Merge pull request #9 from center-for-threat-informed-defense/tiffb-u…

…pdate

use cases to use_cases

docs/architecture.rst

@@ -53,12 +53,8 @@ Impacting ICS
     Understanding impact to assets, particulary in context of ICS and application of ATT&CK
     in IT and OT environments
 
-.. _asset-table:
-
-The below table provides descriptions for each of the 21 identified Defending OT with
-ATT&CK Architecture Assets. All assets can be mapped to ATT&CK for Enterprise's
-platforms and/or ATT&CK for ICS' assets. There are nine assets where ATT&CK for
-Enterprise and ATT&CK for ICS overlap.
+The below table provides descriptions for each of the 21 identified Defending OT with ATT&CK Architecture Assets. All assets were mapped to 
+ATT&CK for Enterprise's platforms and/or ATT&CK for ICS' assets. There were nine assets where ATT&CK for Enterprise and ATT&CK for ICS overlap:
 
 +--------------------------------------+---------------------------------------------------------------------------------------------------+
 + Asset Name                           + Description                                                                                       +
@@ -78,7 +74,7 @@ Enterprise and ATT&CK for ICS overlap.
 + [SaaS/M365/Google Workspace]         + third-party providers, made available to users through network connections and/or APIs.           +
 +--------------------------------------+---------------------------------------------------------------------------------------------------+
 + Container                            + A container is standard unit of virtualized software that packages up code and its dependencies   +
-+                                      + so the application runs quickly and reliably from one computing environment to another.           +
++ [Enterprise]                         + so the application runs quickly and reliably from one computing environment to another.           +
 +--------------------------------------+---------------------------------------------------------------------------------------------------+
 + Control Server                       + Control servers are typically a software platform that runs on a modern server operating system   +
 + [ICS & Enterprise]                   + (e.g., MS Windows Server). The server typically uses one or more automation protocols (e.g.,      +
@@ -175,5 +171,4 @@ Enterprise and ATT&CK for ICS overlap.
 +                                      + networks together by encapsulating all data between those networks. VPN servers typically support +
 +                                      + remote network services that are used by field VPNs to initiate the establishment of the secure   +
 +                                      + VPN tunnel between the field device and server.                                                   +
-+--------------------------------------+---------------------------------------------------------------------------------------------------+
-
++--------------------------------------+---------------------------------------------------------------------------------------------------+

docs/collection.rst

@@ -14,11 +14,18 @@ Defending OT with ATT&CK provides a defined threat collection to assist defender
 understanding which techniques adversaries could use within an IT/OT hybrid
 architecture. This includes:
 
-* Techniques that occur on enterprise systems used to manage OT.
-* Techniques on Industrial Control Systems (ICS).
+* Techniques that occur on enterprise system.
+* Techniques on Industrial Control Systems (ICS), and
 * Techniques on OT assets that run similar operating systems, protocols, and applications as enterprise IT assets.
+
+The project team applied the :doc:`methodology` and employed the flexibility and customization 
+provided by ATT&CK Workbench to develop this collection of specific adversarial risks associated 
+with the 21 Defending OT with ATT&CK :doc:`architecture` assets. The resultant threat collection
+contains a combined 692 techniques from ATT&CK for Enterprise and ATT&CK for ICS (251 techniques 
+and 441 sub-techniques).
 
-
+Download the Threat Collection
+------------------------------
 .. raw:: html
 
     <p>
@@ -34,6 +41,48 @@ architecture. This includes:
         <i class="fa fa-download"></i> Download JSON Threat Collection (8.875mb)</a>
     </p>
 
+Building the Threat Collection
+------------------------------
+
+Defending OT with ATT&CK builds upon prior work developed by the Center, including 
+`Defending IaaS with ATT&CK <https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/defending-iaas-with-attack/>`_ and `ATT&CK Workbench <https://github.com/center-for-threat-informed-defense/attack-workbench-frontend/blob/master/README.md>`_.
+
+**Defending IaaS with ATT&CK**
+
+Defending OT with ATT&CK uses the methodology and tooling created as part of the Center's 
+`Defending IaaS with ATT&CK project <https://center-for-threat-informed-defense.github.io/defending-iaas-with-attack/>`_ as a basis. The Defending IaaS project methodology provides
+steps to identify and select techniques across multiple ATT&CK matrices that align to a defined 
+attack surface, proving to be a solid foundation for developing Defending OT project resources, 
+including the threat collection.
+
+The Center developed Defending IaaS With ATT&CK project to provide the community with a 
+collection of MITRE ATT&CK® techniques tailored to the unique attack surface and threat model 
+for Infrastructure-as-a-Service (IaaS). This collection can be used to plan and evaluate security 
+controls for organizations that use IaaS based on the known adversary behaviors described by ATT&CK.
+
+**ATT&CK Workbench**
+
+The Defending OT with ATT&CK project team used `ATT&CK Workbench <https://github.com/center-for-threat-informed-defense/attack-workbench-frontend/blob/master/README.md>`_ to explore and map adversarial 
+techniques, target assets, and campaigns. The team employed ATT&CK Workbench's search and 
+filter features for ATT&CK for Enterprise and ATT&CK for ICS domains, determined mapping of 
+assets to multi-domains from ATT&CK for Enterprise and ATT&CK for ICS techniques, and added 
+rationale in Workbench's note sections, to generate the shared mapping file.
+
+The Center created ATT&CK Workbench to enable users to explore, create, annotate, and share 
+extensions of MITRE ATT&CK®. ATT&CK Workbench allows users to manage and extend their own 
+local version of ATT&CK and keep it synchronized with the ATT&CK knowledge base. ATT&CK Workbench 
+is an open source tool publicly available on `GitHub <https://github.com/center-for-threat-informed-defense/attack-workbench-frontend>`_.
+
+ATT&CK Workbench enables a number of important use cases within the ATT&CK community, such as:
+
+* **Cyber Threat Intelligence:** Take notes on techniques, groups, and other objects to collaborate within a threat intelligence team.
+
+* **Red Teaming:** Track and manage coverage of Red Team engagements the same way you track your ATT&CK coverage.
+
+* **Defensive Planning:** Stay up to date with the evolving threat landscape by downloading new releases of ATT&CK automatically.
+
+* **Collaboration with ATT&CK and the community:** Share your custom datasets with the ATT&CK community and download datasets created by others.
+
 Defending OT with ATT&CK builds upon the methodology from `Defending IaaS with ATT&CK
 <https://center-for-threat-informed-defense.github.io/defending-iaas-with-attack/>`_ and
 the tools from `ATT&CK Workbench
@@ -58,4 +107,4 @@ such as:
 * **Defensive Planning:** Stay up to date with the evolving threat landscape by
   downloading new releases of ATT&CK automatically.
 * **Collaboration with ATT&CK and the community:** Share your custom datasets with the
-  ATT&CK community and download datasets created by others.
+  ATT&CK community and download datasets created by others.

docs/index.rst

@@ -1,24 +1,26 @@
 Defending Operational Technology (OT) with ATT&CK
 =================================================
 
+Defending OT with ATT&CK provides a customized collection of `MITRE ATT&CK® <https://attack.mitre.org/>`_ techniques 
+tailored to the attack surface and threat model for OT environments. The collection of 
+threats contained in the ATT&CK knowledgebase, including historical attacks against OT,
+are used to define a reference architecture and technology domains of interest for OT. 
+The resultant collection can be used by organizations that use OT to evaluate and employ 
+security controls for real-world adversary behaviors.
+
+This project is created and maintained by `MITRE Engenuity Center for Threat-Informed Defense (Center) <https://ctid.mitre-engenuity.org/>`_
+and is funded by our research participants, in futherance of our mission to advance the state 
+of the art and the state of the practice in threat-informed defense globally. This work builds upon the 
+Center's `Defending IaaS with ATT&CK <https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/defending-iaas-with-attack/>`_ project by 
+using the methodology and tooling created under that project as a basis, and provides another collection
+of resources cyber defenders can use to understand and make threat-informed decisions for techniques that 
+could be used within an IT/OT hybrid architecture and environment. 
+
 .. image:: _static/defending-ot.jpg
     :align: center
     :scale: 50%
 
 |
-
-Defending OT with ATT&CK provides a customized collection of `MITRE ATT&CK®
-<https://attack.mitre.org/>`_ techniques tailored to the attack surface and threat model
-for OT environments. The collection of threats contained in the ATT&CK knowledgebase,
-including historical attacks against OT, are used to define a reference architecture and
-technology domains of interest for OT. Organizations can use this collection to evaluate
-and deply security controls for real-world adversary behaviors against OT systems.
-
-This project is created and maintained by the `MITRE Engenuity Center for
-Threat-Informed Defense (Center) <https://ctid.mitre-engenuity.org/>`_ and is funded by
-our research participants, in futherance of our mission to advance the state of the art
-and the state of the practice in threat-informed defense globally.
-
 .. toctree::
     :maxdepth: 2
     :caption: Contents
@@ -27,14 +29,13 @@ and the state of the practice in threat-informed defense globally.
     architecture
     collection
     methodology
-    use cases
+    use_cases
     exercise
 
 Notice
 ------
 
-© 2024 MITRE Engenuity. Approved for public release. Document number(s)
-|prs_numbers|.
+© 2024 MITRE Engenuity. Approved for public release. Document number CT0121.
 
 Licensed under the Apache License, Version 2.0 (the "License"); you may not use this
 file except in compliance with the License. You may obtain a copy of the License at

docs/use cases.rst → docs/use_cases.rst

@@ -51,7 +51,7 @@ Defending OT with ATT&CK enables the following essential capabilities:
      including red teaming and penetration testing, to effectively evaluate real-world 
      risks across the attack surface.
 
-**Improved Security Architecture and Operations** 
+**Security Architecture and Operations** 
      Users can use the mapped information to more easily identify security control gaps 
      to protect systems and environments from threats, develop detections for adversary 
      activity, and plan appropriate response activities across their IT/OT environment.

make/sphinx.mk

@@ -17,3 +17,5 @@ docs-pdf: ## Generate PDF documentation.
 
 docs-server: ## Run server for local editing of docs.
 	sphinx-autobuild -b dirhtml -a "$(SOURCEDIR)" "$(BUILDDIR)"
+
+sphinx-build -M dirhtml "docs/" "docs/_build/" -W --keep-going