
Mastering a Threat-Informed Defense in Cybersecurity: 5 Best Practices


Understanding the Concept of Threat-Informed Defense

The concept of a threat-informed defense in cybersecurity is relatively well-understood, yet implementing it effectively remains a significant challenge for many organizations. It's one thing to grasp the theory, but quite another to successfully operationalize this robust defensive strategy. Leading organizations, however, have begun to provide some guidance on how best to implement and sustain a threat-informed defense, which can be the key to achieving a more resilient cybersecurity posture.

If you've spent any significant amount of time in the cybersecurity field—let’s say five to ten years—you're likely familiar with the term “threat-informed defense.” But what exactly does it entail? Simply put, a threat-informed defense is an approach that focuses your security teams, technologies, and budgets on the threats most likely to impact your specific organization, industry, or region.


The Sun Tzu Approach: Knowing Both Your Enemy and Yourself

The concept aligns closely with the wisdom of Sun Tzu, the ancient Chinese military strategist, who famously said:

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

In the context of cybersecurity, this means that security teams need to monitor the tactics, techniques, and procedures (TTPs) of their adversaries. They must also understand how these TTPs can be either prevented or detected by their existing security controls. Once these factors are clear, necessary adjustments can be made to cover any gaps in defenses.


The MITRE ATT&CK Framework: A Foundational Tool

One of the cornerstones of a threat-informed defense is the MITRE ATT&CK framework. This is a universally accessible, continuously updated knowledge base of known adversary behaviors that security teams use to model, detect, prevent, and fight cybersecurity threats. Tools like the MITRE ATT&CK Navigator allow security teams to create a visual representation of adversary TTPs, which can then be compared against the organization's security controls and defensive strategies.
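The comparison described above, adversary TTPs set against the controls an organization already has, can be scripted. The following is an added example written for this page; it is not code from the article, from MITRE, or from the Navigator project. The technique IDs are real ATT&CK Enterprise identifiers, but the adversary profile, the coverage map, the scoring and the layer-file field names are constructed assumptions for illustration.

```python
"""Compare tracked adversary TTPs against defensive coverage and emit a Navigator-style layer.

Added example, not from the article. Technique IDs are real ATT&CK Enterprise
identifiers; the adversary profile, the control coverage map and the scoring
are constructed for illustration.
"""
import json

# Constructed: techniques attributed to the threat actors this organization tracks,
# each mapped to the (constructed) intel reports that mention it.
ADVERSARY_TTPS = {
    "T1566.001": ["actor-A report", "actor-B report"],  # Spearphishing Attachment
    "T1059.001": ["actor-A report"],                    # PowerShell
    "T1003.001": ["actor-B report"],                    # LSASS Memory
    "T1021.001": ["actor-A report", "actor-B report"],  # Remote Desktop Protocol
    "T1486":     ["actor-B report"],                    # Data Encrypted for Impact
    "T1071.001": ["actor-A report"],                    # Web Protocols (C2)
}

# Constructed: what the organization's controls cover, per technique.
# "prevent" = blocked by a control, "detect" = an alert exists; absent = no coverage.
COVERAGE = {
    "T1566.001": {"prevent": ["email gateway"], "detect": ["SIEM rule"]},
    "T1059.001": {"prevent": [], "detect": ["EDR"]},
    "T1003.001": {"prevent": ["credential guard"], "detect": []},
    "T1021.001": {"prevent": [], "detect": []},
    "T1071.001": {"prevent": [], "detect": ["proxy logs (partial)"]},
}

def coverage_level(tech_id, coverage=COVERAGE):
    """Best coverage the organization has for a technique: prevent > detect > none."""
    c = coverage.get(tech_id, {})
    if c.get("prevent"):
        return "prevent"
    if c.get("detect"):
        return "detect"
    return "none"

def gap_analysis(adversary_ttps=ADVERSARY_TTPS, coverage=COVERAGE):
    """Rows sorted so the least-covered, most-reported techniques come first."""
    rank = {"none": 0, "detect": 1, "prevent": 2}
    rows = [{"technique": t, "sources": len(s), "coverage": coverage_level(t, coverage)}
            for t, s in adversary_ttps.items()]
    rows.sort(key=lambda r: (rank[r["coverage"]], -r["sources"]))
    return rows

def to_navigator_layer(rows, name="Coverage vs tracked adversaries"):
    """Build a dict shaped like an ATT&CK Navigator layer file.
    Assumption: field names follow the Navigator layer format (4.x) as the
    author of this example understands it; check against the spec for the
    Navigator version you run before importing."""
    score = {"none": 0, "detect": 1, "prevent": 2}
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.5"},
        "techniques": [
            {"techniqueID": r["technique"], "score": score[r["coverage"]],
             "comment": f"{r['sources']} intel source(s); coverage={r['coverage']}"}
            for r in rows
        ],
    }

if __name__ == "__main__":
    rows = gap_analysis()
    for r in rows:
        print(f"{r['technique']:<10} sources={r['sources']} coverage={r['coverage']}")
    print(json.dumps(to_navigator_layer(rows), indent=2))
```

Run as-is, the first rows are the techniques both tracked actors use and that no control prevents or detects; those are the gaps the rest of the article's practices (detection engineering, hunting, testing) are meant to close. The layer dict can be written to a file and loaded in the Navigator to colour the matrix by the same score.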

If you’re looking to deepen your understanding of threat-informed defense, I highly recommend diving into specialized cybersecurity books that cover the MITRE ATT&CK framework and other essential tools in more detail.


Why Is Operationalizing a Threat-Informed Defense So Challenging?

While the basic understanding of a threat-informed defense is relatively straightforward, putting it into practice is where many organizations falter. Even though most security professionals grasp the concept quickly, many struggle to operationalize it effectively. Unfortunately, many cyber-threat intelligence programs remain haphazard and overly tactical, which can prevent organizations from moving forward with more advanced layers of a threat-informed defense.

So, what steps can be taken to overcome these challenges? In speaking with several organizations that have successfully implemented a threat-informed defense, it’s clear that there are a few key practices that can make all the difference.


1. Establish and Continuously Improve Your Threat Intelligence Lifecycle


The Six Phases of a Threat Intelligence Lifecycle

A successful threat intelligence lifecycle generally consists of six critical phases:

  1. Direction and Planning
  2. Data Collection
  3. Processing
  4. Analysis and Production
  5. Intelligence Dissemination
  6. Feedback

To get this process right, it’s essential to define the specific threats and threat actors that need to be tracked. This involves collecting, processing, and analyzing relevant intelligence, creating reports that are disseminated to the right stakeholders, and gathering feedback to ensure that the intelligence provided meets their needs.

Organizations that are still in the immature stages of this process often struggle with one or more of these phases. They may fail to get input from the business, become overwhelmed by the sheer volume of threat intelligence, or produce reports that are overly technical and not actionable. However, establishing a solid foundation in this lifecycle is critical for building an effective threat-informed defense.

Want to master these six phases? Consider exploring detailed cybersecurity books that offer comprehensive guides on establishing and refining a threat intelligence lifecycle.


2. Use Threat Intelligence for Exposure Management

The Power of Prevention

Everyone has heard the saying, “an ounce of prevention is worth a pound of cure.” A threat-informed defense embodies this principle by aligning threat intelligence with exposure management. For example, if your organization is conducting vulnerability scans across systems, applications, cloud infrastructure, and other attack surfaces, you’ll likely end up with a daunting list of tens of thousands of vulnerabilities.

Even large, well-resourced enterprises can't address all these vulnerabilities promptly. Therefore, leading firms rely on threat intelligence to prioritize fixing those vulnerabilities most likely to be exploited imminently or in the near future.

Some vulnerability management tools, such as those from Cisco (Kenna), Nucleus Security, and ServiceNow, offer this functionality. However, proactive organizations go a step further by developing the expertise to compare vulnerabilities against evolving threats across their entire IT infrastructure.
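The prioritization described in this section, ranking scan findings by the likelihood that a vulnerability is exploited rather than by severity alone, can be sketched in a few dozen lines. This is an added example, not code from the article or from any of the vendors named above; the CVE identifiers are placeholders, the "exploited in the wild" and "used by tracked actors" sets stand in for the organization's own CTI feeds, and the weights are assumptions.

```python
"""Rank vulnerability-scan findings using threat intelligence, not CVSS alone.

Added example, not from the article or any vendor product. All data is
constructed: CVE identifiers are placeholders, and the three intel sets stand
in for real CTI feeds.
"""
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str                 # placeholder identifier (constructed)
    asset: str
    cvss: float              # base score as reported by the scanner
    internet_facing: bool
    asset_criticality: int   # 1 (low) .. 3 (crown jewel), from the asset inventory

# Constructed threat-intel feeds.
EXPLOITED_IN_WILD = {"CVE-0000-0002", "CVE-0000-0004"}
USED_BY_TRACKED_ACTORS = {"CVE-0000-0004", "CVE-0000-0005"}
PUBLIC_EXPLOIT_AVAILABLE = {"CVE-0000-0001", "CVE-0000-0002"}

def risk_score(f: Finding) -> float:
    """Threat-informed score: severity, weighted by evidence of real-world use
    and by the organization's own exposure. The weights are an assumption."""
    threat = 1.0
    if f.cve in EXPLOITED_IN_WILD:
        threat += 2.0
    if f.cve in USED_BY_TRACKED_ACTORS:
        threat += 2.0
    if f.cve in PUBLIC_EXPLOIT_AVAILABLE:
        threat += 0.5
    exposure = (2.0 if f.internet_facing else 1.0) * f.asset_criticality
    return round(f.cvss * threat * exposure, 1)

def prioritize(findings):
    """Findings ordered from most to least urgent."""
    return sorted(findings, key=risk_score, reverse=True)

def cvss_order(findings):
    """The order a severity-only programme would work in, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

SCAN_RESULTS = [  # constructed scanner output
    Finding("CVE-0000-0001", "intranet-wiki", 9.8, False, 1),
    Finding("CVE-0000-0002", "vpn-gateway",   7.5, True,  3),
    Finding("CVE-0000-0003", "build-server",  9.1, False, 2),
    Finding("CVE-0000-0004", "mail-relay",    6.5, True,  2),
    Finding("CVE-0000-0005", "hr-database",   5.3, False, 3),
]

if __name__ == "__main__":
    print("threat-informed order:")
    for f in prioritize(SCAN_RESULTS):
        print(f"  {risk_score(f):>7}  {f.cve}  {f.asset}")
    print("CVSS-only order:", [f.cve for f in cvss_order(SCAN_RESULTS)])
```

The point of the comparison is that the two highest-CVSS findings sit on internal, low-criticality hosts with no evidence of exploitation, while a 7.5 on an internet-facing gateway that is being exploited in the wild moves to the top. Which feeds to weight, and by how much, is the expertise the article says proactive organizations build in-house.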

If you’re aiming to strengthen your exposure management approach, there are several excellent cybersecurity books that can provide in-depth insights and practical advice.


3. Drive Detection Engineering

Understanding and Closing Gaps in Defense

A threat-informed defense requires a deep understanding of adversary TTPs. Once you’ve compared these TTPs to your existing defenses, you’ll likely identify gaps that need addressing. The next step is to review and write detection rules and test them to ensure they work as intended.

Rather than relying solely on security tool vendors to develop the right detection rules, leading organizations invest in detection engineering across various toolsets, including XDR, email/web security tools, SIEM, and cloud security solutions.

While this can be both challenging and costly, open standards like Sigma and YARA can assist. However, many organizations also require additional support from service providers or specialized tools from vendors like Anvilogic, CardinalOps, Detecteam, or SOC Prime.
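The "review, write, and test" loop from this section, applied to one Sigma-style rule. This is an added example; it is not code from the article and not the Sigma project's own tooling. Sigma rules are YAML, so to keep the block self-contained the rule is written as the equivalent Python dict, the process-creation events are constructed, and the matcher implements only the subset of Sigma used here (the `|contains` and `|endswith` modifiers, and conditions built from `and`, `or` and `not` without parentheses).

```python
"""Evaluate a Sigma-style detection rule against sample events, then unit-test it.

Added example, not from the article and not the Sigma project's tooling. The
rule, the events and the expected outcomes are constructed; the matcher
covers only the Sigma subset these use.
"""

# Constructed rule, modelled on the structure of a Sigma process_creation rule:
# an Office application spawns PowerShell with an encoded command line.
RULE = {
    "title": "Encoded PowerShell spawned by Office application",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_parent": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe", "\\outlook.exe"]},
        "selection_cmd": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc ", "-EncodedCommand", "-e "]},
        # Known-benign automation account (constructed) that legitimately does this.
        "filter_patching": {"User|contains": "svc_patch"},
        "condition": "selection_parent and selection_cmd and not filter_patching",
    },
    "level": "high",
}

def _field_matches(event, key, expected):
    """One Sigma field test; a list of expected values is an OR."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    for exp in (expected if isinstance(expected, list) else [expected]):
        exp = str(exp).lower()
        if modifier == "contains" and exp in value:
            return True
        if modifier == "endswith" and value.endswith(exp):
            return True
        if modifier == "" and value == exp:
            return True
    return False

def _selection_matches(event, selection):
    """All fields inside one selection must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())

def _eval_condition(expr, results):
    """Minimal condition evaluator: 'not' binds tightest, then 'and', then 'or'."""
    def term(tok):
        tok = tok.strip()
        return not results[tok[4:].strip()] if tok.startswith("not ") else results[tok]
    return any(all(term(t) for t in clause.split(" and ")) for clause in expr.split(" or "))

def evaluate(rule, event):
    """True when the event satisfies the rule's condition."""
    det = rule["detection"]
    results = {name: _selection_matches(event, sel)
               for name, sel in det.items() if name != "condition"}
    return _eval_condition(det["condition"], results)

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [  # constructed process_creation events with Sysmon-style field names
    {"id": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA", "User": "CORP\\jdoe"},
    {"id": 2, "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -enc AAAA", "User": "CORP\\jdoe"},
    {"id": 3, "ParentImage": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE", "Image": PS,
     "CommandLine": "powershell.exe -EncodedCommand AAAA", "User": "CORP\\svc_patch"},
    {"id": 4, "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe",
     "User": "CORP\\jdoe"},
]
# Constructed expected outcomes: only event 1 should alert.
EXPECTED = {1: True, 2: False, 3: False, 4: False}

def run(rule=RULE, events=EVENTS):
    """Ids of the events that fire the rule."""
    return [e["id"] for e in events if evaluate(rule, e)]

def validate(rule=RULE, events=EVENTS, expected=EXPECTED):
    """Rule unit test: (false negatives, false positives) against labelled events."""
    fired = set(run(rule, events))
    false_neg = sorted(i for i, want in expected.items() if want and i not in fired)
    false_pos = sorted(i for i, want in expected.items() if not want and i in fired)
    return false_neg, false_pos

if __name__ == "__main__":
    print("fired:", run())
    print("false negatives, false positives:", validate())
```

Keeping a labelled event set beside each rule is what turns "write detection rules" into "test them to ensure they work as intended": a later edit to the filter, or a change in how the EDR names its fields, shows up as a false negative before it reaches production.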

For those interested in mastering detection engineering, you can find cybersecurity books that delve into the specifics of this critical area.


4. Promote Threat Hunting

The Role of Threat Intelligence in Hunting

Once your cyber threat intelligence (CTI) lifecycle is functioning well, it will generate intelligence that can serve as the foundation for both automated and manual threat hunting. Some organizations use scripting for this purpose, while others create runbooks for SOAR tools. The basic concept is to automate the discovery of indicators of compromise (IoCs) observed on the network through tools like SIEM, EDR/XDR/NDR, firewalls, and cloud logs.

This process often triggers more advanced threat hunts using methodologies like the Diamond Model or the Pyramid of Pain. These hunts are typically conducted by L3 SOC analysts searching for sophisticated patterns and behaviors indicative of malicious activity.
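The automated IoC sweep described above, run across several log sources and graded by Pyramid of Pain tier so that the results seed the manual hunt. This is an added example written for this page, not code from the article or any vendor. The indicator list, the log lines and their formats are constructed; the IP addresses come from the documentation ranges and the domain from a reserved example domain.

```python
"""Automated IoC sweep across several log sources, tiered by the Pyramid of Pain.

Added example, not from the article. Indicators, log lines and source formats
are all constructed. Tiers follow the Pyramid of Pain (hash < IP < domain <
host/network artifact), so the most durable hits are reported first.
"""
import re
from collections import defaultdict

# Constructed CTI output from the intelligence lifecycle, grouped by indicator type.
IOCS = {
    "sha256":   {"0" * 64},                   # placeholder hash (constructed)
    "ipv4":     {"203.0.113.7"},              # TEST-NET-3 documentation address
    "domain":   {"updates.example.net"},      # reserved example domain
    "artifact": {"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},  # constructed
}
PAIN_TIER = {"sha256": 1, "ipv4": 2, "domain": 3, "artifact": 4}

# Constructed log lines from three sources, each in its own key=value format.
LOGS = [
    ("firewall", "2024-08-01T10:00:01Z action=allow src=10.0.0.5 dst=203.0.113.7 dport=443"),
    ("firewall", "2024-08-01T10:00:02Z action=allow src=10.0.0.9 dst=198.51.100.2 dport=443"),
    ("dns",      "2024-08-01T10:00:03Z client=10.0.0.5 query=updates.example.net type=A"),
    ("edr",      "2024-08-01T10:00:04Z host=WS05 event=file_create sha256=" + "0" * 64
                 + " path=C:\\Users\\jdoe\\AppData\\Local\\Temp\\u.exe"),
    ("edr",      "2024-08-01T10:00:05Z host=WS05 event=registry_set "
                 "key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    ("edr",      "2024-08-01T10:00:06Z host=WS11 event=file_create sha256=" + "f" * 64
                 + " path=C:\\Windows\\Temp\\ok.tmp"),
]

# One extraction pattern per indicator type; field names are those of the constructed formats.
EXTRACTORS = {
    "ipv4":     re.compile(r"\b(?:src|dst)=(\d{1,3}(?:\.\d{1,3}){3})"),
    "domain":   re.compile(r"\bquery=([A-Za-z0-9.-]+)"),
    "sha256":   re.compile(r"\bsha256=([0-9a-fA-F]{64})"),
    "artifact": re.compile(r"\bkey=(\S+)"),
}

def sweep(logs=LOGS, iocs=IOCS):
    """Match every indicator type against every line; return
    (tier, ioc_type, indicator, source, line) tuples, highest tier first."""
    lowered = {t: {i.lower() for i in vals} for t, vals in iocs.items()}
    hits = []
    for source, line in logs:
        for ioc_type, pattern in EXTRACTORS.items():
            for value in pattern.findall(line):
                if value.lower() in lowered[ioc_type]:
                    hits.append((PAIN_TIER[ioc_type], ioc_type, value, source, line))
    return sorted(hits, key=lambda h: -h[0])

def pivot_by_host(hits):
    """Group hits by the internal host or client involved, to seed a manual hunt."""
    by_host = defaultdict(list)
    for _tier, ioc_type, value, _source, line in hits:
        m = re.search(r"\b(?:src|client|host)=(\S+)", line)
        by_host[m.group(1) if m else "unknown"].append((ioc_type, value))
    return dict(by_host)

if __name__ == "__main__":
    hits = sweep()
    for tier, ioc_type, value, source, _line in hits:
        print(f"tier {tier} {ioc_type:<8} {value[:40]:<40} from {source}")
    print(pivot_by_host(hits))
```

Matching atomic indicators is the cheap, automatable bottom of the pyramid; the pivot by host is where the L3 hunt starts, because two different indicator types on the same workstation within seconds is the kind of behavioral pattern that a single hash or IP hit does not establish on its own.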

To enhance your threat hunting capabilities, there are several cybersecurity books available that offer step-by-step guides and real-world examples.


5. Pursue Continuous Testing

Learning from Failure

As another adage goes, “testing leads to failure, and failure leads to understanding.” For a threat-informed defense, continuous testing is vital. Leading organizations engage in regular red teaming and penetration testing, whether through in-house experts, service provider contracts, automated tools, or even by establishing a cyber-range with firms like Cyberbit.

The primary goal of continuous testing is to identify areas where the organization believes it is protected but isn’t. This process effectively bridges the Sun Tzu gap between knowing the adversary and knowing oneself. As continuous testing gains traction, many firms are establishing purple teams to align threats with defenses even more closely.

Interested in implementing continuous testing? Check out cybersecurity books that offer practical guidance on setting up and maintaining effective testing protocols.


The Payoff of a Threat-Informed Defense

Establishing a threat-informed defense isn’t easy, and many of the organizations I spoke with encountered obstacles along the way. However, those that persevered found the effort worthwhile. Security professionals reported improved security efficacy and more efficient operations, while CISOs noted that a threat-informed defense resonated with business executives and corporate boards. By providing a more focused view of cybersecurity coverage and necessary investments, the strategy helped bridge the gap between technical security measures and business objectives.

If you're looking to embark on this journey or refine your existing approach, I highly recommend investing in cybersecurity books that explore these topics in greater depth. The knowledge and insights you’ll gain will be invaluable as you work to implement a successful threat-informed defense in your organization.


Homies Hacks
https://www.homieshacks.com/2024/08/mastering-threat-informed-defense-in.html