Update 6/4

Update to graphics, pages, and video placeholders

docs/Graphics/csvExample.csv

@@ -0,0 +1,44 @@
+Reconnaissance,,Resource Development,Initial Access,Execution,Persistence,Privilege Escalation,,Defense Evasion,Credential Access,,Discovery,Lateral Movement,Collection,Command and Control,Exfiltration,Impact
+Active Scanning,Scanning IP Blocks,Acquire Access,Content Injection,Cloud Administration Command,Account Manipulation,Abuse Elevation Control Mechanism,,Abuse Elevation Control Mechanism,Adversary-in-the-Middle,,Account Discovery,Exploitation of Remote Services,Adversary-in-the-Middle,Application Layer Protocol,Automated Exfiltration,Account Access Removal
+,Vulnerability Scanning,Acquire Infrastructure,Drive-by Compromise,Command and Scripting Interpreter,BITS Jobs,Access Token Manipulation,,Access Token Manipulation,Brute Force,Credential Stuffing,Application Window Discovery,Internal Spearphishing,Archive Collected Data,Communication Through Removable Media,Data Transfer Size Limits,Data Destruction
+,Wordlist Scanning,Compromise Accounts,Exploit Public-Facing Application,Container Administration Command,Boot or Logon Autostart Execution,Account Manipulation,Additional Cloud Credentials,BITS Jobs,,Password Cracking,Browser Information Discovery,Lateral Tool Transfer,Audio Capture,Content Injection,Exfiltration Over Alternative Protocol,Data Encrypted for Impact
+Gather Victim Host Information,,Compromise Infrastructure,External Remote Services,Deploy Container,Boot or Logon Initialization Scripts,,Additional Cloud Roles,Build Image on Host,,Password Guessing,Cloud Infrastructure Discovery,Remote Service Session Hijacking,Automated Collection,Data Encoding,Exfiltration Over C2 Channel,Data Manipulation
+Gather Victim Identity Information,,Develop Capabilities,Hardware Additions,Exploitation for Client Execution,Browser Extensions,,Additional Container Cluster Roles,Debugger Evasion,,Password Spraying,Cloud Service Dashboard,Remote Services,Browser Session Hijacking,Data Obfuscation,Exfiltration Over Other Network Medium,Defacement
+Gather Victim Network Information,DNS,Establish Accounts,Phishing,Inter-Process Communication,Compromise Host Software Binary,,Additional Email Delegate Permissions,Deobfuscate/Decode Files or Information,Credentials from Password Stores,,Cloud Service Discovery,Replication Through Removable Media,Clipboard Data,Dynamic Resolution,Exfiltration Over Physical Medium,Disk Wipe
+,Domain Properties,Obtain Capabilities,Replication Through Removable Media,Native API,Create Account,,Device Registration,Deploy Container,Exploitation for Credential Access,,Cloud Storage Object Discovery,Software Deployment Tools,Data from Cloud Storage,Encrypted Channel,Exfiltration Over Web Service,Endpoint Denial of Service
+,IP Addresses,Stage Capabilities,Supply Chain Compromise,Scheduled Task/Job,Create or Modify System Process,,SSH Authorized Keys,Direct Volume Access,Forced Authentication,,Container and Resource Discovery,Taint Shared Content,Data from Configuration Repository,Fallback Channels,Scheduled Transfer,Financial Theft
+,Network Security Appliances,,Trusted Relationship,Serverless Execution,Event Triggered Execution,Boot or Logon Autostart Execution,,Domain or Tenant Policy Modification,Forge Web Credentials,,Debugger Evasion,Use Alternate Authentication Material,Data from Information Repositories,Hide Infrastructure,Transfer Data to Cloud Account,Firmware Corruption
+,Network Topology,,Valid Accounts,Shared Modules,External Remote Services,Boot or Logon Initialization Scripts,,Execution Guardrails,Input Capture,,Device Driver Discovery,,Data from Local System,Ingress Tool Transfer,,Inhibit System Recovery
+,Network Trust Dependencies,,,Software Deployment Tools,Hijack Execution Flow,Create or Modify System Process,,Exploitation for Defense Evasion,Modify Authentication Process,,Domain Trust Discovery,,Data from Network Shared Drive,Multi-Stage Channels,,Network Denial of Service
+Gather Victim Org Information,Business Relationships,,,System Services,Implant Internal Image,Domain or Tenant Policy Modification,,File and Directory Permissions Modification,Multi-Factor Authentication Interception,,File and Directory Discovery,,Data from Removable Media,Non-Application Layer Protocol,,Resource Hijacking
+,Determine Physical Locations,,,User Execution,Modify Authentication Process,Escape to Host,,Hide Artifacts,Multi-Factor Authentication Request Generation,,Group Policy Discovery,,Data Staged,Non-Standard Port,,Service Stop
+,Identify Business Tempo,,,Windows Management Instrumentation,Office Application Startup,Event Triggered Execution,,Hijack Execution Flow,Network Sniffing,,Log Enumeration,,Email Collection,Protocol Tunneling,,System Shutdown/Reboot
+,Identify Roles,,,,Power Settings,Exploitation for Privilege Escalation,,Impair Defenses,OS Credential Dumping,,Network Service Discovery,,Input Capture,Proxy,,
+Phishing for Information,,,,,Pre-OS Boot,Hijack Execution Flow,,Impersonation,Steal Application Access Token,,Network Share Discovery,,Screen Capture,Remote Access Software,,
+Search Closed Sources,,,,,Scheduled Task/Job,Process Injection,,Indicator Removal,Steal or Forge Authentication Certificates,,Network Sniffing,,Video Capture,Traffic Signaling,,
+Search Open Technical Databases,,,,,Server Software Component,Scheduled Task/Job,,Indirect Command Execution,Steal or Forge Kerberos Tickets,,Password Policy Discovery,,,Web Service,,
+Search Open Websites/Domains,,,,,Traffic Signaling,Valid Accounts,,Masquerading,Steal Web Session Cookie,,Peripheral Device Discovery,,,,,
+Search Victim-Owned Websites,,,,,Valid Accounts,,,Modify Authentication Process,Unsecured Credentials,Bash History,Permission Groups Discovery,,,,,
+,,,,,,,,Modify Cloud Compute Infrastructure,,Chat Messages,Process Discovery,,,,,
+,,,,,,,,Modify Registry,,Cloud Instance Metadata API,Query Registry,,,,,
+,,,,,,,,Modify System Image,,Container API,Remote System Discovery,,,,,
+,,,,,,,,Network Boundary Bridging,,Credentials In Files,Software Discovery,,,,,
+,,,,,,,,Obfuscated Files or Information,,Credentials in Registry,System Information Discovery,,,,,
+,,,,,,,,Plist File Modification,,Group Policy Preferences,System Location Discovery,,,,,
+,,,,,,,,Pre-OS Boot,,Private Keys,System Network Configuration Discovery,,,,,
+,,,,,,,,Process Injection,,,System Network Connections Discovery,,,,,
+,,,,,,,,Reflective Code Loading,,,System Owner/User Discovery,,,,,
+,,,,,,,,Rogue Domain Controller,,,System Service Discovery,,,,,
+,,,,,,,,Rootkit,,,System Time Discovery,,,,,
+,,,,,,,,Subvert Trust Controls,,,Virtualization/Sandbox Evasion,,,,,
+,,,,,,,,System Binary Proxy Execution,,,,,,,,
+,,,,,,,,System Script Proxy Execution,,,,,,,,
+,,,,,,,,Template Injection,,,,,,,,
+,,,,,,,,Traffic Signaling,,,,,,,,
+,,,,,,,,Trusted Developer Utilities Proxy Execution,,,,,,,,
+,,,,,,,,Unused/Unsupported Cloud Regions,,,,,,,,
+,,,,,,,,Use Alternate Authentication Material,,,,,,,,
+,,,,,,,,Valid Accounts,,,,,,,,
+,,,,,,,,Virtualization/Sandbox Evasion,,,,,,,,
+,,,,,,,,Weaken Encryption,,,,,,,,
+,,,,,,,,XSL Script Processing,,,,,,,,

docs/additional-resources.rst

@@ -1,16 +1,16 @@
 Additional Resources
 ====================
 
-Add appendix here?
-
 Cyber Threat Intelligence Resources
 -----------------------------------
 
 Leveraging existing CTI allows you to develop known attack vectors that could be used against your system. There are many resources for CTI data and this appendix is made to refence a few that we have found useful.
 
-*	The Center’s Sightings Ecosystem (https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/sightings-ecosystem/) project is an example of data that can be leveraged throughout this process to help identify, or highlight, commonly seen TTPs. At the time of publish, their work consists of over 1.6 million sightings of 353 unique techniques from almost 200 countries.
+*	The Center’s Sightings Ecosystem (https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/sightings-ecosystem/) project is an example of data that can be leveraged throughout this process to help identify, or highlight, commonly seen TTPs. At the time of publish, the work consists of over 1.6 million sightings of 353 unique techniques from almost 200 countries.
 *	Many venders publish opensource reports on blogs or their websites. Monitor these sources for new/relevant reports.  Attack Flow created best practices for selecting open-source reports and this can be beneficial during this step:
-    * “* Reports should be transparent about where the data originates and provide a technically competent overview of an incident.
+
+.. important::
+    * “Reports should be transparent about where the data originates and provide a technically competent overview of an incident.
     * Reports should originate from a vendor with a track record of accurate reporting and first-hand analysis of the incident in question.
     * Reports should provide the most current information on the malware or breach.
     * Reports should make it easy to identify any information gaps. Use multiple sources to address gaps and corroborate the data, if possible.

docs/cheat-sheet.rst

@@ -0,0 +1,33 @@
+Cheat Sheet
+==========
+.. note::
+    This cheat sheet can be used to save time throughout the threat modeling process outlined, but is it important to understand the full process prior to choosing this version. Please review Questions 1 through 4 before choosing this route.
+
+What are we working on?
+-----------------------
+
+* Develop a top level DFD for your system
+* Identify critical components
+
+What could go wrong?
+--------------------
+
+* Analyze your DFD using a simple attack tree or STRIDE
+* Brainstorm ATT&CK TTPs that could be used to attack the critical components within your DFD
+
+    * Gather ideas from TTPs used against your tech platform previously- see ATT&CK matrix and down select by platform 
+* Quick search through existing security stack for ability to defend against these brainstormed TTPs
+
+What are we going to do about it?
+---------------------------------
+
+* Implement the mitigations listed within the ATT&CK page for each TTP
+
+    **OR**
+
+* Implement the NIST 800-53 controls for each TTP using the MITRE Engenuity Mappings Explorer
+
+Did we do a good job?
+---------------------
+
+* Periodically repeat this process to evaluate your existing mitigations and make sure they are in sync with the development of your system.

docs/index.rst

@@ -19,10 +19,8 @@ mollit anim id est laborum.
     question-2
     question-3
     question-4
+    cheat-sheet
     additional-resources
-    future-work
-    acknowledgements
-    center-projects
 
 
 Notice

docs/introduction.rst

@@ -1,5 +1,9 @@
 Introduction
 ============
+.. figure:: /Graphics/introGraphic.png
+    :scale: 75%
+    :align: center
+|
 The process outlined in this paper details our recommended approach to integrating
 ATT&CK into your organization’s existing threat modeling methodology. At the core of
 this approach are four key questions, outlined in the Threat Modeling Manifesto, that

docs/question-1.rst

@@ -1,6 +1,9 @@
 Question 1: What are we working on?
 ===================================
-
+.. figure:: /Graphics/question1Graphic.png
+    :scale: 75%
+    :align: center
+|
 Question 1 enables the identification and analysis of the primary and secondary
 function(s) of the system. It identifies critical tasks that must be performed for the
 system to successfully accomplish its function(s) and highlights the resources those
@@ -123,16 +126,20 @@ At this stage, we want to determine: What is the ultimate purpose of the system?
 It’s here that we’ll invoke our fictional example device: the Ankle Monitoring Predictor of Stroke (AMPS). This made up IoT device is pulled straight from MITRE’s Playbook for Threat Modeling Medical Devices. In our scenario, this device is meant to be worn by a patient who is at increased risk of experiencing a stroke. By wearing the device throughout the day, the patient and their doctor can monitor for indicators of an imminent stroke via a companion app on the patient’s phone and readings uploaded to the AMPS cloud service each day.
 As a security team evaluating the AMPS for its manufacturer, we identified that a core mission objective of the AMPS’s is to collect and share patient health data in an accurate and secure manner. Because of the sensitive nature of the health data collected and shared by the AMPS, which includes location data to guide an emergency response in the event of a stroke, the AMPS device should effectively protect the confidentiality of that data.
 
-.. image:: Graphics/Picture1.png
-   :alt: Mission and System Decomposition
-   :height: 48px
-   :width: 24px
+.. figure:: /Graphics/3.png
+    :scale: 50%
+    :align: right
+
 
 Step 2: Identify Operational Tasks (Cross Functional Flow Chart)
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 **Goal:** Planning your routes
 Next, leverage the knowledge pooled from stakeholders to determine the different operational sub-systems that contribute to the system’s primary purpose identified in Step 1. An Analytic Hierarchy Process (AHP) can be used to weigh the importance of different operational systems. Ask yourself, what are the operational tasks that must be executed to perform that function? These are also known as Mission Essential Functions (MEFs). To visualize these MEFs, we recommend using a cross functional flow chart like the one below for the AMPS.
 
+.. figure:: /Graphics/4.png
+    :scale: 75%
+    :align: center
+|
 Part 3: System Decomposition - Identify system processes by mapping operational tasks to system functions (Data Flow Diagram)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 **Goal:** Mapping your routes through the system
@@ -147,6 +154,13 @@ There are multiple ways to design a DFD but we recommend the DFD3 standard. Begi
 
 From these questions, start to draw your diagram and gradually add additional components and sub-systems to the DFD depending on scope and time. Start at a high-level and work your way down as seen in the below AMPS examples. Ultimately, these datapoints should come together to form a comprehensive map of your system.
 
+.. figure:: /Graphics/5.png
+    :scale: 70%
+    :align: left
+.. figure:: /Graphics/6.png
+    :scale: 50%
+    :align: right
+|
 
 Step 4: Determine which system functions are associated with distinct operational tasks.
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -176,3 +190,12 @@ Now that you’ve done mission and system decomposition, you should have a much
 * What are downstream effects of taking each cyber asset offline?
 
 In the example below, we’ve identified critical assets/components of the AMPS using our DFD, highlighting them in gold.
+
+.. figure:: /Graphics/7.png
+    :scale: 70%
+    :align: left
+
+.. figure:: /Graphics/8.png
+    :scale: 70%
+    :align: right
+