Measure, Maximize, & Mature Your Threat-Informed Defense

Mike Cunningham
Published in MITRE-Engenuity
Apr 11, 2024

Written by Forrest Carver, Steve Luke, & Ivy Oeltjenbruns.

Leveraging knowledge of cyber threats to prioritize the allocation of limited resources is one of the most impactful and efficient ways to reduce overall risk.

The Measure, Maximize, & Mature Threat-Informed Defense (M3TID) project extends this concept of leveraging threat understanding to improve a security program by working towards an actionable definition of threat-informed defense and its associated key activities, as well as a formalized approach to measure threat-informed defense maturity. This maturity model complements existing cybersecurity maturity models by incorporating a measure of how well threat information is leveraged.

We developed M3TID in partnership with AttackIQ, Inc., CrowdStrike, Inc., HCA — Information Technology & Services, Inc., IBM Security, JPMorgan Chase Bank, N.A., National Australia Bank Limited, Safe Security, & Verizon Business to help the whole community systematically advance threat-informed defense. As we share our work, we will discuss threat-informed defense, and how an organization can take definitive steps to measure, maximize, and mature their threat-informed defenses.

What is Threat-Informed Defense?

“Threat-informed defense is the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses.”

With MITRE ATT&CK® at its core, threat-informed defense encourages a focus on adversary behaviors, the specific actions that adversaries take to achieve their goals, recognizing that there are a limited number of behaviors and that these behaviors are common across adversaries and time. This behavioral focus allows defenders to make a critical shift towards an adversary perspective on their defenses and the tools and techniques that are available to achieve their goals. Defenders apply this knowledge to move beyond reactively chasing indicators of compromise and towards more effectively mitigating threats.

Three Dimensions of Threat-Informed Defense

To implement an effective threat-informed defense, an organization must understand the threat and have an effective security plan in place. To understand the efficacy of existing or planned defenses and identify gaps, an organization must evaluate its current posture, as well as potential new measures, against the known threats. This process takes place in three main dimensions:

1. Cyber Threat Intelligence (CTI) — understanding known behaviors of cyber adversaries; which specific adversaries are targeting its industry, technologies, or geography; and their motivations and typical objectives

2. Defensive (Counter) Measures (DM) — security actions put in place based on an understanding of the adversary; these could be technical (e.g. analytics, firewall rules, etc.) or non-technical (e.g. policies, training, etc.)

3. Testing & Evaluation (T&E) — continuous assessments based on threat knowledge to validate defenses and illuminate gaps

Threat-Informed Defense Cycle

Key Components and Maturity Levels

Each dimension of threat-informed defense is defined by 5 key components, for a total of 15 components. The graphic below summarizes these dimensions and their components:

M3TID Components

For each component, there are 5 maturity levels, for a total of 75 levels. The graphic below gives an example of 1 component from each dimension, along with that component’s respective maturity levels:

Example M3TID Maturity Levels

Measuring Threat-Informed Defense

The dimensions, components, and maturity levels defined by the M3TID project are the foundation of a scoring methodology.

  • Scoring is performed at the maturity level of each component.
  • The maturity level scores within a component are equally weighted, and those scores are averaged to determine a score for that component.
  • Components within a dimension are also equally weighted. The scores for the 5 components of a dimension are averaged, giving the score for the dimension.

To determine an overall threat-informed defense score, the Dimension scores are weighted using the following logic:

  • Defensive Measures (50% of total score) are the most important; without implementing Defenses, you are not achieving tangible impact.
  • Cyber Threat Intelligence (30% of total score) is the foundation of the model, as a strong understanding of the adversary is required to appropriately defend, self-assess, and improve.
  • Test & Evaluation (20% of total score) is important to proactively assess and evolve but has the least weight in the overall determination.
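The two lists above describe the M3TID roll-up (level scores averaged per component, component scores averaged per dimension, dimensions weighted 50/30/20) without showing the arithmetic, so here is an added example that implements it; this is not the project's own Assessment Tool code. The one assumption not stated in the post is the scale: each maturity level is scored 0.0 to 1.0 (the fraction of that level's criteria the organization meets), and the sample assessment values are constructed for illustration.

```python
from statistics import mean

# Dimension weights exactly as the post states them: DM 50%, CTI 30%, T&E 20%.
DIMENSION_WEIGHTS = {"DM": 0.5, "CTI": 0.3, "T&E": 0.2}
COMPONENTS_PER_DIMENSION = 5
LEVELS_PER_COMPONENT = 5


def component_score(level_scores):
    """Average the five equally weighted maturity-level scores of one component.
    Assumption (not from the post): each level is scored 0.0-1.0."""
    if len(level_scores) != LEVELS_PER_COMPONENT:
        raise ValueError(f"expected {LEVELS_PER_COMPONENT} level scores")
    if any(not 0.0 <= s <= 1.0 for s in level_scores):
        raise ValueError("level scores must lie in [0, 1]")
    return mean(level_scores)


def dimension_score(components):
    """Average the five equally weighted component scores of one dimension."""
    if len(components) != COMPONENTS_PER_DIMENSION:
        raise ValueError(f"expected {COMPONENTS_PER_DIMENSION} components")
    return mean([component_score(levels) for levels in components])


def overall_score(assessment):
    """Combine the three dimension scores with the 50/30/20 weighting."""
    if set(assessment) != set(DIMENSION_WEIGHTS):
        raise ValueError("assessment must cover exactly DM, CTI and T&E")
    return sum(w * dimension_score(assessment[d]) for d, w in DIMENSION_WEIGHTS.items())


def weakest_components(assessment, n=3):
    """Rank components lowest-first: where targeted investment helps most."""
    ranked = [(dim, i + 1, component_score(levels))
              for dim, comps in assessment.items()
              for i, levels in enumerate(comps)]
    return sorted(ranked, key=lambda r: (r[2], r[0], r[1]))[:n]


# Constructed sample self-assessment (illustrative values only).
SAMPLE_ASSESSMENT = {
    "CTI": [[1, 1, 1, 0, 0]] * 5,                        # every CTI component at 0.6
    "DM": [[1, 1, 0, 0, 0], [1, 1, 1, 1, 0], [1, 0, 0, 0, 0],
           [1, 1, 1, 0, 0], [1, 1, 0, 0, 0]],            # 0.4, 0.8, 0.2, 0.6, 0.4
    "T&E": [[1, 1, 0, 0, 0]] * 5,                        # every T&E component at 0.4
}

if __name__ == "__main__":
    for dim in DIMENSION_WEIGHTS:
        print(f"{dim:>4}: {dimension_score(SAMPLE_ASSESSMENT[dim]):.2f}")
    print(f"overall M3TID score: {overall_score(SAMPLE_ASSESSMENT):.2f}")
    print("weakest components:", weakest_components(SAMPLE_ASSESSMENT))
```

Because DM carries half the weight, the sample's third DM component (0.2) drags the overall score down more than the uniformly weak T&E dimension does, which is exactly the prioritization signal the weighting is meant to give.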

Proof of Concept Assessment Tool

To make it easier to engage with and implement the M3TID maturity framework, the team developed a proof of concept (PoC) assessment tool for organizations to use for initial self-assessments and evaluation of potential improvements. This tool enables practitioners to familiarize themselves with the dimensions, components, and maturity levels, conduct initial assessment and scoring, and understand relative current state strengths and weaknesses in their threat-informed defense implementation. The graphics below show views of the CTI Component tab and the Results tab of the tool once an organization completes initial scoring:

Notional CTI Dimension Results
Notional Threat-Informed Defense Assessment Results

Mature your Threat-Informed Defense

This model is focused on how “threat-informed” a cybersecurity program is within a given organization. M3TID is intended to complement — not replace — existing cybersecurity frameworks and maturity models by focusing on the degree to which threat information is optimally leveraged in an organization. The M3TID Maturity Model is meant to be a straightforward, easy to use tool for organizations to measure their current state, assess progress, and continuously refine and optimize their security posture by prioritizing based on threat-informed principles. The Center continues to provide several resources that reinforce or enable continuous improvement in all three of the Threat-Informed Defense dimensions.

Center for Threat-Informed Defense projects that mature threat-informed defense

By leveraging M3TID to understand their current maturity level and identifying areas for improvement, organizations can make targeted investments and strategic decisions to strengthen their defenses. In the long run, this maturity model will help organizations optimize their resources, enhance their cybersecurity capabilities, and better protect their digital assets and infrastructure from potential attacks.

Organizations can access the full M3TID project content and the Assessment Tool from the project website: https://center-for-threat-informed-defense.github.io/m3tid/

If you have thoughts, processes, or best practices to contribute to this effort to effectively define the maturity levels and roadmap for becoming more threat-informed, please reach out to us at ctid@mitre-engenuity.org.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2024 MITRE Engenuity. Approved for Public Release. Document number CT0105.


R&D Program Manager in the Center for Threat-Informed Defense at MITRE Engenuity