Three Dimensions of Threat-Informed Defense

Organizations can implement or improve threat-informed defense by starting with how they use cyber threat information. At a minimum, they can adopt an adversary perspective and ask what an attacker might do. This framing clarifies priorities and prompts practical questions: Which adversaries target our industry? What capabilities do they have? How well can we mitigate, detect, or continue operating through an attack? What should we do next? The three dimensions below help organizations assess where they are and how to improve.

This project helps organizations implement TID, measure their current state, and build a plan to mature over time. The sections below describe the three dimensions and their key components.

Threat-Informed Defense Cycle

TID Cycle

TID is a continuous process in which defenders and adversaries learn and evolve. To implement TID, an organization must understand threats and apply effective defensive measures. To evaluate existing or planned measures and identify gaps, the organization must assess its posture against known threats. The three dimensions of TID are:

  1. Cyber Threat Intelligence (CTI)

  2. Defensive Measures

  3. Testing & Evaluation

Proactive defense is central to TID. Effective TID continuously learns and evolves to keep pace with new threats and technologies.

TID: Dimensions and Components

Cyber Threat Intelligence

The first dimension of TID is Cyber Threat Intelligence (CTI), which focuses on understanding the adversary. This dimension measures how well the organization understands known adversary behaviors, which adversaries target its industry, technologies, or geography, and their motivations & objectives. CTI programs produce a tailored threat model of the highest-priority behaviors and inform the rest of the defensive program.

The Cyber Threat Intelligence Lifecycle consists of Direction, Collection, Processing, Analysis, and Dissemination. The INFORM model maps components to the cycle’s inputs and outputs. Together, these components determine how detailed an organization’s threat model is and how well the organization understands it.

Recorded Future Threat Intelligence Lifecycle

The components of CTI are:

  1. Depth of Threat Intelligence: This component discusses the depth of CTI relative to the Pyramid of Pain. More depth corresponds to a higher level on the Pyramid and consequently more robust intelligence. For example, IOCs like IP blocklists tend to be highly dynamic while certain adversary behaviors are more invariant and useful long-term.

  2. Relevance of Threat Intelligence: This component is about how tailored CTI is to your organization. For example, your industry may have specific intelligence requirements or be prone to certain threats.

  3. Operational Integration of Threat Intelligence: This component is about how widely integrated CTI is across your organization. Is it limited to certain individuals and teams or does it influence company-wide workflows?

  4. Incorporation of Threat Intelligence: This component assesses how frequently CTI is incorporated into organizational workflows. Organizations should aim to have a regular cadence of CTI integration.

  5. Recency of Threat Intelligence: This component assesses how recently your organization’s CTI was produced.

  6. Speed of CTI Dissemination: This component assesses how quickly your organization processes and disseminates CTI.

  7. CTI-Driven Decision Making: This component assesses how quickly CTI is incorporated into business decisions.

CTI informs the next two dimensions of TID.

Defensive Measures

Defensive Measures sits at the core of TID. When an organization understands the adversary but does not act on that knowledge, it loses TID’s impact. TID applies across the security program, not just technical controls. An example of evolving defensive measures is CTID’s Summiting the Pyramid project, which uses knowledge of adversary tradecraft to create more robust cyber detections.

Summiting the Pyramid

The Components of Defensive Measures are:

  1. Data Collection

  2. Risk Assessments

  3. Attack Surface Scoping

  4. Detection Rules

  5. Detection Rule Metadata

  6. Propagation between CTI and Detections

  7. Incident Response

  8. Incident Recovery and Forensics

  9. Threat Hunting

  10. Deception

Although improvements often yield technical measures, they do not have to be a firewall rule or a new SIEM detection. Any action that makes a network or system more secure can benefit from threat insight. This includes stronger policies, prioritized patching, new detections, deception operations, or additional security training.
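The following added example (not CTID code) ties three components described on this page together: depth of threat intelligence relative to the Pyramid of Pain, recency, and propagation between CTI and detections. It assumes a constructed CTI-derived threat model of prioritized ATT&CK technique IDs and constructed detection rule metadata (technique covered, Pyramid level of the observable the rule keys on, last-updated date), and reports which prioritized techniques have no detection, which rules rely only on easily changed indicators, and which rules are stale.

```python
from datetime import date, timedelta

# Pyramid of Pain levels, lowest to highest; higher levels are harder for an
# adversary to change, so detections keyed on them stay useful longer.
PYRAMID = ["hash", "ip", "domain", "artifact", "tool", "ttp"]

# Constructed threat model: ATT&CK technique ID -> priority weight from CTI analysis.
# (Sample IDs only; this is not any specific adversary's profile.)
THREAT_MODEL = {"T1566": 3, "T1059": 3, "T1003": 2, "T1021": 2, "T1486": 1}

# Constructed detection rule metadata; the "level" field records the Pyramid
# level of the observable each rule depends on.
RULES = [
    {"name": "phish-sender-blocklist", "technique": "T1566", "level": "ip",   "updated": date(2023, 1, 10)},
    {"name": "encoded-powershell",     "technique": "T1059", "level": "ttp",  "updated": date(2024, 5, 2)},
    {"name": "lsass-access",           "technique": "T1003", "level": "ttp",  "updated": date(2024, 3, 15)},
    {"name": "mimikatz-hash",          "technique": "T1003", "level": "hash", "updated": date(2022, 6, 1)},
]

def coverage_report(threat_model, rules, today, max_age_days=180, min_level="tool"):
    """Compare CTI priorities with detection metadata.

    Returns the best Pyramid level covering each prioritized technique, the
    techniques with no rule at all, rules below min_level (shallow), rules older
    than max_age_days (stale), and the priority-weighted share of the threat
    model that has at least one robust (>= min_level) detection."""
    min_rank = PYRAMID.index(min_level)
    best, shallow, stale = {}, [], []
    for r in rules:
        rank = PYRAMID.index(r["level"])
        if r["technique"] in threat_model:
            best[r["technique"]] = max(best.get(r["technique"], -1), rank)
        if rank < min_rank:
            shallow.append(r["name"])
        if today - r["updated"] > timedelta(days=max_age_days):
            stale.append(r["name"])
    uncovered = sorted(t for t in threat_model if t not in best)
    total = sum(threat_model.values())
    robust = sum(w for t, w in threat_model.items() if best.get(t, -1) >= min_rank)
    return {"best_level": {t: PYRAMID[i] for t, i in best.items()},
            "uncovered": uncovered, "shallow": shallow, "stale": stale,
            "robust_coverage": robust / total}

def sample_report():
    """Run the check over the constructed data as of a fixed assessment date."""
    return coverage_report(THREAT_MODEL, RULES, today=date(2024, 6, 1))

if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

In the constructed data, two prioritized techniques have no detection at all, and the only rule for the top-priority phishing technique keys on an IP blocklist that has not been touched in over a year, which is exactly the kind of gap the CTI and Defensive Measures components are meant to surface.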

Test and Evaluation

Testing and Evaluation helps an organization validate and grow. Testing against adversary-realistic TTPs validates defenses and reveals gaps. Continuous testing with updated threat knowledge and new approaches maintains a realistic view of security posture. For example, red or purple team exercises should leverage adversary emulation, which replicates the behaviors and attack flow of specific, relevant adversaries. The graphic below shows the high-level FIN6 attack plan taken from CTID’s Adversary Emulation library.

FIN6 Adversary Emulation Plan

Beyond that, testing can drive product or architecture changes to improve security, inform detection engineering and incident response, validate defensive controls, as well as other areas. Testing is an important way to rehearse before any real compromise occurs.

The key Components of T&E are:

  1. Test Focus

  2. Test Planning

  3. Test Relevance

  4. Test Triggers

  5. Test Results

Dimensions and their Components