Improving Security Posture by Learning from Intrusions

Previous research have found that organisations lack structured approaches for learning from incidents, which results in organisations missing out on opportunities to improve their security posture. In this thesis, qualitative interviews with industry experts are used in combination with a case study to explore how organisations could leverage intrusions to improve their security posture. Findings from the interviews indicate that there is a lack of structured methods for organisations to learn from intrusions integrating double-loop learning, proactive discovery and information sharing. There are, nonetheless, models that structure either organisational learning or intelligence-driven active defence. One consequence is that high-value intelligence generated from intrusion data is not used effectively, or not used at all, when generating threat hunting hypothesises. Further, without a structured approach for sharing information, stakeholders that could have acted on that intelligence are instead making less informed decisions. To overcome these shortcomings, we introduce a model integrating post-incident activities with intelligence, adversary discovery and information sharing. The purpose of this model is to explicate how data, information and knowledge from intrusions could be used in a structured approach for proactive defensive operations and improved information flows. We argue that widening the scope of incident response standards and guidelines to embrace proactive defence principles, such as learning from intrusions, intelligence and adversary discovery, would aid organisations in structuring their holistic approach to cyber security and make it easier for them to adopt an active defence approach