Conventional network defense tools such as intrusion detection systems and anti-virus focus on the vulnerability component of risk, and traditional incident response methodology presupposes a successful intrusion. An evolution in the goals and sophistication of computer network intrusions has rendered these approaches insufficient for certain actors. A new class of threats, appropriately dubbed the “Advanced Persistent Threat” (APT), represents well-resourced and trained adversaries that conduct multi-year intrusion campaigns targeting highly sensitive economic, proprietary, or national security information. These adversaries accomplish their goals using advanced tools and techniques designed to defeat most conventional computer network defense mechanisms. Network defense techniques which leverage knowledge about these adversaries can create an intelligence feedback loop, enabling defenders to establish a state of information superiority which decreases the adversary’s likelihood of success with each subsequent intrusion attempt. Using a kill chain model to describe phases of intrusions, mapping adversary kill chain indicators to defender courses of action, identifying patterns that link individual intrusions into broader campaigns, and understanding the iterative nature of intelligence gathering form the basis of intelligence-driven computer network defense (CND). Institutionalization of this approach reduces the likelihood of adversary success, informs network defense investment and resource prioritization, and yields relevant metrics of performance and effectiveness. The evolution of advanced persistent threats necessitates an intelligence-based model because in this model the defenders mitigate not just vulnerability, but the threat component of risk, too.
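As an added illustration, not code from the paper: a small Python routine that links separate intrusions into campaigns by the kill chain indicators they share, then lists the indicators that recur across a campaign's phases, the ones a defender would prioritise when mapping indicators to courses of action. The phase names follow the full paper's kill chain, which this abstract does not enumerate, and every intrusion and indicator value is constructed.

```python
from collections import defaultdict

# Kill chain phases as named in the full paper (assumed; the abstract does not list them).
PHASES = ("reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "c2", "actions_on_objectives")

# Constructed sample: indicators observed per phase in four intrusions (all values made up).
INTRUSIONS = {
    "intrusion-1": {"delivery": {"sender:alice@example.invalid"},
                    "c2": {"domain:c2-one.example.invalid"}},
    "intrusion-2": {"delivery": {"sender:bob@example.invalid"},
                    "c2": {"domain:c2-one.example.invalid"}},
    "intrusion-3": {"delivery": {"sender:bob@example.invalid"},
                    "c2": {"domain:c2-two.example.invalid"}},
    "intrusion-4": {"delivery": {"sender:carol@example.invalid"},
                    "c2": {"domain:c2-three.example.invalid"}},
}

def link_campaigns(intrusions):
    """Group intrusions sharing any indicator, in any phase, into campaigns (union-find)."""
    parent = {name: name for name in intrusions}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    owner = {}  # indicator -> first intrusion it was seen in
    for name, phases in intrusions.items():
        for ind in set().union(*phases.values()):
            if ind in owner:
                parent[find(name)] = find(owner[ind])
            else:
                owner[ind] = name
    groups = defaultdict(set)
    for name in intrusions:
        groups[find(name)].add(name)
    return sorted(sorted(g) for g in groups.values())

def recurring_indicators(intrusions, campaign):
    """Per phase, indicators seen in more than one intrusion of the campaign: the reused
    infrastructure a defender can turn into detection or denial before the next attempt."""
    counts = {phase: defaultdict(int) for phase in PHASES}
    for name in campaign:
        for phase, inds in intrusions[name].items():
            if phase not in counts:
                raise ValueError(f"unknown kill chain phase: {phase}")
            for ind in inds:
                counts[phase][ind] += 1
    return {phase: sorted(i for i, n in counts[phase].items() if n > 1)
            for phase in PHASES if any(n > 1 for n in counts[phase].values())}
```

With the sample above, intrusions 1 to 3 chain together through a shared C2 domain and a shared sender even though no single indicator appears in all three, while intrusion 4 stays isolated.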