Defensive Measures

This section outlines the key components that have been identified for the Defensive Measures dimension as well as maturity levels within the components. These components and levels form the basis for assessing how threat-informed an organization’s Defensive program is. This assessment can be conducted using the MITRE INFORM Web Tool.

  1. Data Collection: This component discusses how your organization handles security-relevant logs. Organizations should aim to store logs from a variety of sources for a sufficient period of time to enable effective incident detection.

  2. Risk Assessments: This component discusses how often risk assessments are conducted and the extent to which their results are integrated into your organization’s workflow.

  3. Attack Surface Scoping: This component assesses the extent of your attack vector scoping.

  4. Detection Rules: This component is about how your organization sources and refines detection rules.

  5. Detection Rule Metadata: This component assesses which kinds of metadata are included along with your detection rules.

  6. Propagation between CTI and Detections: This component assesses the time it takes for new CTI to be integrated and deployed to your detection ruleset.

  7. Incident Response: This component assesses the extent to which your organization is prepared for and responds to active threats.

  8. Incident Recovery and Forensics: This component assesses how well your organization recovers from adverse incidents.

  9. Threat Hunting: This component assesses how proactive your threat hunting procedures are. Is threat hunting triggered by observed activity or does your organization anticipate likely adversary behaviors for investigation?

  10. Deception: This component assesses what kinds of systems (e.g., honeynet) or procedures (e.g., posting false information) your organization has set up to deceive adversaries.

Data Collection

To what extent is data collected, stored, and accessible?

  • Logs are collected and stored for at least 90 days

  • Logs are tagged for indexing

  • Logs are collected from multiple sensor types

Risk Assessments

To what extent are risk assessments performed and operationally useful to your organization?

  • Perform formal risk assessments at least annually

  • Results are used operationally, with measures taken to harden security posture based on findings

  • Assessment is focused on metrics and assets tailored to the organization’s needs, informed by the CTI team

Attack Surface Scoping

To what extent is your attack surface mapped out, understood, and prioritized?

  • No mapping of Attack Vectors

  • Attack Vectors are mapped

  • Attack Vectors are mapped and periodically reviewed

  • Attack Vectors are mapped and prioritized periodically

Detection Rules

How does your organization manage detection rules?

  • Import rules from external sources

  • Tune imported detection rules

  • Detection rules are correlated with attack surfaces

  • Detection rules are implemented based on business priorities

Detection Rule Metadata

What metadata are your detection rules annotated with that can help contextualize their alerts?

  • Behavioral description

  • Quantitative metrics

  • Frameworks and other standardizations

  • Associated malware, threat groups, or campaigns

Propagation between CTI and Detections

How long does it take on average to ingest new intelligence into your detection ruleset?

  • Within a Month

  • Within a Week

  • Within a Day

  • Within an Hour
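An added example, not part of the INFORM material or the MITRE INFORM Web Tool, that audits a detection ruleset against the two components above: it reports which of the four metadata classes each rule lacks, gives per-class coverage across the ruleset, and places the mean CTI-to-deployment lag into the propagation levels listed. The rule field names, the 30-day month, the sample rules, and the group label are this example's own assumptions.

```python
from datetime import datetime, timedelta

# The four metadata classes from the Detection Rule Metadata component, mapped to
# the rule fields this example assumes carry them (field names are this example's
# own convention, not something INFORM prescribes).
METADATA_CLASSES = {
    "behavioral_description": ("description",),
    "quantitative_metrics": ("false_positive_rate", "severity"),
    "frameworks": ("attack_techniques",),
    "associated_threats": ("malware", "threat_groups", "campaigns"),
}
# Propagation levels from the component, fastest first; a month is taken as 30 days.
PROPAGATION_LEVELS = [("Within an Hour", timedelta(hours=1)), ("Within a Day", timedelta(days=1)),
                      ("Within a Week", timedelta(weeks=1)), ("Within a Month", timedelta(days=30))]

def _present(value):
    # A 0.0 false-positive rate is real data, so test for absence, not truthiness.
    return value not in (None, "", [])

def missing_metadata(rule):
    """Metadata classes for which the rule carries no populated field."""
    return [cls for cls, fields in METADATA_CLASSES.items()
            if not any(_present(rule.get(f)) for f in fields)]

def metadata_coverage(rules):
    """Fraction of rules carrying each metadata class, keyed by class."""
    return {cls: sum(cls not in missing_metadata(r) for r in rules) / len(rules)
            for cls in METADATA_CLASSES}

def propagation_level(rules):
    """Fastest INFORM level whose window covers the mean CTI-to-deployment lag;
    None when no rule records a lag or the mean exceeds a month."""
    lags = [r["deployed"] - r["cti_published"] for r in rules if "cti_published" in r]
    if not lags:
        return None
    mean_lag = sum(lags, timedelta()) / len(lags)
    return next((name for name, limit in PROPAGATION_LEVELS if mean_lag <= limit), None)

# Constructed sample ruleset; names, dates and the group label are illustrative only.
SAMPLE_RULES = [
    {"name": "encoded-powershell", "description": "Encoded PowerShell command line",
     "false_positive_rate": 0.0, "attack_techniques": ["T1059.001"],
     "threat_groups": ["EXAMPLE-GROUP"],
     "cti_published": datetime(2024, 3, 1), "deployed": datetime(2024, 3, 2)},
    {"name": "lsass-handle", "description": "Non-system process opens LSASS",
     "attack_techniques": ["T1003.001"],
     "cti_published": datetime(2024, 3, 10), "deployed": datetime(2024, 3, 15)},
    {"name": "legacy-ftp-login", "description": "", "severity": "low"},
]
```

Rules that never record a CTI publication time (the third sample) are left out of the lag calculation rather than counted as zero, so they do not flatter the propagation level.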

Incident Response

How does your organization respond to an active threat?

  • Reactive to alerts, containment-focused

  • Playbook-enabled, some automation for lower-level or repeated threats

  • Responsive actions are informed by knowledge of likely threat actors and expected TTPs

Incident Recovery and Forensics

How does your organization recover from adverse incidents?

  • Ad-hoc or informal digital forensics capabilities

  • Documented and standardized forensic processes in place

  • Threat intelligence feeds are used to link forensic findings to specific threat actors/groups

Threat Hunting

How does your organization actively search out threat actors?

  • Ad-hoc or informal threat hunts triggered by observed activity

  • Hunts are conducted based on known/reported relevant vulnerabilities

  • Formal threat hunts are proactively conducted based on knowledge of likely adversary behaviors

Deception

To what extent does your organization seek to deceive future threats and keep them from usable/valuable data as defined in MITRE Engage?

  • Some lures or pocket litter

  • Disinformation spread
    • As discussed in NIST SP 800-160 Vol 2, this refers to intentionally spreading disinformation to adversaries (e.g., posting false information about a system to public forums, creating decoy accounts and credentials).

  • Full-scale honeynet