Content updates
tiffb committed Jul 4, 2024
1 parent 96a895b commit 0549a7f
Showing 12 changed files with 387 additions and 135 deletions.
Binary file added docs/_static/assets.png
Binary file added docs/_static/caddywiper.png
Binary file added docs/_static/enterprise_ics.png
Binary file added docs/_static/ref_arch.png
185 changes: 165 additions & 20 deletions docs/architecture.rst


92 changes: 92 additions & 0 deletions docs/collection.rst
@@ -0,0 +1,92 @@
Threat Collection
=================

The Defending OT with ATT&CK threat collection is a customized collection of MITRE ATT&CK®
techniques tailored to the attack surface and threat model for OT environments. Historical attacks
against OT and adversarial tactics, techniques, and procedures (TTPs) as contained in
ATT&CK for Enterprise, ATT&CK for ICS, and other relevant ATT&CK datasets such as Cloud
and Containers were analyzed to identify and define a reference architecture and technology
domains of interest specific to OT. The resultant collection can be used by organizations
that use OT to evaluate, plan, and employ security controls based on known, real-world
adversary behaviors targeting those environments.

Defending OT with ATT&CK provides a defined threat collection to assist defenders in
understanding which techniques adversaries could use within an IT/OT hybrid architecture.
This includes:

* techniques that occur on enterprise systems used to manage OT,

* techniques on Industrial Control Systems (ICS), and

* techniques on OT assets that run similar operating systems, protocols, and applications as enterprise IT assets.

.. <<!-- TO DO --!>>
tagged techniques for OT environments
Total ATT&CK (sub-)techniques -> Mapped to each asset and count (i.e., 510 techniques mapped to each assets).
plus image
downloads:
- STIX bundle
- multi-domain ATT&CK matrix for Navigator
**Download the Threat Collection**

.. <<!-- TO DO --!>>
get downloads for dota
.. raw:: html

<p>
<a class="btn btn-primary" target="_blank" href="https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fcenter-for-threat-informed-defense.github.io%2Finsider-threat-ttp-kb%2Fgreen_seen_v1_v2.json">
<i class="fa fa-map-signs"></i> Download ATT&CK Workbench Collection</a>

<a class="btn btn-primary" target="_blank" href="..\green_seen_v1_v2.xlsx" download="green_seen_v1_v2.xlsx">
<i class="fa fa-download"></i> Download EXCEL (18kb)</a>

<a class="btn btn-primary" target="_blank" href="..\green_seen_v1_v2.json" download="green_seen_v1_v2.json">
<i class="fa fa-download"></i> Download JSON (153kb)</a>
</p>

Building the Threat Collection
------------------------------

Defending OT with ATT&CK builds upon prior work developed by the Center, including
`Defending IaaS with ATT&CK <https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/defending-iaas-with-attack/>`_ and `ATT&CK Workbench <https://github.com/center-for-threat-informed-defense/attack-workbench-frontend/blob/master/README.md>`_.

**Defending IaaS with ATT&CK**

Defending OT with ATT&CK uses the methodology and tooling created as part of the Center's
`Defending IaaS with ATT&CK project <https://center-for-threat-informed-defense.github.io/defending-iaas-with-attack/>`_ as a basis. The Defending IaaS project methodology provides
steps to identify and select techniques across multiple ATT&CK matrices that align to a defined
attack surface, proving to be a solid foundation for developing Defending OT project resources.

The Center developed Defending IaaS With ATT&CK project to provide the community with a
collection of MITRE ATT&CK® techniques tailored to the unique attack surface and threat model
for Infrastructure-as-a-Service (IaaS). This collection can be used to plan and evaluate security
controls for organizations that use IaaS based on the known adversary behaviors described by ATT&CK.

**ATT&CK Workbench**

The Defending OT with ATT&CK project team used `ATT&CK Workbench <https://github.com/center-for-threat-informed-defense/attack-workbench-frontend/blob/master/README.md>`_ to explore and map adversarial
techniques, target assets, and campaigns. The team employed ATT&CK Workbench's search and
filter features for ATT&CK for Enterprise and ATT&CK for ICS domains, determined mapping of
assets to multi-domains from ATT&CK for Enterprise and ATT&CK for ICS techniques, and added
rationale in Workbench's note sections, to generate the shared mapping file.

The Center created ATT&CK Workbench to enable users to explore, create, annotate, and share
extensions of MITRE ATT&CK®. ATT&CK Workbench allows users to manage and extend their own
local version of ATT&CK and keep it synchronized with the ATT&CK knowledge base. ATT&CK Workrbench
is an open source tool publicly available on `GitHub <https://github.com/center-for-threat-informed-defense/attack-workbench-frontend>`_.

ATT&CK Workbench enables a number of important use cases within the ATT&CK community, such as:

* **Cyber Threat Intelligence:** Take notes on techniques, groups, and other objects to collaborate within a threat intelligence team.

* **Red Teaming:** Track and manage coverage of Red Team engagements the same way you track your ATT&CK coverage.

* **Defensive Planning:** Stay up to date with the evolving threat landscape by downloading new releases of ATT&CK automatically.

* **Collaboration with ATT&CK and the community:** Share your custom datasets with the ATT&CK community and download datasets created by others.




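Review bot: the two `.. <<!-- TO DO --!>>` blocks are comments only on their first line. The lines that follow them (`tagged techniques for OT environments` through `- multi-domain ATT&CK matrix for Navigator`, and `get downloads for dota`) appear unindented here; if they are unindented in the file, docutils closes the comment and renders them as body text on the published page. Indent them under the `..` marker (with a blank line before the following directive) or move them to an issue. Second, the download buttons under `.. raw:: html` still point at the insider-threat-ttp-kb Navigator layer and at `..\green_seen_v1_v2.xlsx` / `..\green_seen_v1_v2.json`, i.e. another project's placeholder assets with backslash paths that will not resolve as URLs; swap in this project's collection files with forward-slash paths before this page ships. Minor: `ATT&CK Workrbench` in the open-source sentence should be `ATT&CK Workbench`.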
61 changes: 42 additions & 19 deletions docs/exercise.rst
Expand Up @@ -4,16 +4,15 @@ Cyber Tabletop Exercise
Organizations need to proactively understand how to defend against advanced
persistent threat techniques that can be used to impact their operational
technology (OT) environment, regardless of whether these cyber-attacks affect
assets within different domains such as Enterprise and ICS. To demonstrate how
this project's resources can be used to meet that need, a cyber tabletop exercise
was conducted byproject participants.

to assess and improve IT/OT defensive strategies for
advanced nation state threat actor groups that use adversarial techniques
overlapping Enterprise and ICS domains
assets within different technology domains. To demonstrate how this project's
resources can be used to meet that need, a cyber tabletop exercise was conducted
by project participants. Exercise goals included assessing and improving
information technology (IT) and OT defensive strategies for advanced nation state
threat actor groups that use adversarial techniques overlapping Enterprise and
Industrial Control Systems (ICS) domains.

The ATT&CK-based tabletop exercise scenario was based upon the
`2022 Ukraine Electric Power Attack<https://attack.mitre.org/campaigns/C0034/>_` campaign. This real-world campaign by the
`2022 Ukraine Electric Power Attack <https://attack.mitre.org/campaigns/C0034/>`_ campaign. This real-world campaign by the
Russian threat actor group known as Sandworm Team used a combination of malware
and 15 ATT&CK techniques overlapping ATT&CK for Enterprise and ICS domains to gain
access to a Ukranian electric utility and send unauthorized commands to substation
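Review bot: the rewritten opening paragraph fixes the broken `byproject` sentence, and the campaign link now has the correct `... Attack <https://attack.mitre.org/campaigns/C0034/>`_` form. One leftover in the unchanged trailing context: `Ukranian electric utility` should read `Ukrainian`; worth correcting while this paragraph is being edited.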
Expand All @@ -29,16 +28,16 @@ mechanisms captured. Upon conclusion of the exercise, participants held a brief
identified areas of improvement for defense-in-depth, and developed recommendations
for security across multiple domains of the IT/OT environment.

Environment
-----------
Conducting the Exercise
-----------------------

The exercise was conducted using the Defending OT with ATT&CK `reference architecture<./architecture.rst>_`.
This reference architecture is depicted in the image below. Exericse participants
The exercise was conducted using the Defending OT with ATT&CK `reference architecture <./architecture.rst>`_.
This reference architecture is depicted in the image below. Exercise participants
assumed the role of cybersecurity experts for an organization with a technical environment
similar to the hacked power plant infrastructure. Red boxes are used to indicate
assets impacted during the campaign.

.. image:: ./_static/2022UKR.png
.. image:: ./_static/2022ukr.png

The ATT&CK techniques investigated during the exercise are provided in the table below,
organized under tactics - the reasons an advesary performs the action. A mix of techniques
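Review bot: the image path change from `./_static/2022UKR.png` to `./_static/2022ukr.png` is a case-only rename, and the changed-file list visible for this commit shows four new `_static` images but no `2022ukr.png`. Unless the asset itself was renamed, the Sphinx build will not find the image on a case-sensitive filesystem (Linux CI, Read the Docs); please confirm the file is tracked under the lowercase name. Typo in the trailing context: `advesary` should be `adversary`.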
Expand All @@ -48,10 +47,34 @@ control system architecture.

.. image:: ./_static/campaign.png

Results
-------
The following depicts an example of the presentation of adversarial threats for participant
discussion and evaluation, including consideration of potential mitigations, detection methods,
and risk scenarios:

.. image:: ./_static/caddywiper.png

Defensive Takeaways
-------------------

* Emphasize a threat-informed approach when evaluating the defense-in-depth of organizational security controls, particularly when securing and hardening enterprise assets. This was highlighted in the assessment of how threat actors exploit internet-facing assets during the initial stages of the cyber kill chain.

* Without a threat-informed approach, security controls may not effectively address specific vulnerabilities exploited by threat actors, increasing the risk of successful cyber attacks.

* Stress the importance of baselining and maintaining situational awareness in your operational environment through continuous monitoring of sensor health and status. This is crucial for identifying threat actor behaviors, including the use of living off the land (LoTL) techniques that blend with normal operational activities.

* Inadequate baselining and monitoring may lead to delayed detection of stealthy threat actor activities, potentially resulting in prolonged compromise and data exfiltration.

* Prioritize privileged account management for shared administrator accounts and validate network segmentation across various zones, from enterprise (level 5) to operational and control (level 3), to mitigate lateral movement by threat actors or ingress of malicious artifacts.

* Poor privileged account management and inadequate network segmentation increase the risk of unauthorized access and lateral movement within the network, potentially leading to widespread compromise and data breach.

Offensive Takeaways
-------------------

* Consider repeating this exercise based on other cyber-attacks on Ukrainian Electric Plants in 2016 and 2020, and reviewing techniques associated with the Russian threat actor Sandworm.

* Ignoring historical attack patterns and specific threat actor techniques may result in overlooking critical vulnerabilities and attack vectors, leaving the organization vulnerable to similar cyber attacks.

* Plan the next steps with a hands-on purple team exercise, where selected adversarial techniques are executed by a red team or programmatically using tools like Caldera and Caldera for OT. Evaluate the effectiveness of security controls and have the results assessed by a blue team of cyber-defenders.

<<TO DO>>
Used real-world example to identify and understand the best defensive capabilities to counter these threats.
Envision that we have proactively constructed an ATT&CK driven defense incorporating all framework recommendations.
Survey results
* Without conducting a hands-on purple team exercise, the effectiveness of current security controls may not be accurately assessed, leading to gaps in defensive capabilities and increased exposure to cyber threats.
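Review bot: the `Offensive Takeaways` heading does not match its content. Its bullets are follow-on recommendations (repeat the exercise with the earlier Ukraine campaigns, run a hands-on purple team exercise with Caldera and Caldera for OT), not offensive findings, so a heading such as `Next Steps` would be more accurate. In both takeaway sections the bullets alternate between a recommendation and the risk of not following it; nesting each risk as a sub-bullet of its recommendation would make that pairing visible instead of reading as six unrelated points. Please also verify the years `2016 and 2020` in the first bullet against the ATT&CK campaign entries for the earlier Ukraine power grid attacks before publishing.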
13 changes: 7 additions & 6 deletions docs/index.rst
@@ -1,20 +1,20 @@
Defending Operational Technology (OT) with ATT&CK
=================================================

Defending OT with ATT&CK provides a customized collection of `MITRE ATT&CK®<https://attack.mitre.org/>_` techniques
Defending OT with ATT&CK provides a customized collection of `MITRE ATT&CK® <https://attack.mitre.org/>`_ techniques
tailored to the attack surface and threat model for OT environments. The collection of
threats contained in the ATT&CK knowledgebase, including historical attacks against OT,
are used to define a reference architecture and technology domains of interest for OT.
The resultant collection can be used by organizations that use OT to evaluate and employ
security controls for real-world adversary behaviors.

This project is created and maintained by `MITRE Engenuity Center for Threat-Informed Defense (Center)<https://ctid.mitre-engenuity.org/>_`
This project is created and maintained by `MITRE Engenuity Center for Threat-Informed Defense (Center) <https://ctid.mitre-engenuity.org/>`_
and is funded by our research participants, in futherance of our mission to advance the state
of the art and the state of the practice in threat-informed defense globally. This work builds upon the
Center's `Defending IaaS with ATT&CK<https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/defending-iaas-with-attack/>_` project by
Center's `Defending IaaS with ATT&CK <https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/defending-iaas-with-attack/>`_ project by
by using the methodology and tooling created under that project as a basis, and provides another collection
of resources cyber defenders can use to understand and make threat-informed decisions for techniques that
might be used against their environment.
could be used within an IT/OT hybrid architecture and environment.

.. toctree::
:maxdepth: 2
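Review bot: the three link-syntax fixes are correct, but the sentence they sit in still has a duplicated word across the line break: `... project by` followed by `by using the methodology ...`. Drop one `by`. Also `futherance` should be `furtherance` in the funding sentence. Both are unchanged context lines, so they survive this commit unless fixed here.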
Expand All @@ -23,12 +23,13 @@ might be used against their environment.
introduction
overview
architecture
process
collection
methodology
mappings
use cases
exercise

.. <!-- TO DO --!> add image of Hybrid ATT&CK Matrix
Notice
------

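Review bot: two build issues around the toctree. `use cases` contains a space, and Sphinx reads each toctree line as a document name (or `Title <docname>`), so it will look for a document literally named `use cases` and warn that the toctree references a nonexisting document; use the actual file name or the `Use Cases <docname>` form. Second, the comment `.. <!-- TO DO --!> add image of Hybrid ATT&CK Matrix` is immediately followed by the `Notice` heading with no blank line, which triggers the docutils warning `Explicit markup ends without a blank line; unexpected unindent` and can swallow the heading; add a blank line after the comment. Replacing `process` with `collection` matches the new docs/collection.rst, but check that nothing else still links to a `process` document (the old overview list referenced one).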
12 changes: 11 additions & 1 deletion docs/methodology.rst
Expand Up @@ -7,7 +7,12 @@ organization. By following these steps, organizations can effectively delineate
surface, compile relevant threat intelligence, apply rigorous selection criteria, and build
a comprehensive threat collection to bolster their cybersecurity defenses.

.. <<!-- TO DO --!>>
build out the steps
Step 1. Identify the attack surface.
------------------------------------

Determine the relevant technologies where a threat actor can impact operations and
generate a reference architecture that depicts technologies in scope for a hybrid
IT/OT system.
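Review bot: same comment-indentation problem as in collection.rst: `build out the steps` under `.. <<!-- TO DO --!>>` is shown unindented, so if that is how it sits in the file it will render as a paragraph on the published methodology page rather than staying inside the comment. Indent it under the comment marker or delete it.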
Expand Down Expand Up @@ -35,6 +40,7 @@ Step 1. Identify the attack surface.
To learn more about assets, visist :ref:

Step 2. Compile source information.
-----------------------------------

Gather information resources and applicable cyber threat intelligence including ATT&CK
adversary behavior used to target the identified IT/OT systems.
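Review bot: the unchanged context line `To learn more about assets, visist :ref:` has a typo (`visit`) and a `:ref:` role with no target, which renders literally as `:ref:` rather than as a link. Since the new Step 2 heading sits directly below it, this is a good time to point it at the asset section of the architecture page once a label exists there, or to remove the sentence.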
Expand Down Expand Up @@ -63,6 +69,7 @@ Key Focus Areas:
* Identity Management (Azure AD)

Step 3. Define selection criteria.
----------------------------------

Develop guidelines including or excluding an adversary activity from the threat model.
Selection criteria includes virtualized infrastructure (e.g., virtual machines, cloud),
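Review bot: grammar in the trailing context line: `Selection criteria includes` should be `Selection criteria include` (criteria is plural). Also consider a quick check that `Identity Management (Azure AD)` in the focus-area list is still the name you want, since that product has since been renamed Microsoft Entra ID.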
Expand Down Expand Up @@ -105,6 +112,7 @@ Guidance:
* Compile an initial list of applicable ATT&CK techniques for each asset.

Step 4. Review applicable adversarial techniques.
-------------------------------------------------

Review and evaluate adversary techniques for each asset according to previously defined
criteria. Exclude non-applicable techniques.
Expand All @@ -127,7 +135,9 @@ Curate a refined list of adversarial techniques for each asset.

* Determine the final set of techniques for the collection.

Step 5. Build custom threat collection.
Step 5. Build custom threat collection.
---------------------------------------

Generate a tailored threat intelligence collection for hybrid IT/OT systems. Provide
the collection in a sharable and extensible format.

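Review bot: `Step 5. Build custom threat collection.` appears twice in this hunk with identical visible text, which suggests a whitespace-only change (trailing space or line ending). If so, fine, but please confirm the rendered page shows the heading once and that the added underline is exactly as long as the title, since a short underline produces a `Title underline too short` warning. Minor: `sharable` is better spelled `shareable`.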
38 changes: 25 additions & 13 deletions docs/overview.rst
Expand Up @@ -2,9 +2,12 @@ Overview
========

Organizations need to understand which techniques adversaries can use against
Operational Technology (OT) systems. This includes and is not limited to:
Operational Technology (OT) systems. This includes:

* techniques that occur on enterprise systems used to manage OT,

* techniques on Industrial Control Systems (ICS), and

* techniques on OT assets that run similar operating systems, protocols, and applications as enterprise IT assets.

Defending OT with ATT&CK provides a customized collection of MITRE ATT&CK® techniques
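Review bot: the three-bullet list introduced here (`techniques that occur on enterprise systems used to manage OT` ...) is now duplicated word for word in the new docs/collection.rst. Keep it in one place, for example via an `.. include::` of a shared snippet, or have collection.rst refer back to the overview, so the two copies do not drift.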
Expand All @@ -18,15 +21,15 @@ adversary behaviors targeting those environments.

Background
----------
`MITRE ATT&CK®<https://attack.mitre.org/>` is a globally accessible knowledge
`MITRE ATT&CK® <https://attack.mitre.org/>`_ is a globally accessible knowledge
base of cyber adversary tactics and techniques based on public reporting and
observation. The ATT&CK knowledge base represents adversary goals as tactics
and specific goal-oriented behaviors as techniques and sub-techniques. Defending
OT with ATT&CK leverages the knowledgebase and its underlying data model to
produce a collection of ATT&CK techniques tailored to OT environments.

Initially, ATT&CK was focused on the Windows enterprise environment. Later versions
integrated macOS and Linux into what is commonly known as ATT&CK for Enterprise.
integrated macOS and Linux into what is commonly known as ATT&CK for Enterprise.
With broader adoption and numerous contributions from the cybersecurity community,
ATT&CK eventually added Mobile and ICS technology domains.

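Review bot: the ATT&CK link fix is correct. The second change in this hunk (`integrated macOS and Linux into what is commonly known as ATT&CK for Enterprise.`) shows identical text on both sides, so it is presumably a trailing-whitespace change; worth confirming nothing else moved. While here, the paragraph mixes `knowledge base` and `knowledgebase`; pick one spelling.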
Expand All @@ -39,16 +42,25 @@ particular environment or architecture. To that end, this project defines a refe
architecture and a corresponding attack surface, then creates mappings of relevant
techniques from multiple matrices to provide a single, convenient collection of resources.

Get Started
Prior research into communicating adversary behaviors facing OT networks was conducted by
`Mandiant Threat Intelligence and MITRE <https://cloud.google.com/blog/topics/threat-intelligence/gestalt-mitre-attack-ics/>`_. The analyis included techniques contained in
ATT&CK for Enterprise and ATT&CK for ICS, represented in a hybrid view of the complexity of events
across the OT Targeted Attack Lifecycle. The figure below reflects the differences and overlaps
between ATT&CK for Enterprise and ATT&CK for ICS.

.. image:: ./_static/enterprise_ics.png

Get Involved
-----------

The mappings between ATT&CK for Enterprise and ATT&CK for ICS techniques provide
an understanding of the attack surface and threat model for the various assets
within an IT/OT hybrid architecture and environment. To get started using the
Defeinding OT with ATT&CK, review the following resources:
This project provides the community with resources for understanding of the attack surface
and threat model for various assets within a hybrid IT/OT architecture and environment. There are
several ways that you can get involved with this project and help advance threat-informed defense:

* **Use the project resources.** Visit the :doc:`architecture` and :doc:`collection` to learn how the project resources are constituted and how you can use them.

* **Apply the methodology.** The Defending OT resources are usable as-is, but you can also learn how to create your own customized collections by following the :doc:`methodology`.

* **Build and share your own collections.** Use `ATT&CK Workbench <https://github.com/center-for-threat-informed-defense/attack-workbench-frontend/blob/master/README.md>`_ to build your own collections. You can use custom collections privately or publish them to benefit the community.

reference architecture
process
mappings
use cases
exercise
* **Tell us what you think.** Let us know how you're using the project and what ideas you have to improve it. Please see the `guidance for contributors <https://github.com/center-for-threat-informed-defense/defending-ot-with-attack/blob/main/CONTRIBUTING.md>`_ if are you interested in contributing or reporting issues.
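Review bot: the new `Get Involved` heading is 12 characters but keeps the 11-dash underline inherited from `Get Started`, so Sphinx will emit `Title underline too short` and may not render the section as a heading; extend the underline. Other fixes in the added lines: `analyis` should be `analysis`, `resources for understanding of the attack surface` should be `resources for understanding the attack surface`, and `if are you interested` in the last bullet should be `if you are interested`.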