
Understanding Threat-Informed Defence

June 16, 2024
A breakdown of threat-informed defence, and how it can be used effectively.

by Kade Morton (CEO)
Introduction

Threat-informed defence applies adversary knowledge to strengthen security.

Threat-informed defence (TID) is a proactive cybersecurity strategy that helps organisations stay ahead of adversaries by systematically applying knowledge of their tradecraft, tactics, and technologies to strengthen defences.

This blog post will break down the aspects of threat-informed defence, exploring its definition, key components, and the steps necessary to implement it effectively.

What is Threat-Informed Defence?

Threat-informed defence is the systematic application of an understanding of adversary tactics, techniques, and procedures (TTPs) to strengthen cybersecurity measures. It involves using real-world threat intelligence to guide decisions about detection, prevention, and response. These defences must then be continuously tested, through simulations, red teaming, or other validation exercises, to assess and improve their effectiveness. The results generate new remediation actions and improvements. As time progresses, new threats and TTPs emerge, requiring constant updates to intelligence and defences. Threat-informed defence is not a one-time effort but a continuous, adaptive process that evolves alongside the threat landscape.

Unlike traditional, static security approaches that may focus primarily on compliance or general best practices, TID is about using specific cyber threat intelligence (CTI) as a starting point to drive continuous defensive improvements. It emphasises understanding the actual threats that an organisation is likely to encounter and tailoring defences accordingly.

Integrating TID with Frameworks and Standards

Threat-informed defence does not replace existing cybersecurity frameworks; it enhances them. Organisations often use frameworks such as the NIST Cybersecurity Framework (CSF), ISO/IEC 27001, or the CIS Critical Security Controls to structure their security programs. TID complements these by introducing real-world threat intelligence into the decision-making process.

For example, NIST CSF outlines high-level functions such as “Identify,” “Protect,” “Detect,” “Respond,” and “Recover.” TID informs those functions by identifying which adversary behaviours are most likely to impact the organisation and ensuring defences are tailored accordingly. Similarly, MITRE ATT&CK® (touched on below) and D3FEND offer operational frameworks that map well to TID practices, helping teams visualise gaps in their detection and mitigation strategies.

Key Components of Threat-Informed Defence

Threat-informed defence is often broken down into three components: CTI, defensive measures, and testing and evaluation. To make TID more approachable and holistic, this blog breaks it down a little differently.

Identifying Probable Threats

The first step in a threat-informed defence strategy is to identify the threats that are most likely to impact the organisation. This involves gathering and analysing CTI to understand the behaviour, goals, and capabilities of potential adversaries.

To predict future threats effectively, it is essential to analyse past incidents and look at what cyber threat actors (CTAs) have targeted your industry and geography. This forms the basis of your threat landscape. High-quality CTI goes beyond simple lists of indicators of compromise (IoCs); it provides context about the types of adversaries and their TTPs. This comprehensive understanding is critical for defining your threat landscape accurately.

Aligning TID with Business Risk

An effective threat-informed defence strategy must be grounded in the business context. Not all adversary behaviours pose the same risk to every organisation. TID should prioritise threats based on their relevance to your environment, your industry, your assets, and your geography.

This alignment begins with threat modelling: mapping likely adversaries and their TTPs against your organisation’s environment, data, and processes. By focusing on high-impact, high-probability scenarios, organisations can use their CTI more strategically, ensuring limited resources are used where they matter most.
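The two steps above (building a threat landscape from contextual CTI, then prioritising by relevance to your industry and geography) are easier to reason about with a worked example. The following is an added example, not code from Arachne Digital or this post: it scores a handful of constructed CTI reports against an organisation profile and ranks the techniques they describe. The actor names, sector and region labels, confidence values and the 0.2/0.5/0.3 weights are assumptions; only the ATT&CK technique IDs are real identifiers, used here purely as labels.

```python
"""Prioritise adversary TTPs by their relevance to one organisation.

Added example, not code from Arachne Digital or the original post. The CTI
records, actor names, industry/region labels and scoring weights below are
constructed assumptions; the ATT&CK technique IDs are real identifiers used
only as labels.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatReport:
    """One piece of contextual CTI: who the actor targeted and what they did."""
    actor: str
    industries: frozenset
    regions: frozenset
    techniques: frozenset    # ATT&CK technique IDs observed in the report
    confidence: float = 1.0  # analyst confidence, 0.0 to 1.0 (assumed scale)


@dataclass(frozen=True)
class OrgProfile:
    industry: str
    region: str


# Constructed sample reports; not real threat reporting.
SAMPLE_REPORTS = [
    ThreatReport("Actor-A", frozenset({"finance"}), frozenset({"EU", "UK"}),
                 frozenset({"T1566.001", "T1059.001", "T1021.001"}), 0.9),
    ThreatReport("Actor-B", frozenset({"finance", "retail"}), frozenset({"US"}),
                 frozenset({"T1566.001", "T1078", "T1486"}), 0.8),
    ThreatReport("Actor-C", frozenset({"healthcare"}), frozenset({"UK"}),
                 frozenset({"T1190", "T1059.001"}), 0.7),
    ThreatReport("Actor-D", frozenset({"finance"}), frozenset({"UK"}),
                 frozenset({"T1078", "T1021.001", "T1486"}), 0.6),
]


def relevance(report, org):
    """Weight a report by how closely its targeting matches the organisation.

    Industry and geography matches each add to a small baseline (TTPs are
    frequently reused across sectors); the result is scaled by confidence.
    The weights 0.2 / 0.5 / 0.3 are assumptions to be tuned per organisation.
    """
    score = 0.2
    if org.industry in report.industries:
        score += 0.5
    if org.region in report.regions:
        score += 0.3
    return score * report.confidence


def prioritise_ttps(reports, org):
    """Rank techniques by the summed relevance of the reports that mention them.

    Returns (technique, score, sorted actor list) tuples, highest first; ties
    are broken by technique ID so the output is deterministic.
    """
    scores = defaultdict(float)
    actors = defaultdict(set)
    for report in reports:
        weight = relevance(report, org)
        for technique in report.techniques:
            scores[technique] += weight
            actors[technique].add(report.actor)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(t, round(s, 3), sorted(actors[t])) for t, s in ranked]


def priority_list(ranked, min_score):
    """Cut the ranking at a threshold to get the priority TTPs that detection
    engineering and purple teaming should address first."""
    return [t for t, s, _ in ranked if s >= min_score]


if __name__ == "__main__":
    org = OrgProfile(industry="finance", region="UK")
    ranked = prioritise_ttps(SAMPLE_REPORTS, org)
    for technique, score, who in ranked:
        print(f"{technique:<10} {score:5.2f}  {', '.join(who)}")
    print("priority:", priority_list(ranked, min_score=1.0))
```

Run as-is, a UK finance organisation gets T1021.001 and T1566.001 at the top because two relevant actors share them, while T1190 (seen only in a healthcare-targeting report) drops below the threshold; change the profile to healthcare and the ranking reshuffles. The point is that the same CTI feed produces a different priority list per organisation, which is what "aligning TID with business risk" means in practice.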

Mapping Detections to a Framework

Detection use cases aligned with a framework like MITRE ATT&CK provide a standardised way to identify and respond to threats, regardless of the tools in use. This standardisation ensures consistent practices across the environment and helps teams focus on real-world threats, not tool-specific quirks.

Standardised detections also enable better performance measurement. Organisations can track metrics such as true positives, false positives, and response times to evaluate effectiveness. These insights help identify detection gaps, guide resource allocation, and drive continuous improvement.

Centralising these efforts in a Security Information and Event Management (SIEM) system further enhances visibility, coordination, and response.

Assembling the Right People, Processes, and Technology

To implement TID effectively, organisations need skilled personnel, robust processes, and the right technology. Prioritise hiring self-starters with a demonstrated ability to learn independently, such as through personal security projects, open-source contributions, or certifications earned through self-study.

Based on identified threats, organisations should select technologies that offer adequate protection. This process should be informed by the specific threat landscape, ensuring that tools and technologies are capable of countering identified risks. It is essential to recognise that tools like SIEM systems require proper inputs and ongoing maintenance to be effective. Processes are key to managing and optimising these tools.

Tooling to Enable Threat-Informed Defence

Implementing threat-informed defence effectively requires more than just skilled personnel and good processes. It also benefits from the right supporting tools. These tools help operationalise TID by enabling the integration, validation, and continuous refinement of defences based on real-world threats.

Key categories of tools that support TID include:

  • Threat Intelligence Management Tools: These platforms allow teams to ingest, enrich, prioritise, and distribute cyber threat intelligence across the organisation. They help ensure intelligence is actionable and aligned with internal priorities.
  • Detection Engineering and Management Platforms: These tools assist in designing, testing, and deploying detection logic, often mapped to adversary behaviours. They enable consistency and reusability across detection use cases.
  • Adversary Emulation and Simulation Frameworks: Emulation tools allow security teams to simulate attacker behaviours in a controlled environment. This helps validate the effectiveness of existing defences against specific tactics and techniques.
  • Security Testing and Assessment Platforms: Tools that support red teaming, purple teaming, or continuous security validation help identify detection and response gaps by testing controls under realistic attack scenarios.
  • Centralised Logging and Response Infrastructure: Security Information and Event Management (SIEM) systems, Security Orchestration, Automation, and Response (SOAR) platforms, and other centralised tools play a key role in aggregating data, responding to detections, and coordinating across teams.

When selecting tools, it’s important to prioritise those that integrate well with existing environments, support open standards and frameworks, and allow for automation, collaboration, and continuous improvement. Tooling should accelerate, not complicate, the organisation’s ability to align its defences with the evolving threat landscape.

Optimising Security Continuously

Security optimisation involves continuously improving and refining cybersecurity measures. This includes:

  • Collect performance data on security controls against actual threats. A SIEM is well suited to measuring false positive rates, and analysing past security incidents will reveal gaps in your existing detections.
  • Regularly evaluate and calibrate staff skills, processes, and technologies to maintain a robust security posture. Purple team exercises are excellent for this purpose.
  • Use a quantified understanding of potential risks to make informed decisions about resource allocation. Assess your threat landscape, existing tools, and gaps to fill them strategically.

By continuously assessing tools and teams against the threat landscape and simulated adversaries, organisations can identify and address gaps, leading to ongoing improvements in their security posture.

The Importance of Continuous Feedback and Intelligence Refresh

A threat-informed defence strategy is only as effective as the intelligence it’s built on. Adversaries evolve rapidly, and TTPs that were relevant last quarter may no longer pose the same risk today. This makes regular intelligence updates critical.

Organisations should establish feedback loops that continuously update their detection logic, playbooks, and controls based on:

  • New CTI from trusted providers
  • Lessons learned from red and purple team exercises
  • Detection performance metrics (e.g., missed detections, false positives)
  • Actual incidents and root cause analysis

By using these inputs to refine both CTI requirements and detection engineering, teams can ensure that their defences evolve in step with the threat landscape.

Steps to Implement Threat-Informed Defence

Establish Foundational Security Controls

Ensure that basic security measures are in place and functioning effectively. This includes good cyber hygiene practices and robust IT management processes.

Collect and Utilise CTI

Develop practices for gathering and utilising CTI. Integrate this intelligence into security operations to inform decision-making. If you cannot collect CTI, find a trusted partner that sells more than a list of IoCs.

Adopt a Proactive Security Posture

Move from reactive to proactive security by using frameworks like MITRE ATT&CK to prioritise specific threats. Implement continuous testing and improvement processes to ensure defences remain effective.

Foster a Threat-Informed Culture

Encourage a shift towards a threat-informed culture by training and educating staff, promoting collaboration, and emphasising the importance of CTI in all aspects of cybersecurity.

Measuring Success in Threat-Informed Defence

To track the effectiveness of TID over time, organisations need meaningful metrics that go beyond traditional compliance checklists. These should reflect how well defences align with and respond to real-world threats.

Key metrics include:

  • Coverage of Priority TTPs: What percentage of high-risk TTPs have a detection that has actually been shown to fire, not merely a rule mapped on paper?
  • Detection Effectiveness: True positives versus false positives, plus false negatives (behaviours exercised that no detection caught)
  • Response Time: Time to detect, investigate, and remediate confirmed incidents
  • CTI Refresh Frequency: How often is intelligence reviewed and updated?
  • Purple Team Findings Resolved: Proportion of techniques that succeeded undetected during purple team exercises and have since been remediated

These metrics not only quantify progress but also help demonstrate ROI to executives and ensure continuous accountability.
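The "Mapping Detections to a Framework" section above argues for tool-agnostic detection use cases keyed to ATT&CK techniques, and the metrics above ask how much of the priority landscape they cover and how well they perform. The following is an added example, not code from Arachne Digital or this post, that puts both together: a few detection rules written against a normalised event schema, each mapped to an ATT&CK technique, evaluated over a small labelled event set of the kind a purple team exercise produces. The rules, field names, events and priority list are all constructed assumptions; only the ATT&CK IDs are real identifiers. It deliberately includes a rule that is mapped to a technique but cannot fire on the available telemetry, so that "mapped" and "validated" coverage come out different.

```python
"""Measure ATT&CK-mapped detection coverage and effectiveness.

Added example, not code from Arachne Digital or the original post. The rules,
the normalised event schema, the event log and the priority-technique list are
all constructed for illustration; the ATT&CK IDs are real technique
identifiers used as labels.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Detection:
    name: str
    technique: str                   # ATT&CK technique the rule is mapped to
    matches: Callable[[dict], bool]  # predicate over one normalised event


# Rule logic is written against tool-agnostic, normalised fields (assumed
# schema), so the same use case can be ported between SIEM query languages.
def _encoded_powershell(ev):
    cmd = ev.get("cmdline", "").lower()
    return ev.get("process") == "powershell.exe" and ("-enc " in cmd or "-encodedcommand" in cmd)


def _admin_share_access(ev):
    return ev.get("type") == "share_access" and ev.get("share", "").upper() in {"ADMIN$", "C$"}


def _risky_attachment(ev):
    return ev.get("type") == "email" and ev.get("attachment", "").lower().endswith((".iso", ".lnk", ".js"))


def _impossible_travel(ev):
    # Depends on a geo-velocity enrichment the sample events never carry, so the
    # rule is mapped to T1078 but cannot fire: a gap the metrics should expose.
    return ev.get("type") == "auth" and ev.get("geo_velocity_kmh", 0) > 900


RULES = [
    Detection("encoded_powershell", "T1059.001", _encoded_powershell),
    Detection("admin_share_access", "T1021.002", _admin_share_access),
    Detection("risky_attachment", "T1566.001", _risky_attachment),
    Detection("impossible_travel", "T1078", _impossible_travel),
]

# Priority TTPs from the threat landscape (constructed list).
PRIORITY_TTPS = ["T1566.001", "T1059.001", "T1021.002", "T1078", "T1486"]

# Constructed, pre-labelled events such as a purple team exercise would
# produce: "label" is the ground truth, "technique" the ATT&CK ID exercised.
SAMPLE_EVENTS = [
    {"type": "process", "process": "powershell.exe",
     "cmdline": "powershell -enc SQBFAFgAIAAoAE4A", "label": "malicious", "technique": "T1059.001"},
    {"type": "process", "process": "powershell.exe",
     "cmdline": "powershell -ExecutionPolicy Bypass -File backup.ps1", "label": "benign"},
    {"type": "process", "process": "powershell.exe",   # admin tooling that legitimately encodes commands
     "cmdline": "powershell -EncodedCommand dwBoAG8AYQBtAGkA", "label": "benign"},
    {"type": "share_access", "share": "ADMIN$", "user": "jsmith", "label": "malicious", "technique": "T1021.002"},
    {"type": "share_access", "share": "public", "user": "jsmith", "label": "benign"},
    {"type": "email", "attachment": "invoice.iso", "label": "malicious", "technique": "T1566.001"},
    {"type": "email", "attachment": "invoice.pdf", "label": "malicious", "technique": "T1566.001"},  # missed
    {"type": "auth", "user": "jsmith", "src": "203.0.113.9", "label": "malicious", "technique": "T1078"},
]


def evaluate(rules, events):
    """Per-technique true positives, false positives and false negatives.

    A rule firing on a malicious event is a TP for its mapped technique and
    firing on a benign event an FP; a malicious event with no firing rule
    mapped to its technique is an FN for that technique.
    """
    counts = {}

    def tally(technique):
        return counts.setdefault(technique, Counter())

    for ev in events:
        fired = {r.technique for r in rules if r.matches(ev)}
        malicious = ev["label"] == "malicious"
        for technique in fired:
            tally(technique)["tp" if malicious else "fp"] += 1
        if malicious and ev["technique"] not in fired:
            tally(ev["technique"])["fn"] += 1
    return counts


def coverage(rules, events, priority):
    """Separate techniques that merely have a rule from those whose rule has
    been shown to fire on adversary behaviour."""
    counts = evaluate(rules, events)
    mapped = {r.technique for r in rules}
    validated = {t for t, c in counts.items() if c["tp"] > 0}
    return {
        "mapped_pct": len([t for t in priority if t in mapped]) / len(priority),
        "validated_pct": len([t for t in priority if t in validated]) / len(priority),
        "uncovered": sorted(t for t in priority if t not in mapped),
        "mapped_not_validated": sorted(t for t in priority if t in mapped and t not in validated),
    }


if __name__ == "__main__":
    for technique, c in sorted(evaluate(RULES, SAMPLE_EVENTS).items()):
        tp, fp, fn = c["tp"], c["fp"], c["fn"]
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        print(f"{technique:<10} tp={tp} fp={fp} fn={fn} precision={precision:.2f} recall={recall:.2f}")
    print(coverage(RULES, SAMPLE_EVENTS, PRIORITY_TTPS))
```

On this sample, four of the five priority techniques have a rule (80% mapped) but only three have a rule that actually fired on malicious activity (60% validated): T1078 is mapped to a rule that needs telemetry the environment does not produce, and T1486 has no rule at all. The per-technique counts also show the encoded PowerShell rule at 50% precision because of legitimate admin tooling, and the phishing rule at 50% recall because a PDF lure slipped past the attachment-extension logic. Each of those is a concrete remediation item for the feedback loop, which is the difference between a coverage heat map and a measured one.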

Challenges in Implementing Threat-Informed Defence

Despite the clear benefits of TID, many organisations struggle with implementation due to:

  • Foundational Cybersecurity Gaps: Many organisations lack basic cybersecurity foundations necessary for a threat-informed approach.
  • Poor Quality of CTI: Incomplete, inaccurate, or outdated CTI can hinder informed decision-making.
  • Immature IT Capabilities: Without mature IT asset management and change management practices, implementing dynamic and adaptive defences is challenging.
  • Cultural Barriers: Shifting from a compliance-focused to a threat-informed security culture requires significant organisational change.
  • Lack of Skilled Personnel: Implementing TID requires personnel who can translate threat intelligence into actionable defensive measures.

If TID efforts aren’t delivering results, revisit the above challenges. Strengthening foundational capabilities may be necessary before a threat-informed approach can succeed.

Conclusion

Threat-informed defence is more than a method; it is a mindset. It equips organisations to evolve alongside the threat landscape by grounding their defences in real-world adversary behaviours, not assumptions or checklists.

By identifying likely threats, aligning detection with known TTPs, investing in the right people and technologies, and continuously validating and refining defences, organisations can shift from reactive to proactive security.

While implementation can be challenging, the payoff is clear: a security posture that is adaptive, measurable, and deeply aligned to the threats that matter most. The journey begins with foundational practices and grows into a resilient strategy that turns intelligence into action — and action into advantage.

© 2024 Arachne Digital, ALL RIGHTS RESERVED