Many organizations struggle to gauge the true effectiveness of their security controls. Security measures frequently falter without detection and breaches still have significant consequences. Cybersecurity teams require a proactive and straightforward method to consistently monitor the actual performance of their security programs. To address this issue, adopting a Threat-Informed Defense strategy becomes crucial. Through ongoing testing of defenses, teams can accumulate more comprehensive data and gain insights into the performance of their security programs. In our “Threat-Informed Defense: What is it and how to implement it?” blog post, we guide you through the fundamentals of Threat-Informed Defense, its implementation, and how your organization can fully capitalize on security optimization for maximum benefits.

What is Threat-Informed Defense?

Threat-Informed Defense, as coined by MITRE Engenuity, is the recognition that few organizations around the world have the human and financial resources to detect and protect themselves against all cyber threats. Instead, a more effective strategy is to better understand the likely cyber threats that a particular organization faces, using threat monitoring advisory services and threat monitoring feeds to identify likely known threats, and then to test the organization’s resilience to those threats through regular testing and validation of security controls.

Threat-Informed Defense applies a deep understanding of adversary tradecraft and technology to protect against, detect and mitigate cyber attacks. It’s a community-based approach to a worldwide challenge.

MITRE Center for Threat-Informed Defense

What Is the Purpose of Threat-Informed Defense?

The purpose of Threat-Informed Defense is to:

  1. Align the security and IT functions so that they are better prepared to identify known cyber threats to the business.
  2. Regularly conduct cyber resilience stress tests, through threat-led attack simulations, that test and validate the effectiveness of security controls.
  3. Detect and protect the business from the identified threats.

The Threat-Informed Defense Feedback Loop by Jon Baker for MITRE-Engenuity

How to Identify Relevant Cyber Threats

Whether the potential threat is an Advanced Persistent Threat (APT) actor, a specific piece of malware or a common threat that affects a wide range of organizations, the adversarial behaviors and techniques it uses should be tested regularly, so that you can be confident your cyber defenses would detect them and protect against them if they were to actually affect your organization.


Cyber threat intelligence can be gained from a variety of sources and it is advised that information security teams use several of these to gain an accurate view of the most likely known threats that their business may face.

  • Government-sponsored cyber authorities, such as CISA in the United States, the CCCS in Canada, NCSC in the United Kingdom and ACSC in Australia. All of these organizations, and many others, issue regular threat advisories that we advise you to subscribe to and act on when they are published (here is an example of a CISA threat advisory on Lockbit ransomware)
  • Cyber threat advisory services – these can include analysts, security advisors, auditors and industry regulators
  • Cyber threat monitoring tools and services – there are many cyber threat intelligence (CTI) tools that can provide greater visibility into known active cyber threats to a business


Some of these threats may be obvious, like ransomware. Others may be more specific to a geographic region or industry, or related to companies that your business does business with. However, in many cases, organizations are not structured or mature enough to take advantage of threat advisory and monitoring services. These services can also be expensive. The good news is that all is not lost. MITRE, Validato and other organizations have conducted valuable research and analysis to help companies identify the most likely known threats and prioritize their cyber defensive efforts on them. Some of these are:

  • Top MITRE Techniques* – a list of the most exploited MITRE ATT&CK Techniques compiled on an annual basis by the MITRE Engenuity team
  • Validato Top 25 MITRE ATT&CK Techniques* – a list of the MITRE ATT&CK techniques used by the most prevalent cyber threat actors and tools as compiled by the Validato threat team
  • Lockbit Ransomware – 2023’s most active ransomware actor*

*These, and many other threat scenarios, can be tested out-of-the-box with Validato

Using MITRE ATT&CK to Identify Adversarial Behaviors

Central to MITRE Engenuity’s Threat-Informed Defense concept is the identification and mapping of adversarial behaviors employed by threat actors and the malware and tools that they use in offensive campaigns. The aim is to better understand and defend against threat scenarios. MITRE ATT&CK has become an invaluable reference framework for understanding how cyber attacks are carried out. The latest approach is that organizations should regularly test their security control effectiveness against the specific behaviors (or MITRE ATT&CK Techniques) used in each threat scenario. This approach is supported by MITRE, CISA, NCSC and others. Any gaps in an organization’s ability to detect or protect against unauthorized exploitation of these Techniques should be closed by hardening environments and configuring security controls and tools.
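The gap analysis described above can be sketched in a few lines of Python. This is an added example, not code from Validato or MITRE: the scenario names, the technique lists assigned to them and the test results are constructed sample data, and only the ATT&CK technique IDs themselves are real.

```python
from collections import Counter, defaultdict

# Constructed sample data (assumptions for illustration, not from the page):
# each threat scenario is a list of MITRE ATT&CK technique IDs.
SCENARIOS = {
    "ransomware-sample": ["T1566", "T1059", "T1003", "T1490", "T1486"],
    "apt-sample": ["T1566", "T1078", "T1059", "T1021", "T1003"],
}
# Constructed control-validation results per technique.
# T1021 is deliberately absent: it was never tested.
RESULTS = {
    "T1566": {"prevented": True, "detected": True},
    "T1059": {"prevented": False, "detected": True},
    "T1003": {"prevented": False, "detected": False},
    "T1490": {"prevented": False, "detected": False},
    "T1486": {"prevented": True, "detected": False},
    "T1078": {"prevented": False, "detected": True},
}

def classify(result):
    """Map one test result to a coverage status."""
    if result is None:
        return "untested"
    if result["prevented"]:
        return "prevented"
    return "detected_only" if result["detected"] else "gap"

def coverage_report(scenarios, results):
    """Return (coverage ratio per scenario, gaps ordered by scenarios affected)."""
    per_scenario, affected = {}, defaultdict(set)
    for name, techniques in scenarios.items():
        statuses = Counter(classify(results.get(t)) for t in techniques)
        for t in techniques:
            # A technique that was never tested is treated as an open gap.
            if classify(results.get(t)) in ("gap", "untested"):
                affected[t].add(name)
        covered = statuses["prevented"] + statuses["detected_only"]
        per_scenario[name] = covered / len(techniques) if techniques else 0.0
    # Techniques shared by more scenarios are hardened first.
    order = sorted(affected, key=lambda t: (-len(affected[t]), t))
    gaps = [(t, classify(results.get(t)), sorted(affected[t])) for t in order]
    return per_scenario, gaps

if __name__ == "__main__":
    coverage, gaps = coverage_report(SCENARIOS, RESULTS)
    for name, ratio in coverage.items():
        print(f"{name}: {ratio:.0%} of techniques prevented or detected")
    for technique, status, names in gaps:
        print(f"{technique}: {status}, used in {', '.join(names)}")
```

Counting untested techniques as gaps keeps a scenario from looking covered simply because part of it was never exercised.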

How Do You Test Cyber Defences Using Known Threat Scenarios?

Traditionally, testing threats to validate security defenses was conducted using some forms of penetration testing and Red Team testing. These tests can be complex, expensive and time-consuming, and are invariably performed only infrequently. Modern automated offensive security testing tools have somewhat democratized threat-informed defensive testing from a commercial and usability perspective. Validato is at the forefront of developing this technology.

When Cyber Threats Become Business Risks

Certain known cyber threats, like ransomware, are increasingly viewed as material risks to the business. As a result, cyber risks are being included in corporate risk registers, alongside traditional business risk scenarios (fire, flood, power outages, etc.). Just as other material risks are tested routinely, as with the weekly fire alarm test, some organizations are beginning to test cyber risk scenarios (and their associated threats) more regularly.

How Validato Can Help

Validato is an automated Breach & Attack Simulation (BAS) platform. It allows Information Security teams to safely test adversarial behaviors relating to known threat scenarios to test the effectiveness of their security controls.

With Validato, threat scenarios can be tested safely in live production environments by authorized users in a matter of minutes. The results are displayed with unbiased data in a matter of minutes.



The Validato Platform

Validato webinar recording on Threat-Informed Defense

We hope you found our “Threat-Informed Defense: What is it and how to implement it?” blog post informative. Get in touch with the Validato team if you have any questions, by filling out our contact form.