The use of threat intelligence has risen in popularity over the last few years, but security teams still have a difficult time integrating intelligence activities into their existing programs. The reality is that many security programs are still in the early stages of maturity, which makes folding threat intelligence activities into their existing, somewhat repeatable processes even more challenging.
Further, security teams are already running lean, and adding threat intelligence activities can spread resources even thinner. That challenge doesn’t mean threat-informed defense has to wait, however. Although many large organizations have developed threat intelligence programs to support a fully integrated threat-informed defense model, less mature security teams can still draw on common threat intelligence use cases, such as identifying industry-specific threats and adversary behaviors, without driving their security staff into the ground.
So, this article will discuss the purpose of threat-informed defense, how to get started with it, and highlight common use cases organizations can employ today.
What Is Threat-Informed Defense?
Threat-informed defense is a term popularized by MITRE (and its MITRE Engenuity Center for Threat-Informed Defense). It refers to using cyber threat intelligence to gain an understanding of the adversaries most likely to target an organization, and then applying that knowledge to the defensive activities of a security program: which controls to deploy, which detections to build, and which attacks to rehearse.
With the number of cyber threats growing and adversaries continually becoming more sophisticated, cyber defenders find keeping up with every new threat and protecting their organizations from any and every attack nearly impossible. Instead, experts urge security teams to take a different approach: use threat intelligence to identify the types of attacks likeliest to impact their company and corporate infrastructure. This approach lets security teams focus defensive efforts on the threats they are most likely to face, and also periodically run exercises to identify gaps in processes, procedures, and security tool implementation.
How to Implement Threat-Informed Defense
Although threat-informed defense may seem simple, it requires a multi-faceted approach and cross-functional collaboration amongst security staff and sometimes even various IT departments. The primary components of implementing threat-informed defense within an organization are as follows:
- Adopt a threat framework (typically MITRE ATT&CK).
- Implement a threat intelligence and sharing platform.
- Continuously identify and assess existing and future risks.
- Shift to a purple team mindset.
Together, these activities lead to a less reactive and more proactive approach to security operations, in turn resulting in effective, optimal defensive efforts.
Adopting a Threat Framework
The most common threat framework in use today for security operations is MITRE ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge. ATT&CK is a freely available, community-driven knowledge base of adversary behavior, organized by tactic (the adversary’s goal, such as initial access or persistence) and by the techniques and sub-techniques observed in real intrusions.
In addition to cataloguing the techniques and procedures used to carry out attacks, MITRE links each technique to the known threat groups and the software (malware and tools) reported to have used it. For example, adversaries may exploit a public-facing application to gain a foothold on a back-end system; ATT&CK records this as the technique Exploit Public-Facing Application (T1190) and lists the groups and software that have been observed using it in past attacks. Keep in mind that these mappings reflect public reporting, so the absence of a technique under a group means it was not reported, not that the group never uses it.
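The group and software links described above are expressed in ATT&CK’s STIX 2.1 export as `uses` relationships between `intrusion-set`, `malware`/`tool` and `attack-pattern` objects. The following is an added example, not code from the article or from MITRE: it resolves which groups and software use a given technique ID, skipping revoked or deprecated objects the way the real export requires. The bundle embedded here is a constructed miniature with placeholder group and software names, so its attributions are illustrative only; `load_bundle` is an assumed helper for reading the real `enterprise-attack.json` file.

```python
"""Resolve which ATT&CK groups and software use a given technique.

Added example. The bundle below is CONSTRUCTED and its group/software
names are placeholders; only the object shapes follow the ATT&CK STIX
2.1 export (attack-pattern, intrusion-set, malware/tool, relationship).
T1190 (Exploit Public-Facing Application) is a real technique ID.
"""
import json
from collections import defaultdict

SOFTWARE_TYPES = {"malware", "tool"}


def load_bundle(path):
    """Assumed helper: load a STIX bundle such as enterprise-attack.json."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed, minimal STIX-style bundle (not the real ATT&CK dataset).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--aaaa",
         "name": "Exploit Public-Facing Application",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1190"}]},
        {"type": "attack-pattern", "id": "attack-pattern--bbbb",
         "name": "Valid Accounts",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}]},
        {"type": "intrusion-set", "id": "intrusion-set--1111", "name": "Example Group A"},
        {"type": "intrusion-set", "id": "intrusion-set--2222", "name": "Example Group B"},
        {"type": "tool", "id": "tool--3333", "name": "Example Web Shell Tool"},
        {"type": "malware", "id": "malware--4444", "name": "Example Loader"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--1111", "target_ref": "attack-pattern--aaaa"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--2222", "target_ref": "attack-pattern--aaaa"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "tool--3333", "target_ref": "attack-pattern--aaaa"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--2222", "target_ref": "attack-pattern--bbbb"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "malware--4444", "target_ref": "attack-pattern--bbbb"},
        # The real export keeps revoked/deprecated objects; they must be skipped.
        {"type": "intrusion-set", "id": "intrusion-set--9999",
         "name": "Retired Group", "revoked": True},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--9999", "target_ref": "attack-pattern--aaaa"},
    ],
}


def attack_id(obj):
    """Return the ATT&CK external ID (e.g. T1190) of an object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def build_index(bundle):
    """Map technique ID -> {'groups': set, 'software': set} from live objects."""
    live = {o["id"]: o for o in bundle["objects"]
            if o["type"] != "relationship"
            and not o.get("revoked") and not o.get("x_mitre_deprecated")}
    technique_of = {sid: attack_id(o) for sid, o in live.items()
                    if o["type"] == "attack-pattern"}
    users = defaultdict(lambda: {"groups": set(), "software": set()})
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel.get("relationship_type") != "uses":
            continue
        src = live.get(rel["source_ref"])
        tech = technique_of.get(rel["target_ref"])
        if src is None or tech is None:  # revoked endpoint, or target is not a technique
            continue
        if src["type"] == "intrusion-set":
            users[tech]["groups"].add(src["name"])
        elif src["type"] in SOFTWARE_TYPES:
            users[tech]["software"].add(src["name"])
    return users


def who_uses(bundle, technique_id):
    """Return (sorted group names, sorted software names) reported to use the technique."""
    entry = build_index(bundle).get(technique_id, {"groups": set(), "software": set()})
    return sorted(entry["groups"]), sorted(entry["software"])


if __name__ == "__main__":
    groups, software = who_uses(SAMPLE_BUNDLE, "T1190")
    print("T1190 groups:", groups)
    print("T1190 software:", software)
```

Against the real export the same function answers the question the article poses (who has used this technique, and with what), and the revoked/deprecated filter matters: ATT&CK retains retired groups and merged software objects, and counting them inflates a technique’s apparent prevalence.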
Implementing a Threat Intelligence and Sharing Platform
Over the last decade, threat intelligence has become a crucial source of data for security teams. More recently, the director of CISA (Cybersecurity and Infrastructure Security Agency) has urged the industry as a whole to focus on knowledge sharing.
“My goal is to shift the paradigm from plain-old public-private partnership to true operational collaboration; from information-sharing to information-enabling.” — Jen Easterly, Director of CISA
Threat intelligence and sharing platforms are a key component of such collaboration, and corporate security teams need a reliable source they consistently draw on for threat intelligence and information sharing. Although many open-source threat intelligence feeds and tools are freely available, many organizations invest in commercial threat intelligence platforms for a curated, extensive library of information.
Platforms like Recorded Future and IntSights not only put threat data at your fingertips but also provide dark web monitoring, notifying your organization when credential leaks are detected or your company is mentioned on popular hacker forums. Information like this is an invaluable way to get ahead of bad actors that may be planning an attack, provided someone owns the alerts and turns them into action, such as forcing password resets on leaked credentials.
Continuously Identifying Risks and Assessing Threats
Once your organization selects and implements a threat intelligence platform and an information sharing approach, the team is ready to move into the risk identification and threat assessment phase of threat-informed defense. Understanding the risks that exist in an organization is essential to properly align threat assessments with what actually matters to the business.
Any given organization faces a plethora of risks, so these dangers should be prioritized in order of criticality. In other words, the security team must collaborate with business stakeholders to understand the risks that, if realized, would disrupt business operations. For example, ransomware attacks are typically at the top of this list, impacting the availability of systems that enable a company to operate. With this understanding, the security team can identify threats that will impact the availability of business-critical systems and applications, then work collaboratively to fight those threats.
Security teams should also assess the threats that impact an organization’s broader industry. Many threat groups tend to target multiple companies in similar industries, like the healthcare or finance sectors. So, continuously assessing the prominent threats within an industry is important to understand the types of attacks an organization may face.
In general, risk and threat management form a continuous cycle of information gathering and assessment: new intelligence about the groups targeting your industry is compared against the controls and detections you already have, and the resulting gaps drive the next round of additional controls and protection mechanisms.
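The comparison described in this section, taking the techniques used by the threat groups prioritized for your business and industry and ranking them against current detection coverage, can be done with a few lines of code. The following is an added example, not from the article: the group-to-technique lists and the coverage map are constructed placeholders (in practice the former comes from ATT&CK and the latter from your detection inventory), and the weighting scheme is an assumption chosen for illustration. The technique IDs themselves are real ATT&CK identifiers.

```python
"""Rank detection gaps by how many prioritized threat groups use each technique.

Added example. GROUP_TECHNIQUES and COVERAGE are CONSTRUCTED placeholders;
replace them with data from ATT&CK and from your own detection inventory.
The scoring (groups_using * coverage weight) is an assumed, simple scheme.
"""
from collections import Counter

# Constructed: techniques each prioritized group is reported to use.
GROUP_TECHNIQUES = {
    "Example Group A": {"T1190", "T1059.001", "T1486", "T1021.001"},
    "Example Group B": {"T1190", "T1078", "T1486"},
    "Example Group C": {"T1566.001", "T1059.001", "T1486"},
}

# Constructed: current detection state per technique ("none", "partial", "full").
COVERAGE = {
    "T1190": "none",
    "T1486": "partial",
    "T1059.001": "full",
    "T1078": "none",
    "T1566.001": "partial",
}

# Assumed weighting: an uncovered technique counts fully, partial half, full not at all.
COVERAGE_WEIGHT = {"none": 1.0, "partial": 0.5, "full": 0.0}


def technique_frequency(group_techniques):
    """Count how many prioritized groups use each technique."""
    counts = Counter()
    for techniques in group_techniques.values():
        counts.update(techniques)
    return counts


def rank_gaps(group_techniques, coverage):
    """Return [(technique, groups_using, coverage, gap_score)] sorted by urgency.

    A technique missing from the coverage map is treated as uncovered, so a
    newly reported technique is never silently ignored. Ties are broken by
    number of groups, then technique ID, so the ranking is deterministic.
    """
    freq = technique_frequency(group_techniques)
    rows = []
    for tech, n in freq.items():
        cov = coverage.get(tech, "none")
        rows.append((tech, n, cov, n * COVERAGE_WEIGHT[cov]))
    rows.sort(key=lambda r: (-r[3], -r[1], r[0]))
    return rows


def top_gaps(group_techniques, coverage, limit=3):
    """Technique IDs with a nonzero gap score, most urgent first."""
    return [r[0] for r in rank_gaps(group_techniques, coverage) if r[3] > 0][:limit]


if __name__ == "__main__":
    for tech, n, cov, score in rank_gaps(GROUP_TECHNIQUES, COVERAGE):
        print(f"{tech:<10} groups={n} coverage={cov:<8} gap={score}")
```

Re-running this each time the prioritized group list or the coverage map changes is the "continuous loop" in practice: with the constructed data, the uncovered initial-access technique used by two groups (T1190) outranks the partially covered ransomware impact technique used by all three (T1486), which is the kind of trade-off a purely count-based heat map would hide.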
Shifting to a Purple Team Mindset
The last and arguably most important piece of threat-informed defense is the shift to a purple team mindset. Historically, security defense has consisted of separate blue and red team operations, wherein the blue team are the defenders and the red team plays the adversary (often staffed by penetration testers).
The blue team is responsible for active defense efforts, like event analysis and investigation, threat hunting, and incident response. Red teams are formed to continuously assess the defense mechanisms and incident responders by performing the same activities threat actors would. The goal of red teams is to identify gaps in a security operations program so the blue team can improve their controls, processes, and procedures to close those gaps.
A purple team mindset refers to a blended approach of blue teaming and red teaming, but how does it relate to a successful implementation of threat-informed defense? As mentioned earlier, threat-informed defense is all about becoming proactive in security defense. To do that, blue and red teams must think about threats comprehensively rather than single-mindedly focusing on their respective spheres of responsibility: the red team emulates the techniques the intelligence says matter, and the blue team confirms, in real time, which of those techniques are detected and which are not.
A purple team mindset reduces two separate goals to one: improving the security operations program. This helps security staff work more collaboratively, regardless of role, to perform adversary emulation from end to end.
Why Adopt Threat-Informed Defense?
Threat-informed defense confers many advantages. Although it might seem intimidating and time-consuming to develop the capability within an organization, the benefits ultimately outweigh the costs once the program has matured.
The most obvious benefit of adopting threat-informed defense is that it provides a comprehensive library of threats and, as a result, a deep understanding of the organization’s threat landscape. It helps answer questions like what attacks a company is most susceptible to, who is most likely to attack, what capabilities those attackers have, how they have historically carried out their attacks, where the most critical gaps lie, and what needs to be done to close those gaps.
In addition, threat-informed defense leads to security optimization, or increased effectiveness of the overall security program. Through the activities discussed in this article, a security team ensures the close monitoring and continuous improvement of security controls and can identify the additional controls needed to close any gaps. On top of that, the continuous loop of risk and threat identification and assessment leads to a better security posture and improved compliance with industry regulations and frameworks such as the NIST Cybersecurity Framework, CMMC, HIPAA, and PCI DSS.
Threat-informed defense is a proven way to advance security programs and give organizations a roadmap for cybersecurity strategy that drives the continued maturity of their program. It benefits both the security team and the company as a whole, aligning security initiatives with the most important risks and threats to defend against. This leads to informed decision-making and spending at the executive level, and fewer wasted resources from investing in irrelevant defense efforts.
As the number of cybersecurity threats continues to grow, organizations must adopt threat-informed defense to achieve effective and optimized security operations, while also striking the balance between protecting the business and enabling it to run.