Defensive Measures
This section outlines the components that have been identified for the Defensive Measures dimension, along with the maturity levels within each component. These components and levels form the basis for assessing how threat-informed an organization's defensive program is.
Foundational Security
The degree to which threat informs and prioritizes preventative security measures.
1. Basic security measures, limited asset inventory, ad hoc patching
2. Several mitigations and security controls connected to relevant threats; key attack surfaces and critical assets identified
3. Automated patching, attack surfaces understood, full asset inventory mapped to business operations
4. Knowledge of threat informs a risk management process
Data Collection
How and from where is data being collected?
1. Logs collected from a single sensor type
2. Logs collected from multiple sensor types
3. Logs are tagged for indexing
4. Threat-informed detection requirements (i.e., sensor configuration and deployment) inform log collection
Detection Engineering
To what extent are detection rules designed, tested, and tuned?
1. Import detection rules from an open repository
2. Prioritize and tune imported detection rules
3. Test and tune custom detection rules
4. Develop detection rules based on knowledge of low-variance behaviors (i.e., Summit the Pyramid)
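The gap between the first and last Detection Engineering levels is easiest to see side by side. The following added example (not part of the original model) contrasts an imported, indicator-style rule keyed on a tool file name with a custom rule keyed on the low-variance behavior the tool performs; the process events, paths and tool names are constructed sample telemetry, not data from the page.

```python
"""Detection Engineering ladder, illustrated: an imported indicator rule
(high-variance observable: a file name) versus a custom rule keyed on a
low-variance behaviour (the action that must occur regardless of tooling).
All events below are constructed sample telemetry."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str      # executable path as logged by the endpoint sensor
    cmdline: str    # full command line
    parent: str     # parent process image


# Constructed events: the same LSASS memory-dump behaviour performed with the
# expected tool name, then with a renamed copy, plus a benign event for contrast.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Tools\procdump.exe", "procdump.exe -ma lsass.exe out.dmp", "cmd.exe"),
    ProcessEvent(r"C:\Users\Public\update.exe", "update.exe -ma lsass.exe out.dmp", "cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt", "explorer.exe"),
]


def indicator_rule(ev: ProcessEvent) -> bool:
    """Level-1 style imported rule: matches a tool's file name.
    High variance: a renamed binary is missed."""
    return ev.image.lower().endswith("procdump.exe")


def behaviour_rule(ev: ProcessEvent) -> bool:
    """Level-4 style custom rule: matches the behaviour itself, a full memory
    dump (-ma) whose target is lsass.exe, whatever the tool is called.
    A production variant would key on process-access telemetry instead of the
    command line, which is a still lower-variance observable."""
    args = ev.cmdline.lower().split()
    return "-ma" in args and "lsass.exe" in args


def evaluate(rule, events=SAMPLE_EVENTS) -> list:
    """Return the indices of events the rule fires on, for comparison."""
    return [i for i, ev in enumerate(events) if rule(ev)]


if __name__ == "__main__":
    print("indicator rule hits:", evaluate(indicator_rule))   # [0]
    print("behaviour rule hits:", evaluate(behaviour_rule))   # [0, 1]
```

The indicator rule catches only the first event; the behavioral rule also catches the renamed copy and stays quiet on the benign event, which is the coverage gain the top level of the ladder describes.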
Incident Response
How automated, strategic, and effective are responsive measures against top-priority threats?
1. Reactive to alerts, containment-focused
2. Playbook-enabled; hunts are conducted but are alert-driven
3. Informed by knowledge of the threat actor, proactive hunting
4. Campaign-focused
Deception Operations
How extensive and effective are deception operations at enabling defensive objectives and the collection of new threat intelligence?
1. Execute malware under controlled conditions to analyze functionality
2. Artifacts intended to elicit a response from the adversary
3. Honeypot deployed
4. Honey network deployed