Key takeaways from EnsiderVoices Episode 3: Mitigating Cyber Threats In Asia: Leveraging Threat-Informed Defence
There is a strange comfort in frameworks.
They offer structure where there is chaos. They provide certainty where uncertainty reigns. And in cybersecurity, they’ve become gospel. MITRE ATT&CK. NIST. ISO 27001. For every threat, a control. For every gap, a grid. We pore over them like cartographers of the digital domain, convinced that if we can just tick off every cell, every tactic, every sub-technique, we’ll be safe.
But frameworks, like maps, are not the territory. And if we’re not careful, they can become a mirage—drawing us into the illusion that coverage equals security, and that completeness equals competence.
The MITRE ATT&CK framework is a triumph of collaborative intelligence. It catalogues real-world adversary behaviour in granular detail, breaking down the steps attackers use to infiltrate, persist, move laterally, and exfiltrate. For analysts, defenders, and researchers alike, it has become the lingua franca of modern threat detection.
Yet therein lies the problem: somewhere along the way, ATT&CK went from a reference to a destination. Organisations now chase “coverage” like it’s a badge of honour—building detection rules and dashboards that glow green, while overlooking the adversaries quietly slipping through the cracks.
The framework is vast—over 500 techniques and sub-techniques spanning enterprise, mobile, and cloud environments. And that’s before you factor in related projects like MITRE Engage and D3FEND. Attempting to operationalise it in full is not just overwhelming; it’s often unnecessary. Few organisations face every technique. Fewer still have the resources to defend against them all. And yet, many continue down this path, pulled by pressure from consultants, regulators, and their own anxiety.
We must ask: Are we building frameworks to understand threats, or using threats to justify frameworks?
The distinction matters. Because threat-informed defence is not about chasing MITRE scores. It’s about understanding who is likely to target you, what methods they use, and how you can realistically respond. The framework is a compass—not a checklist.
In a recent podcast hosted by Ensign InfoSecurity, cybersecurity experts explored how a growing number of Asian organisations are falling into the “framework trap”. Rather than contextualising MITRE ATT&CK to their industry and threat landscape, they attempt to implement it wholesale. The result? A sprawling patchwork of controls, some relevant, some not, with resources spread so thin they fail to protect what matters most.
There’s a better way—one that starts small, specific, and adversary-aware. Leading threat practitioners now advocate an incremental approach: start with one adversary group. Map out their known techniques. Overlay that with your business functions, regions, and digital assets. Build a heatmap of relevance. Focus on the top techniques. Design defensive actions that fit the threat, not the framework.
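The heatmap step of that incremental approach, as an added illustration that is not from the podcast or from Ensign InfoSecurity: the group profiles, exposure weights and detection-coverage figures are constructed placeholders, and only the technique IDs are real ATT&CK identifiers.

```python
"""Adversary-first ATT&CK prioritisation (constructed, illustrative data).

Start from the groups that plausibly target you, weight each technique they
use by how exposed your own business functions are to it, and subtract what
you can already detect. Techniques no relevant group uses never enter the
heatmap at all; that exclusion is the point of threat-informed defence.
"""
from collections import defaultdict

# Constructed threat profiles: techniques each tracked group is observed using.
# The group names and the group-to-technique mapping are placeholders, not real CTI.
ADVERSARY_TECHNIQUES = {
    "GROUP-A (constructed)": ["T1566", "T1059", "T1078", "T1021", "T1486"],
    "GROUP-B (constructed)": ["T1566", "T1059", "T1047", "T1021"],
}

# Exposure of our assets/business functions to each technique (0.0 - 1.0), assumed values.
# Heavy email use makes phishing (T1566) highly relevant; a small WMI footprint lowers T1047.
# T1190 is listed but used by no tracked group, so it should not appear in the heatmap.
ASSET_EXPOSURE = {
    "T1566": 1.0, "T1059": 0.8, "T1078": 0.9, "T1021": 0.6,
    "T1486": 1.0, "T1047": 0.2, "T1190": 0.9,
}

# Current detection visibility per technique (0.0 - 1.0): do we have the logs and rules to see it?
DETECTION_COVERAGE = {
    "T1566": 0.7, "T1059": 0.3, "T1078": 0.2, "T1021": 0.5, "T1486": 0.1, "T1047": 0.0,
}


def build_heatmap(groups, exposure, coverage):
    """Return {technique: relevance}; higher means defend this first.

    relevance = (number of relevant groups using it) * exposure * (1 - coverage)
    """
    group_count = defaultdict(int)
    for techniques in groups.values():
        for tech in set(techniques):  # count each group once per technique
            group_count[tech] += 1
    return {
        tech: round(n * exposure.get(tech, 0.0) * (1.0 - coverage.get(tech, 0.0)), 3)
        for tech, n in group_count.items()
    }


def top_techniques(heat, k=3):
    """The k hottest techniques, the ones to design controls and detections for first."""
    return [t for t, _ in sorted(heat.items(), key=lambda kv: (-kv[1], kv[0]))[:k]]


if __name__ == "__main__":
    heat = build_heatmap(ADVERSARY_TECHNIQUES, ASSET_EXPOSURE, DETECTION_COVERAGE)
    for tech in top_techniques(heat):
        print(tech, heat[tech])
```

Swapping the constructed dictionaries for a real group's techniques and your own exposure and visibility figures turns the same scoring into a per-organisation priority list rather than a matrix to be coloured green.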
This process is not only more manageable—it’s more meaningful. It ensures every control in place has a purpose, not just a place. It lets cybersecurity teams say to their boards, “This isn’t just what we’re doing—it’s why we’re doing it.”
And that “why” is becoming more urgent by the day. In Asia, the threat landscape is evolving rapidly. Hacktivist groups once confined to defacements now engage in sophisticated ransomware campaigns. Proxy actors aligned with state interests operate in murky legal and geopolitical waters. Attribution is difficult, motivations are hybrid, and the line between ideology and profit is blurring. In this environment, frameworks that assume a clean taxonomy of techniques fall short. What’s needed is agility. Adaptation. Intelligence.
This is where many organisations falter. They confuse technical breadth with strategic depth. They implement the full ATT&CK matrix but never stop to ask: Which of these techniques are actually used by the groups targeting us? Are our controls tested against them? Do we have the logging visibility to detect their procedures, not just their tools?
To answer these questions, organisations need more than dashboards—they need perspective. They must move from framework implementation to adversary emulation. That means building threat models that reflect regional realities. Collaborating with intelligence providers who understand the local nuances. And investing in people—analysts, engineers, and hunters—who can interpret data, not just collect it.
This is not a rejection of frameworks. It’s a rebalancing. MITRE ATT&CK remains one of the most valuable tools in the defender’s arsenal—but like any tool, its impact depends on how it’s used. When treated as a north star, it can orient strategy. When treated as a scorecard, it distracts from it.
Cybersecurity has always been an arms race. But it’s also a philosophy. It’s not just about building taller walls—it’s about knowing who is trying to climb them, why, and how. The illusion of control, fuelled by over-engineered frameworks, can lull us into a dangerous complacency.
The true work lies in the uncomfortable space outside the framework—where threats evolve faster than our diagrams, and where defence must be lived, not just modelled.
If you’re drowning in frameworks, the answer isn’t to swim faster. It’s to stop, surface, and reorient. Find your threat. Know your enemy. Build what matters.
And never mistake the map for the terrain.