Threat-Informed Defense 101: Understanding the Basics
Over the last decade, the MITRE ATT&CK knowledge base has been widely adopted by thousands of security defenders, forming a strong community of ATT&CK users. Security teams have used ATT&CK to experiment within their enterprises, to build and release open source tools, and to incorporate it into commercial products and services. More importantly, ATT&CK has become a common language that addresses a long-standing cybersecurity challenge: the industry’s focus on a vulnerability-centric approach. That approach has not allowed cyberdefenders to get ahead of the threats and vulnerabilities that persist; defenders are locked in a constant struggle to find, fix and patch vulnerabilities in order to prevent their exploitation, zero-days included. The industry is long overdue for a different approach, one where cyberdefenders truly understand the underlying behaviors adversaries use to achieve their objectives, and use that threat-informed understanding to assess, shape and test their defenses rather than chasing endless vulnerabilities.
Chasing Vulnerabilities Vs. Understanding Adversaries
While it is true that vulnerabilities and adversary techniques are very different things, it is also true that the volume and velocity of new vulnerabilities all but assure that even the largest and best-resourced organizations will find it difficult to keep all their systems patched against all known vulnerabilities. In contrast, the relatively small number and modest growth rate of adversary techniques and sub-techniques in ATT&CK make it a far more practical and sustainable means of organizing one’s defenses. Identifying and patching systems with exploitable vulnerabilities remains critical; it is simply not sufficient to achieve robust cybersecurity. Although initially counterintuitive, the vast majority of the adversary behaviors cataloged in ATT&CK do not rely on an exploitable vulnerability at all.
This can be difficult to accept, but ATT&CK is not about vulnerabilities, and that does not change the fact that most of the publicly reported adversary behaviors in ATT&CK would work on systems that are 100% patched against all known CVEs. In reality, once they have achieved initial access, adversaries become users, albeit unauthorized ones, of the very same systems you are using. At this point they begin to “live off the land”: the tools, resources and connections that exist to support the operations of your enterprise are turned instead toward the adversary’s own malign objectives.
Putting a Lens on What’s Important
Understanding your vulnerabilities is essential, but taking a threat-informed defense approach is critical to assessing, organizing and optimizing your defenses. By systematically applying a deep understanding of adversary tradecraft and technology, and viewing your enterprise through the lens of an adversary, you gain critical insights into how to prioritize your security operations and investments. That shift in perspective helps you see more clearly how a skilled adversary would use your enterprise’s own resources against you.
The ATT&CK knowledge base is a critical element of threat-informed defense, providing the common language to describe adversary behaviors, but it is not the whole of it. Much of the value of threat-informed defense comes from relating the adversary behaviors in ATT&CK to the rest of an enterprise’s security context. That context ranges from the specific threat groups that target similar organizations, to the defenses currently in place, to the efficacy of those defenses as established by testing, and even includes the specific vulnerabilities that enable particular adversary behaviors. This makes it essential to bridge between the relevant adversary behaviors and the defenses in place to stop (or at least detect) them.
Minding the Gap(s)
Leveraging threat-informed defense can unlock important insights into the current security posture of the enterprise. By basing analysis on known adversary behaviors, the process of identifying meaningful gaps in enterprise defenses becomes far more tractable than conventional compliance approaches alone. The relatively small number of adversary behaviors makes it possible to map them to your set of mitigating controls in frameworks such as NIST 800-53, CIS or CMMC as well as protection, detection and response capabilities provided by the cybersecurity tools you’ve deployed.
Moreover, a threat-informed approach provides clear benchmarks for evaluating existing controls and capabilities. With greater transparency into specific adversary behaviors, you have a roadmap for evaluating the ability of your fielded defenses to protect against, detect or respond to those behaviors. Ideally, you can implement a continuous testing program that automatically verifies your defenses continue to operate as expected.
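The two paragraphs above describe a tractable mapping exercise: take the behaviors relevant groups are known to use, map them to the controls and tools you have fielded, and then use test results to judge whether a mapped defense actually works. The following is an added example, not part of the original article and not a MITRE tool, that carries that exercise through in code. The group names, the technique-to-control mapping and the test outcomes are all constructed for illustration; the ATT&CK technique IDs and NIST SP 800-53 control IDs are real identifiers, but the way they are paired here is an assumption, not a published mapping.

```python
"""Added example: a minimal ATT&CK coverage-gap assessment.

All group, control and test data below is constructed for illustration;
the technique-to-control pairings are assumptions, not a published mapping.
"""
from dataclasses import dataclass, field

# Constructed: ATT&CK techniques reported for threat groups that target
# organizations like this hypothetical enterprise.
RELEVANT_GROUP_TECHNIQUES = {
    "Group-A": {"T1566", "T1059", "T1078", "T1003"},
    "Group-B": {"T1566", "T1078", "T1021", "T1486"},
    "Group-C": {"T1059", "T1003", "T1021"},
}

# Constructed: fielded defenses, labelled with the NIST SP 800-53 control they
# implement, mapped to the techniques they are expected to stop or detect.
DEFENSES = {
    "SI-3 endpoint malicious-code protection": {"T1059", "T1003"},
    "IA-2 multi-factor authentication": {"T1078"},
    "SI-4 mail gateway monitoring": {"T1566"},
}

# Constructed: outcomes of a testing program. True means the defense produced
# the expected prevention or detection when the behavior was emulated; False
# means it did not. Pairs absent from this table were never tested.
TEST_RESULTS = {
    ("SI-3 endpoint malicious-code protection", "T1003"): False,
    ("IA-2 multi-factor authentication", "T1078"): True,
    ("SI-4 mail gateway monitoring", "T1566"): True,
}

# Lower rank = more urgent to act on.
STATUS_RANK = {"gap": 0, "failed": 1, "untested": 2, "verified": 3}


@dataclass
class Finding:
    technique: str
    status: str                 # one of the keys of STATUS_RANK
    group_count: int            # how many relevant groups use the technique
    defenses: list = field(default_factory=list)


def classify(technique, defenses, test_results):
    """Return (status, mapped_defenses) for one technique.

    gap       - no fielded defense is mapped to the technique
    failed    - defenses are mapped, every one that was tested failed
    untested  - defenses are mapped but none has been tested yet
    verified  - at least one mapped defense passed its test
    """
    mapped = sorted(d for d, techs in defenses.items() if technique in techs)
    if not mapped:
        return "gap", mapped
    outcomes = [test_results[(d, technique)]
                for d in mapped if (d, technique) in test_results]
    if not outcomes:
        return "untested", mapped
    return ("verified" if any(outcomes) else "failed"), mapped


def assess(group_techniques, defenses, test_results):
    """Findings for every technique used by a relevant group, most urgent first."""
    usage = {}
    for techs in group_techniques.values():
        for t in techs:
            usage[t] = usage.get(t, 0) + 1
    findings = [Finding(t, *classify(t, defenses, test_results)[:1], count,
                        classify(t, defenses, test_results)[1])
                for t, count in usage.items()]
    # Unaddressed techniques used by the most groups sort to the top.
    findings.sort(key=lambda f: (STATUS_RANK[f.status], -f.group_count, f.technique))
    return findings


def summarize(findings):
    """Counts per status: the benchmark figure to track across test cycles."""
    counts = {s: 0 for s in STATUS_RANK}
    for f in findings:
        counts[f.status] += 1
    return counts


if __name__ == "__main__":
    results = assess(RELEVANT_GROUP_TECHNIQUES, DEFENSES, TEST_RESULTS)
    for f in results:
        print(f"{f.technique:6} {f.status:9} groups={f.group_count} defenses={f.defenses}")
    print(summarize(results))
```

The ordering is the point: a technique used by several relevant groups with no mapped control outranks one whose control exists but failed its test, which in turn outranks one that merely has not been tested. Re-running the assessment after each test cycle and tracking the `summarize` counts gives the benchmark the text calls for, and any `verified` entry that flips to `failed` is an immediate signal that a defense has regressed.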
While threat-informed defense can deliver significant improvements in an enterprise’s security posture relative to the resources invested, it is not a substitute for good cyber hygiene. Organizations still need to identify their assets, manage their configurations and patch exploitable vulnerabilities in their systems. Threat-informed defense does not obviate the need for those foundational activities, but it does provide a critically important means to assess, prioritize and measure their effectiveness. Applied systematically within an enterprise, threat-informed defense significantly increases visibility into the effectiveness of currently deployed defenses and provides a clear roadmap for improving those defenses over time.