Having completed the AttackIQ Academy Live “Building Threat-Informed Emulation Plans” course, I wanted to share a high-level approach to Threat-Informed Defense that allows organizations to prioritize better defenses based on their threat landscape. A threat-informed defense gives an organization a prioritized understanding of the threat actors most likely to target it, mitigations matched to those actors’ techniques, playbooks for responding, and a way to test and validate that those defenses actually work. Before we get into the details, let’s set some baselines for those who might not be familiar with the terms.
Business Mission — an understanding of the core drivers that lead an organization to produce its products, services, and other offerings, and of the critical assets that support that mission.
Threat Landscape — an understanding of the environment in which a business exists, including threat actors, competition, customers, and regulatory and environmental factors.
Threat Actors — the people and groups that might want to inflict harm on an organization, including insiders such as employees, competitors, cybercriminals, and even activists.
Mitigations / Defenses — controls devised from an understanding of the tactics, techniques, and procedures (TTPs) a threat actor might use against the organization, tailored to prevent, detect, or limit the effects of those attacks.
Threat Playbooks — documented, and ideally tested, playbooks that describe how the organization responds to a given attack and how the implemented mitigations are validated.
While a technically focused person may be drawn to the network maps and devices when trying to understand the business mission and the assets critical to achieving it, do not overlook the people and processes of the business. A threat actor will very likely target an organization’s people as part of its attack. Understanding how people, processes, and technology come together to create the products, services, or other offerings that let the organization achieve its mission is the critical first step in a threat-informed defense.
With a solid understanding of the organization’s critical assets (people, process, data, technology), the next step is to identify the critical vulnerabilities in those assets and the centers of gravity they cluster around. A center of gravity is a particular collection of people, processes, and technology on which the mission depends, for example a research site or a corporate office.
The MITRE ATT&CK framework is a helpful tool for understanding which TTPs major threat actors use. Focusing on the threat actors most likely to attack your organization lets you prioritize among them; threat intelligence then tells you who those actors are, what they do, and how they do it, so that you can choose defenses and mitigations informed by the threats you actually face.
When using this intelligence to deploy mitigations for the critical vulnerabilities in your assets, you can prioritize implementation by the techniques those actors use, as described in ATT&CK, and by the mitigations ATT&CK lists against each technique. The MITRE D3FEND framework is another tool you can use to select defensive techniques.
Having your defenses and mitigations in place is only part of the threat-informed defense process; next, you want to ensure that those defenses are tested. Purple Teaming and Breach & Attack Simulation let you exercise your protections to confirm they work the way you intended. Purple Teaming is the process of Red Teamers emulating a threat actor’s approach inside your organization while working with the Blue Teamers to confirm that the defenders see and respond to the techniques used. Breach & Attack Simulation is security technology that automatically and repeatedly exercises an organization’s defenses, akin to continuous, automated penetration testing, to surface gaps and improve cybersecurity readiness.
These exercises let you develop playbooks that describe how your organization should respond to each potential attack. Test them regularly or continuously, because changes in the environment can affect whether the implemented mitigations still work as intended, and feed new threat intelligence back into the process so it adapts as the threat landscape changes.
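To make the prioritization and validation steps above concrete, here is a small worked example in Python. It is added here and is not code from the AttackIQ course or the original post. It scores ATT&CK techniques by the weighted likelihood of the actors that use them, orders mitigations by how much of that score each one covers (a greedy rollout order), and then checks purple-team or BAS results for high-priority techniques that were never emulated or were emulated but not detected. The actor-to-technique and mitigation-to-technique mappings are a constructed sample using ATT&CK-style identifiers; they are illustrative only and should be replaced with data pulled from the ATT&CK knowledge base.

```python
"""Prioritize ATT&CK techniques and mitigations from a ranked threat-actor list,
then report which high-priority techniques an emulation run has not validated.

Added example, not from the AttackIQ course or the original post. All mappings
below are a constructed sample; pull real ones from the ATT&CK dataset.
"""
from collections import defaultdict

# Constructed sample: actors judged most likely to target this organization,
# a relative likelihood weight, and the techniques intelligence attributes to
# them (hypothetical mappings, not ATT&CK data).
ACTORS = {
    "actor-A": {"weight": 3, "techniques": {"T1566", "T1059", "T1078", "T1003", "T1486"}},
    "actor-B": {"weight": 2, "techniques": {"T1566", "T1059", "T1021"}},
    "actor-C": {"weight": 1, "techniques": {"T1078", "T1021", "T1003"}},
}

# Constructed sample: which mitigation addresses which technique.
# T1486 (Data Encrypted for Impact) is deliberately left unmapped to show
# how techniques with no planned mitigation surface in the output.
MITIGATIONS = {
    "M1017 User Training": {"T1566"},
    "M1032 Multi-factor Authentication": {"T1078", "T1021"},
    "M1038 Execution Prevention": {"T1059"},
    "M1026 Privileged Account Management": {"T1003", "T1078"},
    "M1030 Network Segmentation": {"T1021"},
}

# Constructed sample of a purple-team / BAS run: technique -> detected?
# Techniques absent from the dict were not emulated at all.
SAMPLE_RESULTS = {"T1566": True, "T1059": False, "T1078": True, "T1003": True}


def technique_scores(actors):
    """Score each technique by the summed weight of the actors that use it."""
    scores = defaultdict(int)
    for actor in actors.values():
        for tech in actor["techniques"]:
            scores[tech] += actor["weight"]
    return dict(scores)


def prioritize_mitigations(scores, mitigations):
    """Greedy rollout order: each step picks the mitigation covering the most
    still-uncovered technique score. Ties go to the mitigation listed first.
    Returns (ordered [(mitigation, score_covered)], techniques_left_unmapped)."""
    uncovered = dict(scores)
    order = []
    while uncovered:
        best, best_gain = None, 0
        for name, covered in mitigations.items():
            gain = sum(uncovered.get(t, 0) for t in covered)
            if gain > best_gain:
                best, best_gain = name, gain
        if best is None:  # nothing left maps to any mitigation
            break
        order.append((best, best_gain))
        for t in mitigations[best]:
            uncovered.pop(t, None)
    return order, sorted(uncovered)


def validation_gaps(scores, results, min_score=3):
    """List high-priority techniques (score >= min_score) that the emulation
    run either did not exercise or exercised without a detection, highest
    score first, technique ID as tie-breaker."""
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [t for t, s in ranked if s >= min_score and results.get(t) is not True]


if __name__ == "__main__":
    scores = technique_scores(ACTORS)
    order, unmapped = prioritize_mitigations(scores, MITIGATIONS)
    print("Mitigation rollout order:")
    for name, gain in order:
        print(f"  {name} (covers score {gain})")
    print("Techniques with no mapped mitigation:", unmapped)
    print("Validation gaps:", validation_gaps(scores, SAMPLE_RESULTS))
```

In practice the weights come from your threat-landscape analysis, the mappings from ATT&CK (and D3FEND for defensive techniques), and the results from each purple-team or BAS run; rerunning the last step after every environment change is what keeps the playbooks honest.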