
Turning threat intelligence into action: Key insights from our MITRE ATT&CK webinar

Discover how financial services can operationalize threat intelligence with MITRE ATT&CK. Learn key strategies for cybersecurity resilience in our expert-led webinar.

reannm, Dec 07 2024

Despite cutting-edge advancements in cybersecurity tools and data, the Financial Services (FS) sector remains a prime target for sophisticated adversaries like Lazarus. Yet many FS organizations struggle to operationalize the vast amounts of threat intelligence they collect. Why? Because it takes more than information—it requires strategy, collaboration, and practical execution.

In our recent webinar, The Uncomfortable Truth About Your Organization and MITRE ATT&CK, experts from Hack The Box, including Adam Riccitelli, Lead Cyber Incident Response Analyst at S&P Global, and Mo Mohajerani, Compliance Lead and Security Operations Specialist at Paymenttools, shared practical strategies for operationalizing threat intelligence and building organizational resilience.


The threat landscape: anticipating the unknown

In the financial services (FS) sector, trust forms the foundation of every transaction—but this trust is under siege. Sophisticated adversaries like Lazarus exploit vulnerabilities with advanced tactics, threatening not just individual organizations but the broader financial ecosystem.

As Barrett Kopel, Solutions Engineer at Hack The Box, noted during our recent webinar:

"Financial institutions are prime targets, requiring the highest level of protection. The threats extend beyond financial gain, with motivations often tied to political and economic destabilization."

With stakes so high, the pressure to defend has never been greater:

  • Evolving adversary tactics: Advanced persistent threats (APTs) are becoming more sophisticated, with attackers leveraging AI to enhance their strategies. Groups like Lazarus use AI to reduce breakout times, exploit hidden vulnerabilities, and infiltrate networks faster than ever before. As Mo Mohajerani, our panelist, highlighted, the recent shutdown of over 20 AI-driven operations underscores just how advanced these tactics have become, making them harder to detect and counter.

  • Rising regulatory demands: Compliance frameworks such as DORA are reshaping the cybersecurity landscape, requiring faster breach reporting and more rigorous resilience testing. These mandates push organizations to reassess their defense strategies and adapt to increasingly stringent standards.

  • Expanding attack surfaces: As organizations rely on third-party vendors and complex supply chains, the number of potential entry points for attackers increases. Each partner in the ecosystem introduces new vulnerabilities, amplifying the risk of supply chain attacks, data breaches, and unauthorized access to sensitive systems.

To effectively defend against these threats, organizations must take a priority-driven approach. This involves evaluating emerging risks, enhancing security controls, and adapting strategies to stay ahead of determined adversaries. And, as discussed during the webinar, this also means adopting AI-driven threat intelligence tools that outpace adversaries experimenting with similar technologies.


Bridging the gap between intelligence and action

On the surface, threat intelligence seems simple: collect data, identify risks, take action. In reality, many FS organizations face hurdles in operationalizing intelligence due to silos, resource strain, and misaligned tools.

Red and blue teams often work independently, leaving gaps in communication and response strategies. Even with advanced tools, organizations struggle to demonstrate ROI or improve detection engineering.

Adam Riccitelli from S&P Global summarized the core issue:

"Threat intelligence is great, but on its own, what is it? You have to operationalize it and feed it into detection engineering."

The most pressing challenge lies in prioritization—determining which threats to act on first and how to allocate limited resources effectively. Without clear priorities, organizations risk being overwhelmed by data without taking meaningful action.

So how can FS organizations overcome these obstacles? The answer lies in structured prioritization, hands-on training, and a culture of collaboration.


From silos to strategy: turning intelligence into operational readiness

During the webinar, we highlighted how frameworks like MITRE ATT&CK can help FS organizations focus their efforts by prioritizing adversary behaviors. However, knowing what to prioritize is just the first step.

To turn these insights into actionable defenses, teams need specific, targeted training to address those mission-critical priorities.

Step 1: Prioritize the threats that matter most

Effective defense starts with understanding which adversary tactics, techniques, and procedures (TTPs) pose the greatest risk to your organization. For example, the webinar featured a discussion about the Cuttlefish malware, tied to Lazarus Group, which employs T1557 (Adversary-in-the-Middle) techniques to hijack DNS lookups. By mapping TTPs to your vulnerabilities using frameworks like MITRE ATT&CK, your team can focus on the threats most likely to impact your environment.

Step 2: Train to act on those priorities

Once you’ve identified high-priority TTPs, the next step is ensuring your team is equipped to counter them. This requires targeted, hands-on training that mirrors real-world adversary behaviors.

Example:
A team practicing T1557 (Adversary-in-the-Middle) in a controlled HTB Lab setting can recognize DNS hijacking attempts and test countermeasures in real time, translating prioritization into operational readiness. By practicing real-world scenarios and simulating adversary behaviors in a controlled environment, teams build resilience and sharpen their skills.
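The two steps above (prioritize a TTP, then train to detect it) end in detection engineering, which the post mentions but does not illustrate. The following is an added example and is not code from the webinar, Hack The Box, or any of the speakers: a minimal detection for the DNS-hijacking form of T1557 (Adversary-in-the-Middle) discussed above. It reads DNS response events and flags two things a blue team would want to see during a purple-team exercise: answers that came from a resolver the organization does not use, and answers for business-critical domains that differ from pinned, known-good values. Every resolver address, domain, IP and log line here is constructed (RFC 5737 documentation ranges and `.test` names) and the log format is an assumption, not any product's output.

```python
# Added example: simple DNS-hijacking detection in the spirit of T1557.
# Not from the webinar or Hack The Box. All addresses, domains and log lines
# are constructed; the "ts client resolver qname answer" format is assumed.
from dataclasses import dataclass

# Resolvers the organization expects its hosts to use (constructed).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Pinned answers for domains whose integrity matters most (constructed).
PINNED_ANSWERS = {
    "sso.example-bank.test": {"198.51.100.10", "198.51.100.11"},
    "api.example-bank.test": {"198.51.100.20"},
}


@dataclass
class DnsEvent:
    ts: str
    client: str
    resolver: str
    qname: str
    answer: str


def parse_line(line: str) -> DnsEvent:
    """Parse one space-separated event: ts client resolver qname answer."""
    ts, client, resolver, qname, answer = line.split()
    # Normalize the query name: drop the trailing dot, lower-case it.
    return DnsEvent(ts, client, resolver, qname.rstrip(".").lower(), answer)


def evaluate(event: DnsEvent) -> list[str]:
    """Return finding tags for one event; an empty list means nothing suspicious."""
    findings = []
    # Finding 1: the answer was served by a resolver we do not operate.
    if event.resolver not in EXPECTED_RESOLVERS:
        findings.append("unexpected_resolver")
    # Finding 2: a pinned domain resolved to an address we do not own.
    pinned = PINNED_ANSWERS.get(event.qname)
    if pinned is not None and event.answer not in pinned:
        findings.append("answer_mismatch")
    return findings


def scan(lines):
    """Return (event, findings) pairs for every line that raises a finding."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        event = parse_line(line)
        findings = evaluate(event)
        if findings:
            results.append((event, findings))
    return results


# Constructed sample log: two benign lines, one resolver hijack, one poisoned answer.
SAMPLE_LOG = """\
# constructed sample: ts client resolver qname answer
2024-12-07T09:00:01Z 10.0.0.15 192.0.2.53 sso.example-bank.test. 198.51.100.10
2024-12-07T09:00:02Z 10.0.0.15 192.0.2.53 www.example.test. 203.0.113.5
2024-12-07T09:00:03Z 10.0.0.22 203.0.113.99 sso.example-bank.test. 203.0.113.66
2024-12-07T09:00:04Z 10.0.0.31 192.0.2.54 api.example-bank.test. 203.0.113.70
"""

if __name__ == "__main__":
    for event, findings in scan(SAMPLE_LOG.splitlines()):
        print(f"{event.ts} {event.client} {event.qname} -> {event.answer}: "
              + ", ".join(findings))
```

Run as a script, it reports the third line (unexpected resolver and mismatched answer for the SSO domain) and the fourth (the API domain answered from a trusted resolver but with an address outside the pinned set). The second check matters because an adversary who compromises a router or the resolver path itself, as the post describes for Cuttlefish, can return poisoned answers through the resolver you expect; pinning answers for a short list of critical domains catches that case, and the pinned set is what a purple-team exercise should deliberately try to trip so the blue team can confirm the alert fires.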

But operationalizing intelligence requires more than frameworks—it takes structured strategies to bridge gaps between detection and response.

Key strategies for resilience

1. Zero in on adversary behaviors

Focusing on adversary behaviors—not just Indicators of Compromise (IoCs)—is essential for moving from reactive defense to proactive threat mitigation. MITRE ATT&CK provides a structured framework to map TTPs to your organization’s vulnerabilities, turning complex threat data into actionable insights.

By zeroing in on the behaviors that pose the greatest risk, teams can cut through the noise and allocate resources where they’re needed most. This approach ensures defenses are aligned with your unique risk profile and business-critical assets.

Key takeaway: Start by identifying the TTPs most likely to impact your organization. MITRE’s Top 10 TTPs can help new teams establish a solid foundation, while mature organizations should develop Priority Intelligence Requirements (PIRs) tailored to their specific risks and objectives.

2. Bridge silos with purple teaming

Align your offensive and defensive teams to build a unified force against evolving threats. Bridge the divide between red and blue through purple teaming, fostering collaboration, shared understanding, and coordinated strategies tailored to your organization's unique needs and challenges.

This approach goes beyond operational adjustments—it's a mindset shift. Purple teaming focuses on aligning objectives and ensuring both teams work toward the same outcomes. As Barrett Kopel from Hack The Box highlights:

"Purple teams are critical, but they need to be on the same level. If you have a disparity, like a junior red team and a senior blue team, you'll face inefficiencies. Both teams need to speak the same language and understand how to properly execute and capture exploits. This alignment is crucial for solving actual security challenges rather than just overcoming communication barriers."

Key takeaway: Start by adopting purple teaming to unite your red and blue teams under a shared mission. Ensure both teams operate at a similar skill level, and regularly align their expertise through collaborative exercises and joint training sessions, creating a unified defense against emerging threats.

3. Embrace hands-on simulations

Hands-on training is essential for preparing teams to respond effectively to real-world threats.

Through immersive and realistic scenarios, teams can practice mirroring the adversary behaviors most likely to target their organization within a secure, controlled environment. These environments are designed to sharpen skills, stress-test defenses, and build the muscle memory needed to react quickly and confidently when an incident occurs.

Simulated attack exercises take this a step further, helping teams uncover hidden vulnerabilities, measure detection times, and evaluate response strategies. These exercises not only identify blind spots but also guide organizations in prioritizing improvements where they matter most.

As highlighted during the webinar, practicing isn’t just about getting it right—it’s about learning from what can go wrong. Preparing for mistakes allows teams to anticipate unexpected scenarios and address potential gaps before adversaries can exploit them.

Adam Riccitelli further reinforced this idea, emphasizing:

“Hands-on practice creates muscle memory, making it easier to recognize and respond to threats effectively.”

Giacomo Bertollo, Head of Product Marketing at Hack The Box, added:

“Cyber readiness is about practice. Just like athletes, teams must train consistently to build muscle memory and stay prepared.”

Key takeaway: Regularly carry out multi-stage simulations to uncover vulnerabilities, measure response times, and improve team readiness. Leverage post-simulation analysis to identify gaps in response times and defense mechanisms, using these insights to refine future simulations and address targeted weaknesses.

4. Leverage compliance as a catalyst

Turn compliance mandates like DORA and NIS2 into opportunities to bolster your organization's cyber resilience. These requirements aren’t just about ticking boxes—they can guide organizations in refining how they implement and evaluate security controls.

By aligning your threat intelligence program with industry-specific regulations, staying updated with evolving frameworks like MITRE ATT&CK, and integrating regular threat simulations, you can proactively identify and close gaps in your defenses.

As Mo Mohajerani highlighted, compliance frameworks can help reshape the way organizations think about security. In industries like finance, these mandates serve as a foundation for prioritizing cybersecurity strategies and building resilience against evolving threats.

Key takeaway: Use these requirements to prioritize gap assessments, align threat intelligence efforts with regulatory standards, and validate defenses through regular simulations. Shift from viewing compliance as a checkbox exercise to a strategic tool for strengthening organizational resilience.

5. Build a culture of continuous defense

Your defenses are only as strong as your people. Creating a culture of continuous learning and operational readiness ensures teams are equipped to face evolving threats. Foster an environment of adaptation and growth by empowering your teams with the time, resources, and leadership support they need to sharpen their skills and stay ahead of adversaries.

As Barrett Kopel, Solutions Engineer at Hack The Box, emphasized:

"My thing is operational readiness. You have to implement for your institution a culture that allows you time during the workday to just take a knee and get good at this new skill or reinforce this skill that I've had."

Key takeaway: Build a culture that values continuous improvement and readiness by dedicating time and resources for regular upskilling. This approach breaks down silos, promotes collaboration, and ensures your teams have the space to learn and adapt in real time, driving true resilience. For actionable insights, check out this guide on how to build a robust upskilling culture for security teams.

Threat intel is only part of the puzzle

The growing volume of threat intelligence is a challenge—FS organizations must turn that data into actionable defense strategies, tailored to their unique risk profiles and priorities. Simply collecting information is no longer enough; it must be operationalized.

By prioritizing the right threats, breaking down team silos, and fostering continuous learning, organizations can shift from reactive to proactive defense. This approach ensures security measures are not only effective but adaptable to the evolving threat landscape.

True resilience comes from integrating threat intelligence into daily operations—through tactical training, simulations, and cross-team collaboration. Whether using MITRE ATT&CK or aligning with regulatory standards, the goal is to turn intelligence into a dynamic, proactive defense.

Investing in operational readiness and fostering a culture of growth allows FS organizations to shift from reactive defense to an agile, forward-thinking force—prepared for tomorrow’s threats.

Missed the webinar? Catch the full discussion where our panel of cybersecurity experts shared practical strategies for operationalizing MITRE ATT&CK intelligence in financial services. Learn about real-world challenges, new threat actor techniques, and actionable solutions to enhance your defense strategy.

Ready to level up your defense? Hack The Box empowers teams to operationalize threat intelligence with hands-on training, advanced simulations, and collaborative tools. Start your free trial today and take the first step toward a stronger, more resilient defense.
