Threat-informed defence is a cybersecurity strategy that aligns defence measures with the tactics, techniques, and procedures (TTPs) used by adversaries. It aims to proactively enhance an organisation’s security posture by understanding and anticipating potential threats. This article tells you all you need to know about threat-informed defence.
Core principles
Threat-informed defence is grounded in the idea that real-world intelligence about threats must shape effective security measures.
Its core principles include:
- Adversary emulation: Mimicking known attacker behaviours to test and improve defences.
- Prioritisation of efforts: Focusing resources on the most relevant threats based on the organisation’s risk profile.
- Continuous improvement: Evolving defences in response to new threats and vulnerabilities.
- Evidence-based strategy: Using threat intelligence, incident reports, and frameworks to make informed decisions.
Threat-informed versus threat-based
Aspect | Threat-informed | Threat-based |
---|---|---|
Definition | Relies on a holistic understanding of threats, considering context, intent, and capability of adversaries. | Focuses primarily on known, immediate, or specific threats. |
Scope | Broad and strategic, encompassing emerging, potential, and future threats. | Narrow and tactical, addressing identified and active threats. |
Focus | Prioritises proactive measures and resilience to unknown or evolving threats. | Emphasises reactive measures to mitigate or eliminate current threats. |
Data sources | Integrates diverse data sources: threat intelligence, historical trends, and risk analysis. | Uses direct threat intelligence from incidents, reports, and specific vulnerabilities. |
Time horizon | Long-term focus, addressing both current and speculative risks. | Short-term focus on addressing immediate or near-term risks. |
Examples | 1. Considering geopolitical risks in cybersecurity strategy. 2. Preparing for AI-driven phishing attacks. | 1. Patching a vulnerability after a specific malware outbreak. 2. Responding to a phishing campaign targeting employees. |
Approach to mitigation | Builds layered defences, fosters adaptability, and anticipates unknown threats. | Implements targeted fixes or countermeasures for known issues. |
Flexibility | Highly flexible and adaptive to changing threat landscapes. | Relatively rigid, tied to the specifics of known threats. |
Outcome | Enhances organisational resilience and strategic foresight. | Minimises the impact of immediate threats and vulnerabilities. |
Key components
Threat intelligence
- Collecting, analysing, and operationalising data about current and emerging threats.
- Sources: Open-source feeds, commercial vendors, government alerts, and internal telemetry.
Frameworks and methodologies
- MITRE ATT&CK Framework: A comprehensive knowledge base of adversary TTPs mapped to attack phases.
- Cyber kill chain (Lockheed Martin): A model outlining stages of an attack, from reconnaissance to execution.
- Diamond model of intrusion analysis: Emphasises understanding relationships between adversaries, infrastructure, and victims.
Adversary emulation
- Tools like MITRE Caldera, Atomic Red Team, and Cobalt Strike simulate real-world attacks for testing defences.
- Red teaming exercises mimic advanced persistent threats (APTs) to test resilience.
Defensive alignment
- Utilising data from threat intelligence and frameworks to optimise controls, detection, and incident response.
- Focus on detection gaps, response capabilities, and resilience planning.
Automation and machine learning
- Automating threat detection and response using SIEM (Security Information and Event Management) systems and SOAR (Security Orchestration, Automation, and Response).
- Leveraging machine learning to detect anomalies and unknown threats.
Benefits versus challenges
Threat-informed defence offers significant benefits for organisations striving to enhance their cybersecurity posture. By leveraging threat intelligence, organisations gain actionable insights into adversary tactics, techniques, and procedures (TTPs), enabling them to prioritise security measures based on real-world threats. This approach enhances proactive risk management, ensuring resources are allocated where they are most needed. Threat-informed defence also fosters a deeper understanding of evolving cyber threats, helping organisations build resilience and agility in the face of sophisticated adversaries. Furthermore, this strategy facilitates collaboration and information sharing across industries, strengthening collective defence efforts and improving the overall cybersecurity ecosystem.
However, implementing a threat-informed defence strategy is not without challenges. One of the primary hurdles is the complexity of gathering, analysing, and operationalising threat intelligence effectively. Organisations often face a deluge of data, making it difficult to filter relevant and actionable information from noise. Another challenge is the lack of skilled personnel with expertise in threat intelligence and incident response, which can hinder the ability to act on insights promptly. Additionally, integrating threat intelligence into existing security frameworks may require significant investment in tools, technologies, and processes, which could strain budgets and resources. Lastly, ensuring the accuracy, timeliness, and reliability of threat intelligence remains a persistent issue, as outdated or incorrect information can lead to misaligned defences and wasted efforts.
Despite these challenges, the adoption of threat-informed defence can provide a strategic edge in combating modern cyber threats when approached with the right tools, expertise, and collaborative efforts.
Threat-informed defence lifecycle
Stage 1: Threat landscape assessment
- Understand which adversaries are likely to target your industry and why.
- Prioritise based on industry reports, such as Verizon’s DBIR or Mandiant’s M-Trends.
Stage 2: Threat modelling
- Identify assets, attack paths, and weaknesses.
- Use frameworks like STRIDE (Microsoft) or PASTA (Process for Attack Simulation and Threat Analysis).
Stage 3: Implementation
- Align detection and response tools with mapped TTPs.
- Integrate adversary emulation exercises into routine testing.
Stage 4: Measurement
- Use metrics like dwell time, detection rate, and incident resolution time.
- Adopt purple teaming exercises to continuously evaluate both offensive and defensive capabilities.
Stage 5: Feedback loop
- Integrate learnings from incidents and exercises into the threat intelligence process.
- Regularly update tools, frameworks, and defences.
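The "Defensive alignment" component and Stages 3 to 5 above reduce to one recurring check: map deployed detections to the prioritised TTPs, then use emulation results to see whether a mapped rule actually fires. The Python below is an added example, not code from this article or from any tool it names; the technique IDs are MITRE ATT&CK identifiers, while the rule names, priority weights and emulation numbers are constructed sample data.

```python
# Added example (constructed sample data): ATT&CK coverage check for a threat-informed defence loop.
# Stage 1 output: prioritised ATT&CK techniques, weighted by relevance to the organisation.
PRIORITISED_TTPS = {
    "T1566": ("Phishing", 5),
    "T1059": ("Command and Scripting Interpreter", 4),
    "T1078": ("Valid Accounts", 4),
    "T1003": ("OS Credential Dumping", 3),
    "T1021": ("Remote Services", 2),
    "T1486": ("Data Encrypted for Impact", 5),
}
# Stage 3 state: deployed detection rules tagged with the techniques they claim to cover.
DETECTION_RULES = [
    {"name": "mail-gateway-url-sandbox", "techniques": ["T1566"]},
    {"name": "encoded-powershell-commandline", "techniques": ["T1059"]},
    {"name": "lsass-handle-from-unsigned-process", "techniques": ["T1003"]},
]
# Stage 4 input: emulation results as technique -> (tests run, tests that raised an alert).
EMULATION_RESULTS = {"T1566": (4, 4), "T1059": (6, 3), "T1003": (2, 0)}

def mapped_techniques(rules):
    """Technique IDs that at least one deployed rule is tagged with."""
    return {t for rule in rules for t in rule["techniques"]}

def coverage_gaps(ttps, rules):
    """Prioritised techniques with no mapped rule at all, highest weight first."""
    mapped = mapped_techniques(rules)
    gaps = [(tid, name, w) for tid, (name, w) in ttps.items() if tid not in mapped]
    return sorted(gaps, key=lambda g: (-g[2], g[0]))

def weighted_coverage(ttps, rules):
    """Fraction of total threat weight with at least one mapped rule ('paper' coverage)."""
    mapped = mapped_techniques(rules)
    total = sum(w for _, w in ttps.values())
    return sum(w for tid, (_, w) in ttps.items() if tid in mapped) / total

def detection_rate(results):
    """Detection rate per technique as measured by emulation: alerts / tests (0.0 if untested)."""
    return {tid: (hit / run if run else 0.0) for tid, (run, hit) in results.items()}

def unvalidated(ttps, rules, results, threshold=0.8):
    """Mapped techniques whose measured rate is below threshold or that were never tested:
    a rule exists on paper, but the Stage 5 feedback loop should still treat it as a gap."""
    rates = detection_rate(results)
    mapped = mapped_techniques(rules)
    return sorted(t for t in mapped if t in ttps and rates.get(t, 0.0) < threshold)

if __name__ == "__main__":
    print("Gaps:", coverage_gaps(PRIORITISED_TTPS, DETECTION_RULES))
    print("Unvalidated:", unvalidated(PRIORITISED_TTPS, DETECTION_RULES, EMULATION_RESULTS))
```

Note that T1003 counts as covered by rule mapping alone but has a zero measured detection rate, which is exactly the kind of gap that rule-to-technique mapping without emulation hides.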
Tools and platforms
- Threat Intelligence Platforms (TIPs): Recorded Future, Anomali, MISP.
- Threat emulation tools: MITRE Caldera, Atomic Red Team, Red Canary.
- Detection & response: Splunk, SentinelOne, CrowdStrike Falcon.
- Vulnerability management: Tenable Nessus, Rapid7, Qualys.
Industries and use cases
Financial services
- Addressing advanced cybercrime (e.g., APT38 targeting SWIFT).
- Defending against fraud and insider threats.
Energy and utilities
- Combatting threats to SCADA/ICS systems.
- Resilience against state-sponsored attacks (e.g., Triton malware).
Healthcare
- Protecting sensitive patient data from ransomware and espionage.
- Ensuring compliance with HIPAA and GDPR.
Public sector
- Safeguarding critical infrastructure.
- Combatting disinformation and election interference.
Future trends
AI and machine learning in threat detection
Use of AI to predict adversary behaviour and automate threat responses.
Collaboration between organisations
Sharing threat intelligence through platforms like ISACs (Information Sharing and Analysis Centres).
Focus on Zero Trust Architecture
Aligning threat-informed defence with principles of identity verification, least privilege, and micro-segmentation.
Supply chain security
Addressing risks from third-party vendors and partners.
Legal considerations
Category | Legal consideration | Relevant law or standard |
---|---|---|
Data protection & privacy | Ensure data collection during threat monitoring complies with privacy laws (e.g., avoiding excessive data collection). | GDPR, POPIA, CCPA, etc. |
Data protection & privacy | Verify data subject rights, such as access and rectification, are not violated during defensive actions. | GDPR (Articles 15-22), POPIA |
Data protection & privacy | Confirm cross-border data transfers are lawful, particularly when using threat intelligence platforms hosted outside the region. | GDPR (Chapter V), POPIA (Section 72) |
Cybersecurity obligations | Meet statutory and contractual cybersecurity obligations for protecting personal or sensitive data during defence activities. | NIS Directive, SOC 2, ISO 27001 |
Cybersecurity obligations | Follow any mandated disclosure obligations in case of breaches identified during threat analysis. | GDPR (Articles 33-34), HIPAA |
Intellectual property | Ensure proprietary threat intelligence tools or data feeds do not infringe third-party intellectual property rights. | Copyright Act, IP Licensing Agreements |
Intellectual property | Protect proprietary algorithms, processes, or insights from misappropriation by third parties. | Trade Secrets Laws, NDA/Confidentiality Clauses |
Use of offensive tactics | Avoid unauthorised access or “hacking back”, which may breach anti-hacking laws even when responding to a threat. | Computer Misuse Act (UK), CFAA (US), Cybercrimes Act (SA) |
Use of offensive tactics | Ensure honeypots, deception technologies, or active defence measures comply with national cybersecurity laws. | Local Cybercrime Laws |
Contractual relationships | Review vendor contracts to ensure clear roles and responsibilities regarding threat monitoring and response, including indemnities for breaches. | Master Service Agreements (MSAs), SLAs |
Contractual relationships | Verify third-party vendors adhere to appropriate threat intelligence sharing standards. | ISO/IEC 27036-2, FS-ISAC Agreements |
Liability concerns | Assess potential liability for harm caused by false positives in threat intelligence shared with third parties. | Civil Liability Laws, Defamation Laws |
Liability concerns | Define liability caps for failures in defensive tools or systems leading to data breaches. | Contractual Liability Clauses |
Regulatory compliance | Align defensive measures with sector-specific regulations (e.g., banking, healthcare). | PCI DSS, HIPAA, Basel III, etc. |
Regulatory compliance | Engage with regulators when leveraging threat intelligence to influence compliance reporting. | FSB Cyber Resilience Guidelines, GDPR Accountability |
Ethics in threat sharing | Ensure ethical considerations in sharing intelligence, such as avoiding disproportionate harm to non-malicious actors. | ISAO Standards, Organisational Ethics Policies |
Ethics in threat sharing | Balance transparency with confidentiality in shared threat data. | NDAs, Data Sharing Agreements |
Cross-border jurisdiction | Address jurisdictional issues when engaging in global threat intelligence sharing or defence actions. | Conflict of Laws, International Treaties |
Cross-border jurisdiction | Ensure compliance with bilateral agreements and treaties for cross-border data sharing. | CLOUD Act, Budapest Convention |
Incident response | Ensure incident response plans comply with mandatory notification and reporting requirements. | GDPR (Article 33), NIS Directive |
Incident response | Avoid potential legal liability for unintentional damage during containment activities (e.g., impacting third-party networks). | Civil and Criminal Laws |
Human rights | Verify that actions taken during defence (e.g., monitoring employee communications) respect fundamental rights to privacy and freedom of expression. | UN Guiding Principles, ECHR (Articles 8 & 10) |
Insurance | Validate coverage under cyber liability insurance for defensive actions (e.g., active threat hunting). | Cyber Insurance Policies, Policy Exclusions |
How ITLawCo can help
ITLawCo specialises in aligning legal, IT, and policy considerations to fortify your organisation’s threat-informed defence strategy. Here’s how we can assist:
- Cybersecurity governance frameworks: We design governance structures aligned with industry frameworks like MITRE ATT&CK and ISO 27001 to ensure compliance and resilience.
- Incident response planning: We craft bespoke incident response strategies, ensuring your organisation is prepared to handle breaches swiftly and effectively.
- Threat risk assessments: ITLawCo evaluates your existing infrastructure to identify gaps in your defence posture, focusing on adversary-specific TTPs.
- Policy development: From AI governance to third-party risk management, we draft policies that align with threat-informed principles.
- Training and workshops: We provide tailored workshops for your teams to understand and implement threat-informed practices, leveraging behavioural insights for maximum impact.
- Regulatory compliance: Our team ensures your threat-informed defence aligns with laws like POPIA, GDPR, and sector-specific cybersecurity regulations.
- Cybersecurity strategy for public sector: With expertise in advising governments and public sector organisations, we help strengthen their digital ecosystems against adversarial threats.
By partnering with ITLawCo, your organisation can move beyond traditional security measures to adopt a proactive, legally compliant, and highly effective defence strategy tailored to your unique threat landscape. Contact us today.