What is Threat-Informed Defense?

Threat-informed defense is a term introduced by the MITRE Corporation, referring to the application of cyber threat intelligence to understand potential adversaries and subsequently apply that understanding to defense strategies within a security framework.

With the surge of cyber threats and increasingly sophisticated adversaries, it has become nearly impossible for defenders to keep pace with every emerging attack. Security professionals advocate for a shift in strategy, suggesting that teams leverage threat intelligence to identify the types of attacks most likely to affect their organizations and infrastructure. This targeted approach allows security teams to concentrate their defensive measures on the threats they are most likely to encounter, as well as conduct regular evaluations to pinpoint weaknesses in their processes, procedures, and security tool implementation.

Although implementing threat-informed defense may appear straightforward, it demands a comprehensive strategy and collaboration across security teams and sometimes various IT departments. Key components for integrating threat-informed defense within an organization include:

• Adopting a threat framework (typically MITRE ATT&CK)
• Establishing a threat intelligence and sharing platform
• Ongoing identification of current and prospective risks
• Continuous threat assessment
• Embracing a purple team mentality

Collectively, these practices promote a proactive rather than reactive stance on security operations, resulting in more effective defensive strategies.

Adopting a Threat Framework

The most widely utilized threat framework in security operations today is the ATT&CK framework, which stands for Adversary Tactics, Techniques, and Common Knowledge. This open-source, community-driven model tracks adversary behaviors associated with intrusion activities.

Beyond cataloging common techniques and procedures for executing attacks, MITRE correlates known threat groups with the software they exploit. For instance, attackers might use publicly accessible applications to infiltrate back-end systems. MITRE links these actions to specific threat groups and the software associated with past incidents.

Reliable Source of Threat Intelligence

Over the last decade, the importance of threat intelligence as a data source for security teams has escalated. Recently, the director of CISA (Cybersecurity and Infrastructure Security Agency) has called on the industry to prioritize knowledge sharing.

"My goal is to shift the paradigm from plain-old public-private partnership to true operational collaboration; from information-sharing to information-enabling," — Jen Easterly, Director of CISA.

Threat intelligence and sharing platforms are essential for such collaboration, and organizations must cultivate a dependable source for ongoing threat intelligence and information sharing. While numerous open-source tools are available, many firms are investing in dedicated threat intelligence platforms that offer extensive resources.

Platforms like Recorded Future and IntSights not only provide immediate access to threat data but also include Dark Web monitoring, alerting organizations to credential leaks or mentions on hacker forums. Such information is invaluable for staying ahead of potential attackers planning a breach.

Continuous Risk Identification & Assessment of Threats

After selecting and implementing a threat intelligence platform and approach, organizations can transition to the risk identification and threat assessment phase of threat-informed defense. Understanding the risks present within an organization is crucial for effective threat assessments.

Organizations encounter a myriad of risks that must be prioritized based on their significance. Thus, security teams need to collaborate with business stakeholders to identify which risks could disrupt operations. Ransomware attacks, for example, often top this list as they can severely affect system availability.

By comprehending these risks, security teams can pinpoint threats that may jeopardize vital business systems and work collaboratively to mitigate them. Additionally, teams should evaluate threats relevant to their industry since many threat groups frequently target organizations within similar sectors, such as healthcare or finance.

In essence, risk and threat management is a continuous cycle of information gathering and assessment, leading to the ongoing enhancement of security defenses through further controls and protective measures.

Shifting to a Purple Team Mindset

The final, and arguably most crucial, aspect of threat-informed defense is adopting a purple team mindset. Traditionally, security operations have been divided into blue team (defenders) and red team (penetration testers) activities.

The blue team handles active defense tasks like event analysis, threat hunting, and incident response, while red teams assess defenses by mimicking the actions of threat actors. The red team's aim is to uncover vulnerabilities in the security operations, enabling the blue team to strengthen their controls and processes.

While a purple team mindset signifies a blend of blue and red team functions, it is essential for the successful execution of threat-informed defense. As previously mentioned, the goal of threat-informed defense is to adopt a proactive security stance. To achieve this, blue and red teams must approach threats holistically rather than solely focusing on their respective duties.

This mindset merges the objectives of both teams into one: enhancing the security operations program. It fosters greater collaboration among security personnel, regardless of their specific roles, to conduct comprehensive adversary emulation.

Why Adopt Threat-Informed Defense?

Implementing threat-informed defense offers numerous benefits. While developing this capability within an organization may seem daunting and time-consuming, the advantages ultimately surpass the initial investment once the program reaches maturity.

The most apparent benefit of threat-informed defense is the extensive library of threats it provides, resulting in a profound understanding of the organization's threat landscape. This knowledge aids in addressing questions such as which attacks the company is most vulnerable to, the likely attackers, their capabilities, historical attack methods, significant security gaps, and necessary actions to mitigate these gaps.

Moreover, threat-informed defense enhances security optimization, boosting the overall effectiveness of the security program. Through the outlined activities, a security team ensures consistent monitoring and improvement of security controls, while also identifying additional measures needed to address vulnerabilities. Furthermore, the continuous cycle of risk and threat evaluation contributes to a stronger security posture and improved compliance with industry standards such as NIST, CMMC, HIPAA, and PCI-DSS.

Adopting threat-informed defense has proven to advance security programs and offer organizations a strategic framework for cybersecurity, facilitating ongoing program maturity. It aligns security initiatives with the most pressing risks and threats, enabling informed decision-making and resource allocation at the executive level, thereby minimizing wastage on irrelevant defensive strategies.

As the landscape of cybersecurity threats continues to evolve rapidly, organizations must embrace threat-informed defense to achieve effective, optimized security operations while balancing the need to protect their business and maintain operational efficiency.