Defensive Measures
This section outlines the key components identified for the Defensive Measures dimension, together with the maturity levels within each component. These components and levels form the basis for assessing how threat-informed an organization's defensive program is. The assessment can be conducted using the companion spreadsheet published with this white paper.
Foundational Security [1]
Definition: The degree to which threat informs and prioritizes preventative security measures.
Maturity levels, lowest to highest:
- None
- Ad hoc patching, limited asset inventory, basic security measures
- Several mitigations and security controls [2] connected to relevant threats implemented; key attack surfaces and critical assets identified
- Knowledge of threat informs a risk management process that prioritizes a set of mitigations and controls
- Prioritized [3], automated patching [4]; attack surfaces understood; full asset inventory mapped to business operations and threats; hygiene best practices implemented

Data Collection
Definition: Is the right data being collected, based on the needs identified from analysis of threat intelligence?
Maturity levels, lowest to highest:
- None
- Minimal visibility (e.g., a single network sensor at the network boundary)
- Compliant with best practices for network and devices (e.g., logs collected from each device according to the manufacturer's recommendations)
- Threat-informed detection requirements guide sensor configuration and deployment [5] (e.g., additional Sysmon configuration driven by detection needs for ATT&CK techniques)
- Threat-optimized: sensors evaluated, configured, and deployed to meet all threat-informed detection needs

Detection Engineering
Definition: How much are detection analytics designed, tested, and tuned to optimize precision, recall, and robustness for relevant malicious behaviors?
Maturity levels, lowest to highest:
- None
- Import rules or analytics from an open repository
- Prioritize and tune imported rules or analytics from a repository
- Testing and tuning of custom detection analytics
- Detection analytics developed based on knowledge of low-variance behaviors, customized to reduce false positives while maintaining robust [6] recall [7]

Incident Response
Definition: How automated, strategic, and effective are responsive measures against top-priority threats?
Maturity levels, lowest to highest:
- None
- Ad hoc, manual, reactive
- Playbook-enabled, partially automated
- Informed by knowledge of the threat actor (e.g., an initial detection leads to a follow-on investigation to detect other malicious actions expected in the campaign based on CTI). Proactive hunts are conducted, driven by threat information rather than only by alerts from existing analytics.
- Strategic, holistic, and optimized to deter future events (e.g., with an understanding of the full campaign and the adversary's likely reaction to the defensive response, the defenders take decisive and coordinated actions that effectively evict the adversary such that it is not easy for them to return)

Deception Operations [8]
Definition: How extensive and effective are deception operations in enabling defensive objectives and the collection of new threat intelligence?
Maturity levels, lowest to highest:
- None
- Sandboxing of suspicious executables (e.g., email attachment detonation before delivery)
- One to several honey* assets (pot, token, document, ...) deployed and monitored, enabling detection of malicious use and early warning
- Honey network deployed and monitored
- Intentional, long-term deception operations in a realistic honey network
References