Threat Informed Defense

“Threat-informed defense” applies a deep understanding of adversary tradecraft and technology to protect against, detect, and mitigate cyber-attacks. It’s a community-based approach to a worldwide challenge.

Understanding an attacker’s tactics and techniques is key to successful cyber defense.

digits projected on human face

Most organizations continue to use traditional methods such as commercial security products to block bad sites and malicious software and apply patches to correct vulnerabilities in installed software. Although effective against some threats, these approaches fail to stop advanced attacks and offer no insight into what an adversary does once it has penetrated the network.

To significantly improve their cyber defense, some organizations, including MITRE, have adopted a threat-based defense strategy. Threat-based defense uses the knowledge gained from single, often disparate, attacks and related events to reduce the likelihood of successful future attacks.

A comprehensive threat-based defense hinges on three elements:

  • Cyber threat intelligence analysis.
  • Defensive engagement of the threat.
  • Focused sharing and collaboration.

Cyber threat intelligence analysis. This type of analysis provides practical information and threat detection signatures that are more durable than current virus definitions. Once they scrutinize the information, specialists can use it to harden cyber defenses and improve ways to anticipate, prevent, detect, and respond to cyber attacks.

Using the cyber attack lifecycle (first articulated by Lockheed Martin as the “kill chain”) and classic intelligence analysis, as shown below, cyber threat intelligence analysts developed a framework to better understand and anticipate the moves of cyber adversaries at each stage of an attack.

Cyber Attack Lifecycle
Figure: Cyber Attack Lifecycle

Defensive engagement of the threat. This concept is critical to preventing or detecting future attacks. During the early stages of the lifecycle, defenders have an opportunity to detect and mitigate threats before an adversary establishes a foothold. During the later stages, incident response and mission assurance measures are used reactively.

Cyber defenders must proactively look for indicators of a pending, active, or successful cyber attack. Telltale signs can be developed through retrospective analysis and correlation of threat characteristics observed across the cyber attack lifecycle over time. This “learn from the past” approach, however, puts organizations at great risk if they intentionally defer remediation of compromises to learn about a cyber adversary’s actions post-Exploit. One solution is to establish synthetic environments that allow cyber defenders to observe an adversary’s post-Exploit activity while managing risks.

Focused sharing and collaboration. Among communities of cyber defenders, working in partnership provides a force-multiplier effect. These collaborations can greatly benefit cyber-threat intelligence analysis and strengthen cyber defenses.