Commit

added additional resources
courtneyhasss committed Jun 21, 2024
1 parent 5225cf4 commit db6d1f5
Showing 1 changed file with 10 additions and 2 deletions.
12 changes: 10 additions & 2 deletions docs/additional-resources.rst
Expand Up @@ -12,12 +12,12 @@ Leveraging existing CTI allows you to develop known attack vectors that could be
* Many venders publish opensource reports on blogs or their websites. Monitor these sources for new/relevant reports. Attack Flow created best practices for selecting open-source reports and this can be beneficial during this step:

.. important::
* Reports should be transparent about where the data originates and provide a technically competent overview of an incident.
* Reports should be transparent about where the data originates and provide a technically competent overview of an incident.
* Reports should originate from a vendor with a track record of accurate reporting and first-hand analysis of the incident in question.
* Reports should provide the most current information on the malware or breach.
* Reports should make it easy to identify any information gaps. Use multiple sources to address gaps and corroborate the data, if possible.
* Reports should distinguish between facts, assumptions, and analytical assessments.
* When available, use attribution and targeting information from reports to enrich your attack flows.
* When available, use attribution and targeting information from reports to enrich your attack flows.

* When it comes to researching CTI for embedded systems, MITRE developed a publicly available knowledge base called `EMB3D <https://emb3d.mitre.org/properties-list/>`_. This is a great resource for both theory and evidence. Start by down selecting by embedded system property and read through the various threats to each.
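Review bot: the two changed pairs in this hunk ("Reports should be transparent about where the data originates..." and "When available, use attribution and targeting information...") are textually identical before and after, so the edit is presumably whitespace; please confirm that every bullet under ``.. important::`` is indented consistently relative to the directive, since reStructuredText only treats indented content as the admonition body, and a bullet at a different indentation level will render as a separate list outside the box. While in this block, the unchanged context line "Many venders publish opensource reports" should read "vendors" and "open-source" (the same sentence already uses "open-source reports" later), and "down selecting" in the EMB3D bullet should be "down-selecting".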

Expand All @@ -32,3 +32,11 @@ Attack Flow


|
Emulation Tools Mapped to ATT&CK
--------------------------------
There are existing processes or data sources you can leverage to answer these questions. Perhaps your organization has a process for system risk acceptance, or you actively track system patches and compliance metrics.

Alternatively, you can stress test your system by subjecting it to some type of security assessment. This can be accomplished through an internal or external team emulating adversary behavior. Short of a full red teaming exercise, existing resources such as `Caldera <https://caldera.mitre.org>`_ integrate directly with MITRE ATT&CK and can be used as part of attack simulation exercises. Other tools, like the `Atomic Red Team <https://atomicredteam.io>`_, detail tests tied to specific ATT&CK techniques that can be performed on your system to evaluate the strength of your mitigations.

These can all inform your secondary review and give you the answers you need. From this secondary review, you’ll be able to ensure that your mitigations are sufficiently tailored to your system as it evolves with time.
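Review bot: the new section opens with "to answer these questions" and closes with "your secondary review", but this hunk is appended after the "Attack Flow" section at the end of the file, so neither the questions nor the secondary review is introduced anywhere the reader has seen; state what is being asked here (for example, whether the selected mitigations actually hold up on the deployed system) or link back to the page of the guide where that review step is defined. Also, the first paragraph (risk-acceptance processes, patch and compliance tracking) is not about emulation tools, so either broaden the heading "Emulation Tools Mapped to ATT&CK" or move that paragraph above the heading; the heading underline itself is the correct length (32 dashes for a 32-character title), and the leading ``|`` line is a valid spacer.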
