Inform Threat Model

Update existing threat models based on intelligence gained during an engagement operation.

Informing the threat model means updating existing models based on new intelligence learned during the adversary engagement operation. Updates may include revising knowledge of adversary TTPs, IOCs, etc. Whenever the threat model is updated, it is essential to revisit any operational decisions that were made using the old threat model. Revisiting operational decisions is particularly important when the update to the threat model is related to new TTPs.

For example, suppose an adversary is observed demonstrating a previously unknown TTP. Any operation currently focused on this threat should be reassessed. Defenders should ensure that collection is adequate to monitor this new TTP and continue to ensure operational safety. When appropriate, sharing this updated threat model with the community will allow for greater collaboration and shared defense.

ID: SAC0009
Type: Strategic
Goals: Understand
Approaches: Analysis