Most organizations continue to use traditional methods such as commercial security products to block bad sites and malicious software and apply patches to correct vulnerabilities in installed software. Although effective against some threats, these approaches fail to stop advanced attacks and offer no insight into what an adversary does once it has penetrated the network.
To significantly improve their cyber defense, some organizations, including MITRE, have adopted a threat-based defense strategy. Threat-based defense uses the knowledge gained from individual, often seemingly unrelated, attacks and related events to reduce the likelihood that future attacks succeed.
A comprehensive threat-based defense hinges on three elements:
- Cyber threat intelligence analysis.
- Defensive engagement of the threat.
- Focused sharing and collaboration.
We will examine each one.
Cyber threat intelligence analysis. This type of analysis yields practical information and threat detection signatures that are more durable than conventional virus definitions, because they key on an adversary's tactics, tooling, and infrastructure rather than on individual malware samples. Once they scrutinize the information, specialists can use it to harden cyber defenses and improve ways to anticipate, prevent, detect, and respond to cyber attacks.
Using the cyber attack lifecycle (first articulated by Lockheed Martin as the “kill chain”) and classic intelligence analysis, as shown below, cyber threat intelligence analysts developed a framework to better understand and anticipate the moves of cyber adversaries at each stage of an attack.
MITRE has developed an operational prototype tool called Collaborative Research Into Threats, or CRITs, which facilitates cyber threat intelligence gathering and analysis, including
- Collecting and archiving attack artifacts, including incidents, tactics, targeting data, and loss assessments
- Associating archived artifacts with the stages of the cyber attack lifecycle
- Tracking environmental influences, including politics, technology developments, vulnerabilities, and exploits from both open and sensitive sources
- Conducting malware reverse engineering to statically and dynamically analyze the characteristics and behavior of malicious software
- Analyzing the data collected to generate hypotheses about adversaries, their intentions, and their tactics, techniques, and procedures
- Drawing on all of these elements to shape and prioritize defenses and react to incidents
Defensive engagement of the threat. This concept is critical to preventing or detecting future attacks. During the early stages of the lifecycle, defenders have an opportunity to detect and mitigate threats before an adversary establishes a foothold. During the later stages, incident response and mission assurance measures are used reactively.
Cyber defenders must proactively look for indicators of a pending, active, or successful cyber attack. Telltale signs can be developed through retrospective analysis and correlation of threat characteristics observed across the cyber attack lifecycle over time. This "learn from the past" approach, however, exposes an organization to great risk if it deliberately defers remediation of a compromise in order to observe the adversary's actions after the Exploit stage. One solution is to establish synthetic environments (for example, isolated honeynet-style systems) in which cyber defenders can observe an adversary's post-exploitation activity while containing the risk.
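The following is an added example, not MITRE's code and not part of CRITs, showing the retrospective correlation described above in working form: artifacts from several intrusion attempts are tagged with their cyber attack lifecycle stage (as in the CRITs feature list), indicators that recur across attempts are treated as the durable ones, incidents that share them are linked into a campaign, and the earliest stage at which that campaign can be caught is reported. The three incidents, their indicator values, and the stage names are constructed for illustration.

```python
"""Added example: kill-chain-tagged indicator correlation across incidents.
Not MITRE's or CRITs' code; all incidents and indicator values are constructed."""
from collections import defaultdict

# Lifecycle stages in order; a lower index means earlier in the attack.
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Constructed sample: three intrusion attempts. Each artifact is
# (lifecycle stage, indicator type, value). INC-1 and INC-2 were built with
# the same document builder and reuse a C2 user-agent; INC-3 is unrelated.
INCIDENTS = {
    "INC-1": [
        ("delivery", "sender_domain", "invoice-mailer.example"),
        ("delivery", "attachment_sha256", "aaaa1111"),
        ("weaponization", "doc_builder_artifact", "builder-v2-metadata"),
        ("command_and_control", "http_user_agent", "Mozilla/4.0 (compatible; MSIE 6.0)"),
        ("command_and_control", "c2_domain", "update-check.example"),
    ],
    "INC-2": [
        ("delivery", "sender_domain", "hr-portal.example"),
        ("delivery", "attachment_sha256", "bbbb2222"),
        ("weaponization", "doc_builder_artifact", "builder-v2-metadata"),
        ("command_and_control", "http_user_agent", "Mozilla/4.0 (compatible; MSIE 6.0)"),
        ("command_and_control", "c2_domain", "cdn-static.example"),
    ],
    "INC-3": [
        ("delivery", "sender_domain", "shipping-notice.example"),
        ("delivery", "attachment_sha256", "cccc3333"),
        ("command_and_control", "c2_domain", "files-sync.example"),
    ],
}


def index_indicators(incidents):
    """Map each (stage, type, value) artifact to the incidents it appears in."""
    seen = defaultdict(set)
    for inc_id, artifacts in incidents.items():
        for artifact in artifacts:
            seen[artifact].add(inc_id)
    return seen


def shared_indicators(incidents):
    """Indicators observed in two or more incidents. These are the durable
    ones: an attachment hash changes per attempt, while a tool fingerprint
    or C2 user-agent tends to persist across an adversary's campaign."""
    return {a: ids for a, ids in index_indicators(incidents).items() if len(ids) > 1}


def link_campaigns(incidents):
    """Group incidents that share at least one indicator (transitively),
    using a small union-find. Returns sorted lists of incident ids."""
    parent = {i: i for i in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for ids in shared_indicators(incidents).values():
        ordered = sorted(ids)
        for a, b in zip(ordered, ordered[1:]):
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for i in incidents:
        groups[find(i)].add(i)
    return sorted(sorted(g) for g in groups.values())


def earliest_detection_stage(incidents, campaign):
    """Earliest lifecycle stage at which an indicator common to the whole
    campaign exists. Acting there means acting before the adversary has a
    foothold; None if the campaign has no campaign-wide indicator."""
    stages = [a[0] for a, ids in shared_indicators(incidents).items()
              if ids >= set(campaign)]
    return min(stages, key=STAGES.index) if stages else None


def prioritized_signatures(incidents):
    """Rank shared indicators: seen in more incidents first, then earlier stage."""
    shared = shared_indicators(incidents)
    return sorted(shared, key=lambda a: (-len(shared[a]), STAGES.index(a[0])))


if __name__ == "__main__":
    for campaign in link_campaigns(INCIDENTS):
        print(campaign, "earliest catch:", earliest_detection_stage(INCIDENTS, campaign))
    for stage, kind, value in prioritized_signatures(INCIDENTS):
        print(f"signature candidate [{stage}] {kind} = {value}")
```

Run as a script, it links INC-1 and INC-2 into one campaign, leaves INC-3 alone, and ranks the document builder artifact above the C2 user-agent because it is observable at an earlier stage. The ranking is the practical output: it tells the defender which signatures to write first and where in the lifecycle to place the sensor.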
Focused sharing and collaboration. Among communities of cyber defenders, working in partnership provides a force-multiplier effect. These collaborations can greatly benefit cyber-threat intelligence analysis and strengthen cyber defenses.