Be Fearless Podcast: Community-Driven Threat Intelligence

The concept of threat-informed defense for cyber defenders grew organically from real-world practices observed among early adopters of the MITRE ATT&CK® framework. As Jon Baker, director of MITRE's Center for Threat-Informed Defense, explains on the SquareX Be Fearless podcast, the term emerged to capture a deeper, more systematic approach to cybersecurity.

"We had a whole series of conversations with early adopters of ATT&CK where we realized there was a consistent thing they were doing but we didn't have a name for it. Needing to come up with a term to reference operationalizing ATT&CK led to the phrase 'threat-informed defense.' We wanted it to be not just about operationalizing ATT&CK," said Baker. "We wanted it to be about that systematic process of studying adversary behaviors at a deep technical level and using that knowledge to look at defenses from the perspective of the adversary and try to drive changes in your defensive posture."

At its core, threat-informed defense is a continual, evolving process.

"One of the core ideas we've had with threat-informed defense is it really is a continual process," said Baker. "We're trying to continually understand adversary behaviors as they change and evolve and then use that knowledge to apply to how we test and evaluate our systems and how we improve our defenses."

The Center for Threat-Informed Defense was created in response to a growing need within the cybersecurity community. Sophisticated teams sought leadership from MITRE, not just for guidance, but for collaboration.

"It was a series of meetings with teams that led to the realization we had an opportunity, and it felt like a responsibility, that there were teams out there looking to MITRE to bring them together. I wanted to come up with a way to do that systematically to create enduring relationships with sophisticated teams and make it so this whole ecosystem could be self-sustained," said Baker. "That's what led us down this path of creating the Center for Threat-Informed Defense, where we bring sophisticated teams together to systematically identify problems and try to solve them through collaborative research and development, so our members drive what we do and how we do it."

What began as a practical tool has far surpassed expectations, becoming a foundational resource for cybersecurity teams worldwide. 

"When we started, we thought ATT&CK would be useful. We had no idea it would turn into this thing that's used by almost every government organization out there, every government cybersecurity organization, and nearly every sophisticated security team," said Baker. "It's used all across the cybersecurity industry, and we're always learning of new people using it."

Effective defense means more than tracking adversary moves. It requires systems built for rapid insight and collective action.

Baker emphasized, "It's important we set ourselves up so as we see adversaries, we're positioned to capture that, share it, collaborate, and develop solutions to document those changes and behaviors and define ways to mitigate them."

The internet browser remains both a primary work tool and a prime target for cyberattacks, especially through plugins that enterprises often overlook.

"More security teams need to understand because the browser is where we all live and do business most of the time, it's sort of a ripe target, and you need to be looking at the security of the plugins you're allowing within your enterprise," Baker said.

Artificial intelligence (AI) may accelerate how attackers develop new behaviors, but the underlying process of research, development, and testing remains. 

"With AI, you're still going to be restricted to that finite set of behaviors. With the assistance of AI, attackers may be able to develop new behaviors a little bit faster than they have in the past, but developing a new behavior is still fundamentally about doing research, creating capability, and testing that capability," said Baker. "There's always going to be a life cycle to that."

The Center's AI research initiative has become a major collaborative effort focused on understanding and mitigating threats to AI-enabled systems.

"What's happened over the last year and a half within the Center is the Secure AI research project has grown into a whole focus area where we get really strong engagement from our members, from the community, and trying to bring us together to understand the state of threats to AI-enabled systems and what we can do about them," Baker added.
