Most organizations still rely on defense-in-depth approaches to protect their environment. Although these methods work, they are not always effective at detecting and stopping advanced persistent threats, and they generally offer little insight into what an adversary actually does once inside the environment.
To improve cyber defense, organizations are adopting a threat-informed defense strategy. Threat-informed defense uses the insights gained from real attacks and relevant security events to reduce the likelihood of successful attacks in the future. It is a proactive approach to cybersecurity built on three key elements that together form an evolving feedback loop for security and risk teams.
- Cyber threat intelligence analysis: Threat intelligence analysis takes existing intelligence that is relevant to the organization, such as adversary TTPs (tactics, techniques and procedures), malicious domains and malware hashes, and uses it to improve how the organization anticipates, prevents, detects and responds to cyber attacks.
- Defensive engagement of threats: Defensive engagement takes what was discovered during intelligence analysis and lets security teams look for indicators of a pending, active or successful cyber attack. Organizations use deception techniques and breach and attack simulation (BAS) to model the attacker behavior uncovered during analysis, run simulated tests against their own controls, and confirm that defense teams are prepared to respond to that adversary behavior.
- Focused sharing and collaboration: Increased collaboration and exchange of threat intelligence across the cyber defense community is key to a successful cyber defense program. By sharing threat actor TTPs through standards such as STIX (Structured Threat Information Expression) and TAXII (Trusted Automated Exchange of Indicator Information), the security community benefits collectively when deploying defense strategies to protect their environments.
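The three elements above form one loop: analyzed intelligence is packaged as STIX so it can be shared, and the same package is then used to hunt for indicators in the organization's own telemetry. The following is an added example written for this page; it is not code from the article or from MITRE's Center for Threat-Informed Defense. It builds a minimal STIX 2.1 bundle linking one ATT&CK technique (T1071, Application Layer Protocol) to a domain indicator and a file-hash indicator, sanity-checks the bundle the way a consumer should before trusting shared intel, and then runs the indicator patterns over constructed log events. The domain, the hash, the log events and the mapping from STIX object paths to log fields (FIELD_MAP) are all assumptions made for the example, and only the single-comparison subset of the STIX patterning language is implemented.

```python
# Added example: share a TTP and two indicators as STIX 2.1, then reuse the
# same bundle as detection content. Not the article's or MITRE CTID's code.
import re
import uuid

# Constructed sample intel. The domain uses the reserved .example TLD and the
# hash is a placeholder; neither refers to real malicious infrastructure.
C2_DOMAIN = "update-check.example"
DROPPER_SHA256 = "a" * 64
TS = "2024-01-01T00:00:00.000Z"  # fixed timestamp so the bundle is reproducible


def new_id(obj_type):
    """STIX 2.1 identifiers for domain objects are '<type>--<UUIDv4>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def build_bundle():
    """Bundle: ATT&CK technique T1071 plus two indicators that 'indicate' it."""
    ap_id, dom_id, hash_id = new_id("attack-pattern"), new_id("indicator"), new_id("indicator")
    common = {"spec_version": "2.1", "created": TS, "modified": TS}
    objects = [
        {"type": "attack-pattern", "id": ap_id, **common,
         "name": "Application Layer Protocol",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1071"}]},
        {"type": "indicator", "id": dom_id, **common, "valid_from": TS,
         "indicator_types": ["malicious-activity"], "pattern_type": "stix",
         "pattern": f"[domain-name:value = '{C2_DOMAIN}']"},
        {"type": "indicator", "id": hash_id, **common, "valid_from": TS,
         "indicator_types": ["malicious-activity"], "pattern_type": "stix",
         "pattern": f"[file:hashes.'SHA-256' = '{DROPPER_SHA256}']"},
        {"type": "relationship", "id": new_id("relationship"), **common,
         "relationship_type": "indicates", "source_ref": dom_id, "target_ref": ap_id},
        {"type": "relationship", "id": new_id("relationship"), **common,
         "relationship_type": "indicates", "source_ref": hash_id, "target_ref": ap_id},
    ]
    return {"type": "bundle", "id": new_id("bundle"), "objects": objects}


def validate_bundle(bundle):
    """Consumer-side check: every relationship must point at objects in the bundle."""
    problems = []
    ids = {o.get("id") for o in bundle.get("objects", [])}
    for obj in bundle.get("objects", []):
        if obj.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:
                    problems.append(f"{obj.get('id', '?')}: dangling {ref}")
    return problems


# Only the single-comparison subset of STIX patterning is handled:
# [object-type:property = 'value']. AND/OR/FOLLOWEDBY are rejected, not ignored.
PATTERN_RE = re.compile(r"^\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'\s*\]$")
# Hypothetical mapping from STIX object paths to fields in our log schema.
FIELD_MAP = {"domain-name:value": "query", "file:hashes.'SHA-256'": "sha256"}


def parse_pattern(pattern):
    """Return (log_field, expected_value) or raise if the pattern is unsupported."""
    m = PATTERN_RE.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    path, value = m.groups()
    if path not in FIELD_MAP:
        raise ValueError(f"no log field for object path {path}")
    return FIELD_MAP[path], value


def technique_for_indicator(bundle):
    """indicator id -> ATT&CK external id, following 'indicates' relationships."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    out = {}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "indicates":
            for ref in by_id.get(o["target_ref"], {}).get("external_references", []):
                if ref.get("source_name") == "mitre-attack":
                    out[o["source_ref"]] = ref["external_id"]
    return out


def match_events(bundle, events):
    """Run every indicator pattern over the events; return hits with TTP context."""
    techniques = technique_for_indicator(bundle)
    hits = []
    for obj in bundle["objects"]:
        if obj["type"] != "indicator":
            continue
        field, value = parse_pattern(obj["pattern"])
        for ev in events:
            if ev.get(field, "").lower() == value.lower():   # case-insensitive compare
                hits.append({"event": ev["id"], "indicator": obj["id"],
                             "technique": techniques.get(obj["id"])})
    return hits


# Constructed log events: two DNS queries and two EDR file observations.
EVENTS = [
    {"id": 1, "source": "dns", "query": "UPDATE-CHECK.example"},
    {"id": 2, "source": "dns", "query": "www.example.com"},
    {"id": 3, "source": "edr", "sha256": "a" * 64},
    {"id": 4, "source": "edr", "sha256": "b" * 64},
]
```

Calling `match_events(build_bundle(), EVENTS)` returns two hits, events 1 and 3, each tagged with T1071, which is the context an analyst wants alongside a raw indicator match. The bundle produced by `build_bundle()` is what a TAXII server would serve to a partner; in practice the consumer would JSON-decode it, run `validate_bundle` on it and reject any bundle with dangling references before loading its patterns into detection. Any pattern outside the supported subset raises rather than silently matching nothing, so unsupported intel is visible instead of lost.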
Threat-informed defense enables defense teams to think from the attacker's point of view and to use the resulting insights to reduce the likelihood of successful attacks in the future.
Reference: MITRE’s Center for Threat Informed Defense (CTID)