Threat-Informed Defense: Using ATT&CK and Models to Plan Improvements
Threat-informed defense means using knowledge about real attacks to guide security work, so defensive choices stay connected to how adversaries actually behave in the world. For a beginner, this idea matters because it turns cybersecurity from a pile of disconnected tools into a story about attackers, their steps, and the ways defenders can interrupt those steps. In threat-informed defense, the starting point is not a catalog of products or buzzwords, but a simple description of how someone might break into a system, move around, and reach something valuable. That description becomes a map that shows which defenses should exist, where they should sit, and which events defenders must notice quickly when something suspicious happens. Thinking this way keeps learning grounded in real attacker behavior instead of abstract checklists and slogans, which helps every new concept feel like another piece of the same overall picture. This episode uses that map-based thinking to connect several popular models so a new learner sees how they support threat-informed defense together.
Many security models become easier to use when beginners treat them as maps rather than strict rulebooks, because maps describe where things are and how they relate instead of demanding one official path. A map can be followed in different ways depending on the traveler, and in cybersecurity the traveler might be a new analyst, a system administrator, or a security manager. When a learner opens a well-known model and sees many boxes, arrows, and labels, it can feel like memorizing a complicated diagram from a textbook without understanding why it exists. Thinking of that diagram as a map lowers the pressure, because the goal becomes finding a few useful routes through it that match important real attacks. In a map mindset, the learner chooses a destination, such as protecting a simple web application, and then traces only the parts of each model that help understand how an attacker might approach that target. This approach turns big frameworks from intimidating walls of information into helpful guides that support threat-informed defense step by step.
One of the most widely used maps is the MITRE ATT&CK framework, a public, free catalog of attacker behaviors drawn from real-world incidents and research. The framework arranges those behaviors into tactics, the high-level goals an attacker pursues, and techniques, the specific ways an attacker might achieve each goal on a system; many techniques are further split into sub-techniques, and each entry also lists procedure examples from named groups and malware, suggested mitigations, and the data sources a defender would need in order to detect it. The familiar grid or matrix view shows tactics as columns across the top, for example Initial Access, Persistence, or Command and Control (the Enterprise matrix has fourteen of them), with techniques listed beneath each column. For a beginner, it helps to think of this matrix as a menu of possible attacker moves, not a set of moves that will all appear in every intrusion, and the columns are not a strict order either, since an attacker can return to tactics like Discovery or Credential Access several times in one intrusion. Each square is simply one behavior that might be chosen during an attack, so when building threat-informed defense plans the learner uses only the behaviors that match the chosen attack story. This selective use keeps the framework practical and stops the matrix from turning into a memory exercise with little real value.
Another important map for threat-informed defense is the Cyber Kill Chain, a model published by Lockheed Martin that describes an intrusion as a sequence of seven stages, beginning long before the first alert appears on any dashboard. In this model the attacker starts with reconnaissance, learning about the target environment, then weaponization, building or packaging the malicious content, then delivery and exploitation, where that content reaches the target and a weakness is triggered on a system. The remaining stages are installation, command and control, and actions on objectives, where the attacker settles into the environment, opens a channel back out, and begins reaching for valuable data or systems. The power of the kill chain lies in its storytelling nature, because it turns a chaotic collection of events into a clear beginning, middle, and end, and it carries a practical lesson: the attacker has to complete every stage, so breaking the chain at any one of them ends that attempt. A beginner can draw a simple timeline on paper and place each important attacker action along it, which makes it easier to see where new defenses or detections could interrupt the sequence. One caveat worth remembering is that real intrusions are rarely this tidy; an attacker who lands on a workstation usually starts a fresh round of reconnaissance inside the network, so the chain repeats or loops rather than running once. Treating the kill chain as a story map still helps connect individual behaviors from the earlier framework into a coherent attack journey.
A third map that supports threat-informed defense is the NIST Cybersecurity Framework 2.0 (NIST CSF 2.0), published by the National Institute of Standards and Technology, which many organizations use as a shared vocabulary for their security outcomes. The framework groups cybersecurity work into six functions: Govern, which sets the organization's risk strategy, roles, and policies; Identify, knowing which assets and risks matter; Protect; Detect; Respond; and Recover. Each function is broken down into categories and subcategories that describe what should be true in the environment, for example that log records are generated and available for monitoring, rather than naming specific tools or brands that must appear. For a beginner, this distinction matters because it shows that a good framework talks about results, like having access managed or logs collected, instead of insisting on one vendor's product. When used as a map, NIST CSF 2.0 offers simple language that describes what strong security looks like, which can then be connected back to the more detailed attacker behaviors and sequences from the earlier models. This connection allows threat-informed defense plans to trace each improvement idea from high-level outcome down to specific attacker actions.
When these three maps are combined, threat-informed defense becomes much easier to understand and practice, because each model focuses on a different angle of the same overall story. The MITRE ATT&CK framework catalogs individual attacker behaviors, the Cyber Kill Chain arranges those behaviors into a timeline of stages, and NIST CSF 2.0 describes the defensive outcomes an organization should reach. A learner can imagine first choosing a likely attack story using the kill chain, then filling that story with specific behaviors from the ATT&CK catalog, and finally checking which NIST CSF 2.0 outcomes would block, detect, or limit those behaviors. This layered view turns three separate diagrams into a single big map that runs from attacker intent to defender success. It also keeps the work grounded in real threats, because every control being considered is tied back to some behavior that attackers have already demonstrated in the real world.
With the combined map in mind, a beginner can start by naming one or two simple attack paths, which are short stories describing how an attacker might move from the outside world to something valuable inside a system. Consider a small online college bookstore that sells textbooks and school merchandise, where customers log in, browse items, and store their payment details in an account. One attack path might describe an attacker sending a phishing email to a clerk, getting that clerk to open a malicious attachment, and then using the resulting access to reach the inventory system. Another attack path might involve probing the public website for a weak login page, guessing or stealing a password, and then moving into the admin area where prices and orders are controlled. Each path is a clear beginning-to-end story that can be told in a few sentences, and those stories are the starting routes the learner will walk across the combined defense map. Keeping the number of paths small at the beginning prevents confusion and makes early threat-informed defense practice feel manageable.
Once the attack paths are described in plain language, the learner can map each one onto the Cyber Kill Chain stages, which turns the story into a structured sequence that highlights important transition points. In the phishing example at the college bookstore, reconnaissance might include the attacker learning staff email formats, delivery would be the malicious email reaching the clerk, and exploitation would be the moment the attachment runs on the workstation. Installation and command and control could cover any malicious tools or remote access channels that the attacker establishes afterward, while actions on objectives would describe the attacker browsing systems that hold inventory, pricing, or stored customer details. Drawing this sequence as a line and labeling each stage forces the story to slow down, so the learner notices where the attacker has to take specific steps that could be monitored or blocked. This slow, stage-by-stage mapping lays the foundation for connecting more detailed behaviors and defensive outcomes in later steps.
After the attack story is aligned with the kill chain, the learner can pull in the MITRE ATT&CK framework to describe which specific tactics and techniques are likely at each stage. For the reconnaissance stage against the college bookstore, the relevant ATT&CK tactic is Reconnaissance, with techniques such as gathering victim identity information (employee names and the email address format) and searching open websites and social media for contact details. During delivery and exploitation, the tactics are Initial Access and Execution, with techniques like Phishing (a spearphishing attachment) followed by User Execution, where the clerk opens the malicious file and untrusted code runs on the workstation. Later stages map to several tactics at once: a remote access tool the attacker installs belongs to Command and Control (Remote Access Software), the scheduled task or autostart entry that keeps it running is Persistence, and using the clerk's stolen password or another valid account to reach systems the clerk should not touch is the Valid Accounts technique, which ATT&CK lists under Privilege Escalation, Defense Evasion, Persistence, and Initial Access because the same behavior serves several goals. Writing a few of these tactic and technique names next to each kill chain stage connects the high-level story to concrete attacker actions and gives the learner a vocabulary that matches how professional defenders already describe intrusions.
With attacker behaviors mapped onto the story, the learner can now bring in NIST CSF 2.0 to check for controls and visibility at each step, where controls are defensive safeguards (mostly Protect outcomes) and visibility means the ability to see important events in time to respond (mostly Detect outcomes). For the phishing email stage at the bookstore, Protect outcomes might include security awareness training for staff, email filtering that blocks known malicious attachments, and an easy way for a clerk to report an unexpected file. Detect outcomes might include email gateway logs that are actually collected and reviewed, and endpoint protection alerts when a document spawns a suspicious child process. For later stages, Protect outcomes could include limiting which systems the clerk account can reach, while Detect outcomes might include monitoring for unusual logins or access to sensitive inventory and pricing screens. By labeling each kill chain step with the relevant NIST CSF 2.0 outcomes, the learner creates a table in their notes with one row per step and a column each for the ATT&CK techniques, the Protect outcomes in place, and the Detect outcomes in place, which makes it much easier to see where defenses are strong and where a row is simply empty.
When the map is filled with attacker steps, behaviors, and desired outcomes, the empty spaces quickly turn into clear improvement ideas, because each gap represents a place where an attacker could move without meeting strong resistance or timely detection. If the bookstore scenario shows no training for clerks about phishing emails, that gap suggests an improvement outcome related to staff awareness and a simple reporting procedure. If there is no logging from the systems that control inventory and pricing, another improvement idea might involve enabling auditing features and forwarding those logs to a central location for monitoring. The learner can write these ideas in plain language, such as improving email filtering, adding training sessions, or collecting new logs, and then attach them to the relevant NIST CSF 2.0 outcomes so they stay connected to the larger framework. A mark on the map is still only a claim, so each one is worth checking: send a harmless test attachment through the email filter and confirm that the expected block, alert, and log record actually appear, because a control that exists on paper but never fires is just another gap. Thinking in terms of gaps and outcomes turns abstract best practice lists into a focused set of next steps that are clearly tied to concrete attack paths.
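The four steps above, a written attack path, its kill chain stages, the ATT&CK techniques at each stage, and the CSF 2.0 outcomes already in place, carried through for the bookstore phishing path in a short Python script. This is an added example, not code from the episode. The ATT&CK technique IDs are the real Enterprise IDs for the behaviors the story names; the CSF 2.0 subcategory labels, the controls assumed to exist at the fictional bookstore, and the key names of the ATT&CK Navigator layer it emits are illustrative assumptions to check against the published framework, the real environment, and the Navigator release in use.

```python
"""Gap analysis for one attack path: Cyber Kill Chain stage -> ATT&CK
techniques -> NIST CSF 2.0 outcomes already in place.

Added example for the college bookstore phishing path, not code from the
episode.  ATT&CK IDs are Enterprise technique/sub-technique IDs; the CSF 2.0
subcategory labels, the controls assumed to exist, and the Navigator layer
keys are illustrative assumptions to verify before relying on them."""
import json
from dataclasses import dataclass, field


@dataclass
class Step:
    stage: str                                    # Cyber Kill Chain stage
    techniques: list                              # (ATT&CK ID, name) pairs
    protect: list = field(default_factory=list)   # CSF Protect outcomes in place
    detect: list = field(default_factory=list)    # CSF Detect outcomes in place


# Constructed attack path: phish a clerk, then reach the inventory system.
# Which controls exist is an assumption about this fictional bookstore.
PHISHING_PATH = [
    Step("Reconnaissance",
         [("T1589.002", "Gather Victim Identity Information: Email Addresses"),
          ("T1593.001", "Search Open Websites/Domains: Social Media")]),
    Step("Weaponization",
         [("T1587.001", "Develop Capabilities: Malware")]),
    Step("Delivery",
         [("T1566.001", "Phishing: Spearphishing Attachment")],
         protect=["PR.AT-01 staff phishing awareness training",
                  "email gateway strips known-bad attachment types"],
         detect=["DE.CM-01 email gateway logs forwarded to central log store"]),
    Step("Exploitation",
         [("T1204.002", "User Execution: Malicious File")],
         detect=["DE.CM-09 endpoint alert when a document spawns a shell"]),
    Step("Installation",
         [("T1053.005", "Scheduled Task/Job: Scheduled Task")]),
    Step("Command and Control",
         [("T1219", "Remote Access Software")],
         detect=["DE.CM-01 outbound proxy logs"]),
    Step("Actions on Objectives",
         [("T1021", "Remote Services"), ("T1005", "Data from Local System")],
         protect=["PR.AA-05 clerk account has no rights on the admin pricing app"]),
]

# Stages that happen on the attacker's own systems: the bookstore cannot place
# a Protect or Detect outcome there, so they are excluded from gap reporting.
EXTERNAL_STAGES = {"Reconnaissance", "Weaponization"}


def coverage_table(path):
    """One row per kill chain step: stage, technique IDs, P/D coverage marks."""
    return [(s.stage, ", ".join(tid for tid, _ in s.techniques),
             "P" if s.protect else "-", "D" if s.detect else "-")
            for s in path]


def find_gaps(path):
    """Return a record for every in-scope step missing Protect or Detect coverage."""
    gaps = []
    for s in path:
        if s.stage in EXTERNAL_STAGES:
            continue
        missing = [fn for fn, have in (("protect", s.protect), ("detect", s.detect))
                   if not have]
        if missing:
            gaps.append({"stage": s.stage,
                         "techniques": [tid for tid, _ in s.techniques],
                         "missing": missing})
    return gaps


def improvement_ideas(gaps):
    """Turn each gap into a plain-language next step tied to a CSF function."""
    wording = {"protect": "add a Protect (PR) outcome that blocks or limits",
               "detect": "add a Detect (DE) outcome that gives visibility into"}
    return ["%s %s (%s)" % (wording[fn], g["stage"], ", ".join(g["techniques"]))
            for g in gaps for fn in g["missing"]]


def navigator_layer(path, name="Bookstore phishing path"):
    """Build an ATT&CK Navigator layer: score 0 = no coverage, 1 = Protect or
    Detect, 2 = both.  Key names follow the Navigator layer format as assumed
    here; check the 'versions' block against the Navigator release you use."""
    techniques = []
    for s in path:
        score = int(bool(s.protect)) + int(bool(s.detect))
        for tid, tname in s.techniques:
            techniques.append({"techniqueID": tid, "score": score,
                               "comment": "%s: %s" % (s.stage, tname)})
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.5", "attack": "14", "navigator": "4.9.1"},
            "techniques": techniques}


if __name__ == "__main__":
    for stage, ids, p, d in coverage_table(PHISHING_PATH):
        print("%-22s %s %s  %s" % (stage, p, d, ids))
    for idea in improvement_ideas(find_gaps(PHISHING_PATH)):
        print("TODO:", idea)
    print(json.dumps(navigator_layer(PHISHING_PATH), indent=2))
```

Running it prints the notes table with a P or D mark per row, then one TODO line per missing function for each in-scope step (here: no Protect outcome at Exploitation, nothing at all at Installation, no Protect outcome at Command and Control, and no Detect outcome at Actions on Objectives), and finally a layer that can be loaded into ATT&CK Navigator to color the covered and uncovered techniques on the matrix. Editing the protect and detect lists as controls are added or found not to work is the whole maintenance loop.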
The same maps that organize defensive improvements can also guide a beginner's personal learning plan, because they highlight which attacker behaviors, defensive techniques, and outcomes matter most for the chosen scenarios. Instead of trying to read every single entry in the MITRE ATT&CK catalog, a learner can start by studying only the tactics and techniques that appear in the defined attack paths. They might choose to practice recognizing phishing indicators, basic web login weaknesses, or suspicious administrative actions, and then connect each of those practice topics back to the relevant kill chain stages and NIST CSF 2.0 outcomes. This creates a feedback loop where learning new material immediately strengthens the ability to reason about mapped attack stories. It also stops the learner from drifting into random topics that feel impressive but do not help protect the simple environments they currently understand. By treating models as learning maps, beginners steadily build depth in the areas that matter most for real threat-informed defense.
Using shared maps also helps beginners communicate more clearly with experienced blue teams, red teams, and managers, because everyone can point to the same attack paths, behaviors, and outcomes when discussing risk and improvements. Blue teams, the defenders who monitor systems and respond to incidents, often describe their work in terms of detection coverage across tactics and techniques from the MITRE ATT&CK framework. Red teams, the specialists who simulate attackers to test defenses, usually plan exercises around specific kill chain sequences and attack paths that mirror real-world campaigns. Managers and risk owners frequently rely on NIST CSF 2.0 language to describe whether important business services are governed, identified, protected, detected, responded to, and recovered adequately. When a beginner learns to translate between these perspectives using the combined map, they can join conversations by referring to concrete stories rather than vague fears or tool names. This shared storytelling style increases confidence, reduces miscommunication, and makes threat-informed defense feel like a team effort instead of an individual struggle.
When threat-informed defense is built around maps, it becomes much more approachable for beginners, because the focus stays on real attacker stories and the specific defensive responses that can change those stories. The Cyber Kill Chain provides the narrative spine, describing how attacks unfold from early reconnaissance through final actions on objectives, while the MITRE ATT&CK framework supplies detailed behaviors that occupy each stage along that spine. NIST CSF 2.0 then describes the outcomes that strong organizations pursue, which allows every improvement idea to be traced from high-level intent back down to particular attacker moves in familiar scenarios like a small bookstore or community site. With practice, a learner can look at a new security article or incident report and mentally place pieces of the story onto these shared maps. That skill turns overwhelming news into structured lessons about where defenses worked and where they failed, and it gives the learner a repeatable way to plan improvements and study goals that matter. This has been Mastering Cybersecurity, developed by BareMetalCyber.com for growing defenders everywhere.
