Tailoring Security Training to Specific Kinds of Threats

Faced with the daily barrage of reports on new security threats, it is important to keep in mind that while some are potentially disastrous, many are harmless or irrelevant to individual organizations.

CISOs often need to prioritize the specific threats they must defend against. In addition, they must take stock of their security strengths and weaknesses so they can focus their efforts on the threats that are relevant to them.

A major challenge to staying focused is media-driven distraction. CISOs who understand their security posture can ignore the media noise, knowing that threat X is not a risk — either because it has already been patched or because such an attack is highly unlikely to target an organization of their size or type.

The benefits of tailoring security skills training to specific threats are transparent and ongoing. It enables an organization to address relevant risks with vigor and focus, to craft clearly defined training goals, and to ensure all team members acquire the right skills to identify and defend against the most dangerous threats.

How to Tailor Training

The best starting point is to be strategic — to focus on the type of attackers that threaten or could threaten the organization, create a profile of these adversaries, and identify their tools and tactics. Next, it’s important to perform an honest and realistic assessment of the security team’s tools and skills for combating the attackers — and to improve them where holes and deficiencies exist.

Below are five broad categories of threat actors, ranked by their level of sophistication, along with the corresponding defense measures needed to protect against them.

These are typically amateurs or script kiddies who use publicly available malware, credentials, and other TTPs that require little skill to use.

Defense needed: these actors can often be contained by automated machine detection using signature-based capabilities on an endpoint or network.

Prudent Threat Actors

Slightly more advanced than the first rank of criminals, these actors avail themselves of paid or publicly available malware, credentials, and other TTPs that require little skill to use.

Defense needed: Automated detection mostly works, but sometimes an organization will need more comprehensive configuration and log aggregation.

Emerging Actors

These criminals, often hacktivists, deploy modified public tools and paid tools. Many of these tools, such as Metasploit and Cobalt Strike, have potent, interactive capabilities.

Defense needed: Basic threat intelligence and behavioral signatures are needed for full coverage.

Established Actors

Here the actors are nation-states and high-level criminal gangs, who use internally developed tools and capabilities.

Defense needed: Behavioral and advanced threat detection.

Strategic Actors

These are high-level attackers working for nation-states. Their tools and capabilities are backed by the best OPSEC for the specific situation at hand.

Defense needed: Behavioral detection supported by deep manual analysis of the environment.

Once an organization has determined which category or categories of threat actors they must defend against, the following best practices can be used to develop threat-centric security training.

Develop a detailed plan. Planning is always the bedrock of a good roadmap. The more time an organization takes to prepare a training plan — by researching its needs, critically assessing its resources, and by talking to partners and customers — the more likely its strategy will be successful.

Objectively assess new threats. Chances are, not all new threats will affect a given organization, either because a threat has already been remediated by a patch or other control, or because it is simply irrelevant to the organization’s size or vertical industry.

Use industry resources to identify threats to the organization or its vertical industry. Some excellent resources are the major security publications, the Verizon Data Breach Investigations Report, and industry-specific ISAC threat intelligence feeds.

Collaborate with training partners to transform the plan into action. Partners can provide not just valuable insights but also concrete advice on how to implement upskilling exercises, assessment, and reporting.

The importance of tailoring security training to specific threats has never been more urgent, given the variety and volume of cyber risks facing the average organization. By focusing on attack tactics and techniques that pose clear and present danger to the business, a company can achieve the greatest return on its training initiatives.

Written By

Jeff Orloff is Vice President of Products and Technical Services at RangeForce, a cybersecurity training company. He has over ten years of experience in cybersecurity, computer and network security and system administration. Prior to RangeForce, he was Director of Product Management and UX at COFENSE, a company specializing in email security, phishing detection and response. He also served as Technology Coordinator for the Palm Beach County Florida School District.
