work is much harder. Leading organizations provide some guidance on how to best implement this robust defensive strategy.

If you’ve been in cybersecurity for the past five to 10 years, you’ve probably heard the term “threat-informed defense.” Simply stated, a threat-informed defense focuses security teams, technologies, and budgets on those threats most likely to impact a particular organization, industry, geography, etc. The concept basically aligns with the famous (and often referenced) quote from Sun Tzu: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

To put this in cybersecurity terms, security teams need to monitor the tactics, techniques, and procedures (TTPs) of their adversaries, understand how these TTPs could be prevented or detected by their security controls, and then make any adjustments necessary to cover gaps in their defenses.

The concept of a threat-informed defense is often associated with the MITRE ATT&CK framework, a universally accessible, continuously updated knowledge base for modeling, detecting, preventing and fighting cybersecurity threats based on cybercriminals’ known adversarial behaviors. By using the MITRE ATT&CK Navigator (or similar tools), security teams get a visual representation of adversary TTPs which they can then compare to their security controls and defensive strategies.

These few paragraphs provide a basic understanding of a threat-informed defense — what it is, how it works, and why it may be beneficial. Most security professionals get this right away, but while the concept may be easy to grasp, operationalizing a threat-informed defense remains an elusive goal for some organizations.
Alas, many cyber-threat intelligence programs remain haphazard and tactical, preventing organizations from moving forward with additional layers of a threat-informed defense. What can be done? I recently spoke with several organizations about how they were approaching a threat-informed defense. Yes, there were many detours and lessons learned along the way, but I found that successful security teams were doing the following:

Establishing and continuously improving their threat intelligence lifecycle

A threat intelligence lifecycle is generally described across six phases:

1. Direction and planning.
2. Data collection.
3. Processing.
4. Analysis and production.
5. Intelligence dissemination.
6. Feedback.

To get this right, you must define the threats and threat actors you want to track; collect, process, and analyze the associated intelligence; create and distribute reports to the right stakeholders; and then gather their feedback to make sure they are getting what they need. Immature organizations struggle at one or several of the phases — they don’t get input from the business, get buried by the volume of threat intelligence, produce overly technical reports, etc. It’s hard, but getting this foundation working is critical for establishing an effective threat-informed defense.

Using threat intelligence for exposure management

Everyone knows the expression, “an ounce of prevention is worth a pound of cure.” A threat-informed defense supports this aphorism by aligning threat intelligence and exposure management. Assuming organizations are doing vulnerability scanning across systems, applications, attack surfaces, cloud infrastructure, etc., they will come up with lists of tens of thousands of vulnerabilities. Even big, well-resourced enterprises can’t remediate this volume of vulnerabilities in a timely fashion, so leading firms depend upon threat intelligence to guide them into fixing those vulnerabilities most likely to be exploited presently or in the near future.
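As an added illustration of the prioritization described above (not code from the article or any vendor named in it), the following Python ranks scanner findings by threat intelligence rather than by CVSS alone. The intel feed, the tracked-actor list, the scanner output and the CVE-0000-* identifiers are all constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str
    cvss: float
    asset: str
    internet_facing: bool

# Constructed intel feed keyed by CVE: is it exploited now, and by which tracked actors?
# The CVE-0000-* identifiers are placeholders, not real advisories.
INTEL = {
    "CVE-0000-0001": {"exploited_in_wild": True,  "actors": {"actor-A"}},
    "CVE-0000-0002": {"exploited_in_wild": False, "actors": set()},
    "CVE-0000-0003": {"exploited_in_wild": True,  "actors": {"actor-C"}},
    "CVE-0000-0004": {"exploited_in_wild": False, "actors": {"actor-A"}},
}
# Actors the CTI program tracks because they target this organization's sector (constructed).
RELEVANT_ACTORS = {"actor-A", "actor-B"}

# Constructed scanner output.
FINDINGS = [
    Finding("CVE-0000-0001", 7.5, "vpn-gw-1", True),
    Finding("CVE-0000-0002", 9.8, "hr-db-2", False),
    Finding("CVE-0000-0003", 6.1, "web-3", True),
    Finding("CVE-0000-0004", 5.0, "build-1", False),
]

def priority(f: Finding, intel: dict, relevant: set) -> float:
    """CVSS is the baseline; threat intel and exposure scale it up."""
    info = intel.get(f.cve, {"exploited_in_wild": False, "actors": set()})
    score = f.cvss
    if info["exploited_in_wild"]:
        score *= 2.0    # active exploitation outweighs theoretical severity
    if info["actors"] & relevant:
        score *= 1.5    # used by an adversary that targets organizations like this one
    if f.internet_facing:
        score *= 1.25   # reachable without a prior foothold
    return score

def remediation_order(findings: list, intel: dict, relevant: set) -> list:
    """CVEs ordered by priority; the highest raw CVSS is not necessarily first."""
    ranked = sorted(findings, key=lambda f: priority(f, intel, relevant), reverse=True)
    return [f.cve for f in ranked]
```

With this data the CVSS 9.8 finding on an internal database drops to third place behind two lower-scored bugs that are being exploited right now, which is the reordering the paragraph above argues for.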
Some vulnerability management tools from vendors such as Cisco (Kenna), Nucleus Security, and ServiceNow provide this functionality, but proactive organizations go the extra mile and develop expertise for comparing vulnerabilities with evolving threats across the entire IT infrastructure.

Driving detection engineering

As previously mentioned, a threat-informed defense involves understanding adversary TTPs, comparing these TTPs to existing defenses, identifying gaps, and then implementing compensating controls. These last steps equate to reviewing existing detection rules, writing new ones, and then testing them all to make sure they detect what they are supposed to. Rather than depending on security tool vendors to develop the right detection rules, leading organizations invest in detection engineering across multiple toolsets such as XDR, email/web security tools, SIEM, cloud security tools, etc. CISOs I spoke with admit that this can be difficult and expensive to implement. Open standards like Sigma and YARA can help, but many firms need further assistance from service providers, or specific tools from vendors like Anvilogic, CardinalOps, Detecteam, or SOC Prime.

Promoting threat hunting

Once a CTI lifecycle is running well, it will provide intelligence that can be used as a basis for automated and manual threat hunting. Some firms use scripting here while others create runbooks for SOAR tools, but the basic concept is to automate the discovery of indicators of compromise (IoCs) that have been seen on the network (by SIEM tools, EDR/XDR/NDR, firewalls, cloud logs, etc.). This process will likely trigger more advanced threat hunts using other methodologies like the diamond model, pyramid of pain, and so forth, where L3 SOC analysts search for malicious and often sophisticated patterns and behaviors.
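The gap analysis and rule testing described under detection engineering, as an added Python example (not code from the article or from any of the vendors it names): adversary techniques from CTI are compared against the ATT&CK tags on the detection rules to find uncovered techniques, and every rule is run against a true-positive and a benign event. The technique IDs are real ATT&CK identifiers, but the actor-to-technique mapping, the rules (a Callable stands in for a Sigma condition) and the log events are constructed; the LSASS rule is written case-sensitively on purpose so the test exposes a rule the team believes in but that does not fire.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

# Constructed CTI output: techniques seen from the actors this organization tracks.
# The IDs are ATT&CK technique identifiers; the actor-to-technique mapping is made up.
TRACKED_ACTOR_TTPS = {
    "actor-A": {"T1566", "T1059", "T1003", "T1021"},
    "actor-B": {"T1078", "T1059", "T1486"},
}

@dataclass
class Rule:
    name: str
    techniques: set[str]             # ATT&CK techniques the rule claims to cover
    matches: Callable[[dict], bool]  # simplified stand-in for a Sigma condition

# Constructed rules. The LSASS rule compares the image path case-sensitively.
RULES = [
    Rule("encoded-powershell", {"T1059"},
         lambda e: "powershell" in e.get("cmdline", "").lower()
         and "-enc" in e.get("cmdline", "").lower()),
    Rule("lsass-access", {"T1003"},
         lambda e: e.get("target_image", "").endswith("lsass.exe")),
    Rule("macro-attachment", {"T1566"},
         lambda e: e.get("attachment", "").lower().endswith((".docm", ".xlsm"))),
]

# Constructed test events per rule: one that must fire, one that must stay quiet.
SAMPLES = {
    "encoded-powershell": ({"cmdline": "powershell.exe -NoP -Enc SQBFAFgA"},
                           {"cmdline": "powershell.exe -File backup.ps1"}),
    "lsass-access": ({"target_image": r"C:\WINDOWS\SYSTEM32\LSASS.EXE"},  # EDR upper-cased it
                     {"target_image": r"C:\Windows\System32\svchost.exe"}),
    "macro-attachment": ({"attachment": "invoice.docm"},
                         {"attachment": "invoice.pdf"}),
}

def coverage_gaps(actor_ttps: dict[str, set[str]], rules: list[Rule]) -> dict[str, set[str]]:
    """Per actor, the techniques that no rule claims to cover."""
    covered = set().union(*(r.techniques for r in rules))
    return {actor: ttps - covered for actor, ttps in actor_ttps.items()}

def validate_rules(rules: list[Rule], samples: dict) -> list[str]:
    """Names of rules that miss their true-positive event or fire on the benign one."""
    return [r.name for r in rules
            if not r.matches(samples[r.name][0]) or r.matches(samples[r.name][1])]
```

Here the gap report shows T1021 uncovered for actor-A and T1078 and T1486 for actor-B, and the validation step flags lsass-access, so the team has both new rules to write and an existing rule to fix before it counts T1003 as covered.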
Pursuing continuous testing

As another saying goes, “testing leads to failure and failure leads to understanding.” For a threat-informed defense, leading organizations turn to continuous red teaming and penetration testing with in-house experts, service provider contracts, automated tools, or even creating a cyber range with firms like Cyberbit. The goal? Find the places where they believe they are protected but aren’t. Continuous testing bridges the Sun Tzu gap between knowing the adversary and knowing yourself. As continuous testing gains acceptance and momentum, many firms leverage this process to establish purple teams to further align threats with defenses.

Establishing a threat-informed defense isn’t easy, and many of the firms I spoke with stumbled along the way, but each firmly proclaimed that it was worth the effort. Security pros crowed about better security efficacy and more efficient operations, while CISOs said that a threat-informed defense made sense to business executives and corporate boards by providing a much more focused view of cybersecurity coverage and necessary investments. This alone made their threat-informed defense strategies beneficial.