How to Build a Threat-Informed Defense: Why You Need to Understand Adversaries
Security teams face a fundamental challenge: defending against adversaries they don’t fully understand. Traditional security approaches focus on vulnerabilities and compliance, but the most sophisticated threats aren’t stopped by patching alone; they’re stopped by understanding who’s targeting you, how they operate, and what they’re after.
This is where threat-informed defense transforms your security posture from reactive firefighting to proactive, intelligence-driven protection.
The Intelligence Gap in Modern Security Operations
Most security teams operate with a critical blind spot. They know their infrastructure, they understand their vulnerabilities, and they monitor their logs. But when an alert fires at 2 AM, the SOC analyst faces a crucial question: Is this noise, or is this an adversary I should actually be worried about?
Without understanding the threat actors targeting their industry and geography, security teams may struggle to:
- Prioritize alerts effectively – Not all suspicious activity deserves the same response
- Anticipate attack patterns – Reactive defense means you’re always one step behind
- Allocate resources wisely – Defending everything equally means defending nothing well
- Communicate risk to leadership – “We might get hacked” doesn’t drive budget decisions like “APT groups X, Y, and Z are actively targeting companies like ours”
Vague risks get ignored; focused intelligence gets budget.
The difference between knowing “ransomware exists” and knowing “Lockbit is actively targeting manufacturing companies in our region using these specific initial access vectors” is the difference between generic defense and targeted protection.
What Makes Threat Intelligence Actionable?
Not all threat intelligence is created equal. Raw Indicators of Compromise (IoCs) and generic threat reports can create more noise than value. Actionable threat actor intelligence answers the specific questions your security team needs answered to make better decisions:
1. Who Is Targeting Organizations Like Yours?
Understanding which or what kind of threat actors prioritize your industry, geographic region, or company profile allows you to focus defensive efforts where they matter most. A healthcare provider in Europe faces different threats than a financial institution in Southeast Asia.
Key elements to track:
- Primary targets: Industry verticals, company sizes, geographic regions
- Motivation: Financial gain, espionage, disruption, or ideological
- Activity level: Are they currently active or dormant?
You need a filter that lets you isolate the exact actors targeting your industry and region (SOCRadar Threat Actor Intelligence)
To bridge the gap between “we might get hacked” and specific, actionable intelligence, you need a filter that cuts through the global noise.
2. How Do They Operate?
Tactics, Techniques, and Procedures (TTPs) reveal the playbook adversaries use. This operational intelligence directly informs your defensive controls:
- Initial access methods: Are they exploiting public-facing applications, using phishing, or purchasing access from initial access brokers?
- Lateral movement patterns: How do they navigate your network once inside?
- Preferred tools: Do they use custom malware, living-off-the-land techniques, or commodity tools?
- Exfiltration methods: How do they steal data—cloud storage, DNS tunneling, encrypted channels?
TTP Map for a threat actor (SOCRadar Platform)
Map these TTPs with the MITRE ATT&CK® framework to pinpoint defensive gaps and prioritize detections based on real-world adversary behavior.
3. What Infrastructure Do They Use?
Adversary infrastructure provides concrete defensive value:
- Command and control (C2) infrastructure: Domains, IPs, hosting patterns
- Tool repositories: Where they stage their malware and tools
- Communication channels: Forums, marketplaces, and coordination platforms
This information feeds directly into your security controls: C2 domains and IPs become blocklists for firewalls and proxies, malware signatures inform EDR detection rules, and infrastructure patterns fuel proactive threat hunting queries that stop attacks before they land.
4. What Are Their Recent Campaigns?
Historical and ongoing campaigns reveal evolution in tactics and current focus areas:
- Recent victims: Which organizations have been hit?
- Evolving TTPs: Are they adopting new techniques?
- Campaign timing: Are there seasonal patterns or event-triggered attacks?
Case Study: Defending Against a Financially-Motivated Ransomware Group
Let’s make this concrete with a realistic scenario. Consider a mid-sized education technology company facing the threat of Akira Ransomware, one of the most active and financially successful Ransomware-as-a-Service (RaaS) operations, which has claimed over $244 million in ransom payments since March 2023.
Understanding the Adversary
Akira operates as a Ransomware-as-a-Service platform, distributed by threat groups including Storm-1567 and Howling Scorpius. With links to the defunct Conti syndicate, they’ve evolved into a sophisticated operation that has impacted over 470 organizations in 2025 alone. They target small to medium-sized businesses and larger enterprises across manufacturing, education, healthcare, IT, and financial sectors—primarily in North America, Europe, and Australia.
Their operational profile:
- Initial Access: Exploits unpatched VPN vulnerabilities (like CVE-2023-20269), uses compromised credentials from phishing or data breaches, and increasingly deploys ClickFix social engineering (fake CAPTCHA prompts that trick users into downloading malware)
- Credential Harvesting: Uses advanced techniques including comsvcs.dll MiniDump to quietly dump LSASS credentials without triggering typical Mimikatz alerts, employs Kerberoasting for domain credential extraction
- Lateral Movement: Rapidly moves through networks using RDP and SSH with stolen credentials, blending into legitimate administrative traffic while systematically scanning for backup servers, domain controllers, and security tools
- Defense Evasion: Deploys multiple ransomware variants (Akira_v2, previously Megazord), disables security software using PowerTool, clears event logs, and uses process injection into trusted system processes to execute commands under the radar
- Encryption Speed: Uses hybrid ChaCha20/RSA encryption with the newer Akira_v2 variant offering even faster encryption speeds specifically targeting VMware ESXi virtual machines
- Double Extortion: Notorious for lightning-fast data exfiltration—can steal data from Veeam backup servers in under 2 hours—using FileZilla, WinSCP, and RClone before encrypting systems
Threat actor card of Akira Ransomware (Threat Actor Profiles)
Translating Intelligence into Defense
Armed with the threat actor profile, your security team can build targeted defenses. Modern threat intelligence platforms organize this information to help you quickly identify what matters most for your organization.
Akira Ransomware (SOCRadar Threat Actor Intelligence)
CTI platforms like SOCRadar allow security teams to filter threat actors by target country, industry sector, and associated TTPs, making it easy to identify which adversaries pose the greatest risk to your specific environment.
Here’s how understanding Akira’s specific tactics translates into concrete defensive actions:
1. Closing Initial Access Vectors
Knowing Akira’s primary entry points like VPN vulnerabilities and ClickFix social engineering, you can prioritize where to strengthen defenses:
- Patch management: Address CVE-2023-20269 in Cisco VPN appliances; audit for externally exposed RDP
- MFA deployment: Implement phishing-resistant authentication (FIDO2/hardware tokens) on all remote access and privileged accounts
- User training: Educate staff on ClickFix attacks—fake CAPTCHA prompts disguised as verification tools
- Access monitoring: Alert on VPN logins from new geolocations, off-hours access, or rapid authentication attempts
Threat intelligence reveals the specific CVEs and attack vectors Akira affiliates actively exploit (SOCRadar Threat Actor Intelligence, “akira” Vulnerabilities)
2. Detecting Lateral Movement and Credential Theft
Understanding their quiet credential dumping (comsvcs.dll MiniDump) and preference for living-off-the-land techniques:
- Credential monitoring: Detect unauthorized LSASS access and Kerberoasting attempts on domain controllers
- PowerShell oversight: Flag execution policy bypasses, encoded commands, and scripts from unusual sources
- Account vigilance: Alert on new domain accounts, especially those mimicking admin naming patterns
- Infrastructure targeting: Monitor SSH to ESXi hosts and unusual RDP patterns across multiple servers
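The two credential-theft detections above, written out as an added example that is not part of the original article or the SOCRadar platform. The events are constructed (Sysmon Event ID 1 process creation and Windows Event ID 4769 service ticket requests, flattened to dicts); field names and the threshold of three distinct SPNs are this example's own assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry): Sysmon EID 1 and Windows EID 4769, flattened.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "ws01", "user": "jsmith",
     "command_line": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <pid> C:\Temp\out.dmp full"},
    {"event_id": 1, "host": "ws02", "user": "amiller",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"event_id": 4769, "host": "dc01", "user": "jsmith", "service": "MSSQLSvc/db01", "enc_type": "0x17"},
    {"event_id": 4769, "host": "dc01", "user": "jsmith", "service": "HTTP/web01", "enc_type": "0x17"},
    {"event_id": 4769, "host": "dc01", "user": "jsmith", "service": "CIFS/files01", "enc_type": "0x17"},
    {"event_id": 4769, "host": "dc01", "user": "jsmith", "service": "krbtgt", "enc_type": "0x17"},
    {"event_id": 4769, "host": "dc01", "user": "svc-backup", "service": "HTTP/web01", "enc_type": "0x12"},
]

def detect_comsvcs_minidump(events):
    """Flag rundll32 loading comsvcs.dll with the MiniDump export: the LSASS dump path
    the article notes does not trip the usual Mimikatz signatures."""
    hits = []
    for e in events:
        cmd = e.get("command_line", "").lower()
        if e.get("event_id") == 1 and "comsvcs" in cmd and "minidump" in cmd:
            hits.append({"rule": "lsass_dump_comsvcs", "host": e["host"], "user": e.get("user")})
    return hits

def detect_kerberoasting(events, threshold=3):
    """Flag one account requesting RC4-encrypted (0x17) service tickets for many distinct SPNs.
    krbtgt requests are excluded as routine. A production rule also bounds this by a time window."""
    spns = defaultdict(set)
    for e in events:
        if e.get("event_id") == 4769 and e.get("enc_type") == "0x17" and e["service"] != "krbtgt":
            spns[(e["host"], e["user"])].add(e["service"])
    return [{"rule": "kerberoast_rc4_spray", "host": h, "user": u, "spn_count": len(s)}
            for (h, u), s in spns.items() if len(s) >= threshold]

def run_detections(events):
    """Run both rules and return the combined findings for analyst triage."""
    return detect_comsvcs_minidump(events) + detect_kerberoasting(events)
```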
3. Protecting Your Crown Jewels
Akira systematically targets backup infrastructure and virtualization platforms—often exfiltrating data from Veeam servers in under 2 hours:
- Backup isolation: Segment backup servers with dedicated VLANs, unique credentials, and time-based access controls
- ESXi hardening: Disable SSH when not needed, restrict to specific management IPs, enable lockdown mode
- Privileged access: Baseline normal domain admin usage patterns and alert on deviations
- Network segmentation: Default-deny between VLANs, requiring explicit rules for legitimate traffic flows
The IoC tab, enabling security teams to proactively block known malicious infrastructure and detect ongoing attacks (SOCRadar Threat Actor Intelligence, “akira” IoCs)
4. Preventing Encryption
Their Akira_v2 variant targets VMware ESXi with fast encryption speeds, using process injection to evade detection:
- Behavioral detection: Configure EDR to catch rapid file access patterns, volume shadow copy deletion, and process injection
- Immutable backups: Deploy write-once-read-many storage and air-gapped backups that ransomware can’t reach
- Rapid response: Pre-stage playbooks for immediate VM snapshots and containment; encryption happens in hours, not days
5. Stopping Data Theft
Their double extortion model relies on stealing data before encryption and threatening public release:
- Tool monitoring: Detect usage of FileZilla, WinSCP, and RClone, Akira’s preferred exfiltration utilities
- Data classification: Know what’s sensitive so you can prioritize protection and assess breach impact
- Traffic baselines: Alert on unusual outbound data volumes, especially to external IPs or cloud storage
- Legal readiness: Maintain breach notification procedures; Akira publishes stolen data on their leak site
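The tool-monitoring and traffic-baseline items above, combined into one added example that is not part of the original article. Host names, the daily outbound history, today's transfers and the 5x-median threshold are all constructed; the external addresses come from documentation ranges.

```python
import statistics
from collections import defaultdict

EXFIL_TOOLS = {"filezilla.exe", "winscp.exe", "rclone.exe"}  # the utilities named in Akira's profile
BACKUP_SERVERS = {"veeam01"}  # constructed: hosts where those tools have no legitimate use

# Constructed history: daily external outbound bytes per host over the last week (not real netflow).
HISTORY = {
    "veeam01": [2.1e9, 1.9e9, 2.3e9, 2.0e9, 2.2e9, 2.1e9, 1.8e9],
    "ws05":    [1.5e8, 1.2e8, 1.7e8, 1.4e8, 1.3e8, 1.6e8, 1.5e8],
}
# Constructed transfers observed today; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
TODAY = [
    {"host": "veeam01", "process": "rclone.exe", "dst": "203.0.113.10", "bytes": 38e9, "external": True},
    {"host": "veeam01", "process": "VeeamAgent.exe", "dst": "10.0.5.20", "bytes": 900e9, "external": False},
    {"host": "ws05", "process": "chrome.exe", "dst": "198.51.100.7", "bytes": 1.6e8, "external": True},
]

def exfil_tool_hits(transfers, tools=EXFIL_TOOLS, sensitive_hosts=BACKUP_SERVERS):
    """Known exfiltration utilities running on backup servers, regardless of volume."""
    return [{"rule": "exfil_tool_on_backup_server", "host": t["host"], "process": t["process"]}
            for t in transfers if t["process"].lower() in tools and t["host"] in sensitive_hosts]

def external_outbound_by_host(transfers):
    """Sum only external transfers: internal replication (backup jobs) would otherwise mask exfiltration."""
    totals = defaultdict(float)
    for t in transfers:
        if t["external"]:
            totals[t["host"]] += t["bytes"]
    return dict(totals)

def volume_anomalies(history, today_totals, factor=5.0):
    """Flag hosts whose external outbound exceeds factor x the median of their own history.
    Median rather than mean, so a single earlier large transfer does not raise the bar."""
    findings = []
    for host, total in today_totals.items():
        baseline = statistics.median(history.get(host, [0.0])) or 1.0  # unknown host: any volume is a spike
        if total > factor * baseline:
            findings.append({"rule": "outbound_volume_spike", "host": host, "ratio": round(total / baseline, 1)})
    return findings

def triage(transfers=TODAY, history=HISTORY):
    """Combined findings: tool-based and volume-based signals corroborate each other on veeam01."""
    return exfil_tool_hits(transfers) + volume_anomalies(history, external_outbound_by_host(transfers))
```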
Targeted countries by Akira Ransomware (SOCRadar Threat Actor Intelligence)
Building Your Threat-Informed Defense Program
Implementing a threat-informed approach doesn’t require a massive team or budget, but it does require systematic integration of threat intelligence into your security operations.
1. Start With Your Threat Landscape
Identify the threat actors most likely to target your organization:
- Map your industry, geography, and company profile to known threat actor targets
- Focus on high-priority threat actors initially (threat intelligence platforms should provide popularity scores)
- Track both persistent, sophisticated groups (APTs) and commodity threats (ransomware, DDoS groups)
Filter threat actors by target country, industry sector, and threat type using SOCRadar’s Free Tools, helping security teams identify which adversaries are actively targeting organizations like theirs and prioritize defenses accordingly.
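The landscape filtering in step 1 and the ATT&CK gap mapping recommended earlier, as one added example that is not part of the original article or any vendor dataset. The Akira technique set is this example's own ATT&CK reading of the article's profile, the other two actors are hypothetical, and the relevance weights and detection coverage are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ThreatActor:
    name: str
    sectors: frozenset
    regions: frozenset
    active: bool
    techniques: frozenset  # MITRE ATT&CK technique IDs

# Constructed profiles. Akira's techniques are this example's own mapping of the article
# (VPN exploitation, phishing, LSASS dump, Kerberoasting, RDP/SSH, cloud exfiltration, encryption).
ACTORS = [
    ThreatActor("Akira", frozenset({"education", "manufacturing", "healthcare"}),
                frozenset({"North America", "Europe", "Australia"}), True,
                frozenset({"T1190", "T1566", "T1003.001", "T1558.003",
                           "T1021.001", "T1021.004", "T1567.002", "T1486"})),
    ThreatActor("hypothetical-espionage-group", frozenset({"defense", "government"}),
                frozenset({"Asia"}), True, frozenset({"T1566", "T1059.001", "T1071.001"})),
    ThreatActor("hypothetical-dormant-group", frozenset({"education"}),
                frozenset({"Europe"}), False, frozenset({"T1190", "T1486"})),
]
ORG = {"sector": "education", "region": "Europe"}  # the case study's EdTech company
COVERAGE = frozenset({"T1566", "T1190", "T1021.001", "T1486"})  # constructed: techniques we detect today

def relevance(actor, org):
    """0..1: targets our sector (0.5), our region (0.3), and is currently active (0.2)."""
    score = 0.5 * (org["sector"] in actor.sectors) + 0.3 * (org["region"] in actor.regions)
    return round(score + 0.2 * actor.active, 2)

def coverage_gap(actor, covered):
    """Techniques the actor uses that we cannot detect, plus the covered fraction."""
    missing = sorted(actor.techniques - covered)
    return missing, round(1 - len(missing) / len(actor.techniques), 2)

def prioritize(actors, org, covered):
    """Rank by relevance x uncovered share, so relevant actors with the largest gaps come first."""
    rows = []
    for a in actors:
        rel = relevance(a, org)
        missing, cov = coverage_gap(a, covered)
        rows.append({"actor": a.name, "relevance": rel, "coverage": cov,
                     "priority": round(rel * (1 - cov), 2), "missing": missing})
    return sorted(rows, key=lambda r: r["priority"], reverse=True)

if __name__ == "__main__":
    for row in prioritize(ACTORS, ORG, COVERAGE):
        print(row)
```

The "missing" list for the top-ranked actor is the detection backlog to work through first; a dormant actor that is fully covered drops to the bottom even though it matches our profile.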
2. Integrate Intelligence Into Existing Workflows
Don’t create intelligence as a separate silo:
- Vulnerability management: Prioritize patches based on what exploits your threat actors are using
- Incident response: Include threat actor TTPs in your playbooks
- Threat hunting: Hunt for specific adversary behaviors, not generic anomalies
- Security architecture: Design defenses around actual attack patterns you face
3. Empower Your SOC Analysts
Give your analysts the context they need:
- When an alert fires, provide relevant threat actor information automatically
- Train analysts to recognize threat actor TTPs in logs and alerts
- Create quick reference guides for high-priority adversaries
- Reduce false positive fatigue by filtering alerts through threat relevance
4. Communicate Risk to Leadership
Translate technical intelligence into business risk:
- “We’re seeing increased activity from ransomware groups targeting manufacturing companies with $50-500M revenue”
- “Three organizations in our industry were hit by the same threat actor last month using this specific vulnerability we haven’t patched yet”
- “Our current security gaps align with the initial access methods used by financially-motivated threat actors targeting our sector”
This concrete, intelligence-driven communication gets budget approved and drives strategic security decisions.
5. Measure What Matters
Track the impact of threat intelligence on your security posture:
- Detection speed: How quickly are you identifying threat actor activity?
- False positive reduction: Are you spending less time on noise?
- Remediation effectiveness: Are you closing the gaps adversaries exploit?
- Threat coverage: What percentage of threats targeting your industry can you detect and respond to?
Common Pitfalls to Avoid
As you build your threat-informed defense program, watch out for these common mistakes:
1. Intelligence Overload
Adding more threat feeds doesn’t mean better security. Focus on quality over quantity. Five well-understood threats you can defend against beat 50 generic threat reports you never action.
2. Static Intelligence
Threat actors evolve constantly. A threat profile from six months ago may no longer reflect current TTPs. Establish regular intelligence refresh cycles—monthly for high-priority threats, quarterly for others.
3. Missing the “So What?”
Every piece of threat intelligence should answer: “What should we do differently because of this information?” If you can’t answer that question, intelligence isn’t actionable.
4. Ignoring Commodity Threats
While sophisticated APT groups get the headlines, commodity threats like ransomware and business email compromise cause the most damage to most organizations. Balance your focus accordingly.
5. Siloed Intelligence Teams
Threat intelligence only creates value when it reaches the people who can act on it—SOC analysts, network defenders, incident responders. Break down silos between intelligence and operations.
The Road Ahead: Continuous Adaptation
Cybersecurity is an adversarial discipline. The threat actors targeting your organization are continuously adapting their tactics, developing new tools, and finding new vulnerabilities to exploit. Your defense must evolve at the same pace.
A threat-informed defense strategy isn’t a project with an end date—it’s an operational mindset that puts adversary understanding at the center of every security decision. It transforms security from a checkbox exercise into a strategic capability that actually reduces risk.
Start with understanding one threat actor deeply. Build defenses specifically for their TTPs. Measure the impact. Then expand to the next threat. Over time, you’ll build a comprehensive defense that’s precisely calibrated to the threats you actually face, not the threats you imagine.
The security teams who succeed in this landscape aren’t the ones with the biggest budgets or the most tools. They’re the ones who understand their adversaries and build defenses that match the threats they actually face. That’s the power of threat-informed defense.