From 9741e922f6c632f4644095811829c2bd410efcac Mon Sep 17 00:00:00 2001 From: Forrest <61887649+forrestcarver@users.noreply.github.com> Date: Thu, 29 Feb 2024 09:08:03 -0600 Subject: [PATCH] Fixing three inline hyperlinks --- docs/gettingstarted.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/gettingstarted.rst b/docs/gettingstarted.rst index 8be8a7c..9813667 100644 --- a/docs/gettingstarted.rst +++ b/docs/gettingstarted.rst 
@@ -53,9 +53,9 @@ In Threat-Informed Defense, all those functions can be threat-informed to varyin * **Identify**: Inform understanding of risk and risk measurement based on an informed understanding of particular adversaries that are known to target a specific industry, geographical area, or technology by leveraging the `ATT&CK Workbench `_ or `Sightings `_. * **Protect**: Prioritizing patch deployment based on the probability that a relevant adversary will exploit the related vulnerability on an organization’s systems is an example of threat-informed protection. An excellent example of threat informed protection is the `Exploit Prediction Scoring System (EPSS) `_ which prioritizes vulnerabilities based on the probability that they will be exploited based on real-world exploitation information. -* **Detect**: Detection is greatly enhanced by being threat informed. Without a knowledge of the threat, detection must rely on statistical deviations from a baseline, or on allow-listing. Unfortunately, most networks have such large variation in their baseline activity that it is relatively easy for adversaries to “hide” in the noise, and difficult for analysts to filter out false positives. Most detection is already threat-informed to some extent by at least leveraging feeds of “known-malicious” indicators of compromise such as domain names or malware signatures, which are easier for an adversary to change compared to TTPs. To improve those detections, a more advanced threat-informed defense would leverage deep insight into the underlying and difficult-to-avoid behaviors that are core to malicious activity. This concept is well-documented in SpecterOps’ `Capability Abstraction blog series `_, MITRE’s 'TTP-Based Hunting `_, and the Center’s `Summiting the Pyramid `_ work. +* **Detect**: Detection is greatly enhanced by being threat informed. Without a knowledge of the threat, detection must rely on statistical deviations from a baseline, or on allow-listing. 
Unfortunately, most networks have such large variation in their baseline activity that it is relatively easy for adversaries to “hide” in the noise, and difficult for analysts to filter out false positives. Most detection is already threat-informed to some extent by at least leveraging feeds of “known-malicious” indicators of compromise such as domain names or malware signatures, which are easier for an adversary to change compared to TTPs. To improve those detections, a more advanced threat-informed defense would leverage deep insight into the underlying and difficult-to-avoid behaviors that are core to malicious activity. This concept is well-documented in SpecterOps’ `Capability Abstraction blog series `_, MITRE’s `TTP-Based Hunting `_, and the Center’s `Summiting the Pyramid `_ work. * **Respond**: Responders who understand adversary campaigns and behaviors more deeply can uncover the broader picture of malicious activity in their network and take more effective responsive action. For example, a quick isolation response to the first piece of malware discovered might only alert the adversary to being discovered and cause them to adjust accordingly and evade further detection, whereas a broader understanding of the adversary’s intentions, capabilities, and previous campaigns might lead the responders to investigate further, discover other likely targets within the network, identify crucial chokepoints in the adversary’s intrusion, and take a more decisive action in evicting the adversary. -* **Recover**: Organizations can validate their backup and recovery plans by testing themselves against realistic adversary tradecraft using the 'Adversary Emulation Library `_ or 'Micro Emulation Plans `_. 
These are particularly valuable for testing recovery in ransomware scenarios +* **Recover**: Organizations can validate their backup and recovery plans by testing themselves against realistic adversary tradecraft using the `Adversary Emulation Library `_ or `Micro Emulation Plans `_. These are particularly valuable for testing recovery in ransomware scenarios The CSF is primarily focused on an understanding of the systems being defended and general best-practices for cybersecurity. A Threat-Informed Defense complements that with knowledge of adversary tactics, techniques, procedures, tools, tradecraft, and intentions. This Threat-Informed Defense model is not intended to replace frameworks such as the CSF but to document how to incorporate threat information into the relevant components of a full cybersecurity program. For that reason, a high score in this model indicates that threat knowledge is being optimally utilized to guide defensive investments and actions.
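Review bot: the corrected `+* **Recover**` line still ends "These are particularly valuable for testing recovery in ransomware scenarios" with no terminating period before the following paragraph ("The CSF is primarily focused..."); since this line is already being rewritten, add the trailing period. In the same hunk, the unhyphenated "being threat informed" and "threat informed protection" in the Detect and Protect bullets are inconsistent with "threat-informed defense" and "Threat-Informed Defense" used a few words later; settling on the hyphenated form throughout these bullets would be a cheap consistency fix to fold into this docs change.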