What is Threat-Informed Defense Culture?

Why should any institution be concerned about being threat-informed?

A threat-informed defense is a strategy that applies an understanding of adversary tradecraft and technology to defend against cyber attacks, from nation-states to empires of criminal groupings. In the past it was never easy to find a framework that cataloged adversary behaviors so that we could confirm security controls were actually performing as intended. In most cases we were left at the mercy of vendors to tell us 'what is', or what they thought was supposed to work, with no concrete means of verifying whether these controls really did what their manufacturers claimed. The cyber security ecosystem relied on assumptions and guesses to set baselines for security controls. What was needed was a framework that would become a universal cyber security risk language, one that could be spoken by all security professionals and implemented to achieve cyber security effectiveness and compliance with real threat-informed performance data.

The Center for Threat-Informed Defense (CTID), its participants, and sponsors recognized that too little of the intended context and results of these sprawling collections of guidelines and directives was actually being passed through the lens of strict compliance and out into the realm of its intended consequence: sound and innovative security practices.

So MITRE set out to turn compliance requirements into operational realities, something that could only be done by using MITRE ATT&CK as a translation fabric. What resulted is a foundation for organizations to transform compliance into an operational capability: a force multiplier for configuration control, security architecture testing, and risk management that springs from the ability to understand and prove the operational results of compliance, and not just on paper.

MITRE ATT&CK as a foundational framework ends the era of 'strategic drafts' with a focus on 'threats'. It also shifts from a 'fortress mentality' to 'threat-informed defense', and from 'regulatory compliance' to cyber security 'effectiveness'. As a result of real-time performance data, security professionals can now show their leadership and boards how effective they are in meeting NIST requirements, and move beyond the simple to true security intelligence woven into the whole fabric of their infrastructure, leading to total improvement in the overall security posture.
