Towards a Threat-Informed Defense:

Lessons from DoD's Cyber Strategy and USCYBERCOM

The cybersecurity community is evolving from a fortress mentality of network defense to a threat-informed defense approach to achieve cybersecurity effectiveness. Why is this happening and what does this transition mean?

Over the last decade, the U.S. military has been at the forefront of a threat-informed transition, first in the intelligence-operations bond that developed between analysts and warfighters after September 11, and then in cybersecurity. Traditionally, blue team defenders in cybersecurity have focused their strategies on meeting baseline best practices: correcting misconfigurations, administering patches, and deploying commercial products. Red teams are smaller, and their testing occurs periodically rather than at the scale required to validate the effectiveness of the blue team's defenses. If blue teams fail to orient towards the most important threats, however, resources are wasted. Absent effective testing, security controls fail.

Three lessons emerge from the evolution of threat-informed defense: teams need to (1) understand the adversary's approach using a threat framework such as MITRE ATT&CK; (2) gain visibility into their high-value assets and defense capabilities; and (3) build tight bonds across teams to validate security against those threats.

Automation can stand at the center of a threat-informed defense strategy to test cybersecurity controls at scale. In this talk, author and former Chief Strategy Officer for Cyber Policy Jonathan Reiber will outline the evolution of threat-informed defense, discuss the value of MITRE ATT&CK and purple team operations, and show security teams how to move forward towards cybersecurity effectiveness. Participants will leave with a clear plan for how to effect change in their organizations and deliver results.
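The three lessons above (an ATT&CK-based threat model, visibility into controls and high-value assets, and validation through red/blue testing) reduce, in practice, to a recurring coverage check that automation can run at scale. The following is an added example written for this page, not code from the talk or from MITRE: it takes a constructed threat profile expressed as ATT&CK technique IDs (the IDs and names are real ATT&CK identifiers, but the selection of techniques and the asset weights are hypothetical), a constructed inventory of blue team controls, and classifies each technique as validated by a purple team exercise, covered but untested, or an outright gap, then orders the resulting work so that gaps threatening high-value assets come first.

```python
"""ATT&CK-informed coverage check (added example; threat profile and controls are constructed)."""
from dataclasses import dataclass

# Constructed threat profile for an illustrative adversary. IDs and names are real
# ATT&CK technique identifiers; which techniques appear and their weights are hypothetical.
# Weight 3 = directly threatens a high-value asset, 1 = early-stage activity.
THREAT_PROFILE = {
    "T1566": ("Phishing", 1),
    "T1059": ("Command and Scripting Interpreter", 2),
    "T1053": ("Scheduled Task/Job", 2),
    "T1003": ("OS Credential Dumping", 3),
    "T1078": ("Valid Accounts", 3),
    "T1021": ("Remote Services", 2),
    "T1071": ("Application Layer Protocol", 1),
    "T1486": ("Data Encrypted for Impact", 3),
}


@dataclass
class Control:
    """One blue team control and the techniques it is meant to detect or prevent."""
    name: str
    techniques: set
    validated: bool  # True only if a purple team exercise confirmed it actually fires


# Constructed control inventory (hypothetical names, not a real deployment).
CONTROLS = [
    Control("Email gateway sandbox", {"T1566"}, validated=True),
    Control("Script block logging + SIEM rule", {"T1059"}, validated=True),
    Control("LSASS access monitoring (EDR)", {"T1003"}, validated=False),
    Control("Scheduled task creation alert", {"T1053"}, validated=False),
    Control("Immutable backups", {"T1486"}, validated=True),
]


def coverage_report(profile, controls):
    """Classify each profiled technique as 'validated', 'untested', or 'gap'.

    A technique is validated if at least one control covering it has been
    confirmed by testing; untested if controls exist but none has been
    validated; a gap if no control claims to cover it at all.
    """
    report = {"validated": [], "untested": [], "gap": []}
    for tid in sorted(profile):
        matching = [c for c in controls if tid in c.techniques]
        if not matching:
            report["gap"].append(tid)
        elif any(c.validated for c in matching):
            report["validated"].append(tid)
        else:
            report["untested"].append(tid)
    return report


def prioritized_work(profile, report):
    """Order the to-do list: build controls for gaps first, then test untested ones.

    Within each category, techniques that threaten high-value assets (higher
    weight) come first; ties break on technique ID for a stable order.
    """
    by_weight = lambda tid: (-profile[tid][1], tid)
    return ([("build-control", t) for t in sorted(report["gap"], key=by_weight)]
            + [("purple-test", t) for t in sorted(report["untested"], key=by_weight)])


def weighted_coverage(profile, report):
    """Fraction of asset-weighted threat exposure covered by validated controls."""
    total = sum(weight for _, weight in profile.values())
    covered = sum(profile[t][1] for t in report["validated"])
    return covered / total if total else 0.0


if __name__ == "__main__":
    rep = coverage_report(THREAT_PROFILE, CONTROLS)
    for category, tids in rep.items():
        print(f"{category:9s}: {', '.join(tids) or '-'}")
    print(f"weighted coverage: {weighted_coverage(THREAT_PROFILE, rep):.2f}")
    for action, tid in prioritized_work(THREAT_PROFILE, rep):
        print(f"  {action:14s} {tid} ({THREAT_PROFILE[tid][0]})")
```

The distinction between "untested" and "validated" is the point of the third lesson: a control that exists on paper counts for nothing in the coverage figure until a purple team exercise has confirmed it fires, and the weighted score keeps attention on the techniques closest to the organization's high-value assets rather than on raw technique counts.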