Aug 10, 2020
Threat-Informed Defense, the MITRE ATT&CK Framework, and You
The concept of threat-informed defense is near and dear to my heart, given that it aligns with three themes I’ve been preaching about for years: the importance of matching cybersecurity investments (in both technology and operations) with risk; the value of aligning one’s cybersecurity practices with the MITRE ATT&CK framework; and the need to take an orderly approach to improving your cybersecurity maturity.
Let’s take these in order.
There are two parts to the concept of “matching cybersecurity investments with risk”. The first part is understanding your organization’s appetite for risk. Many times CISOs mistakenly think their job is to reduce the cybersecurity risk to zero.
It’s not. The job is to put the risk from a cybersecurity breach in line with other business risks the company is willing to tolerate. Very few organizations can achieve their goals without some risk; the only question is how much risk a particular company is willing to tolerate in the pursuit of those goals.
The second part is understanding the risk that specific threats pose to your organization, and making sure you spend the most time and energy defending against those risks. That’s where the notion of threat-informed defense comes in: how is a cybersecurity professional supposed to know which threats pose the greatest risk?
This is where the MITRE ATT&CK framework helps. Unlike the NIST framework (which is valuable in a different way), the MITRE framework focuses on enumerating types of attacks and characterizing their potential impact. MITRE also maintains real-time databases of attacks and attackers, including the nation-state attacks I’ve written about here and here, and covered in a webinar here.
Reviewing the MITRE ATT&CK framework is therefore a good way to start thinking about, and categorizing, classes of threats from a risk perspective.
The final step in turning thought into action: map your organization against Nemertes’ Cybersecurity Maturity Model. Regardless of what level you start at (unprepared, reactive, or proactive), you can apply the fundamental concepts of threat-informed defense to improve your cybersecurity stance.
In sum, start with an understanding of your company’s risk appetite and an awareness of the risks posed by cybersecurity threats. You can then move towards a threat-informed defense, moving up the cybersecurity maturity model to improve your stance from whatever state you’re starting in.