Understanding Threat-Informed Defence

Arachne Digital
5 min read · Jun 16, 2024


Threat-informed defence (TID) is a crucial strategy that organisations can adopt to stay ahead of adversaries. This approach is centred on an understanding of adversary tradecraft and technology to improve defences systematically. This blog post will break down the aspects of threat-informed defence, exploring its definition, key components, and the steps necessary to implement it effectively.

What is Threat-Informed Defence?

Threat-informed defence is the systematic application of an understanding of adversary tactics, techniques, and procedures (TTPs) to enhance cybersecurity measures. Unlike traditional security approaches that may focus primarily on compliance or general best practices, TID is about using specific cyber threat intelligence (CTI) to drive defensive improvements. It emphasises understanding the actual threats that an organisation is likely to encounter and tailoring defences accordingly.

Key Components of Threat-Informed Defence

Threat-informed defence is often broken down into three components: CTI, testing and evaluation, and defensive measures. To make TID more approachable, this blog breaks it down a little differently.

Identifying Probable Threats

The first step in a threat-informed defence strategy is to identify the threats that are most likely to impact the organisation. This involves gathering and analysing CTI to understand the behaviour, goals, and capabilities of potential adversaries.

To predict future threats effectively, it is essential to analyse past incidents and look at what cyber threat actors (CTAs) have targeted your industry and geography. This forms the basis of your threat landscape. High-quality CTI goes beyond simple lists of indicators of compromise (IoCs); it provides context about the types of adversaries and their TTPs. This comprehensive understanding is critical for defining your threat landscape accurately.

Mapping Detections to a Framework

A standardised set of detection use cases, implemented across different cybersecurity tools, is crucial for several reasons. It provides a consistent approach to identifying and responding to threats, regardless of the specific tools used. This standardisation ensures consistent security practices across the IT environment, focusing on actual threats rather than tool-specific nuances. A streamlined detection process allows for quicker identification and mitigation of potential threats.

Moreover, standardised detection use cases enable better measurement and evaluation of detection capabilities. Organisations can implement metrics and key performance indicators (KPIs) to measure the success of these detections, such as the number of true positives, false positives, and the time taken to respond to incidents. This data-driven approach helps identify gaps in detection capabilities, allowing for informed decisions on resource allocation and continuous improvement of the detection process.

Centralising detection and response processes in a Security Information and Event Management (SIEM) system can simplify and enhance these efforts. By analysing detection data, cybersecurity teams can determine whether certain threats are consistently being detected and addressed, or if there are blind spots needing attention. This holistic view of the threat landscape enables organisations to prioritise cybersecurity initiatives based on empirical evidence.

Getting the Right People, Processes, and Technology

To implement TID effectively, organisations need skilled personnel, robust processes, and the right technology. Look for self-starters and curious individuals who have demonstrated initiative, such as by working on independent projects or self-teaching security concepts.

Based on identified threats, organisations should select technologies that offer adequate protection. This process should be informed by the specific threat landscape, ensuring that tools and technologies are capable of countering identified risks. It is essential to recognise that tools like SIEM systems require proper inputs and ongoing maintenance to be effective. Processes are key to managing and optimising these tools.

Security Optimisation

Security optimisation involves continuously improving and refining cybersecurity measures. This includes:

  • Identifying and Quantifying Cybersecurity Risks: Collect accurate data on the performance of existing security controls against actual threats. SIEMs are useful for measuring false positive rates, and analysing past security incidents will help identify gaps in your existing detections.
  • Continuous Assessment: Regularly evaluate and calibrate staff skills, processes, and technologies to maintain a robust security posture. Purple team exercises are excellent for this purpose.
  • Prioritising Security Investments: Use a quantified understanding of potential risks to make informed decisions about resource allocation. Assess your threat landscape, existing tools, and gaps to fill them strategically.

By continuously assessing tools and teams against the threat landscape and simulated adversaries, organisations can identify and address gaps, leading to ongoing improvements in their security posture.
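The two passages above (mapping detections to a framework and measuring them, then quantifying gaps to prioritise investment) can be carried out with a small gap-analysis script. The following is an added example written for this post, not Arachne Digital's own tooling. It assumes a threat landscape expressed as MITRE ATT&CK technique IDs per actor, a list of detection use cases each mapped to one technique, and SIEM alert outcome records; the actor names, detection IDs and alert records are constructed for illustration, while the technique IDs are real ATT&CK identifiers used only as sample mappings.

```python
"""Detection-coverage and KPI gap analysis against a threat landscape.

Added example: assumes CTI has already been distilled into ATT&CK technique IDs
per actor, and that each detection use case is mapped to exactly one technique.
All actors, detections and alert records below are constructed sample data.
"""
from collections import Counter
from statistics import mean

# Constructed threat landscape: techniques attributed to actors relevant to
# our industry and geography (actor names are placeholders).
THREAT_LANDSCAPE = {
    "ActorA": ["T1566.001", "T1059.001", "T1003.001", "T1021.002"],
    "ActorB": ["T1566.001", "T1059.001", "T1486"],
    "ActorC": ["T1190", "T1059.001", "T1021.002"],
}

# Constructed detection use cases, each mapped to one ATT&CK technique.
DETECTIONS = {
    "DET-001": {"technique": "T1566.001", "tool": "email-gateway"},
    "DET-002": {"technique": "T1059.001", "tool": "edr"},
    "DET-003": {"technique": "T1003.001", "tool": "edr"},
}

# Constructed SIEM alert outcomes after analyst triage.
ALERTS = [
    {"detection": "DET-001", "outcome": "true_positive", "response_minutes": 45},
    {"detection": "DET-001", "outcome": "true_positive", "response_minutes": 30},
    {"detection": "DET-002", "outcome": "true_positive", "response_minutes": 60},
    {"detection": "DET-002", "outcome": "false_positive", "response_minutes": None},
    {"detection": "DET-002", "outcome": "false_positive", "response_minutes": None},
    {"detection": "DET-002", "outcome": "false_positive", "response_minutes": None},
]


def technique_frequency(landscape):
    """Count how many actors in the landscape use each technique."""
    counts = Counter()
    for techniques in landscape.values():
        counts.update(set(techniques))  # one vote per actor per technique
    return counts


def coverage_gaps(landscape, detections):
    """Techniques in the landscape with no mapped detection, most common first."""
    covered = {d["technique"] for d in detections.values()}
    freq = technique_frequency(landscape)
    gaps = [(t, n) for t, n in freq.items() if t not in covered]
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


def detection_kpis(alerts, detections):
    """Per-detection true/false positive counts, precision and mean response time."""
    stats = {d: {"tp": 0, "fp": 0, "response": []} for d in detections}
    for a in alerts:
        s = stats[a["detection"]]
        if a["outcome"] == "true_positive":
            s["tp"] += 1
            s["response"].append(a["response_minutes"])
        else:
            s["fp"] += 1
    kpis = {}
    for d, s in stats.items():
        total = s["tp"] + s["fp"]
        kpis[d] = {
            "technique": detections[d]["technique"],
            "true_positives": s["tp"],
            "false_positives": s["fp"],
            "precision": s["tp"] / total if total else None,  # None: never fired
            "mean_response_minutes": mean(s["response"]) if s["response"] else None,
        }
    return kpis


def prioritise(landscape, detections, alerts, min_precision=0.5):
    """Ordered list of (action, subject, reason): gaps first, then noisy or untested detections."""
    actions = []
    for technique, actors in coverage_gaps(landscape, detections):
        actions.append(("build_detection", technique, f"{actors} actor(s) use it, no detection mapped"))
    for det, k in detection_kpis(alerts, detections).items():
        if k["precision"] is None:
            actions.append(("validate_detection", det, "never fired; exercise it with a purple team"))
        elif k["precision"] < min_precision:
            actions.append(("tune_detection", det, f"precision {k['precision']:.2f} below {min_precision}"))
    return actions


if __name__ == "__main__":
    for action in prioritise(THREAT_LANDSCAPE, DETECTIONS, ALERTS):
        print(*action, sep=" | ")
```

The output ranks uncovered techniques by how many relevant actors use them, flags DET-002 for tuning because three of its four alerts were false positives, and flags DET-003 because it has never produced an alert and so its effectiveness is unknown until tested. Those three categories map directly onto the investment decisions described in the list above.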

Challenges in Implementing Threat-Informed Defence

Despite the clear benefits of TID, many organisations struggle with implementation due to:

  • Foundational Cybersecurity Gaps: Many organisations lack basic cybersecurity foundations necessary for a threat-informed approach.
  • Poor Quality of CTI: Incomplete, inaccurate, or outdated CTI can hinder informed decision-making.
  • Immature IT Capabilities: Without mature IT asset management and change management practices, implementing dynamic and adaptive defences is challenging.
  • Cultural Barriers: Shifting from a compliance-focused to a threat-informed security culture requires significant organisational change.
  • Lack of Skilled Personnel: Implementing TID requires personnel who can translate threat intelligence into actionable defensive measures.

If a TID strategy is not yielding results, determine if one of the above challenges is getting in the way. Further work may be required to build the foundations before TID can be realised.

Steps to Implement Threat-Informed Defence

Establish Foundational Security Controls

Ensure that basic security measures are in place and functioning effectively. This includes good cyber hygiene practices and robust IT management processes.

Collect and Utilise CTI

Develop practices for gathering and utilising CTI. Integrate this intelligence into security operations to inform decision-making. If you cannot collect CTI, find a trusted partner that sells more than a list of IoCs.

Adopt a Proactive Security Posture

Move from reactive to proactive security by using frameworks like MITRE ATT&CK to prioritise specific threats. Implement continuous testing and improvement processes to ensure defences remain effective.

Foster a Threat-Informed Culture

Encourage a shift towards a threat-informed culture by training and educating staff, promoting collaboration, and emphasising the importance of CTI in all aspects of cybersecurity.

Conclusion

Threat-informed defence is a powerful strategy that leverages an understanding of adversary behaviours to enhance cybersecurity. By identifying probable threats, creating a measurement framework, getting the right people, processes and technology, and optimising security measures, organisations can achieve a more effective and proactive security posture. Despite the challenges, adopting a threat-informed approach can lead to significant improvements in an organisation’s ability to defend against cyber threats.

Implementing threat-informed defence requires a combination of foundational cybersecurity practices, mature IT capabilities, high-quality threat intelligence, and a supportive organisational culture. By following the steps outlined in this guide, organisations can embark on the journey towards a more resilient and robust cybersecurity strategy.

Written by Arachne Digital

Providing timely and actionable cyber threat intelligence. Email us on contact at arachne dot digital.
