Final review before publication

center-for-threat-informed-defense · Jul 5, 2024 · 386588f · 386588f
1 parent 6e6879d
commit 386588f
Show file tree

Hide file tree

Showing 9 changed files with 892 additions and 295 deletions.
diff --git a/README.md b/README.md
@@ -1,87 +1,61 @@
 # Threat Modeling with ATT&CK
 
-<!-- TODO Put a one paragraph summary of the project here. -->
-
-Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor
-incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud
-exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure
-dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
-Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt
-mollit anim id est laborum.
+Threat Modeling with ATT&CK defines how to integreate MITRE ATT&CK® into your
+organization’s existing threat modeling methodology. This process is intended for
+universal application to any system or technology stack (large or small) using any
+existing threat modeling methodology like STRIDE, PASTA, or Attack Trees. To demonstrate
+its use and applicability to a wide audience of cybersecurity practitioners, we apply
+this process to a fictional internet-of-things (IOT) system called the Ankle Monitoring
+Predictor of Stroke (AMPS).
 
 **Table Of Contents:**
 
-<!--
-TODO The table of contents should include only h2-h6, NOT h1. The "Markdown All In One"
-extension for VS Code will update the TOC automatically for you:
-https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one
-Set the extension's TOC:Levels setting to "2..6"
--->
-
 - [Getting Started](#getting-started)
 - [Getting Involved](#getting-involved)
 - [Questions and Feedback](#questions-and-feedback)
-- [How Do I Contribute?](#how-do-i-contribute)
 - [Notice](#notice)
 
 ## Getting Started
 
-<!-- TODO Write one paragraph about how users should get started,
-     and update the table of resources below. -->
+Go to the project website to learn all about the Threat Modeling with ATT&CK process,
+including detailed steps for applying the process and comprehensive examples based.
 
-Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor
-incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud
-exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure
-dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
-Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt
-mollit anim id est laborum.
-
-| Resource        | Description              |
-| --------------- | ------------------------ |
-| [Resource 1](#) | Description of resource. |
-| [Resource 2](#) | Description of resource. |
-| [Resource 3](#) | Description of resource. |
+| Resource                                                                                             | Description                                                              |
+| ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ |
+| [Project Website](https://center-for-threat-informed-defense.github.io/threat-modeling-with-attack/) | The project website describes the comprehensive threat modeling process. |
 
 ## Getting Involved
 
-<!-- TODO Add some bullets telling users how to get involved. -->
-
 There are several ways that you can get involved with this project and help
 advance threat-informed defense:
 
-- **Way to get involved 1.** Lorem ipsum dolor sit amet, consectetur adipiscing elit,
-  sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
-- **Way to get involved 2.** Ut enim ad minim veniam, quis nostrud exercitation ullamco
-  laboris nisi ut aliquip ex ea commodo consequat.
-- **Way to get involved 3.** Duis aute irure dolor in reprehenderit in voluptate velit
-  esse cillum dolore eu fugiat nulla pariatur.
+- **Read the Threat Modeling process.** Read the detailed process defined by this
+  project and learn how to apply it by following through the realistic examples.
+- **Apply Threat Modeling to your own projects.** Put the project into action by using
+  it to conduct your next threat modeling exercise.
+- **Spread the word.** Provide feedback to us regarding the usefulness of the project
+  and share the word with your peers and colleagues in the industry.
 
 ## Questions and Feedback
 
-Please submit issues for any technical questions/concerns or contact
+Please submit [issues on
+GitHub](https://github.com/center-for-threat-informed-defense/threat-modeling-with-attack/issues)
+for any technical questions or requests. You may also contact
 [ctid@mitre-engenuity.org](mailto:ctid@mitre-engenuity.org?subject=Question%20about%20threat-modeling-with-attack)
-directly for more general inquiries.
-
-Also see the guidance for contributors if are you interested in contributing or simply
-reporting issues.
-
-## How Do I Contribute?
-
-We welcome your feedback and contributions to help advance
-Threat Modeling with ATT&CK. Please see the guidance for contributors if are you
-interested in [contributing or simply reporting issues.](/CONTRIBUTING.md)
+directly for more general inquiries about the Center for Threat-Informed Defense.
 
-Please submit
-[issues](https://github.com/center-for-threat-informed-defense/threat-modeling-with-attack/issues) for
-any technical questions/concerns or contact
-[ctid@mitre-engenuity.org](mailto:ctid@mitre-engenuity.org?subject=subject=Question%20about%20threat-modeling-with-attack)
-directly for more general inquiries.
+We welcome your contributions to help advance Threat Modeling with ATT&CK in the form of
+[pull
+requests](https://github.com/center-for-threat-informed-defense/threat-modeling-with-attack/pulls).
+Please review the [contributor
+notice](https://github.com/center-for-threat-informed-defense/threat-modeling-with-attack/blob/main/CONTRIBUTING.md)
+before making a pull request.
 
 ## Notice
 
 <!-- TODO Add PRS prior to publication. -->
 
-Copyright 2024 MITRE Engenuity. Approved for public release. Document number REPLACE_WITH_PRS_NUMBER
+© 2024 MITRE Engenuity. Approved for public release. Document number(s) REPLACE_WITH_PRS_NUMBER.
 
 Licensed under the Apache License, Version 2.0 (the "License"); you may not use this
 file except in compliance with the License. You may obtain a copy of the License at

diff --git a/docs/additional-resources.rst b/docs/additional-resources.rst
@@ -6,10 +6,19 @@ Additional Resources
 Cyber Threat Intelligence Resources
 -----------------------------------
 
-Leveraging existing CTI allows you to develop known attack vectors that could be used against your system. There are many resources for CTI data and this appendix is made to refence a few that we have found useful.
+Leveraging existing CTI allows you to develop known attack vectors that could be used
+against your system. There are many resources for CTI data and this appendix is made to
+refence a few that we have found useful.
 
-*	The Center’s `Sightings Ecosystem <https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/sightings-ecosystem/>`_ project is an example of data that can be leveraged throughout this process to help identify, or highlight, commonly seen TTPs. At the time of publish, the work consists of over 1.6 million sightings of 353 unique techniques from almost 200 countries.
-*	Many venders publish opensource reports on blogs or their websites. Monitor these sources for new/relevant reports.  Attack Flow created best practices for selecting open-source reports and this can be beneficial during this step:
+*	The Center’s `Sightings Ecosystem
+ 	<https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/sightings-ecosystem/>`_
+ 	project is an example of data that can be leveraged throughout this process to help
+ 	identify, or highlight, commonly seen TTPs. At the time of publish, the work
+ 	consists of over 1.6 million sightings of 353 unique techniques from almost 200
+ 	countries.
+*	Many venders publish opensource reports on blogs or their websites. Monitor these
+ 	sources for new/relevant reports.  Attack Flow created best practices for selecting
+ 	open-source reports and this can be beneficial during this step:
 
 .. important::
     * Reports should be transparent about where the data originates and provide a technically competent overview of an incident.
@@ -19,9 +28,17 @@ Leveraging existing CTI allows you to develop known attack vectors that could be
     * Reports should distinguish between facts, assumptions, and analytical assessments.
     * When available, use attribution and targeting information from reports to enrich your attack flows.
 
-*	When it comes to researching CTI for embedded systems, MITRE developed a publicly available knowledge base called `EMB3D <https://emb3d.mitre.org/properties-list/>`_. This is a great resource for both theory and evidence. Start by down selecting by embedded system property and read through the various threats to each.
+*	When it comes to researching CTI for embedded systems, MITRE developed a publicly
+ 	available knowledge base called `EMB3D <https://emb3d.mitre.org/properties-list/>`_.
+ 	This is a great resource for both theory and evidence. Start by down selecting by
+ 	embedded system property and read through the various threats to each.
 
-It is a good idea to have a central location/repository for all your CTI data. This can be a spreadsheet or a threat intelligence platform (TIP) like OpenCTI (see example data below for FIN7). There are many TIP out there that will do to research work for you – automatically pulling in the latest vender reports. Some TIPs will even auto-parse the data in reports for you. Be sure to spot check any automated report parsing for accuracy.
+It is a good idea to have a central location/repository for all your CTI data. This can
+be a spreadsheet or a threat intelligence platform (TIP) like OpenCTI (see example data
+below for FIN7). There are many TIP out there that will do to research work for you –
+automatically pulling in the latest vender reports. Some TIPs will even auto-parse the
+data in reports for you. Be sure to spot check any automated report parsing for
+accuracy.
 
 Attack Flow
 -----------
@@ -30,13 +47,27 @@ Attack Flow
 
      <iframe width="560" height="315" src="https://www.youtube.com/embed/h_BC6QMWDbA?si=Abpy35U4SYKMYUeE" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
 
+.. TODO were they planning to put a video here? we don't have an attack flow youtube
 
 |
 
 Emulation Tools Mapped to ATT&CK
 --------------------------------
-There are existing processes or data sources you can leverage to answer these questions. Perhaps your organization has a process for system risk acceptance, or you actively track system patches and compliance metrics.
 
-Alternatively, you can stress test your system by subjecting it to some type of security assessment. This can be accomplished through an internal or external team emulating adversary behavior. Short of a full red teaming exercise, existing resources such as `Caldera <https://caldera.mitre.org>`_ integrate directly with MITRE ATT&CK and can be used as part of attack simulation exercises. Other tools, like the `Atomic Red Team <https://atomicredteam.io>`_, detail tests tied to specific ATT&CK techniques that can be performed on your system to evaluate the strength of your mitigations.
+There are existing processes or data sources you can leverage to answer these questions.
+Perhaps your organization has a process for system risk acceptance, or you actively
+track system patches and compliance metrics.
 
-These can all inform your secondary review and give you the answers you need. From this secondary review, you’ll be able to ensure that your mitigations are sufficiently tailored to your system as it evolves with time.
+Alternatively, you can stress test your system by subjecting it to some type of security
+assessment. This can be accomplished through an internal or external team emulating
+adversary behavior. Short of a full red teaming exercise, existing resources such the
+`Adversary Emulation Library
+<https://github.com/center-for-threat-informed-defense/adversary_emulation_library/>`_
+and `Caldera <https://caldera.mitre.org>`_ integrate directly with MITRE ATT&CK and can
+be used as part of attack simulation exercises. Other tools, like the `Atomic Red Team
+<https://atomicredteam.io>`_, detail tests tied to specific ATT&CK techniques that can
+be performed on your system to evaluate the strength of your mitigations.
+
+These can all inform your secondary review and give you the answers you need. From this
+secondary review, you’ll be able to ensure that your mitigations are sufficiently
+tailored to your system as it evolves with time.
diff --git a/docs/cheat-sheet.rst b/docs/cheat-sheet.rst
@@ -2,7 +2,10 @@ Condensed Process
 =================
 
 .. note::
-    This Condensed Process should only be used if your team has limited time to conduct threat modeling (days instead of weeks). Before using, please review Questions 1 through 4 of the uncondensed process.
+
+  This Condensed Process should only be used if your team has limited time to conduct
+  threat modeling (days instead of weeks). Before using, please review Questions 1
+  through 4 of the uncondensed process.
 
 :ref:`Question 1`
 -------------------
@@ -16,7 +19,8 @@ Condensed Process
 
 Develop a top-level Dataflow Diagram for your system
 
-Identify critical components and dataflows that, when impacted, would result in mission failure
+Identify critical components and dataflows that, when impacted, would result in mission
+failure
 
 :ref:`Question 2`
 -------------------
@@ -50,7 +54,8 @@ Implement the mitigations listed within the ATT&CK page for each brainstormed TT
 
 	**OR**
 
-Implement the NIST 800-53 controls for each brainstormed TTP using the MITRE Engenuity Mappings Explorer
+Implement the NIST 800-53 controls for each brainstormed TTP using the MITRE Engenuity
+Mappings Explorer
 
 .. figure:: /_static/condensedprocess4.png
   :alt: Mappings Explorer Outline
@@ -70,5 +75,6 @@ Implement the NIST 800-53 controls for each brainstormed TTP using the MITRE Eng
 
   Reevaluate
 
-Periodically repeat this process to evaluate your existing mitigations and make sure they are in sync with the development of your system.
+Periodically repeat this process to evaluate your existing mitigations and make sure
+they are in sync with the development of your system.
 
diff --git a/docs/index.rst b/docs/index.rst
@@ -3,20 +3,24 @@ Threat Modeling with ATT&CK |version|
 
 .. figure:: /_static/projectphoto.png
   :alt: Project Photo
-  :scale: 30%
+  :scale: 40%
   :align: center
 
 |
 
-Threat Modeling with ATT&CK provides a recommended approach that integrates the common language that security operations teams rely upon - `MITRE ATT&CK® <https://attack.mitre.org/>`_ - into their organization’s threat modeling practices. Creating an approach to threat modeling that integrates ATT&CK enables cyber defenders to focus on the activity of threat modeling with a clear, consistent understanding of adversary behaviors and tailor defensive investments to mitigate threats related to their systems or environments.
-At the core of this approach are four key questions, outlined in the `Threat Modeling Manifesto <https://www.threatmodelingmanifesto.org/>`_, that we need to answer:
-
-* Question 1: What are we working on?
-* Question 2: What could go wrong?
-* Question 3: What are we going to do about it?
-* Question 4: Did we do a good job?
-
-This project is created and maintained by `MITRE Engenuity Center for Threat-Informed Defense (Center) <https://ctid.mitre-engenuity.org/>`_ and is funded by our `research participants <https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/threat-modeling-with-attack/>`_, in furtherance of our mission to advance the state of the art and the state of the practice in threat-informed defense globally. This work builds upon The MITRE Corporation’s `Playbook for Threat Modeling Medical Devices <https://www.mitre.org/sites/default/files/2021-11/Playbook-for-Threat-Modeling-Medical-Devices.pdf>`_ by applying this integrated threat modeling approach to the fictional medical device created under that project.
+Threat Modeling with ATT&CK provides a recommended approach that integrates `MITRE
+ATT&CK® <https://attack.mitre.org/>`_ – the common language that security operations
+teams rely upon – into their organization’s threat modeling practices. The ATT&CK
+integration enables cyber defenders to focus on the activity of threat modeling with a
+clear, consistent understanding of adversary behaviors and tailor defensive investments
+to mitigate threats related to their systems or environments.
+
+This project is created and maintained by `MITRE Engenuity Center for Threat-Informed
+Defense (Center) <https://ctid.mitre-engenuity.org/>`_ and is funded by our `research
+participants
+<https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/TODO/>`_,
+in furtherance of our mission to advance the state of the art and the state of the
+practice in threat-informed defense globally.
 
 .. toctree::
     :maxdepth: 2