The Importance of Threat-Informed Defense for Our Cybersecurity Strategy
One of the biggest challenges faced by security leaders today is knowing how and where to prioritize. From my discussions with CISOs in Europe and the United States, across a wide range of industries, I hear the same thing time and time again: How do we prioritize based on limited resources and a seemingly impossible number of jobs to be done? We have to manage an ever-growing list of vulnerabilities, respond to countless security incidents and manage our organization’s compliance obligations, all with limited budget and staffing. How can this be done?
Compliance versus active cyber risk management?
A recent conversation I had with a senior executive at a critical national infrastructure provider highlights this challenge for me very succinctly. From his perspective, their cybersecurity posture was good: they had been ISO 27001 certified for more than five years and continued to pass their annual audits, so surely this put them in a strong position to manage their cyber risk and exposure? The answer, unfortunately, is more complicated than that.
This for me sums up an important distinction between compliance and active cyber risk management. Implementing ISO 27001 (or any other comparable standard) is an important step for organizations to take, because it allows them to be transparent, consistent and auditable in their information security policies and procedures.
But such approaches are focused on adhering to this documented set of policies and procedures. They help to develop a strong baseline, which is a critical foundational step, but they do not necessarily assure that security teams build a dynamic response to the most pressing emerging threats, nor do they necessarily provide assurance that the established policies and procedures are effective in reducing the risk to an acceptable level.
To be effective at reducing cyber risk, we need to determine and validate our priorities based on our own risk: the realistic threats to our organization, and the exposure we currently face, for example from insufficiently segmented key assets, unpatched vulnerabilities on our internet-facing systems or unsecured users. We also need to consider resilience and recovery processes to resume operations if things go terribly wrong.
And when we have identified these priorities, we would do well to measure the coverage and effectiveness of the mitigating measures we have put in place.
The principle of Threat-Informed Defense
Threat-informed defense is a term coined by the MITRE Corporation and refers to the use of cyber threat intelligence to gain an understanding of our adversaries and then apply that knowledge to defense activities in our security program. But it is not just about intelligence on our adversaries; we also need to understand what we want to protect.
Many security teams use the concept of ‘crown jewels’ to identify critical datasets or IP, but it’s also important to think about ‘assets’ in the broadest sense. For modern cyber risk management, an asset is anything that could have a cyber impact on the organization – so this means a traditional compute device of course, but equally it could be a user, a policy, a network, a dataset, and so on. It is critical to understand how these relate to each other, what applications they support and what dependency we create across assets.
Then, we need to consider the attacker. Who would be interested in stealing, or damaging, our assets? Are we dealing with cyber criminals or nation-state actors? The nature of the adversary helps us to define our threat model, but it should also define how these threats could manifest. How would the attacker plan to get into your system?
This is the purpose of the MITRE ATT&CK™ framework, to help us work backwards from a suspected threat to understand common attacker techniques and tactics our adversaries might use to carry out attacks on our assets.
Prioritizing our defenses
So, what can security leaders do to better address cyber risk? Once we think in terms of a ‘threat-informed defense’, we look at how we are assigning our resources differently. Controls are still important, but they should be guided by that understanding of our critical assets, the suspected attackers, and their common tactics and techniques.
One way to operationalize this is with the use of MITRE ATT&CK mitigations. When we understand the threats we are likely to face, we can use mitigations to identify which compensating controls we should implement to defeat them. Security vendors, including Noetic, have adopted MITRE models into their software to allow security teams to understand their security posture across a range of different tools, simplifying our ability to assess and mitigate cyber risk.
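One way to make this prioritization concrete, as an added example that is not from the original post or from Noetic's software: score each ATT&CK technique by the criticality of the assets it exposes and the number of relevant adversaries known to use it, then report which ATT&CK mitigations for the top-scoring techniques are still missing. The asset inventory, adversary profiles and the technique-to-mitigation table are constructed for the example (the table is a small hand-picked excerpt of the public ATT&CK mapping, not the full data set), and the scoring formula is an assumption.

```python
"""Threat-informed prioritization: score ATT&CK techniques by asset exposure
and adversary relevance, then report mitigation coverage gaps."""
from collections import defaultdict

# Constructed asset inventory: name -> (criticality 1-5, techniques that could hit it).
ASSETS = {
    "customer-db": (5, {"T1078", "T1190"}),
    "email-users": (3, {"T1566", "T1078"}),
    "public-web": (4, {"T1190"}),
}
# Constructed adversary profiles: techniques each relevant actor is assumed to use.
ADVERSARIES = {
    "ransomware-crew": {"T1566", "T1078"},
    "nation-state": {"T1190", "T1078"},
}
# Technique -> ATT&CK mitigation IDs. Hand-picked excerpt for the example only;
# in practice load the full mapping from the ATT&CK STIX data, not a hard-coded table.
MITIGATIONS = {
    "T1566": {"M1017", "M1021", "M1049"},  # Phishing
    "T1190": {"M1051", "M1030", "M1016"},  # Exploit Public-Facing Application
    "T1078": {"M1032", "M1027", "M1026"},  # Valid Accounts
}


def technique_scores(assets=ASSETS, adversaries=ADVERSARIES):
    """Assumed formula: sum of criticality of exposed assets, multiplied by the
    number of relevant adversaries that use the technique (0 if none do)."""
    exposure = defaultdict(int)
    for criticality, techniques in assets.values():
        for t in techniques:
            exposure[t] += criticality
    return {t: s * sum(t in used for used in adversaries.values()) for t, s in exposure.items()}


def coverage_gaps(implemented, mitigations=MITIGATIONS, scores=None):
    """Return (technique, score, fraction of mitigations in place, missing mitigations),
    highest-scoring technique first, so the gaps at the top are the ones to close first."""
    scores = scores if scores is not None else technique_scores()
    rows = []
    for t, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        needed = mitigations.get(t, set())
        have = needed & implemented
        fraction = round(len(have) / len(needed), 2) if needed else 1.0
        rows.append((t, score, fraction, sorted(needed - have)))
    return rows


if __name__ == "__main__":
    for row in coverage_gaps({"M1049", "M1021", "M1051", "M1027"}):
        print(row)
```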
For this approach to be effective, however, it must be dynamic. The threat model is constantly changing, as is our digital infrastructure, so our understanding of cyber risk needs to be constantly updated as well.
In my next blog, I’ll be looking more at how we can focus on a subset of critical security controls to see significant improvement in cyber risk and security hygiene.