Threat intelligence is all the rage. Certainly it's good to know what your adversaries are up to. But how much effort and attention should it get compared to systematically applying effective security controls?
Focusing too intently on threat intelligence is a bit like spying on possible and suspected burglars to learn their methods while leaving your doors ajar and your windows open, hoping to catch the thieves before they escape with your diamonds. Do you really need to know that Miscreant X is fond of SQL injection to make certain your application is not vulnerable to that kind of attack? Wouldn't it be better to close that window anyway, in case a previously unknown Miscreant Y tries the same thing? It seems sensible to put controls in place that mitigate known classes of attack (and to verify that those controls are effective) even if none of your known adversaries is currently using them. Those controls are what the NIST Risk Management Framework (RMF) is all about.
Of course, too much proactive planning is a bad thing too.