The Nen-Book
Threat-Informed Defense

Threat-Informed Defense is a proactive approach to cyber security that combines three elements into an evolving feedback loop for your security team:

  • Cyber threat intelligence analysis

  • Defensive engagement of the threat

  • Focused sharing and collaboration

First Cyber Threat Intelligence Analysis

A threat-informed defense begins with being threat-informed, and being informed requires threat intelligence. From that point you can work out who is likely to attack you and how they are likely to do it. That understanding is the basis for your defenses.

Cyber threat intelligence analysis takes existing intelligence data such as adversary TTPs, malware hashes, or domain names and applies human analysis to it in order to harden your defenses. This improves your ability to anticipate, prevent, detect, and respond to cyber attacks. These inputs are not equally valuable: a hash or a domain is cheap for an adversary to change, whereas TTPs (the behaviors that ATT&CK catalogs) are far more durable, which is why a threat-informed defense prioritizes behaviors over atomic indicators.

Let's take CRITs as an example of what goes into cyber threat intelligence analysis.

MITRE CRITS

CRITs (Collaborative Research Into Threats) is a free, open-source tool from MITRE designed for analysts and security professionals working on threat defense. Its main goal is to offer an adaptable and open platform for analyzing and collaborating on threat data.

It does a handful of things that assist with intelligence analysis, such as:

  • Collecting and archiving attack artifacts

  • Associating artifacts with stages of the cyber attack lifecycle

  • Conducting malware reverse engineering

  • Tracking environmental influences

  • Connecting all of this together to shape and prioritize defenses and react to incidents

Moving on to the second element:

Defensive Engagement of the Threat

Defensive Engagement of the Threat takes what you’ve learned from Intelligence Analysis and allows you to look for indicators of a pending, active, or successful cyber attack.

Breach and Attack Simulation (BAS) tools fit in well here: they take the behavioral models uncovered during intelligence analysis and use them to automate testing and reporting on what those behavior patterns look like in your enterprise, so you learn which techniques your controls actually detect or block rather than assuming coverage.

These simulation results feed back into your threat intelligence analysis and into the next element we are going to talk about: Focused Sharing and Collaboration.

Focused Sharing and Collaboration

By sharing threat actor TTPs in standard formats such as STIX (the data model for describing threats) over TAXII (the transport protocol for exchanging them), the security community benefits together.

If you are part of a large organization with different security groups, information shared between groups in a standard format can help your enterprise build a threat-informed defense.
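The two passages above describe the same data moving through the loop: intelligence analysis turns TTPs, hashes and domains into structured knowledge, and sharing packages that knowledge in STIX so another team can consume it. The following is an added example, not code from the page or from MITRE's own tooling, that builds a minimal STIX 2.1 bundle for a fictitious intrusion set and then reads it back the way a consuming team would, pulling out the ATT&CK technique IDs to prioritize. The actor name, the placeholder SHA-256 (the hash of empty input), the domain and the UUID namespace are constructed sample data; the ATT&CK technique IDs are real entries from the Enterprise matrix. Only the Python standard library is used, so it runs offline.

```python
"""Produce and consume a minimal STIX 2.1 bundle of adversary TTPs and indicators.

Added example for this page; constructed sample data, not real intelligence.
"""
import json
import uuid
from datetime import datetime, timezone

# Arbitrary namespace so object IDs are reproducible across runs (assumption:
# a real producer would usually mint random UUIDv4 identifiers instead).
_NS = uuid.UUID("a4f2c7e4-9d5b-4f8a-b3c1-2f9e8d7c6b5a")

# Constructed sample intelligence. Technique IDs are real ATT&CK entries.
SAMPLE_ACTOR = "Sample Actor"
SAMPLE_TECHNIQUES = {
    "T1566.001": "Spearphishing Attachment",
    "T1059.001": "PowerShell",
    "T1071.001": "Web Protocols",
}
SAMPLE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # SHA-256 of empty input, placeholder only
SAMPLE_DOMAIN = "c2.example.invalid"


def stix_id(obj_type: str, seed: str) -> str:
    """STIX 2.1 identifiers have the form '<type>--<uuid>'."""
    return f"{obj_type}--{uuid.uuid5(_NS, f'{obj_type}:{seed}')}"


def stix_timestamp() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _common(obj_type: str, seed: str, ts: str) -> dict:
    return {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type, seed),
            "created": ts, "modified": ts}


def relationship(rel_type: str, source_ref: str, target_ref: str, ts: str) -> dict:
    obj = _common("relationship", f"{rel_type}:{source_ref}:{target_ref}", ts)
    obj.update({"relationship_type": rel_type, "source_ref": source_ref, "target_ref": target_ref})
    return obj


def indicator(pattern: str, name: str, ts: str) -> dict:
    """Atomic indicator expressed in the STIX patterning language."""
    obj = _common("indicator", pattern, ts)
    obj.update({"name": name, "pattern": pattern, "pattern_type": "stix",
                "indicator_types": ["malicious-activity"], "valid_from": ts})
    return obj


def build_bundle(actor: str, techniques: dict, sha256: str, domain: str) -> dict:
    """Package an intrusion set, the techniques it uses, and two indicators."""
    ts = stix_timestamp()
    actor_obj = _common("intrusion-set", actor, ts)
    actor_obj["name"] = actor
    objects = [actor_obj]
    for tid, name in techniques.items():
        ap = _common("attack-pattern", tid, ts)
        ap["name"] = name
        # The external reference is how consumers map the pattern back to ATT&CK.
        ap["external_references"] = [{
            "source_name": "mitre-attack", "external_id": tid,
            "url": f"https://attack.mitre.org/techniques/{tid.replace('.', '/')}/"}]
        objects += [ap, relationship("uses", actor_obj["id"], ap["id"], ts)]
    hash_ind = indicator(f"[file:hashes.'SHA-256' = '{sha256}']", "Dropper hash", ts)
    dom_ind = indicator(f"[domain-name:value = '{domain}']", "C2 domain", ts)
    objects += [hash_ind, dom_ind,
                relationship("indicates", hash_ind["id"], actor_obj["id"], ts),
                relationship("indicates", dom_ind["id"], actor_obj["id"], ts)]
    return {"type": "bundle", "id": stix_id("bundle", actor), "objects": objects}


def bundle_to_json(bundle: dict) -> str:
    return json.dumps(bundle, indent=2)


def bundle_from_json(text: str) -> dict:
    return json.loads(text)


def attack_techniques_used(bundle: dict, actor_name: str) -> list:
    """Consumer side: follow 'uses' relationships from the named intrusion set
    to attack-patterns and return their ATT&CK technique IDs, sorted."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    actor_ids = {o["id"] for o in bundle["objects"]
                 if o["type"] == "intrusion-set" and o.get("name") == actor_name}
    found = set()
    for o in bundle["objects"]:
        if o["type"] != "relationship" or o["relationship_type"] != "uses":
            continue
        if o["source_ref"] not in actor_ids:
            continue
        target = by_id.get(o["target_ref"])
        if target is None or target["type"] != "attack-pattern":
            continue  # dangling or unexpected reference: skip rather than crash
        for ref in target.get("external_references", []):
            if ref.get("source_name") == "mitre-attack":
                found.add(ref["external_id"])
    return sorted(found)


def indicator_patterns(bundle: dict) -> list:
    return sorted(o["pattern"] for o in bundle["objects"] if o["type"] == "indicator")


if __name__ == "__main__":
    b = build_bundle(SAMPLE_ACTOR, SAMPLE_TECHNIQUES, SAMPLE_SHA256, SAMPLE_DOMAIN)
    print(bundle_to_json(b))
    print("techniques:", attack_techniques_used(b, SAMPLE_ACTOR))
    print("indicators:", indicator_patterns(b))
```

The bundle is the payload; pushing it to a shared collection over TAXII, or importing it into a platform such as CRITs, is assumed to be handled by a separate client and is not shown. The consumer deliberately walks the `uses` relationships rather than trusting object order, and skips dangling references, because bundles assembled from several sources routinely contain relationships whose targets were not included.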

Groups like MITRE’s Center for Threat Informed Defense (CTID) bring together sophisticated security teams from leading organizations around the world to expand the global understanding of adversary behaviors. They accomplish this by creating focus, collaboration, and coordination to accelerate innovation in threat-informed defense, building on the MITRE ATT&CK framework.

We used CRITs here as an example because it gives a good illustration of the features that support cyber threat intelligence analysis. For more information about CRITs, see the project's own documentation.