Make sure that the defender is capturing, utilizing, and refining knowledge learned to improve the defender's posture.

Understand frames how raw operational outputs can be collected, synthesized, and used to inform future operations and defensive strategies. The Understand goal helps the defender assess progress towards Strategic Goals. At its core, Understand ensures that operational outputs connect to and inform a larger strategy. To do this, the defender must turn the raw outputs of an operation into useful, actionable intelligence. These outputs may take the form of collected PCAP, logs, qualitative defender observations, and so on. Applying analytics to the raw data helps the defender map it to adversary behavior; that behavior can then be analyzed to contextualize the intelligence and inform the existing threat model.

For example, the defender may look at raw PCAP data and identify a new IP address that the adversary uses for exfiltration. This IOC can be added to the existing threat model. After applying behavioral analytics to the data, the defender might see that the adversary used a new Defense Evasion technique. In that case, the defender should update the threat model to include this new intelligence. At this point, the defender should assess whether this new intelligence affects any ongoing operations; for example, the defender should ensure that current collection efforts will detect this new TTP. Other opportunities to increase the defender's understanding post-operation include efforts to refine and update individual engagement activities based on qualitative and quantitative outputs. The defender can reflect on how the overall engagement went and refine future activities to maximize their usefulness.
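The workflow in this example, written out as an added illustration (not MITRE Engage code): raw operation outputs are mapped to behaviors, new IOCs and TTPs are folded into the threat model, and each newly learned TTP is checked against current collection. The event fields, ATT&CK-style technique labels and the starting threat model are constructed for this example.

```python
# Added illustration of the Analysis step; not MITRE Engage code. Event fields,
# technique labels and the starting threat model are constructed for this example.
from dataclasses import dataclass, field

@dataclass
class ThreatModel:
    iocs: set = field(default_factory=set)          # atomic indicators (e.g. IP addresses)
    ttps: set = field(default_factory=set)          # behaviors as (tactic, technique) pairs
    detections: dict = field(default_factory=dict)  # technique -> collection that detects it

def behavior_from_event(ev):
    """Behavioral analytic: map one raw event to an adversary behavior, or None."""
    if ev["source"] == "pcap" and ev.get("bytes_out", 0) > 10_000_000:
        return ("Exfiltration", "Exfiltration Over C2 Channel")
    if ev["source"] == "endpoint" and ev.get("action") == "clear_event_log":
        return ("Defense Evasion", "Indicator Removal")
    return None  # qualitative notes and low-volume flows carry no new behavior

def analyze(model, events):
    """Update the model in place; return (new_iocs, new_ttps, ttps_without_collection)."""
    new_iocs, new_ttps = set(), set()
    for ev in events:
        # Inside an engagement environment every flow is adversary-attributed: new dst = new IOC.
        if ev["source"] == "pcap" and ev["dst"] not in model.iocs:
            model.iocs.add(ev["dst"])
            new_iocs.add(ev["dst"])
        behavior = behavior_from_event(ev)
        if behavior and behavior not in model.ttps:
            model.ttps.add(behavior)
            new_ttps.add(behavior)
    # Flag newly learned TTPs that current collection would not detect.
    uncovered = {t for t in new_ttps if t[1] not in model.detections}
    return new_iocs, new_ttps, uncovered

# Constructed operation outputs: two PCAP-derived flows, one endpoint event, one note.
RAW_EVENTS = [
    {"source": "pcap", "dst": "198.51.100.20", "bytes_out": 4_096},
    {"source": "pcap", "dst": "203.0.113.7", "bytes_out": 52_000_000},
    {"source": "endpoint", "host": "decoy-fs01", "action": "clear_event_log"},
    {"source": "note", "text": "adversary paused ~40 min after opening the decoy file"},
]

def run_example():
    """Start from a model that already knows one IOC and one covered exfil TTP."""
    model = ThreatModel(
        iocs={"198.51.100.20"},
        ttps={("Exfiltration", "Exfiltration Over C2 Channel")},
        detections={"Exfiltration Over C2 Channel": "netflow volume analytic"},
    )
    return model, analyze(model, RAW_EVENTS)
```

Running `run_example()` yields one new IOC (203.0.113.7), one new TTP (Indicator Removal), and flags that TTP as lacking collection coverage, which is the signal that ongoing operations need a collection change.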

Finally, the defender should assess their own coordination and communication. Teamwork is essential during an operation. The defender should seek to improve coordination and skills with each operation. Engage defines a single approach to make progress towards the Understand goal.

  • Analysis focuses on turning raw outputs into useful intelligence that drives future progress.

Unlike the Engagement Goals, Understand has only a single approach. This laser focus is intentional for the first release of Engage.

Engage seeks to highlight that denial, deception, and adversary engagement activities cannot be viewed as "fire and forget". Unlike many defensive technologies, these activities must be viewed only in the context of how they inform and drive progress towards larger strategic goals. To this end, Analysis is essential to turn the raw operational outputs into intelligence that drives progress towards these strategic goals.

ID: SGO0002
Type: Strategic


Approach Name | Description | ID
Analysis | Retrospective review of information gained from an operation. | SAP0002