Center for Threat-Informed Defense: Threat-Informed Defense
What is Threat-Informed Defense?
Threat-Informed Defense is the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses.
Threat-informed defense enables the collective resources of all defenders to be greater than those of any one adversary. It identifies known adversary behavior, relevant to an organization’s threat model, and fosters a community-driven approach to enable an organization to proactively defend, self-assess, and improve defenses against those known threats.
The Threat-Informed Defense Triangle
Threat-informed defense is a continuous process in which defenders and adversaries are constantly learning and evolving. The three dimensions of threat-informed defense are:
- Cyber Threat Intelligence: knowing the adversary, their objectives, and their tactics, techniques, and procedures (TTPs).
- Defensive Measures: implementing prevention, detection, and mitigation tailored to those known threats.
- Testing & Evaluation: assessing defenses by emulating realistic adversary behaviors and TTPs.
The MITRE ATT&CK® knowledge base is a comprehensive reference of publicly reported adversary tactics, techniques, and procedures (TTPs), including how to detect and mitigate them. ATT&CK also serves as a common language that enables widespread and efficient collaboration across organizations and industries. It enables defenders to think at a level of abstraction that is concrete enough to be actionable, but abstract enough to remain stable over time and across adversaries.
Why Threat-Informed Defense?
Threat-informed defense aligns defensive measures to real-world observations of adversary tradecraft. Where cybersecurity has often focused on brittle indicators of compromise that are easy for an adversary to change, threat-informed defense focuses energy on adversary behavior, which is more stable over time and more expensive for adversaries to evade. The result is a more efficient use of defenders’ resources and a more robust program of prevention, detection, and response.
Threat-informed defense is not intended to replace a baseline security program; rather, it supplements other activities such as patch management and vulnerability management. It enables organizations to enhance their defenses proactively and adaptively against evolving threats.
The Center for Threat-Informed Defense
Our mission is to advance the state of the art and state of the practice in threat-informed defense globally.
Learn More
To learn more about our threat-informed defense R&D program, visit Our Work. For a broad overview of the principles and best practices of threat-informed defense, read the Measure, Maximize, and Mature Threat-Informed Defense (M3TID) publication.
Center R&D Projects Aligned to TID Triangle