initial draft

commit 578909c (1 parent: eb026cb)
Showing 14 changed files with 1,256 additions and 13 deletions.
@@ -0,0 +1,12 @@ | ||
Acknowledgements | ||
================ | ||
|
||
The Threat Modeling with ATT&CK team includes: | ||
|
||
* Ben Ballard | ||
* Tiffany Bergeron | ||
* Mike Cunningham | ||
* Mark Hasse | ||
* Courtney Hassenfeldt | ||
* Tyler Schechter | ||
* Dr. Kyle Wallace |
@@ -0,0 +1,22 @@ | ||
Additional Resources | ||
==================== | ||
|
||
Add appendix here? | ||
|
||
Cyber Threat Intelligence Resources | ||
----------------------------------- | ||
|
||
Leveraging existing CTI allows you to develop known attack vectors that could be used against your system. There are many resources for CTI data and this appendix is made to refence a few that we have found useful. | ||
|
||
* The Center’s Sightings Ecosystem (https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/sightings-ecosystem/) project is an example of data that can be leveraged throughout this process to help identify, or highlight, commonly seen TTPs. At the time of publish, their work consists of over 1.6 million sightings of 353 unique techniques from almost 200 countries. | ||
* Many venders publish opensource reports on blogs or their websites. Monitor these sources for new/relevant reports. Attack Flow created best practices for selecting open-source reports and this can be beneficial during this step: | ||
* “* Reports should be transparent about where the data originates and provide a technically competent overview of an incident. | ||
* Reports should originate from a vendor with a track record of accurate reporting and first-hand analysis of the incident in question. | ||
* Reports should provide the most current information on the malware or breach. | ||
* Reports should make it easy to identify any information gaps. Use multiple sources to address gaps and corroborate the data, if possible. | ||
* Reports should distinguish between facts, assumptions, and analytical assessments. | ||
* When available, use attribution and targeting information from reports to enrich your attack flows.” | ||
* When it comes to researching CTI for embedded systems, MITRE developed a publicly available knowledge base called EMB3D. This is a great resource for both theory and evidence. Start by down selecting by embedded system property and read through the various threats to each. | ||
|
||
It is a good idea to have a central location/repository for all your CTI data. This can be a spreadsheet or a threat intelligence platform (TIP) like OpenCTI (see example data below for FIN7). There are many TIP out there that will do to research work for you – automatically pulling in the latest vender reports. Some TIPs will even auto-parse the data in reports for you. Be sure to spot check any automated report parsing for accuracy. | ||
|
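Review bot: the placeholder "Add appendix here?" near the top of this hunk and the parenthetical "(see example data below for FIN7)" in the closing paragraph both point at content that is not in this file; either add the appendix text and the FIN7 OpenCTI example or drop both references before this ships. The same text has several typos to fix: "refence" -> "reference", "venders" -> "vendors" (twice), "opensource" -> "open-source", "There are many TIP out there that will do to research work" -> "There are many TIPs out there that will do the research work". The quoted Attack Flow best-practices list opens with a stray "*" inside the opening quotation mark and has no link to its source; cite the Attack Flow page so readers can check the quote.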
@@ -0,0 +1,51 @@ | ||
Other Center Projects | ||
===================== | ||
|
||
`CTI Blueprints <https://github.com/center-for-threat-informed-defense/cti-blueprints/wiki>`__ - *June 2023* | ||
This project developed an approach and prototype tool for creating narrative cyber | ||
threat intel reports that analysts need in the form they need them. Reports produced | ||
using CTI Blueprints include structured STIX content, are tagged with ATT&CK reference, | ||
and enable operational defensive cyber analysis, analytics testing, and adversary | ||
emulation. We will establish a new normal for cyber threat intelligence. Producers will | ||
create actionable intelligence for their consumers, and consumers will take specific | ||
threat-informed action. | ||
|
||
`Defending IAAS with ATT&CK <https://center-for-threat-informed-defense.github.io/defending-iaas-with-attack/>`__ - *November 2022* | ||
Defending IaaS with ATT&CK developed an ATT&CK matrix that enables users to easily | ||
understand and work with the techniques applicable to Infrastructure-as-a-Service | ||
(IaaS) environments, regardless of whether the attacks target the cloud management | ||
layer, the container technology, or the hosted infrastructure. The project also | ||
developed documentation and tools to simplify creating overlays for other domains | ||
like Industrial Control Systems (ICS) or Operational Technology (OT). | ||
|
||
`Sensor Mappings <https://github.com/center-for-threat-informed-defense/sensor-mappings-to-attack>`__ – *December 2023* | ||
The Sensor Mappings to ATT&CK Project (SMAP) is a collection of resources to assist | ||
security operations teams and security leaders with understanding which tools, | ||
capabilities, and events can help provide visibility into real-world adversary | ||
behaviors potentially occurring in their environments. SMAP builds on MITRE ATT&CK® | ||
Data Sources by connecting the conceptual data source representations of information | ||
that can be collected to concrete logs, sensors, and other security capabilities | ||
that provide that type of data. | ||
|
||
`Sightings Ecosystem <https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/sightings-ecosystem/>`__ - *February 2022* | ||
This project provides cybersecurity defenders and researchers with critical insight | ||
into real-world, in the wild adversary behaviors mapped to ATT&CK. The ecosystem | ||
aims to fundamentally advance the collective ability to see threat activity across | ||
organizational, platform, vendor and geographical boundaries. Voluntarily | ||
contributed raw “sightings”, or observations, of specific adversary TTPs are mapped | ||
to ATT&CK, anonymized, and aggregated to produce intelligence describing insights | ||
from that data. | ||
|
||
`Summiting The Pyramid <https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/>`__ – *September 2023* | ||
Many analytics are dependent on specific tools or artifacts. Adversaries can easily | ||
evade these with low-cost changes that exploit the dependencies. This project | ||
developed a method to evaluate analytics relative to the adversary’s cost to evade. | ||
We further created approaches and tips for defenders to make their analytics less | ||
evadable. We demonstrated the methodology with a core set of analytics. | ||
|
||
`Threat Report ATT&CK Mapper <https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/threat-report-attck-mapper-tram/>`__ - *August 2023* | ||
Many analytics are dependent on specific tools or artifacts. Adversaries can easily | ||
evade these with low-cost changes that exploit the dependencies. This project | ||
developed a method to evaluate analytics relative to the adversary’s cost to evade. | ||
We further created approaches and tips for defenders to make their analytics less | ||
evadable. We demonstrated the methodology with a core set of analytics. |
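Review bot: the Threat Report ATT&CK Mapper entry at the end of this hunk repeats the Summiting the Pyramid description word for word ("Many analytics are dependent on specific tools or artifacts..."), so the appendix currently describes the wrong project under TRAM; replace it with TRAM's own summary. Smaller points: the link text "Defending IAAS with ATT&CK" should match the "IaaS" capitalization used in its own body text; the separator after the link titles alternates between "-" and an en dash, so pick one; and "tagged with ATT&CK reference" should read "references".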
@@ -0,0 +1,3 @@ | ||
Future Work | ||
=========== | ||
Here we can add any possible future work |
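Review bot: "Here we can add any possible future work" is an authoring note, not content; either list the planned follow-on work here or leave this file out of the index until it has something to say, since a bare placeholder renders verbatim in the published docs.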
@@ -1,15 +1,37 @@ | ||
Introduction | ||
============ | ||
The process outlined in this paper details our recommended approach to integrating | ||
ATT&CK into your organization’s existing threat modeling methodology. At the core of | ||
this approach are four key questions, outlined in the Threat Modeling Manifesto, that | ||
we need to answer: | ||
|
||
.. TODO Add any chapters you wish as separate *.rst files that are referenced in the | ||
index.rst. This file can contain an introduction if you want, or delete it and | ||
create other chapters. | ||
* Question 1: What are we working on? | ||
* Question 2: What could go wrong? | ||
* Question 3: What are we going to do about it? | ||
* Question 4: Did we do a good job? | ||
|
||
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor | ||
incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud | ||
exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure | ||
dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. | ||
Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt | ||
mollit anim id est laborum. | ||
This process is intended for universal application to any system or technology stack | ||
(large or small) using any existing threat modeling methodology like STRIDE, PASTA, | ||
or Attack Trees. To demonstrate its use and applicability to a wide audience of | ||
cybersecurity practitioners, we apply this process to a fictional internet of things | ||
(IOT) system called the Ankle Monitoring Predictor of Stroke (AMPS). The fictional AMPS | ||
device gives the wearer and their healthcare providers indications and warnings of a | ||
stroke. The systems and subsystems that make up this device are modeled after a popular | ||
commercially available IOT device and intentionally chosen for their mobile/cloud-based | ||
dependencies. This broad application to a system spanning mobile and enterprise | ||
environments allows readers to visualize how this process could be applied to their | ||
problem sets. Examples throughout this paper are from the perspective of a security | ||
team working for the AMPS manufacturer. They have been tasked with modeling threats | ||
to the AMPS. | ||
|
||
TESTING: preview builds | ||
Using the process described throughout this paper, we identify critical | ||
components of the AMPS, prioritize threats to those components, and recommend mitigations. Threat | ||
modeling with ATT&CK allows us to leverage data from the Cyber Threat Intelligence | ||
(CTI) community and significantly improve our results in Questions 2 and 3. The below | ||
graphic is an overview of our recommended process to answer these questions. We will | ||
break down our means of answering each question in further detail throughout the paper. | ||
|
||
.. note:: | ||
|
||
The process will be accompanied by an example of a ficticious health device (AMPS). | ||
Detailed examples will be available in collapsed sections throughout the process. |
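Review bot: the rendered diff drops the +/- markers, so it is not visible whether the ".. TODO" comment block, the lorem ipsum paragraph and the line "TESTING: preview builds" are being removed or added in this hunk; please confirm none of them survive in the new file, as any of them rendering in the published introduction would be an obvious draft artifact. "The below graphic is an overview of our recommended process" refers to a figure, but no image or figure directive appears in this hunk, so the reference dangles unless the figure is added. Minor: "ficticious" -> "fictitious" in the note directive, and "IOT" -> "IoT" (three occurrences), consistent with the expansion "internet of things" used in the same paragraph.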