What is Predictive Defense?
Predictive Defense is a concept that seeks to anticipate future threats using data analysis and structured analytical techniques. The goal is to start preparations as soon as a threat is perceived, whereas in conventional methods the response begins only after a threat is observed. To understand its significance, we need to explore the limitations of traditional approaches and the advantages of this forward-looking methodology.
Shortcomings of Reactive Defense
According to Mandiant's report[1], the time it takes for a vulnerability to be exploited has decreased to an average of five days. Yet it is widely known that many organizations still take 30 to 90 days to implement patches. This delay provides attackers with a significant window of opportunity. In ransomware attacks, for instance, attackers often deploy ransomware just six days after infiltrating a target network[2]. Such fast-paced operations shorten the window of opportunity for defenders to act.
Another issue is the long lead time required for cybersecurity investments to take effect. Implementing organization-wide changes is no easy task, and even the simplest controls can take months to deploy at scale. As a result, solutions designed for today’s threats may fall short at mitigating the risks by the time they are fully operational. If we can anticipate the threats we’ll face in advance, we can proactively develop the necessary measures to counter them.
Axes of Uncertainty: When, Where, and How?
To design an effective defense against cyberattacks, we must answer three fundamental questions: When will an attack occur? Where will it happen? How will it take place? Traditional methods focus on addressing the "how" and "where" through practices like penetration testing, threat hunting, and threat modeling, which help identify the weakest points. However, the "when" has often been treated as unknowable. Risk assessments typically treat likelihood as a constant, whereas the probability of an attack is in fact dynamic and time-sensitive.
For example, an API key mistakenly uploaded to a public repository may be exploited by malicious actors within hours, whereas an SQL Injection vulnerability in a web application may remain unnoticed for months.
Predictive Defense tries to minimize this uncertainty, enabling organizations to perceive threats before they materialize.
Methods of Predictive Defense
Predictive Defense relies on various analysis techniques to anticipate future threats and risks. Key methods include:
Wargaming (How and Where):
Wargaming involves simulating potential attack scenarios to explore how and where they might occur. For instance, it examines how an employee’s credentials might be stolen and the cascading impact this could have on critical systems. By analyzing each step of a potential attack, weaknesses are identified, and targeted defenses can be developed.
Monte Carlo Simulations (Where):
This method evaluates the likelihood and impact of potential attacks across different scenarios. It repeatedly tests various attack paths (e.g., phishing attempts, brute-force attacks, or compromised credentials) against current defenses. By simulating thousands of scenarios, it estimates the probability of a successful attack within a given timeframe, helping prioritize risks and optimize resource allocation. This method is often used in conjunction with wargaming.
You can check out our blog post for more details about how to build probabilistic models.
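The simulation described above, as an added example that is not code from the original post: three attack paths (phishing, brute force, leaked credentials) are modelled as Poisson arrival rates with a chain of per-control bypass probabilities, and repeated trials estimate the chance of at least one compromise within a 30-day horizon, which path tends to get there first, and the median time to compromise. Every rate and probability, and the "with MFA" comparison scenario, is constructed for illustration; the closed-form `analytic_p_compromise` is included only as a sanity check on the simulation.

```python
"""Monte Carlo estimate of compromise probability over a planning horizon.

Added example; all attack paths, rates and per-control probabilities below
are constructed for illustration, not measured values."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackPath:
    name: str
    attempts_per_day: float        # mean attempts per day (Poisson rate)
    step_probabilities: tuple      # chance each control in the chain fails to stop one attempt

    def p_success(self) -> float:
        # One attempt succeeds only if it gets past every control in the chain.
        return math.prod(self.step_probabilities)


def poisson_sample(rate: float, rng: random.Random) -> int:
    """Knuth's algorithm; fine for the small daily success rates used here."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_once(paths, horizon_days, rng):
    """One trial: return (day, path name) of the first successful attempt, or None.

    Attempts arrive as a Poisson process, so the *successful* attempts on a day
    are Poisson(attempts_per_day * p_success) by thinning; we sample those
    directly instead of rolling dice for every single attempt."""
    for day in range(horizon_days):
        # Random order so same-day ties are not always credited to the first path.
        for path in rng.sample(paths, len(paths)):
            if poisson_sample(path.attempts_per_day * path.p_success(), rng) > 0:
                return day, path.name
    return None


def estimate(paths, horizon_days, runs=10000, seed=7):
    """Probability of at least one compromise within the horizon, plus which
    path got there first and the median time-to-compromise."""
    rng = random.Random(seed)
    first_by_path = {p.name: 0 for p in paths}
    days = []
    for _ in range(runs):
        outcome = simulate_once(paths, horizon_days, rng)
        if outcome is not None:
            days.append(outcome[0])
            first_by_path[outcome[1]] += 1
    n = len(days)
    return {
        "p_compromise": n / runs,
        "share_by_path": {k: (v / n if n else 0.0) for k, v in first_by_path.items()},
        "median_day": sorted(days)[n // 2] if n else None,
    }


def analytic_p_compromise(paths, horizon_days):
    """Closed form for independent Poisson paths; a sanity check on the simulation."""
    rate = sum(p.attempts_per_day * p.p_success() for p in paths)
    return 1.0 - math.exp(-rate * horizon_days)


# Constructed scenario: the same three paths, without and with MFA enforced.
BASELINE = [
    AttackPath("phishing", 2.0, (0.10, 0.30, 0.50)),       # click, filter miss, no MFA
    AttackPath("brute-force", 100.0, (0.0005, 0.50)),      # guess hits, no lockout
    AttackPath("leaked-credential", 0.05, (0.60, 0.50)),   # still valid, no MFA
]
WITH_MFA = [
    AttackPath("phishing", 2.0, (0.10, 0.30, 0.05)),
    AttackPath("brute-force", 100.0, (0.0005, 0.50)),
    AttackPath("leaked-credential", 0.05, (0.60, 0.05)),
]

if __name__ == "__main__":
    for label, paths in (("baseline", BASELINE), ("with MFA", WITH_MFA)):
        result = estimate(paths, horizon_days=30)
        print(label, result, "analytic:", round(analytic_p_compromise(paths, 30), 3))
```

Running both scenarios shows what the prioritization step looks like in practice: enforcing MFA cuts the 30-day compromise probability from roughly 0.88 to roughly 0.59, and the `share_by_path` breakdown then points at brute force as the dominant remaining path, which is the argument for spending the next budget on lockout or rate limiting rather than on more phishing training.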
Early Warning System (When):
Early warning systems detect indicators of emerging threats, allowing organizations to prepare in advance. For example, an uptick in malware indicators might signal a malvertising campaign that has just started. These systems use data from past incidents and threat intelligence sources to predict the timing of potential threats, leaving ample preparation time.
You can watch the following talk for more details about how to construct Early Warning Systems!
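The "uptick in malware indicators" signal described above, as an added example that is not code from the original post or talk: new indicators from a threat intelligence feed are counted per day for one campaign or family tag, and a day is flagged when its count sits far above the trailing seven-day baseline. The feed, the "LoaderX" and "OtherFam" tags and the thresholds are all constructed for illustration.

```python
"""Early-warning check over a threat-intelligence indicator feed.

Added example: the feed, the "LoaderX"/"OtherFam" tags and the thresholds are
constructed for illustration, not taken from any real source."""
import statistics
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Indicator:
    first_seen: date
    kind: str      # e.g. "hash", "domain", "ip"
    tag: str       # campaign or malware-family label assigned by the feed


def daily_counts(feed, tag):
    """Count new indicators per day for one tag, filling days with no
    indicators with 0 so quiet days still pull the baseline down."""
    counts = Counter(i.first_seen for i in feed if i.tag == tag)
    if not counts:
        return []
    start, end = min(counts), max(counts)
    return [(start + timedelta(days=d), counts.get(start + timedelta(days=d), 0))
            for d in range((end - start).days + 1)]


def early_warnings(series, window=7, z_threshold=3.0, min_count=5):
    """Flag days whose count is far above the trailing window.

    The standard deviation is floored at 1.0 so a flat baseline (e.g. 3,3,3,3)
    does not turn a single extra indicator into a warning; min_count drops
    tiny absolute spikes for the same reason."""
    alerts = []
    for i in range(window, len(series)):
        baseline = [c for _, c in series[i - window:i]]
        mean = statistics.fmean(baseline)
        sd = max(statistics.pstdev(baseline), 1.0)
        day, count = series[i]
        z = (count - mean) / sd
        if count >= min_count and z >= z_threshold:
            alerts.append((day, count, round(z, 2)))
    return alerts


# Constructed feed: a quiet stretch for "LoaderX" followed by a sharp rise,
# plus two unrelated "OtherFam" indicators to show the per-tag filtering.
_DAILY_LOADERX = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 4, 18, 31]
CONSTRUCTED_FEED = [
    Indicator(date(2024, 1, 1) + timedelta(days=d), "hash" if n % 2 else "domain", "LoaderX")
    for d, c in enumerate(_DAILY_LOADERX) for n in range(c)
] + [
    Indicator(date(2024, 1, 3), "ip", "OtherFam"),
    Indicator(date(2024, 1, 5), "ip", "OtherFam"),
]

if __name__ == "__main__":
    for day, count, z in early_warnings(daily_counts(CONSTRUCTED_FEED, "LoaderX")):
        print(f"{day}: {count} new LoaderX indicators (z={z}) - possible campaign start")
```

On the constructed feed the first warning fires on the day the count jumps to 18, one day before the larger spike, which is the lead time the section is after. The trailing window means the spike itself soon becomes part of the baseline, so a sustained campaign stops alerting after a few days; pairing the check with a longer reference window, or tracking the first-alert date per tag, is the usual way to keep the warning visible.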
Geopolitical Risk Analysis (When):
Geopolitical risk analysis explores how factors like international relations, economic conditions, and regional conflicts can influence cyber threats. For instance, if a country faces sanctions, it may raise the likelihood of cyberattacks backed by that country. This analysis helps organizations better prepare for major risks, especially state-sponsored threats, by predicting how global events could trigger attacks. Common techniques used in this analysis include Indications & Warnings Analysis, Signposts of Change Analysis, and Alternative Futures Analysis.
You can find our book on this very topic, "Geopolitical Cyber Threat Intelligence," on Amazon!
Geopolitical Cyber Threat Intelligence — by Robin Dimyanoglu
Cone of Plausibility (Future Risks):
This forecasting tool maps possible future scenarios based on current trends and predictable variables. By outlining expected events and deviations, it provides a framework for understanding and preparing for potential risks. For instance, it can be used to assess how attackers might evolve their strategies if current credential stuffing techniques are no longer effective.
You can check out our following posts for more details about how to use the Cone of Plausibility for forecasting.
Conclusion
Predictive Defense represents a paradigm shift in cybersecurity, moving beyond reactive methods to anticipate and counter future threats. By addressing uncertainties around "when, where, and how," it aims to enable organizations to build more dynamic, rapid, and effective defense strategies. This forward-thinking approach can optimize cybersecurity investments and ensure preparedness against emerging risks in an increasingly complex threat landscape.