Threat-Informed Defense and Purple Team Operations: Lessons from the Pentagon and U.S. Cyber Command

The cybersecurity community is evolving from a fortress mentality of “network defense” to a “threat-informed defense” approach to achieve cybersecurity effectiveness, with purple team operations at the center.

Why is this happening and what does this transition mean?

Over the last decade, the U.S. military has been at the forefront of the transition to threat-informed defense operations, first in the intelligence-operations bond that developed after September 11, 2001, and then in cybersecurity. Traditionally in cybersecurity, “blue” team defenders focused their strategies on meeting baseline cybersecurity best practices: correcting misconfigurations, administering patches, and deploying commercial products. Red teams have traditionally been smaller, and testing has occurred periodically and not at the requisite scale to validate the blue team’s defense effectiveness.

If blue teams fail to orient towards the most important threats, however, resources are wasted. Absent effective testing, security controls fail. To improve cybersecurity effectiveness, security teams are transitioning to a threat-informed defense strategy with the MITRE ATT&CK framework, a purple team construct of red and blue teams, and an automated testing platform combined into an engine of optimization.

In this talk, author and former Chief Strategy Officer for Cyber Policy Jonathan Reiber will outline the evolution of threat-informed defense, discuss the value of MITRE ATT&CK and purple team operations, and show security teams how to move forward towards cybersecurity effectiveness. Participants will leave with a clear plan for how to effect change in their organizations and deliver results.