It may not be the latest trendy thing in the world of cyber – calm down AI, we’ll get to you later – but threat intelligence is still one of the most important topics out there. In fact, in the current landscape, staying one step ahead of adversaries is all about intelligence.
I’m pretty confident this view is shared by someone I recently had the pleasure of speaking to – Jon Baker, the Director and Co-Founder of the Center for Threat-Informed Defense at MITRE Engenuity. As someone who has been working to thwart cyber threats for more than two decades, Jon understands the importance of collective threat intelligence more than most.
As he puts it: “All of my work over the last 20 years has a common theme: how do we enable innovation and accelerate cyber defence capabilities across all of industry?”
Jon’s journey started as a software engineer working on a US Government-sponsored research project to develop next-generation vulnerability scanning capabilities. Today, he leads the Center for Threat-Informed Defense, a non-profit entity that brings sophisticated security teams from around the world together to scale knowledge and improve defensive capabilities across the private sector. I’ll let him explain more.
Collaborative problem-solving
Firstly, how did the Center come about? “We had a set of organisations that liked what we did with MITRE ATT&CK® – a framework which provides a free online knowledge base of cyber adversary behaviour – and wanted to help us expand it into an international resource. The mission was to advance cyber defence for the whole community. Today, I work entirely with industry to create foundational capabilities that enable innovation, and try to improve efficiency and effectiveness for cyber defenders globally.”
This work covers many areas – from mapping products to known cyber tactics, techniques, and procedures (TTPs), to conducting research into threat detection engineering. But everything is geared towards advancing the industry’s collective understanding of adversary behaviours in order to drive widespread defensive improvements for teams around the world. In Jon’s words, “we’re not just here to make life better for the biggest, most sophisticated orgs. We’re trying to advance the defence community globally.”
This collaborative approach has clearly worked, as the Center now boasts an international representation of security teams from across sectors. Along with their members, Jon and his team systematically work to identify the hard problems, gaps and challenges that cyber defenders face, and solve them through collaborative R&D with industry. There’s a focus on providing freely available, practical resources that any security team could implement. And, as topics are often raised by the members themselves, the work directly contributes to the security of the wider business ecosystem.
“We get all sorts of interesting problems and challenges brought to us. For example, one of the most common challenges that businesses struggle with is the overwhelming nature of the MITRE ATT&CK knowledge base. There are so many different techniques and sub-techniques, so it’s hard for defenders to figure out where to start or where to look next as they look to improve their defensive coverage.”
This inspired a project focused on creating a methodology for systematically prioritising techniques, then applying that methodology to the ATT&CK knowledge base and creating a list of techniques for a particular use case – in this case ransomware. But, true to form, the project’s participants wanted to make it as practical and accessible to security teams as possible. And so, an online calculator application was born, which is now widely used by security teams around the world to help them inform and prioritise techniques as they work to improve their defences.
“The calculator is integrated into various different security products and services, and I’m aware of several teams that use it for threat hunting activities. This example just shows how our members can take problems and collaborate to turn them into practical resources.”
Always looking forwards
Anyone involved in cyber security knows that the landscape changes quickly, and Jon is acutely aware of the need to constantly think about what’s next. And he’s certainly not shying away from that responsibility.
For example, one area the Center has been focused on is making it easier for security teams to take high-quality threat intelligence products and operationalise them. This is work that we at BAE Systems Digital Intelligence are proud to have contributed to through the CTI Blueprints project, which empowers teams to improve the quality, consistency and structure of their threat intelligence reporting.
It all comes down to making it easier for the consumers of those reports to operationalise them – i.e. turn them into action. This requires security teams to understand the needs of their different target audiences and meet those needs in an efficient way. By streamlining and elevating the threat reporting process, organisations will be able to make faster and more informed defensive decisions based on actionable intelligence.
Another technology that everyone is talking about at the moment is, of course, artificial intelligence. The Center for Threat-Informed Defense is no exception: “We’re currently looking into using large language models to automate the process of detecting known attack techniques in threat intelligence reports, so security teams can spend more time focusing on their mitigation measures.
“We’re also investigating other ways that AI developments could impact the security community. Using AI to increase automation is a clear benefit, but there’s also plenty of concern around threats to AI systems and the new threats that AI tools could create. How adversaries might exploit AI threats is a topic we’re starting to explore in more detail and I expect our work in this area to grow over the coming months and years.”
But it doesn’t stop there. There’s also a growing interest in real-world threats against OT (Operational Technology) systems as organisations continue to leverage more OT capabilities. Jon anticipates that his team will soon increase its production of resources to help teams understand the OT threat landscape and how to defend against evolving threats.
This shows the value that the Center can provide. As a cross-industry research organisation, its members regularly come together to discuss new topics, challenges and problem areas as they emerge. As a result, its research programme naturally evolves in line with the threat landscape, keeping it at the forefront of innovation.
Adopting the right mind-set
Clearly, Jon and his team are making great strides in empowering organisations around the world to enhance their threat intelligence and cyber defence activities. But I wasn’t going to let him leave without tapping into his wealth of experience one last time. So, what advice would he give to businesses looking to up their threat intelligence game?
He believes it’s all about attitude: “For teams looking to implement a threat-informed perspective in their security programmes, it can be pretty overwhelming to get started. It’s all too easy to get bogged down and think you immediately have to be covered against all attacks, but that’s not the right mind-set.
“Remember that you don’t have to boil the ocean. Take the time to understand the threats that are most relevant to your organisation, then pick a particular ATT&CK technique and investigate it fully. Understand what your ability is to observe that behaviour and how you can improve. When you can efficiently and effectively act on events that are triggered by that behaviour, you can move onto the next ATT&CK technique.”
Jon finished our conversation by emphasising that this isn’t something anyone finishes. It’s an ongoing process that involves continuously evaluating threats, understanding your ability to respond based on your specific technology environment, and leveraging this knowledge to improve your defences. Businesses must be prepared to embrace this mind-set. Just one of many learnings from a true expert of cyber defence.
Subscribe to The Digital Thread to hear more about the perspectives and experiences of our clients and stay up to date with the latest insights from our experts.
About the author
Adrian Nish, Head of Cyber Propositions
Further reading:
- Enabling decision advantage in the cyber domain: As the threat intelligence landscape continues to evolve, operationalising cyber threat data is becoming an increasing priority for businesses and analyst teams.
- Unlocking defence transformation for the digital deterrent: With significant opportunities available for the UK to digitally transform defence, what lessons can we learn from commercial sectors?
- The advantage of ‘Hunt Forwards’: HFOs provide an enhanced capability to identify cyber threats. But what exactly are they and how can they be modified for wider applications?
- Between the data and the deep blue sea: Ben Holloway can be found spearheading the Navy’s Data and Applications from his berth at the UK’s Ministry of Defence. Here’s how he is getting on.
- Exercising partner nations’ response to cyber attacks: Discover how we used bespoke exercises and a gamified experience to help 37 nations evaluate their incident response processes.