During the Battle of Britain, the use of radar was decisive. It showed the British where German planes were going, so they could get their fighters in the air and be ready. They knew exactly where to focus their limited resources, making every move count. That’s pretty much the idea behind threat-informed defence in cybersecurity.
Threat-informed defence is all about using real-world data to make smarter decisions. It’s closely tied to risk management but improves on it. Instead of just guessing what might go wrong, it looks at actual threats and how likely they are to materialise. By focusing on what threat actors are really doing, organisations can put their resources where they’ll make the biggest impact. Where traditional risk management often concentrates on impact, threat-informed defence digs into the likelihood of an attack, prioritising what’s most probable based on real evidence of how attackers operate. This means you’re not chasing every new piece of malware but focussing your defences on the patterns attackers use over and over.
The MITRE ATT&CK framework is a language that describes how threat actors behave. It pulls together public data on how attackers act, including their tactics, techniques, and procedures (TTPs). ATT&CK helps security teams focus on behaviors that are stable over time and across different attackers. This balance between actionable insights and long-term strategy makes it easier to get the most out of security investments.
By understanding the specific threats that are most relevant—based on your industry, location, or other factors—you can narrow down your defences to target the most likely risks. ATT&CK helps practitioners zero in on those high-priority behaviors and build a defence that works against real-world threats.
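As an added illustration of the prioritisation described above (not code from the original post), the script below ranks ATT&CK techniques by how many groups relevant to your sector use them, then discounts each by the detection coverage you already have. The group names, sector tags and coverage numbers are constructed; the technique IDs are real ATT&CK IDs. Note how the most prevalent technique (T1566) drops down the list once existing coverage is taken into account, which is the difference between chasing prevalence and closing real gaps.

```python
"""Rank ATT&CK techniques by prevalence among relevant threat groups,
weighted by how little coverage you already have for each technique.

Group names, sector tags and coverage values are constructed for
illustration; the technique IDs are real ATT&CK technique IDs."""
from collections import Counter

# Constructed threat-group profiles: sectors each group targets and the
# ATT&CK techniques it has been observed using (hypothetical data).
GROUPS = {
    "group-A": {"sectors": {"finance"}, "techniques": {"T1566", "T1059", "T1078", "T1003"}},
    "group-B": {"sectors": {"finance", "retail"}, "techniques": {"T1566", "T1059", "T1053", "T1486"}},
    "group-C": {"sectors": {"finance"}, "techniques": {"T1566", "T1078", "T1021", "T1003"}},
    "group-D": {"sectors": {"energy"}, "techniques": {"T1059", "T1078", "T1021"}},
}

# Constructed self-assessment: fraction of each technique your current
# detections/controls cover (0 = no coverage, 1 = full coverage).
COVERAGE = {"T1566": 0.8, "T1059": 0.3, "T1078": 0.5, "T1003": 0.2,
            "T1053": 0.1, "T1486": 0.6, "T1021": 0.25}


def relevant_groups(groups, sector):
    """Keep only the groups known to target the given sector."""
    return {name: g for name, g in groups.items() if sector in g["sectors"]}


def technique_prevalence(groups):
    """Share of the given groups (0..1) that use each technique."""
    counts = Counter(t for g in groups.values() for t in g["techniques"])
    return {t: n / len(groups) for t, n in counts.items()}


def prioritise(groups, coverage, sector):
    """Return [(technique, gap_score)] sorted high to low, where
    gap_score = prevalence * (1 - coverage): techniques that many relevant
    groups use and that you barely cover come first."""
    prevalence = technique_prevalence(relevant_groups(groups, sector))
    scored = {t: p * (1.0 - coverage.get(t, 0.0)) for t, p in prevalence.items()}
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for technique, score in prioritise(GROUPS, COVERAGE, "finance"):
        print(f"{technique}  gap={score:.2f}  coverage={COVERAGE.get(technique, 0.0):.2f}")
```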
Cybersecurity is never static. Your digital landscape is always evolving, with new software updates, patches, and tools. Unfortunately, these changes often introduce new vulnerabilities. Security defences need to evolve alongside them. Constant monitoring and reassessment are crucial to make sure no gaps appear in your defences.
At the same time, attackers are always on the move. They’re constantly developing new tools and techniques but will stick to their old tricks if they still work. This is why it’s essential to defend against known threats proactively. The harder you make it for attackers to succeed, the more time, effort, and money they have to spend—which can ultimately discourage them.
We will dive into what this means for your security program, security operations centre (SOC), vulnerability management backlog, penetration testing plan, tool selection and configuration.
If you would like to improve the focus of your cybersecurity resources, we would love to chat.
Regards,
Mike