top of page
Lewis Henderson

Threat Modeling and Real-Time Intelligence - Part 2

Leverage Internet Telemetry & Threat Intelligence for Benefits Beyond the MITRE ATT&CK Framework


The MITRE ATT&CK framework is like a blueprint of the battlefield, showcasing potential threat actors and their tactics to infiltrate an organization. It guides a security practitioner to identify gaps in an organization's capabilities by following the tactics a bad actor may use to gain access. It also covers the techniques employed by threat actors to move laterally inside a network and compromise additional systems and infrastructure. It sheds light on how vulnerabilities are exploited, leading threat actors to move laterally within networks. However, the framework remains static, providing a snapshot of known adversarial behavior.


It offers security leaders and practitioners guidelines and essential attributes for threat detection, but they are not designed to guide security leaders on how to gain the visibility needed to better detect threats. Real-time threat intelligence fills this void, providing the crucial context to attribute attacks, track adversary behavior, and map their infrastructure. It is a vital source of intelligence and visibility that extends beyond boundaries to address evolving threats. It steps in and supports rapid threat analysis by offering a dynamic view of bad actors that may be targeting you and acts as a single source of truth.


Real-time threat intelligence and the MITRE security framework are complementary forms of intelligence that enable analysts to defend against threat actors proactively. A security framework such as MITRE is adversarial-focused. It can help you find gaps in your capabilities and give you an idea of who may be attacking you and how they move laterally within your environment to gain further access to your business systems.


Real-time intelligence gives you a way to observe the beginning stages of an attack when threat actors are performing reconnaissance on you as their target, or your third-party networks. There are few useful recommendations on how to use tools to defend an organization at this stage. But solutions do exist! This blog seeks to discuss where, why and how these blindspots can be addressed using threat intelligence derived from external threat intelligence sources, and the strategic gains there for innovative security leaders to seize.


Real-Time External Threat Intelligence Complements the MITRE ATT&CK Framework


The MITRE ATT&CK framework is renowned for its adversarial approach to defense. It provides a structured process for understanding threat actors' tactics, techniques, and procedures (TTPs). It reveals their modus operandi, so analysts have a starting place to understand what tools, experience and knowledge they need to track down bad actors - both inside and beyond the perimeter. It enables security teams to fortify their defenses in the right areas and bridge capability gaps in others.


Frameworks offer guidelines and essential attributes for threat detection, but they are not designed to guide security leaders on how to gain the visibility you need to better detect threats. Real-time threat intelligence fills this void, providing the crucial context to attribute attacks, track adversary behavior, and map their infrastructure. It is a vital source of intelligence and visibility that extends beyond boundaries to address evolving threats. It steps in and supports rapid threat analysis by offering a dynamic view of bad actors that may be targeting you and acts as a single source of truth.


The threat landscape demands innovative approaches that move beyond static data and reactive methodologies. Among the tools at a security leader's disposal are real-time threat intelligence and the MITRE ATT&CK framework. These two pillars of defense, though distinct in nature, can pave the way for a proactive cyber-defense strategy that enables a shift towards anticipating and defeating threats from adversaries.


While the framework equips defenders with essential insights with a range of TTPs, you must independently learn how to create your own unique threat data and the playbooks that pivot off of it. When analysts can see infrastructure changes and trace communications with threat actor groups, they can find other victims of an attack and notify them of possible compromise. This type of threat reconnaissance is the primary way enterprise security teams can raise the cost of attack and make it less profitable for threat actors to target their organization.


Actionable Insight: Embrace both external threat intelligence and the MITRE ATT&CK framework to equip cyber defenders with the visibility they need. It is the cornerstone of a proactive cyber defense that does not relegate defenders to reacting to events and chasing false positives and other resource-draining efforts.


Close the Capability gap for Proactive Defense with the MITRE ATT&CK Framework and Real-Time Threat Intelligence


The MITRE ATT&CK framework lays the foundation for creating robust detection mechanisms and preparing for what can be expected to detect and mitigate a threat.


It doesn’t take long to notice that much of the model is focused on what occurs when an attacker is already in your network - what about when they are scanning your assets? Or when they have already compromised your network and are setting up staging servers to steal your data - your internal network analysis and security tools are blind to this activity at this point in the attack so far - gaining external visibility of attacker activity is the difference of that data remaining in your possession, or being stolen.


Up-to-date external threat intelligence has the potential to greatly enhance security across the board. By automating detection policies with data that analysts derive by tracking threat actor infrastructure, this can be applied across the entire MITRE model. i.e., before, during and after an attack. To achieve this, analysts need a real-time view of threat actor activities.


These insights and resulting additions to defense policies mean that analysts are not providing out-of-date information to block lists, ensuring defenses are optimized and effective. They are acting on what is happening now, ensuring that any updating of defense policies uses real-time data as it develops. Access to real-time information and visibility into threat actor movements enable analysts to build constructive views and learn about IOCs from an external threat perspective.


Actionable Insight: Use the MITRE ATT&CK framework initially as a gap analysis tool. Not only does it call out adversary tactics, but helps to inform where you may, or may not, have visibility, tools, data, knowledge or resources that add value to your cyber defense. Allocate resources to invest in technologies that enable analysts to create actionable threat intelligence playbooks, promoting effective attribution and preventative tactics.


How Visibility and Reconnaissance Pays off to Countering Attacks


A quick snapshot of the MITRE ATT&CK reconnaissance frameworks shows ten different reconnaissance techniques and more than 30 sub-techniques that a bad actor might employ in their reconnaissance effort to gather intelligence for a targeted attack. As a defender, the framework suggestions for pre-compromise mitigations offered are minimal. Detection recommendations are relegated to anomaly-based analysis, known for high false-positive rates. It leaves little path for security leaders working towards enacting a proactive defense strategy and wanting to get ahead of attacks.


When using threat intelligence based on internet telemetry, new possibilities open up to monitor malicious activity as it is happening.


Analysts have a ground-zero current source of truth to observe attacker behavior and quickly make decisions if a suspicious IP should be further investigated. Visibility beyond the perimeter pays off in the latter stages of attack by enabling analysts to anticipate what a threat actor is going to do next, and be able to specify proactive defenses to counter an attacks.


Creating visibility into the external threat landscape supports proactive defenses and a high detection efficacy in the pre-compromise stage. This visibility is crucial to building a proactive defense strategy and addressing all stages of compromise using the framework.

Aggressive efforts made in the pre-compromise stage of an attack can pay out benefits towards prevention during exfiltration. Suppose you use internet telemetry enriched with threat intelligence for visibility and reconnaissance in the pre-compromise stage. In that case, you already have the answers to block exfiltration proactively instead of relying on signature or anomaly-based detection methods. It is a better way to address threats than using reactionary methods that lead to high false positive rates.


Actionable Insight: Identify your visibility gaps that lie within the ‘Reconnaissance’ column of the MITRE ATT&CK framework. This will lead to data sources that will help you to better understand the threat actors that are reaching out to your own and third-party networks, including victims of ongoing attacks. It reveals their evolving tactics, and the changes they make to their infrastructure before another attack. External threat intelligence or internet telemetry are the only sources of knowledge and data that will fill the visibility gap for threat actors at the Reconnaissance stage of the model.


Enhance Detection Capabilities with Actionable Insights


Real-time up-to-date external threat intelligence derived from internet telemetry has the potential to greatly enhance security across the board. By automating detection policies with data that analysts derive by tracking threat actor infrastructure, it can be applied across the entire MITRE model. i.e., before, during and after an attack. To achieve this, analysts need to be able to observe attackers in real time view of threat actor activities.


These insights and resulting additions to defense policies mean that analysts are not providing out-of-date information to block lists, ensuring defenses are optimized and effective with current information. They are acting on what is happening now, ensuring that any updating of defense policies uses real-time data as it develops. Access to real-time information and visibility into threat actor movements enable analysts to build constructive views and learn about IOCs from an external threat perspective. It's important to remember that the MITRE ATT&CK framework does not provide a complete answer to defense against attackers' tactics, techniques, and procedures and only offers suggestions for mitigation and detection. Bad actors constantly innovate, and a security leader's response must do the same.


Let your analysts do more by tracing down attackers, making associations, and preempting an attack with reconnaissance-led intelligence that can actively block an attack. Once you enable visibility to internet telemetry and historical context, analysts are not just reacting to what is happening inside the network. This is foundational to enacting a proactive defense that turns the dynamics of the MITRE ATT&CK framework on its head and creates new areas for learning and preemptive defense.


Actionable Insight: Allocate resources to invest in technologies that enable analysts to create actionable threat intelligence playbooks, promoting effective attribution and preventative tactics.


Learn more about the threat vectors you should be considering for your Threat Model here


Read our customer case study about the discoveries made when external Threat Intelligence is applied over a Threat Model.


Mature threat intelligence teams add tangible financial business value and reduction of business risk. Learn more about how our customer gained success integrating real-time threat intelligence to enact a proactive defense that goes beyond the MITRE ATT&CK framework to offer pre-compromise defense.




bottom of page