Cybersecurity isn't a static practice, and with every new threat organizations learn more about how to defend against increasingly advanced adversaries. Among the players in this evolution, MITRE has become the de-facto leader. It champions Threat-Informed Defense (TID), a strategic approach that maximizes the effectiveness of cybersecurity investments by focusing them on what real threat actors actually do. The methodology rests heavily on the MITRE ATT&CK framework, which provides a comprehensive, observation-based picture of adversaries' tactics, techniques and procedures (TTPs) and uses it to inform and shape a better-targeted defensive posture.
TID is built on the premise that understanding the tactics, techniques, and procedures used by threat actors is the most reliable way to raise an organization's preparedness against cyber threats. Beyond demonstrating security leadership within their industry, organizations that adopt it improve their overall security posture. As cyber threats grow and change, TID adoption is quickly becoming a necessity for organizations of all types and sizes.
The Role of the MITRE ATT&CK Framework
The MITRE ATT&CK framework is the key foundational piece of the TID approach. It catalogs the tactics, techniques and procedures of real threat actors, which lets security teams identify where they may be most vulnerable given their own attack surface. Strengthening defenses against the right things matters more than strengthening them everywhere: this insight helps organizations concentrate their defenses on the techniques attackers actually use most often.
MITRE strongly recommends that organizations make TID exercises routine, arguing that they should be held quarterly. This cadence keeps the defense agile, one step ahead of, and ready to address, constantly evolving threats. Key stakeholders across the organization should take part in these exercises so that the understanding of the threat landscape is shared and the collective defensive effort is strengthened.
Integrating TID not only equips organizations to respond to ongoing and emerging threats, it also feeds long-term strategic planning. Continuous assessment of threat actor behavior lets security teams prioritize engineering efforts according to actual risk, and so optimize how resources are allocated.
Cyber Threat Intelligence as a Pillar of TID
Cyber threat intelligence is one of the three pillars of Threat-Informed Defense. It is the collection and analysis of information about current and developing cyber threats: who the adversaries are, what they target, and which techniques they use. By using this data to focus their energy, organizations can prioritize the defensive strategies that fit their unique circumstances rather than spreading effort evenly across every conceivable threat.
Filigran is at the forefront of intelligence-driven cybersecurity solutions. It offers an open-source extended threat management (XTM) suite that combines a threat intelligence platform with adversary emulation capabilities. This integrated suite gives organizations the tooling to operationalize TID: security teams can run simulated attacks that replay the techniques real adversaries are observed using, rather than generic test cases.
Combining threat intelligence with adversary emulation gives organizations a more nuanced understanding of the threats they face. With Filigran's XTM suite, security teams can tailor their defenses to the specific weaknesses and adversary tactics that matter to them, ultimately improving their overall resilience.
Implementing TID: Six Actionable Stages
Threat-Informed Defense is a six-stage process that offers a pragmatic, executable model for building realistic and effective cyber defenses. The stages form a proactive framework that does more than react to threats; it helps you anticipate them.
The first stage is about getting a grasp on the threat landscape through ongoing monitoring and analysis. Organizations should collect intelligence on the threats relevant to them and, in that light, understand and account for their own weaknesses. The second stage maps the defenses already in place against the tactics and techniques an adversary is likely to use, which exposes where coverage is missing.
The following stages test and validate those defenses with simulated adversary attacks, build detection capabilities for the gaps found, and develop incident response playbooks and processes. The last stage underscores the importance of ongoing reevaluation: adapting defenses is what keeps them effective against constantly evolving threats.
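The second stage, mapping existing defenses to observed techniques, is the one most often done by hand in a spreadsheet. The script below is an added example, not code from the article or from Filigran's products; it shows the core of that mapping in a few functions. The threat-group names, the technique lists attributed to them, and the defense inventory are constructed sample data, not real intelligence; the ATT&CK technique IDs themselves are real. It assumes one simplification that should be stated explicitly: a defense mapped to a parent technique (for example T1059) is treated as covering all of its sub-techniques (T1059.001, T1059.003, and so on).

```python
"""ATT&CK coverage-gap analysis: which adversary techniques have no mapped defense.

Added example for illustration; the data below is constructed, not real CTI.
"""
from collections import defaultdict

# Constructed sample: ATT&CK technique IDs observed per tracked threat group.
# Group names are placeholders; the technique IDs are real ATT&CK identifiers.
OBSERVED_TTPS = {
    "Group-A": ["T1566.001", "T1059.001", "T1003.001", "T1021.001", "T1486"],
    "Group-B": ["T1078", "T1059.001", "T1021.002", "T1041"],
    "Group-C": ["T1566.002", "T1059.003", "T1003.001", "T1486"],
}

# Constructed sample: detections/mitigations the organization already has,
# keyed by the technique (or parent technique) they are mapped to.
DEFENSES = {
    "T1566.001": ["mail-gateway-attachment-sandbox"],
    "T1059": ["script-interpreter-process-telemetry"],  # parent-level control
    "T1021.001": ["rdp-logon-alert"],
    "T1486": ["mass-file-rename-detection"],
}


def parent_technique(tid):
    """'T1059.001' -> 'T1059'; a parent ID is returned unchanged."""
    return tid.split(".", 1)[0]


def is_covered(tid, defenses):
    """A technique counts as covered if a defense is mapped to it directly or
    to its parent technique (assumption: parent-level controls apply to all
    sub-techniques; tighten this if your controls are sub-technique specific)."""
    return bool(defenses.get(tid)) or bool(defenses.get(parent_technique(tid)))


def technique_prevalence(observed):
    """Map each technique to the set of tracked groups that use it."""
    groups_by_tid = defaultdict(set)
    for group, tids in observed.items():
        for tid in tids:
            groups_by_tid[tid].add(group)
    return groups_by_tid


def prioritized_gaps(observed, defenses):
    """Uncovered techniques as (tid, group_count, sorted_groups), ordered so
    that techniques shared by the most groups come first; ties by ID."""
    gaps = [
        (tid, len(groups), sorted(groups))
        for tid, groups in technique_prevalence(observed).items()
        if not is_covered(tid, defenses)
    ]
    gaps.sort(key=lambda gap: (-gap[1], gap[0]))
    return gaps


def group_coverage(observed, defenses):
    """Fraction of each group's observed techniques that have a mapped defense."""
    return {
        group: sum(is_covered(tid, defenses) for tid in tids) / len(tids)
        for group, tids in observed.items()
    }


if __name__ == "__main__":
    print("Prioritized gaps (technique, number of groups, groups):")
    for tid, count, groups in prioritized_gaps(OBSERVED_TTPS, DEFENSES):
        print(f"  {tid}: used by {count} group(s) {groups}")
    print("Coverage per tracked group:")
    for group, fraction in group_coverage(OBSERVED_TTPS, DEFENSES).items():
        print(f"  {group}: {fraction:.0%}")
```

On the constructed data the top gap is T1003.001 (LSASS memory credential dumping), because two of the three tracked groups use it and nothing is mapped to it or its parent; T1021.002 shows up as a gap even though an RDP alert exists, since that alert is mapped to T1021.001 only. The per-group percentages are the kind of figure that feeds the budget conversation described below, and the same structure extends naturally to weighting groups by how likely they are to target you.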
Chief Information Security Officers (CISOs) can also use TID to justify budget requests by presenting concrete metrics on risk reduction, such as the share of relevant adversary techniques that are now detected or mitigated. This evidence-based approach to decision making makes the return on cybersecurity investment visible, keeps the focus on deliverable results, and leaves the organization better prepared for attacks.