Defensive Measures

This section outlines the components identified for the Defensive Measures dimension and the levels within each component. Together, these components and levels form the basis for assessing how threat-informed an organization's defensive program is.

Foundational Security

The degree to which threat informs and prioritizes preventative security measures.

  1. Basic security measures, limited asset inventory, ad hoc patching

  2. Several mitigations and security controls connected to relevant threats, key attack surfaces, and critical assets identified

  3. Automated patching, attack surfaces understood, full asset inventory mapped to business operations

  4. Knowledge of threat informs a risk management process

Data Collection

How and from where is data being collected?

  1. Logs collected from a single sensor type

  2. Logs collected from multiple sensor types

  3. Logs are tagged for indexing

  4. Threat-informed detection requirements (i.e. sensor configuration and deployment) inform log collection

Detection Engineering

To what extent are detection rules designed, tested, and tuned?

  1. Import detection rules from an open repository

  2. Prioritize and tune imported detection rules

  3. Test and tune custom detection rules

  4. Develop detection rules based on knowledge of low-variance behaviors, i.e. Summit the Pyramid
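The Data Collection levels (sensor-tagged logs, collection driven by detection requirements) and the Detection Engineering levels (tuning imported rules versus writing rules around low-variance behaviors) are easier to see side by side in code. The following is an added example, not part of the original maturity model: it runs two constructed rules over constructed, Sysmon-shaped telemetry. The indicator rule keys on a tool name and a hash, so a renamed binary slips past it; the behaviour rule keys on any process reading LSASS memory, an observable the adversary cannot easily vary, with an allow-list as the tuning step. All event values, hashes, paths and the allow-list are made up for illustration; only the Sysmon field names and the PROCESS_VM_READ access bit are real.

```python
"""Constructed telemetry plus two detection rules: an indicator rule that
breaks when the tool is renamed, and a low-variance behaviour rule that does
not. Every event, path, hash and allow-list entry below is invented."""

# PROCESS_VM_READ bit of a Windows process access mask (Sysmon event 10 GrantedAccess)
PROCESS_VM_READ = 0x0010

# Constructed sample events. Field names follow Sysmon (ProcessAccess,
# SourceImage, TargetImage, GrantedAccess); the values are made up.
SAMPLE_EVENTS = [
    {"sensor": "edr", "event": "ProcessCreate",
     "Image": r"C:\tools\mimikatz.exe", "Hashes": "SHA256=AAAA-placeholder-hash"},
    {"sensor": "sysmon", "event": "ProcessAccess",
     "SourceImage": r"C:\tools\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Same behaviour, renamed binary with a new hash: the indicator rule misses it
    {"sensor": "edr", "event": "ProcessCreate",
     "Image": r"C:\Users\a\notes.exe", "Hashes": "SHA256=BBBB-placeholder-hash"},
    {"sensor": "sysmon", "event": "ProcessAccess",
     "SourceImage": r"C:\Users\a\notes.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Benign: a security product reading LSASS, which tuning should allow-list
    {"sensor": "sysmon", "event": "ProcessAccess",
     "SourceImage": r"C:\Program Files\Vendor\edr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"sensor": "firewall", "event": "Deny", "src": "10.0.0.5", "dst": "203.0.113.9"},
]

KNOWN_BAD_HASHES = {"SHA256=AAAA-placeholder-hash"}            # constructed indicator feed
ALLOWED_LSASS_READERS = {r"c:\program files\vendor\edr.exe"}  # constructed tuning allow-list


def _reads_lsass(ev):
    """True when the event is a handle to lsass.exe that includes VM_READ access."""
    return (ev.get("event") == "ProcessAccess"
            and ev.get("TargetImage", "").lower().endswith(r"\lsass.exe")
            and bool(int(ev.get("GrantedAccess", "0x0"), 16) & PROCESS_VM_READ))


def tag_event(ev):
    """Data Collection level 3: tag each event by sensor, event type and, where
    it matters, by the detection requirement it serves, so it can be indexed."""
    tags = {f"sensor:{ev['sensor']}", f"event:{ev['event']}"}
    if _reads_lsass(ev):
        tags.add("requirement:lsass-access")  # hypothetical requirement label
    return {**ev, "tags": sorted(tags)}


def collection_gap(events, required_sensors):
    """Data Collection level 4: which sensors a detection requirement needs
    but the collected telemetry does not contain."""
    return set(required_sensors) - {ev["sensor"] for ev in events}


def indicator_rule(ev):
    """Level 1/2-style rule: fires on a known tool name or a known hash only."""
    return ev.get("event") == "ProcessCreate" and (
        ev.get("Image", "").lower().endswith("mimikatz.exe")
        or ev.get("Hashes") in KNOWN_BAD_HASHES)


def behaviour_rule(ev):
    """Level 4-style rule: fires on the low-variance behaviour (reading LSASS
    memory) regardless of binary name or hash, minus tuned-out readers."""
    return (ev.get("sensor") == "sysmon" and _reads_lsass(ev)
            and ev.get("SourceImage", "").lower() not in ALLOWED_LSASS_READERS)


RULES = {"indicator": indicator_rule, "behaviour": behaviour_rule}


def evaluate(events, rules=RULES):
    """Return, per rule, the indices of events that fired. Replaying recorded
    samples like this is the 'test and tune' step of level 3."""
    hits = {name: [] for name in rules}
    for i, ev in enumerate(map(tag_event, events)):
        for name, rule in rules.items():
            if rule(ev):
                hits[name].append(i)
    return hits


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
    print(collection_gap(SAMPLE_EVENTS, {"sysmon", "edr", "dns"}))
```

On the constructed sample the indicator rule fires once (the event that still carries the known name), while the behaviour rule fires on both LSASS reads and stays quiet on the allow-listed security product; the gap check reports the sensor the requirement needs but nobody is collecting.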

Incident Response

How automated, strategic, and effective are responsive measures against top-priority threats?

  1. Reactive to alerts, containment-focused

  2. Playbook-enabled; hunts are conducted but remain alert-driven

  3. Informed by knowledge of threat actor, proactive hunting

  4. Campaign-focused

Deception Operations

How extensive and effective are deception operations at enabling defensive objectives and the collection of new threat intelligence?

  1. Execute malware under controlled conditions to analyze functionality

  2. Artifacts intended to elicit a response from the adversary

  3. Honeypot deployed

  4. Honey network deployed