Development and operations a practical guide


Date: 11.02.2023
Joe Vest, James Tubberville, Red Team Development and Operations
We must understand the threat to develop defenses properly.

The security industry uses the term threat, but what is a threat?

Dictionary.com [2] defines threat as:

a declaration of an intention or determination to inflict punishment, injury, etc, in retaliation for, or conditionally upon, some action or course; menace; an indication or warning of probable trouble; a person or thing that threatens.

ISO 27001 [3] defines threat as:

A potential cause of an incident, that may result in harm of systems and organization.

NIST [4] defines threat as:

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, or denial of service.

Let's walk through this in the context of cybersecurity threats. A threat is an event that has the potential to impact an organization adversely. Are security operations teams defending against this threat? A negative event? Perhaps, but consider including the term threat-actor when using threat. A threat-actor is the person or group of people behind an attack. A solid defensive strategy must defend against an intelligent threat-actor determined to cause damage to an organization and not just a potential event. People are behind cyber-attacks.

When the defense considers the tactics, techniques, and procedures (TTPs) of intelligent threat-actors, they begin to understand the real threat. Defenders can then implement robust security defenses that directly impact the ability a threat-actor has to perform harmful actions. Shifting security operations from the mindset of "Vulnerable" or "Not Vulnerable" and adopting an approach that focuses on threat actions will significantly improve the ability an organization has to not only prevent but also detect and respond to real threats.

Diving into TTPs is the beginning of understanding security through the eyes of the threat. Organizations that use threat actions to drive their defensive TTPs can make life very difficult for threat-actors and even protect themselves against unknown or zero-day attacks.
