
The Problem of Why: Threat-Informed Prioritization in Security Operations. Part 1.


What does it mean to be threat-informed when it comes to Cyber Defence?

It is one of those classic tough questions that don't have simple answers (at least not ones that are immediately obvious). The great Anton Chuvakin circled back to this topic recently. In this article, he asks an excellent question that goes to the heart of the problem:

"...why does everybody seem to support threat-centric security conceptually, but few practice it operationally?"

Operationalizing a threat-centric approach is not a simple undertaking. You must choose between strategic stances for threat intelligence data collection, information assessment, filtering, enrichment and triage.

You may be tempted to assume that the problem of threat-informed or threat-driven cybersecurity is a threat intelligence one; at its core, however, it is a problem of information significance: the dimensions of data provenance, relevance, interoperability, reliability, actionability and timeliness. What does a particular data cluster mean within the context of your organization, and how does it inform actionable outcomes?

Ultimately, what we want is for information to be actionable. Our threat intelligence pipeline should help improve the actionability gradients of the threat-related data that our environment emits, so that it can drive security control deployments such as detections, mitigations and hardening.

However, the reality we face in most organizations is far from a meaningful information processing pipeline. Most CyberSecOps models out there resemble Rube Goldberg machines rather than meaningfully articulated data networks. It suffices to ask your hunting, response, SOC, detection engineering or threat intelligence teams a few of the following questions to surface how much they struggle to explain what constitutes a meaningful threat-driven decision:

  • What helps drive the priority of your threat detection, hunting and intelligence collection endeavours?
  • What is your understanding of the purpose of collecting and processing information about threats that may impact your environment?
  • Why have you chosen risk "A" over risk "B" to be prioritized for action?
  • How do you determine the relevancy of a threat to your organization?
  • Do you simply leverage unidimensional criteria like playing MITRE ATT&CK bingo to decide where to best allocate your hunting and detection efforts?

When it comes to building a strategic approach for the allocation of resources to threat hunting and detection engineering efforts, there is no single "formula" that defines the optimal prioritization model. This, however, does not mean you are spared the need to quest (and question) around what constitutes meaningful progress for your organization. The peril of not doing so is falling into The Inevitable Kraken of Doom, as Dr. Jason Fox puts it:

... we collectively maintain a rich delusion of progress, busily working away, like automaton-golems, towards that what I call ‘The Inevitable Kraken of Doom’—an Eldritch beast that feeds upon the sweet nectar of our impending irrelevance.

Despite all the challenges in navigating the complexities of threat-driven CyberOps, we seem to succeed in what I can only describe as performant ambiguity: an ability to operate coherently in situations with a high degree of uncertainty and complexity. Why is this? What do we intuitively know about threat-driven strategies that we haven't yet elevated to formal models?

In this article we will explore this topic and hopefully bring insight into the problem space.