diff --git a/docs/_static/CTIDresources.jpg b/docs/_static/CTIDresources.jpg deleted file mode 100644 index ce1a262..0000000 Binary files a/docs/_static/CTIDresources.jpg and /dev/null differ diff --git a/docs/_static/fin6advemu.png b/docs/_static/fin6advemu.png index ab09bb3..1e72b01 100644 Binary files a/docs/_static/fin6advemu.png and b/docs/_static/fin6advemu.png differ diff --git a/docs/_static/m3tid-components.png b/docs/_static/m3tid-components.png new file mode 100644 index 0000000..21e8483 Binary files /dev/null and b/docs/_static/m3tid-components.png differ diff --git a/docs/_static/projects-triangle.png b/docs/_static/projects-triangle.png new file mode 100644 index 0000000..73c747d Binary files /dev/null and b/docs/_static/projects-triangle.png differ diff --git a/docs/_static/stp.png b/docs/_static/stp.png index 6fabf1c..fb15e84 100644 Binary files a/docs/_static/stp.png and b/docs/_static/stp.png differ diff --git a/docs/_static/tid.png b/docs/_static/tid.png new file mode 100755 index 0000000..00ff863 Binary files /dev/null and b/docs/_static/tid.png differ diff --git a/docs/_static/topattackttp.png b/docs/_static/topattackttp.png index 2b3adc0..c4f67ee 100644 Binary files a/docs/_static/topattackttp.png and b/docs/_static/topattackttp.png differ diff --git a/docs/components/cti.rst b/docs/components/cti.rst index 4a50c5a..2d9a900 100644 --- a/docs/components/cti.rst +++ b/docs/components/cti.rst 
@@ -2,69 +2,72 @@ Cyber Threat Intelligence ========================= -This section outlines the key components that have been identified for the CTI dimension as well as maturity levels within the components. These components and levels form the -basis for assessing how threat informed an organization’s CTI program is. This assessment can be conducted using the companion spreadsheet published with this white paper. - +This section outlines the key components that have been identified for the CTI dimension +as well as maturity levels within the components. These components and levels form the +basis for assessing how threat informed an organization’s CTI program is. This +assessment can be conducted using the companion spreadsheet published with this white +paper. Depth of Threat Data [#f1]_ ---------------------------- -What level of information (roughly relative to the Pyramid of Pain) is being used to track adversaries. +What level of information (roughly relative to the Pyramid of Pain) is being used to +track adversaries. 1. None -2. Ephemeral IOCs: hashes, IPs, domains: data sources an adversary can change easily  -3. Tools / Software used by adversaries: tools or software which can be swapped or modified by an adversary to evade detection  -4. Techniques and Tactics used by adversaries: the techniques and behaviors that are harder to change for an adversary -5. Low-variance adversary behaviors and associated observables: specific actions most implementations of a technique must use so it is very difficult for an adversary to change or avoid - +2. Ephemeral IOCs: hashes, IPs, domains: data sources an adversary can change easily +3. Tools / Software used by adversaries: tools or software which can be swapped or + modified by an adversary to evade detection +4. Techniques and Tactics used by adversaries: the techniques and behaviors that are + harder to change for an adversary +5. 
Low-variance adversary behaviors and associated observables: specific actions most + implementations of a technique must use so it is very difficult for an adversary to + change or avoid Breadth of Threat Information ----------------------------- -Complementary to the depth component score above, this component reflects roughly how many relevant Techniques are understood at that level of depth. - -1. None -2. Single Technique -3. Multiple Techniques -4. All top-priority Techniques relevant to the organization -5. All Techniques relevant to the organization [#f2]_ +Complementary to the depth component score above, this component reflects roughly how +many relevant Techniques are understood at that level of depth. +1. None +2. Single Technique +3. Multiple Techniques +4. All top-priority Techniques relevant to the organization +5. All Techniques relevant to the organization [#f2]_ Relevance of Threat Data ------------------------ -Where is the threat information coming from and how timely is it?  - -1. None -2. Generic reports or freely available reporting -3. Internal reports -4. Recent, in-depth reporting (often requires a subscription) -5. Customized briefings +Where is the threat information coming from and how timely is it? +1. None +2. Generic reports or freely available reporting +3. Internal reports +4. Recent, in-depth reporting (often requires a subscription) +5. Customized briefings Utilization of Threat Information --------------------------------- How is the threat information being used by an organization? -1. None -2. Lightly / occasionally read -3. Regularly ingested for analysis -4. Analyzed automatically [#f3]_ and/or by trained analysts -5. Contextualized in disseminated reports for other internal stakeholders to operationalize - +1. None +2. Lightly / occasionally read +3. Regularly ingested for analysis +4. Analyzed automatically [#f3]_ and/or by trained analysts +5. 
Contextualized in disseminated reports for other internal stakeholders to operationalize Dissemination of Threat Reporting --------------------------------- What threat information is passed along within an organization? [#f4]_ -1. None -2. Tactical reporting with highly perishable information (IOCs) -3. Tactical reporting focused on adversary behavior (TTPs) -4. Operational reporting on pertinent security trends -5. Strategic reporting on business impacts of security trends - +1. None +2. Tactical reporting with highly perishable information (IOCs) +3. Tactical reporting focused on adversary behavior (TTPs) +4. Operational reporting on pertinent security trends +5. Strategic reporting on business impacts of security trends .. rubric:: References @@ -72,5 +75,3 @@ What threat information is passed along within an organization? [#f4]_ .. [#f2] https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/top-attack-techniques/ .. [#f3] https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/threat-report-attck-mapper-tram/ .. [#f4] https://github.com/center-for-threat-informed-defense/cti-blueprints/wiki - - diff --git a/docs/components/dm.rst b/docs/components/dm.rst index a4c3eec..c520d05 100644 --- a/docs/components/dm.rst +++ b/docs/components/dm.rst 
@@ -2,7 +2,11 @@ Defensive Measures ================== -This section outlines the key components that have been identified for the Defensive Measures dimension as well as maturity levels within the components. These components and levels form the basis for assessing how threat informed an organization’s Defensive program is. This assessment can be conducted using the companion spreadsheet published with this white paper. +This section outlines the key components that have been identified for the Defensive +Measures dimension as well as maturity levels within the components. These components +and levels form the basis for assessing how threat informed an organization’s Defensive +program is. This assessment can be conducted using the companion spreadsheet published +with this white paper. Foundational Security [#f1]_ ---------------------------- 
@@ -11,58 +15,74 @@ The degree to which threat informs and prioritizes preventative security measure 1. None 2. Ad Hoc patching, limited asset inventory, basic security measures -3. Several mitigations and security controls [#f2]_ connected to relevant threats implemented, key attack surfaces and critical assets identified -4. Knowledge of threat informs a risk management process to prioritize a set of mitigations and controls -5. Prioritized [#f3]_ automated patching [#f4]_, attack surfaces understood, full asset inventory mapped to business operations and threats, hygiene best-practices implemented - +3. Several mitigations and security controls [#f2]_ connected to relevant threats + implemented, key attack surfaces and critical assets identified +4. Knowledge of threat informs a risk management process to prioritize a set of + mitigations and controls +5. Prioritized [#f3]_ automated patching [#f4]_, attack surfaces understood, full asset + inventory mapped to business operations and threats, hygiene best-practices + implemented Data Collection ---------------- -Is the right data being collected based on the needs identified from analysis of threat intelligence? - -1. None -2. Minimal visibility (e.g., single network sensor at network boundary) -3. Compliant with best practices for network and devices (e.g., logs collected from each device according to the manufacturer’s recommendations) -4. Threat-informed detection requirements guide sensor configuration and deployment [#f5]_ (e.g., additional Sysmon configuration driven by detection needs for ATT&CK Techniques) -5. Threat-Optimized (Sensors evaluated, configured, and deployed to meet all threat-informed detection needs) +Is the right data being collected based on the needs identified from analysis of threat +intelligence? +1. None +2. Minimal visibility (e.g., single network sensor at network boundary) +3. 
Compliant with best practices for network and devices (e.g., logs collected from each + device according to the manufacturer’s recommendations) +4. Threat-informed detection requirements guide sensor configuration and deployment + [#f5]_ (e.g., additional Sysmon configuration driven by detection needs for ATT&CK + Techniques) +5. Threat-Optimized (Sensors evaluated, configured, and deployed to meet all + threat-informed detection needs) Detection Engineering ------------------------ -How much are detection analytics designed, tested, and tuned to optimize precision, recall, and robustness for relevant malicious behaviors? - -1. None -2. Import rules / analytics from open repository -3. Prioritize and tune imported rules / analytics from repository -4. Testing and tuning of custom detection analytics -5. Detection analytics developed based on knowledge of low-variance behaviors, customized to reduce false positives while maintaining robust [#f6]_ recall [#f7]_ +How much are detection analytics designed, tested, and tuned to optimize precision, +recall, and robustness for relevant malicious behaviors? +1. None +2. Import rules / analytics from open repository +3. Prioritize and tune imported rules / analytics from repository +4. Testing and tuning of custom detection analytics +5. Detection analytics developed based on knowledge of low-variance behaviors, + customized to reduce false positives while maintaining robust [#f6]_ recall [#f7]_ Incident Response ------------------ -How automated, strategic, and effective are responsive measures against top-priority threats? - -1. None -2. Ad Hoc, Manual, Reactive -3. Playbook-enabled, partially automated -4. Informed by knowledge of threat actor (e.g., initial detection leads to follow-on investigation to detect other malicious actions expected in the campaign based on CTI) Proactive hunts are conducted driven by threat information rather than only alerts from existing analytics. -5. 
Strategic, holistic, optimized to deter future events (e.g., with an understanding of the full campaign and the adversary’s likely reaction to defensive response, the defenders take decisive and coordinated actions that effectively evict the adversary such that it is not easy for them to return) +How automated, strategic, and effective are responsive measures against top-priority +threats? +1. None +2. Ad Hoc, Manual, Reactive +3. Playbook-enabled, partially automated +4. Informed by knowledge of threat actor (e.g., initial detection leads to follow-on + investigation to detect other malicious actions expected in the campaign based on + CTI) Proactive hunts are conducted driven by threat information rather than only + alerts from existing analytics. +5. Strategic, holistic, optimized to deter future events (e.g., with an understanding of + the full campaign and the adversary’s likely reaction to defensive response, the + defenders take decisive and coordinated actions that effectively evict the adversary + such that it is not easy for them to return) Deception Operations [#f8]_ --------------------------------- -How extensive and effective are deception operations to enable defensive objectives and the collection of new threat intelligence? - -1. None -2. Sandboxing of suspicious executables (e.g., email attachment detonation before delivery) -3. 1 to several Honey* (pot, token, document…) deployed and monitored, enabling detection of malicious use and early warning -4. Honey network deployed and monitored -5. Intentional, long-term deception operations in a realistic honey network +How extensive and effective are deception operations to enable defensive objectives and +the collection of new threat intelligence? +1. None +2. Sandboxing of suspicious executables (e.g., email attachment detonation before + delivery) +3. 1 to several Honey* (pot, token, document…) deployed and monitored, enabling + detection of malicious use and early warning +4. 
Honey network deployed and monitored +5. Intentional, long-term deception operations in a realistic honey network .. rubric:: References @@ -74,5 +94,3 @@ How extensive and effective are deception operations to enable defensive objecti .. [#f6] https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/ .. [#f7] https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/definitions/ .. [#f8] https://engage.mitre.org/ - - diff --git a/docs/components/index.rst b/docs/components/index.rst index a929ba7..92f4005 100644 --- a/docs/components/index.rst +++ b/docs/components/index.rst @@ -2,7 +2,14 @@ Appendix A - Key Components and Maturity Levels =============================================== -Expanded definitions of Threat Informed Defense Dimensions, Components, and Levels. +.. figure:: ../_static/m3tid-components.png + :alt: Threat-Informed Defense: Dimensions and Components + :align: center + + Threat-Informed Defense: Dimensions and Components + +This appendix includes detailed definitions of the threat-informed defense dimensions +and components. .. toctree:: :maxdepth: 1 @@ -10,5 +17,3 @@ Expanded definitions of Threat Informed Defense Dimensions, Components, and Leve cti dm tne - - diff --git a/docs/components/tne.rst b/docs/components/tne.rst index 2dd3d6b..48a7846 100644 --- a/docs/components/tne.rst +++ b/docs/components/tne.rst 
@@ -2,67 +2,70 @@ Test & Evaluation ================== -This section outlines the key components that have been identified for the Test & Evaluation dimension as well as maturity levels within the components. These components and levels form the basis for assessing how threat informed an organization’s T&E program is. This assessment can be conducted using the companion spreadsheet published with this white paper. +This section outlines the key components that have been identified for the Test & +Evaluation dimension as well as maturity levels within the components. These components +and levels form the basis for assessing how threat informed an organization’s T&E +program is. This assessment can be conducted using the companion spreadsheet published +with this white paper. Type of Testing ---------------- -Are cybersecurity tests focused on helping defenders improve against prioritized threats? - -1. None -2. Security Control / Risk Assessment (reactive, compliance-focused) -3. Vulnerability Assessment / Penetration Test (reactive, threat-focused) -4. Adversary Emulation (proactive, threat-focused) [#f1]_ [#f2]_ -5. Purple Teaming (proactive, threat-focused, collaborative) +Are cybersecurity tests focused on helping defenders improve against prioritized +threats? +1. None +2. Security Control / Risk Assessment (reactive, compliance-focused) +3. Vulnerability Assessment / Penetration Test (reactive, threat-focused) +4. Adversary Emulation (proactive, threat-focused) [#f1]_ [#f2]_ +5. Purple Teaming (proactive, threat-focused, collaborative) Frequency of Testing ----------------------------- Do your tests keep pace with changing adversaries and defended technologies? -1. None -2. Annual -3. Semi-Annual -4. Monthly -5. Continuous - +1. None +2. Annual +3. Semi-Annual +4. Monthly +5. Continuous Test Planning ------------------------ Are tests coordinated and prioritized on the most relevant threat behaviors? -1. None -2. Ad hoc -3. 
Deliberately planned and scoped, informed by Threat Actor or prioritized TTPs [#f3]_ -4. Collaboratively planned with Defenders, focused on known gaps and validating coverage -5. Collaboratively planned with Defenders, linked to organizational Metrics or KPIs - +1. None +2. Ad hoc +3. Deliberately planned and scoped, informed by Threat Actor or prioritized TTPs [#f3]_ +4. Collaboratively planned with Defenders, focused on known gaps and validating coverage +5. Collaboratively planned with Defenders, linked to organizational Metrics or KPIs Test Execution --------------------------------- Does testing cover adversary TTPs in addition to traditional IOCs? -1. None -2. Scanners or other tooling, not threat-focused -3. Commodity tooling, IOC-focused -4. Commodity tooling, TTP-focused, minimum 1 implementation of a technique [#f4]_ -5. Commodity or Custom tooling, TTP-focused, multiple (including evasive [#f5]_ ) implementations of a technique - +1. None +2. Scanners or other tooling, not threat-focused +3. Commodity tooling, IOC-focused +4. Commodity tooling, TTP-focused, minimum 1 implementation of a technique [#f4]_ +5. Commodity or Custom tooling, TTP-focused, multiple (including evasive [#f5]_ ) + implementations of a technique Test Results --------------------------------- How effectively do test results cause improvements in defensive measures? -1. None -2. Results generated -3. Results generated, leadership interest, actions taken -4. Results formally tracked; findings drive detection improvements and architectural changes -5. Results formally tracked; findings drive organizational programs, hiring, training, and other significant investments - +1. None +2. Results generated +3. Results generated, leadership interest, actions taken +4. Results formally tracked; findings drive detection improvements and architectural + changes +5. Results formally tracked; findings drive organizational programs, hiring, training, + and other significant investments .. 
rubric:: References @@ -71,4 +74,3 @@ How effectively do test results cause improvements in defensive measures? .. [#f3] https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/attack-flow/ .. [#f4] https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/micro-emulation-plans/ .. [#f5] https://posts.specterops.io/reactive-progress-and-tradecraft-innovation-b616f85b6c0a - diff --git a/docs/conf.py b/docs/conf.py index 754bf57..8d939b8 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -17,7 +17,7 @@ # -- Project information ----------------------------------------------------- -project = "M3TID" +project = "Measure, Maximize, Mature Threat-Informed Defense" author = "Center for Threat-Informed Defense" copyright_years = "2024" prs_numbers = "CT0105" diff --git a/docs/dimensions.rst b/docs/dimensions.rst index 9446af4..9f71352 100644 --- a/docs/dimensions.rst +++ b/docs/dimensions.rst 
@@ -1,40 +1,80 @@ Three Dimensions of Threat-Informed Defense -============================================= - -How can an organization implement or improve their Threat-Informed Defense? The starting point depends on the degree to which the organization currently incorporates cyber threat information. Any organization can apply threat information to their cybersecurity approach. At a minimum, the organization can take the perspective of an adversary and think about what an adversary might do to disrupt their business through cyber. Thinking this way helps to identify priorities in security and leads to a series of questions such as: What adversaries are known to target my industry or even my company? What are these adversaries capable of? How well is my organization currently prepared to mitigate, detect, or resiliently operate despite a malicious cyber-attack by such adversaries? What should my organization do next to be better prepared? The three dimensions of Threat-Informed Defense described below help organizations determine where they are in this process and recommended practices for improving. - -The goal of this project is to help any organization begin to incorporate threat in their security program. This paper provides both the understanding of *what* is Threat-Informed Defense as well as *why* Threat-Informed Defense is valuable. In addition, the best practices included in this paper provide a basis to measure the current state of leveraging threat-informed approaches in a security program, as well as how to improve a security program by implementing threat-informed best practices. In the sections that follow, the three main Dimensions of Threat-Informed Defense will be explained, as well as their key components. These components are discussed in more detail on the Key Components and Maturity Levels page, along with key best practices for each component. 
- -The Center has historically described Threat-Informed Defense as a continuous process in which defenders and adversaries are constantly learning and evolving. To implement an effective Threat-Informed Defense, an organization must understand the threat and implement effective defensive measures. To understand the efficacy of existing or planned defensive measures and identify defensive gaps, an organization must evaluate their current posture, as well as potential new defensive measures, against the known threats. From a Defense perspective, this process takes place in three main Dimensions: - -1. Cyber Threat Intelligence (CTI) -2. Defensive (Counter) Measures -3. Testing & Evaluation +=========================================== + +How can an organization implement or improve their threat-informed defense? The starting +point depends on the degree to which the organization currently incorporates cyber +threat information. At a minimum, the organization can take the perspective of an +adversary and think about what an adversary might do to attack their organization. +Thinking this way helps to identify priorities in security and leads to a series of +questions such as: What adversaries are known to target my industry or my organization? +What are these adversaries capable of? How well is my organization currently prepared to +mitigate, detect, or resiliently operate despite a malicious cyber-attack by such +adversaries? What should my organization do next to be better prepared? The three +dimensions of threat-informed defense described below help organizations determine where +they are in this process and recommended practices for improving. + +The goal of this project is to help any organization begin to implement threat-informed +defense in their security program, to measure their current state of implementation, and +create a plan for continually maturing the implementation. 
In the sections that follow, +the three dimensions of threat-informed defense are explained, as well as their key +components. These components are discussed in more detail in :doc:`components/index`. + +Threat-Informed Defense Cycle +----------------------------- + +.. figure:: _static/tid.png + :alt: Threat-Informed Defense Cycle + :align: center -These three elements are the core of implementing a quality Threat-Informed Program. Crucial to this idea of Threat-Informed Defense is this imperative of proactive defense. -An effective Threat-Informed Defense must continuously learn and evolve to optimally implement defensive measures to keep pace with new threats and technologies. + The Threat-Informed Defense Cycle +Threat-informed defense is a continuous process in which defenders and adversaries are +constantly learning and evolving. To implement an effective threat-informed defense, an +organization must understand the threat and implement effective defensive measures. To +understand the efficacy of existing or planned defensive measures and identify defensive +gaps, an organization must evaluate their current posture, as well as potential new +defensive measures, against the known threats. The three dimensions of threat-informed +defense are: -.. figure:: _static/tidcycle.png - :alt: CTID Threat-Informed Defense Cycle - :align: center +1. Cyber Threat Intelligence (CTI) +2. Defensive (Counter) Measures +3. Testing & Evaluation - CTID Threat-Informed Defense Cycle +Crucial to this idea of threat-informed defense is this imperative of proactive defense. +An effective threat-informed defense must continuously learn and evolve to optimally +implement defensive measures to keep pace with new threats and technologies. -In the sections that follow, the three main Dimensions of TID will be explained, as well as their key components. 
These components are discussed in more detail on the Key Components and Maturity Levels page, along with key best practices for each component. +In the sections that follow, the three main Dimensions of TID will be explained, as well +as their key components. These components are discussed in more detail on the Key +Components and Maturity Levels page, along with key best practices for each component. Cyber Threat Intelligence - Know the Adversary ---------------------------------------------- -The first major dimension of Threat-Informed Defense is Cyber Threat Intelligence, which is focused on understanding the adversary. This dimension measures how well the organization understands known behaviors of cyber adversaries; which specific adversaries are targeting its industry, technologies, or geography; and their motivations and typical objectives. Ultimately CTI programs enable organizations to produce a tailored threat model of the highest priority adversary behaviors, which ultimately informs the rest of the defensive program. Example capabilities such as the `Top 10 ATT&CK Technique Calculator `_ can help organizations with this initial tailoring based on a variety of factors. +The first dimension of threat-informed defense is Cyber Threat Intelligence (CTI), which +is focused on understanding the adversary. This dimension measures how well the +organization understands known behaviors of cyber adversaries; which specific +adversaries are targeting its industry, technologies, or geography; and their +motivations and typical objectives. Ultimately CTI programs enable organizations to +produce a tailored threat model of the highest priority adversary behaviors, which +ultimately informs the rest of the defensive program. Example capabilities such as the +`Top ATT&CK Technique Calculator +`_ can help organizations +with this initial tailoring based on a variety of factors. .. 
figure:: _static/topattackttp.png - :alt: CTID Top ATT&CK TTP Calculator + :alt: Top ATT&CK Techniques Calculator :align: center - CTID Top ATT&CK TTP Calculator + Top ATT&CK Techniques Calculator -The `Cyber Threat Intelligence Lifecycle `_, a product from `Recorded Future `_, consists of Direction, Collection, Processing, Analysis, and Dissemination. The components in the M3TID model exist as the inputs and outputs of the phases of the cycle. The combination of these components amount to how detailed an organization’s threat model and understanding of that threat model is. +The `Cyber Threat Intelligence Lifecycle +`_, a product from +`Recorded Future `_, consists of Direction, Collection, +Processing, Analysis, and Dissemination. The components in the M3TID model exist as the +inputs and outputs of the phases of the cycle. The combination of these components +amount to how detailed an organization’s threat model and understanding of that threat +model is. .. figure:: _static/rflifecycle.png :alt: Recorded Future Threat Intelligence Lifecycle 
@@ -43,7 +83,7 @@ The `Cyber Threat Intelligence Lifecycle `_ effort from the Center, which focuses on scoring and improving the quality of analytics to create detections that are more robust and core to Adversary behaviors. +--------------------------------------- + +Defensive Measures is core to the concept of threat-informed defense. Once an +organization understands the adversary, if they do not implement real change in their +organization based on what they learn, then they are not achieving the impact of +threat-informed defense. Importantly, many organizations might consider that +threat-informed defense only applies to technical defenses, but the concept should apply +across all aspects of a security program. An example of evolving defensive measures is +the Center's `Summitting the Pyramid +`_ +proejct, which uses knowledge of adversary tradecraft to create more robust cyber +detections. .. figure:: _static/stp.png - :alt: CTID Summiting the Pyramid + :alt: Summiting the Pyramid :align: center - CTID Summiting the Pyramid - + Summiting the Pyramid The key Components of Defensive Measures are: 
@@ -74,21 +122,37 @@ The key Components of Defensive Measures are: 4. Incident Response 5. Deception Operations -Although improvements in defenses typically result in a technical defensive measure, that does not have to mean a firewall rule or a new analytic in a SIEM. Any action taken to make a network or system more secure can benefit from insight into threats. This could be stronger polices, prioritized patching, new detections, deception operations, or additional security training. - +Although improvements in defenses typically result in a technical defensive measure, +that does not have to mean a firewall rule or a new detection rule in a SIEM. Any action +taken to make a network or system more secure can benefit from insight into threats. +This could be stronger policies, prioritized patching, new detections, deception +operations, or additional security training. Testing & Evaluation - Learn and Improve ------------------------------------------ +---------------------------------------- -Testing and Evaluation helps an organization validate and grow. By testing against adversary realistic TTPs, an organization can validate their defenses and illuminate their gaps. By continuously testing based on updated threat knowledge and new approaches to adversary TTPs, an organization maintains a realistic picture of their security posture. One example of leverage more tailored, threat-informed testing is to focus adversary emulation or purple-teaming testing on the typical behaviors and attack flow of specific, relevant adversaries. The graphic below shows the high level `FIN6 attack plan `_ taken from the Center’s `Adversary Emulation library `_. +Testing and Evaluation helps an organization validate and grow. By testing against +adversary realistic TTPs, an organization can validate their defenses and discover gaps. 
+By continuously testing based on updated threat knowledge and new approaches to +adversary TTPs, an organization maintains a realistic picture of their security posture. +For example, red or purple team exercises should leverage *adversary emulation*, which +means replicating the behaviors and attack flow of specific, relevant adversaries. The +graphic below shows the high level `FIN6 attack plan +`_ +taken from the Center’s `Adversary Emulation library +`_. .. figure:: _static/fin6advemu.png - :alt: CTID FIN6 Adversary Emulation Plan + :alt: FIN6 Adversary Emulation Plan :align: center + :width: 75% - CTID FIN6 Adversary Emulation Plan + FIN6 Adversary Emulation Plan -Beyond that, testing can drive product or architecture changes to improve security, inform detection engineering and incident response, validate defensive controls, as well as other areas. Testing is an important way to rehearse before any real compromise occurs. +Beyond that, testing can drive product or architecture changes to improve security, +inform detection engineering and incident response, validate defensive controls, as well +as other areas. Testing is an important way to rehearse before any real compromise +occurs. The key Components of T&E are: @@ -97,5 +161,3 @@ The key Components of T&E are: 3. Test Planning 4. Test Execution 5. Test Results - - diff --git a/docs/forward.rst b/docs/forward.rst index 76111e7..6ff076c 100644 --- a/docs/forward.rst +++ b/docs/forward.rst 
@@ -1,22 +1,65 @@ Moving Forward -=============== +============== -Once an organization has scored themselves with this model, they can identify key gaps to fill. The Center recommends an organization to start with any component that is currently scored as a zero because there is significant differentiated value in moving from zero to one in this model. Once an organization scores at least a one in each component (including the scores of service providers, if various portions of the Security program are out-sourced), the Center recommends that organizations work to improve the CTI and Defensive Measures scores in parallel as a priority. Testing and evaluating those components is valuable, but they must first exist to test and evaluate. Because of this, the overall score puts less weight on the Test and Evaluation dimension. +Once an organization has scored themselves with this model, they can identify key gaps +to fill. The Center recommends an organization to start with any component that is +currently scored as a zero because there is significant differentiated value in moving +from zero to one in this model. Once an organization scores at least a one in each +component (including the scores of service providers, if various portions of the +Security program are out-sourced), the Center recommends that organizations work to +improve the CTI and Defensive Measures scores in parallel as a priority. Testing and +evaluating those components is valuable, but they must first exist to test and evaluate. +Because of this, the overall score puts less weight on the Test and Evaluation +dimension. -.. figure:: _static/CTIDresources.jpg - :alt: Alignment of CTID Projects to M3TID +.. 
figure:: _static/projects-triangle.png + :alt: Alignment of Center Projects to M3TID :align: center - Alignment of CTID Projects to M3TID + Alignment of Center Projects to M3TID -The M3TID maturity model is meant to be a straightforward, easy to use tool for organizations to measure their current state, assess progress, and continuously refine and optimize their security posture by prioritizing based on threat-informed principles. The Center continues to provide a number of resources that reinforce or enable continuous improvement in all three of the Threat-Informed Defense Dimensions. By leveraging M3TID to understand their current maturity level and identifying areas for improvement, organizations can make targeted investments and strategic decisions to strengthen their defenses against the ever-evolving threat landscape. In the long run, this maturity model will help organizations optimize their resources, enhance their cybersecurity capabilities, and better protect their digital assets and infrastructure from potential attacks. +For more information about these projects, visit the `Center's Our Work +`__ +page. + +The M3TID maturity model is meant to be a straightforward, easy-to use tool for +organizations to measure their current state, assess progress, and continuously refine +and optimize their security posture by prioritizing based on threat-informed principles. +The Center continues to provide a number of resources that reinforce or enable +continuous improvement in all three of the threat-informed defense dimensions. By +leveraging M3TID to understand their current maturity level and identifying areas for +improvement, organizations can make targeted investments and strategic decisions to +strengthen their defenses against the ever-evolving threat landscape. 
In the long run, +this maturity model will help organizations optimize their resources, enhance their +cybersecurity capabilities, and better protect their digital assets and infrastructure +from potential attacks. M3TID Future Work ------------------- +----------------- -This model is intended to be a starting point which can be extended and expanded in several ways. The Center started with a breadth-first approach to framing up this space, identifying the three primary dimensions of Threat-Informed Defense and the first five components of each dimension. At this stage, a score would be the result of a qualitative self-assessment by knowledgeable practitioners in an organization, guided by the definitions of dimensions, components, and levels on the Key Components and Maturity Levels page. This framework is meant to be applicable to organizations of all sizes, and as such scoring should take into account organic “in house” capabilities as well as any capabilities delivered by 3rd party service providers like an MSP. +This model is intended to be a starting point which can be extended and expanded in +several ways. The Center started with a breadth-first approach to framing up this space, +identifying the three dimensions of threat-informed defense and the first five +components of each dimension. At this stage, a score would be the result of a +qualitative self-assessment by knowledgeable practitioners in an organization, guided by +the definitions of dimensions, components, and levels detailed in +:doc:`components/index`. This framework is meant to be applicable to organizations of +all sizes, and as such scoring should take into account organic “in house” capabilities +as well as any capabilities delivered by 3rd party service providers like an MSP. 
-In the future, this model could be extended to incorporate fine-grained sub-components with associated levels, more objective criteria for levels that tied to specific data sources and assessed by a 3rd party or automation, and additional components within the dimensions. The model could also be modified to improve on the quantification of levels and the scoring algorithm to better align with evidence on the relative importance of each component to bottom-line security efficacy. In the absence of such evidence, the Center needs to start by collecting data on the dimensions and components that the Center has hypothesized will prove most important based on existing research and experience. +In the future, this model could be extended to incorporate fine-grained sub-components +with associated levels, more objective criteria for levels that tied to specific data +sources and assessed by a 3rd party or automation, and additional components within the +dimensions. The model could also be modified to improve on the quantification of levels +and the scoring algorithm to better align with evidence on the relative importance of +each component to bottom-line security efficacy. In the absence of such evidence, the +Center needs to start by collecting data on the dimensions and components that the +Center has hypothesized will prove most important based on existing research and +experience. -In this initial release of M3TID, we provide a proof-of-concept spreadsheet that enables an organization to assess themselves and see the resulting scores. This may be updated to a more interactive web application in a future release of M3TID, and potentially enable more automated measurement if the M3TID framework is extended to objective, specific data sources. +In this initial release of M3TID, we provide a proof-of-concept spreadsheet that enables +an organization to assess themselves and see the resulting scores. 
This may be updated +to a more interactive web application in a future release of M3TID, and potentially +enable more automated measurement if the M3TID framework is extended to objective, +specific data sources. diff --git a/docs/getting-started.rst b/docs/getting-started.rst new file mode 100644 index 0000000..9ef5719 --- /dev/null +++ b/docs/getting-started.rst 
@@ -0,0 +1,152 @@ +Getting Started with Threat-Informed Defense +============================================ + +Why is Threat-Informed Defense Valuable? +---------------------------------------- + +Threat-informed defense enables the collective resources of all defenders to be greater +than those of any one adversary. It identifies known adversary behavior, relevant to an +organization’s threat model, and fosters a community-driven approach to enable an +organization to proactively defend, self-assess, and improve defenses against those +known threats. As a threat-informed defense program and the community mature, long-term +understanding of adversaries and their evolution enables defenders to identify how the +adversary may evolve next. Ideally a predictive approach enables defenders to prioritize +and optimize the scope of their practice and increases both cost and difficulty for the +adversary. + +Who Should Consider Threat-Informed Defense? +-------------------------------------------- + +There is real value to be had by implementing a threat-informed defense security +program. All organizations, agnostic of size, revenue, or industry can leverage +threat-informed approaches in their security programs. The goal of the M3TID project is +to provide a model that any organization could use to assess themselves and then improve +their implementation of a threat-informed defense security program. However, it is +important to note that there are key steps an organization should take to set a solid +foundational security program. + +Any organization can benefit from “thinking like an adversary” to consider how they +might be at risk from a cyber-attack and taking that into account as they design, +operate, and maintain their systems. However, to optimally implement Threat-Informed +Defense, an organization should have a functioning, foundational security program. This +type of work is typically in the realm of compliance frameworks. 
Whether that be `PCI +`_ , `SOC2 +`_ +, `RMF `_ , or `CMMC +`_ to list just a few, these are a starting +point for basic, foundational security and are complementary to the more threat-focused +recommendations in this model. + +These existing frameworks do several things for an organization: + +* Provide a set of standardized guidelines, best practices, and requirements for + organizations to follow to meet regulatory and industry-specific security standards. +* Focus on ensuring that organizations maintain a baseline level of security and adhere + to legal and contractual obligations. +* Offer a structured and auditable approach to security, which can help organizations + demonstrate their commitment to maintaining a secure environment. +* Typically cover a broad range of security controls, including administrative, + physical, and technical measures. + +Applying these best practices and baseline security behaviors well, on a consistent +basis, is the foundation an organization needs to implement a threat-informed defense. + +Adding the Threat-Informed Perspective +-------------------------------------- + +Threat-informed defense is not intended to replace a baseline security program but +rather threat-informed defense enhances that basline program and gives it focus. It +enables organizations to enhance their defenses proactively and adaptively against +evolving threats. By focusing on understanding adversaries' TTPs, organizations can +effectively prioritize their defensive measures and make better-informed decisions about +their security investments. + +Once the foundations are in place, threat-informed defense empowers organizations to: + +* Understand relevant adversaries' TTPs to prioritize and tailor an organization's + defensive measures. +* Proactively self assess based on real-world adversary behaviors, identifying and + mitigating gaps prior to actual intrusions. 
+* Enable an agile security posture by adapting defenses based on a constantly evolving + knowledge of adversaries and threat-realistic self-assessment results. + +How Does this Align with a Baseline Security Program? +----------------------------------------------------- + +Threat-informed defense is complementary to other cybersecurity programs, such as NIST’s +Cyber Security Framework (CSF). In the `NIST CSF +`_, cybersecurity functions are categorized as +belonging to one of Govern, Identify, Protect, Detect, Respond, and Recover. + +.. figure:: _static/nistcsf.png + :alt: NIST CSF 2.0 + :align: center + + NIST CSF 2.0 + +In threat-informed defense, all those functions can be threat-informed to varying +degrees and in different ways. Some specific examples for each phase of the NIST CSF are +provided below: + +Identify + Inform understanding of risk and risk measurement based on an informed understanding + of particular adversaries that are known to target a specific industry, geographical + area, or technology by leveraging the `ATT&CK Workbench + `_ + or `Sightings + `_. + +Protect + Prioritizing patch deployment based on the probability that a relevant adversary will + exploit the related vulnerability on an organization’s systems is an example of + threat-informed protection. An excellent example of threat-informed protection is the + `Exploit Prediction Scoring System (EPSS) `_ which + prioritizes vulnerabilities based on the probability that they will be exploited based + on real-world exploitation information. + +Detect + Detection is greatly enhanced by being threat-informed. Without a knowledge of the + threat, detection must rely on statistical deviations from a baseline, or on + allow-listing. Unfortunately, most networks have such large variation in their + baseline activity that it is relatively easy for adversaries to “hide” in the noise, + and difficult for analysts to filter out false positives. 
Most detection is already + threat-informed to some extent by at least leveraging feeds of “known-malicious” + indicators of compromise such as domain names or malware signatures, which are easier + for an adversary to change compared to TTPs. To improve those detections, a more + advanced threat-informed defense would leverage deep insight into the underlying and + difficult-to-avoid behaviors that are core to malicious activity. This concept is + well-documented in SpecterOps’ `Capability Abstraction blog series + `_, MITRE’s + `TTP-Based Hunting + `_, + and the Center’s `Summiting the Pyramid + `_ work. + +Respond + Responders who understand adversary campaigns and behaviors more deeply can uncover + the broader picture of malicious activity in their network and take more effective + responsive action. For example, a quick isolation response to the first piece of + malware discovered might only alert the adversary to being discovered and cause them + to adjust accordingly and evade further detection, whereas a broader understanding of + the adversary’s intentions, capabilities, and previous campaigns might lead the + responders to investigate further, discover other likely targets within the network, + identify crucial chokepoints in the adversary’s intrusion, and take a more decisive + action in evicting the adversary. + +Recover + Organizations can validate their backup and recovery plans by testing themselves + against realistic adversary tradecraft using the `Adversary Emulation Library + `_ + or `Micro Emulation Plans + `_. + These are particularly valuable for testing recovery in ransomware scenarios. + +The CSF is primarily focused on an understanding of the systems being defended and +general best-practices for cybersecurity. A threat-informed defense complements that +with knowledge of adversary tactics, techniques, procedures, tools, tradecraft, and +intentions. 
This threat-informed defense model is not intended to replace frameworks +such as the CSF but to document how to incorporate threat information into the relevant +components of a full cybersecurity program. For that reason, a high score in this model +indicates that threat knowledge is being optimally utilized to guide defensive +investments and actions. + diff --git a/docs/gettingstarted.rst b/docs/gettingstarted.rst deleted file mode 100644 index 9813667..0000000 --- a/docs/gettingstarted.rst +++ /dev/null 
@@ -1,61 +0,0 @@ -Getting Started with Threat-Informed Defense -============================================= - - -Why is Threat-Informed Defense Valuable? ------------------------------------------ - -The intent of Threat-Informed Defense is to enable the collective resources of the defender to be greater than those of the adversary. There is too much theoretical adversary behavior for any individual defender to cover. Threat-Informed Defense identifies known adversary behavior, relevant to an organization’s threat model, and fosters a community-driven approach to enable an organization to proactively defend, self-assess, and improve defenses against those known threats. As a Threat-Informed Defense program and the community mature, long-term understanding of adversaries and their evolution enables defenders to identify how the adversary may evolve next. Ideally a predictive approach enables defenders to prioritize and optimize the scope of their practice and increases both cost and difficulty for the adversary. - - -Who should consider Threat-Informed Defense? --------------------------------------------- - -There is real value to be had by implementing a Threat-Informed Defense security program. All organizations, agnostic of size, revenue, or industry can leverage threat-informed approaches in their security programs. The goal of the M3TID project is to provide a model that any organization could use to assess themselves and then improve their implementation of a Threat-Informed Defense security program. However, it is important to note that there are key steps an organization should take to set a solid foundational security program. - -Any organization can benefit from “thinking like an adversary” to consider how they might be at risk from a cyber-attack and taking that into account as they design, operate, and maintain their systems. 
However, to optimally implement Threat-Informed Defense, an organization should have a functioning, foundational security program. This type of work is typically in the realm of compliance frameworks. Whether that be `PCI `_ , `SOC2 `_ , `RMF `_ , or `CMMC `_ to list just a few, these are a starting point for basic, foundational security and are complementary to the more threat-focused recommendations in this model. - -These existing frameworks do several things for an organization: - -* Provide a set of standardized guidelines, best practices, and requirements for organizations to follow to meet regulatory and industry-specific security standards. -* Focus on ensuring that organizations maintain a baseline level of security and adhere to legal and contractual obligations. -* Offer a structured and auditable approach to security, which can help organizations demonstrate their commitment to maintaining a secure environment. -* Typically cover a broad range of security controls, including administrative, physical, and technical measures. - -Applying these best practices and baseline security behaviors well, on a consistent basis, is the foundation an organization needs to implement a Threat-Informed Defense. - - - -Adding the Threat-Informed Perspective --------------------------------------- - -Threat-Informed Defense is not intended to replace or obviate the need for a baseline security program but rather Threat-Informed Defense enhances an organization’s security program and gives it focus. Threat-Informed Defense is a crucial approach to cybersecurity that enables organizations to enhance their defenses proactively and adaptively against evolving threats. By focusing on understanding adversaries' TTPs, organizations can more effectively prioritize their defensive measures and make better-informed decisions about their security investments. 
- -Once the foundations are in place, Threat-Informed Defense empowers organizations to: - -* Understand relevant adversaries' TTPs to prioritize and tailor an organization's defensive measures. -* Proactively self assess based on real-world adversary behaviors, identifying and mitigating gaps prior to actual intrusions. -* Enable an agile security posture by adapting defenses based on a constantly evolving knowledge of adversaries and threat-realistic self-assessment results. - - -How does Threat-Informed Defense align with my existing Security Program? -------------------------------------------------------------------------- - -Threat-Informed Defense is complementary to other cybersecurity programs, such as NIST’s Cyber Security Framework (CSF). In the `NIST CSF `_, cybersecurity functions are categorized as belonging to one of Govern, Identify, Protect, Detect, Respond, and Recover. - -.. figure:: _static/nistcsf.png - :alt: NIST CSF 2.0 - :align: center - - NIST CSF 2.0 - -In Threat-Informed Defense, all those functions can be threat-informed to varying degrees and in different ways. Some specific examples for each phase of the NIST CSF are provided below: - -* **Identify**: Inform understanding of risk and risk measurement based on an informed understanding of particular adversaries that are known to target a specific industry, geographical area, or technology by leveraging the `ATT&CK Workbench `_ or `Sightings `_. -* **Protect**: Prioritizing patch deployment based on the probability that a relevant adversary will exploit the related vulnerability on an organization’s systems is an example of threat-informed protection. An excellent example of threat informed protection is the `Exploit Prediction Scoring System (EPSS) `_ which prioritizes vulnerabilities based on the probability that they will be exploited based on real-world exploitation information. -* **Detect**: Detection is greatly enhanced by being threat informed. 
Without a knowledge of the threat, detection must rely on statistical deviations from a baseline, or on allow-listing. Unfortunately, most networks have such large variation in their baseline activity that it is relatively easy for adversaries to “hide” in the noise, and difficult for analysts to filter out false positives. Most detection is already threat-informed to some extent by at least leveraging feeds of “known-malicious” indicators of compromise such as domain names or malware signatures, which are easier for an adversary to change compared to TTPs. To improve those detections, a more advanced threat-informed defense would leverage deep insight into the underlying and difficult-to-avoid behaviors that are core to malicious activity. This concept is well-documented in SpecterOps’ `Capability Abstraction blog series `_, MITRE’s `TTP-Based Hunting `_, and the Center’s `Summiting the Pyramid `_ work. -* **Respond**: Responders who understand adversary campaigns and behaviors more deeply can uncover the broader picture of malicious activity in their network and take more effective responsive action. For example, a quick isolation response to the first piece of malware discovered might only alert the adversary to being discovered and cause them to adjust accordingly and evade further detection, whereas a broader understanding of the adversary’s intentions, capabilities, and previous campaigns might lead the responders to investigate further, discover other likely targets within the network, identify crucial chokepoints in the adversary’s intrusion, and take a more decisive action in evicting the adversary. -* **Recover**: Organizations can validate their backup and recovery plans by testing themselves against realistic adversary tradecraft using the `Adversary Emulation Library `_ or `Micro Emulation Plans `_. 
These are particularly valuable for testing recovery in ransomware scenarios - -The CSF is primarily focused on an understanding of the systems being defended and general best-practices for cybersecurity. A Threat-Informed Defense complements that with knowledge of adversary tactics, techniques, procedures, tools, tradecraft, and intentions. This Threat-Informed Defense model is not intended to replace frameworks such as the CSF but to document how to incorporate threat information into the relevant components of a full cybersecurity program. For that reason, a high score in this model indicates that threat knowledge is being optimally utilized to guide defensive investments and actions. - diff --git a/docs/index.rst b/docs/index.rst index 560a76c..5dc9d2c 100644 --- a/docs/index.rst +++ b/docs/index.rst 
@@ -1,28 +1,23 @@ -M3TID |version| -=============== +Measure, Maximize, and Mature Threat-Informed Defense |version| +=============================================================== -Background ------------ - -Globally, security practitioners, security program leaders, and Board members seek to answer the question “How secure are we?” Our research adds a complementary approach to answering that question, to be combined with traditional cybersecurity best practices and maturity models. This is a starting point for building an effective Threat-Informed Defense that enables a data-driven approach to optimizing investments. - -The Center for Threat-Informed Defense (the Center) contends that one of the most impactful ways to manage a security program is to leverage knowledge of cyber threats to prioritize the allocation of limited resources to reduce overall risk. As risk is the product of probability and impact, it is crucially important to have a thorough knowledge of actual threat actors, their capabilities, and their typical tactics, techniques, and procedures (TTPs). By understanding the adversary well, an organization can prioritize their defenses as well as pre-emptively and continuously assess themselves to identify gaps. This enables organizations to shift to a more proactive approach to security, constantly learning, assessing, and improving their security programs. The goal of this shift is to increase the cost and difficulty for the adversaries thereby increasing security. Forcing adversaries to create new tooling, find new vulnerabilities and exploits, and attempt to discover new paths into an organization’s environment drives their cost in manpower, infrastructure, and time. It also forces them to restart their attack lifecycle, creating additional opportunities for detection and response. The ultimate goal is to create a situation such that attacking is so costly and/or so difficult that it is no longer reasonable for the adversary to attack. 
- - -The M3TID Project ------------------ - -The Measure, Maximize, Mature Threat-Informed Defense (M3TID) project extends this concept of leveraging Threat understanding to improve a security program by working towards an actionable definition of Threat-Informed Defense (TID) and its associated key activities. The M3TID project is based on the hypothesis that applying Threat-Informed Defense will improve the efficiency of a security program and reduce organizational risk. The project captures insights and best practices for what it means to be threat-informed across a security program, expanding the dimensions of Threat-Informed Defense into key components that organizations should implement. For each of these components, the M3TID project defines discrete levels reflecting implementations of that component from least-to-most threat-informed. - -The intent of the M3TID project is that organizations, from security practitioners to executive leaders, will be able to leverage this measurement framework to better assess and understand their current position in terms of a Threat-Informed Defense security program. With this first framework for measuring the degree to which threat information is guiding security practices, the Center can start to gather the data needed to refine the model to reflect the relative importance of each of these components in contributing to bottom-line cyber risk reduction. +.. image:: _static/tid.png +The Measure, Maximize, and Mature Threat-Informed Defense (M3TID) project defines what +Threat-Informed Defense (TID) is and the key activities associated with its practice. +The project captures insights and best practices for what it means to be threat-informed +across a security program, expanding the dimensions of Threat-Informed Defense into key +components that organizations can implement. 
For each of these components, the project +defines specific elements of implementation maturity, which enables organizations to +assess and to understand the current and future state of their threat-informed defense +program. .. toctree:: :maxdepth: 2 :caption: Contents - whatistid - gettingstarted + what-is-tid + getting-started dimensions measuring maxmature diff --git a/docs/maxmature.rst b/docs/maxmature.rst index 0517a97..56b1595 100644 --- a/docs/maxmature.rst +++ b/docs/maxmature.rst 
@@ -1,72 +1,112 @@ Maximize & Mature Threat-Informed Defense -========================================== - -As an organization evaluates their current degree of incorporating threat information in their cybersecurity, they will likely identify gaps. Closing each gap comes at a cost and provides some differential benefit relative to their current posture. The Center advises that an organization considers the options for closing gaps through a portfolio analysis, taking into account that some investments may provide benefits across more than one Threat-Informed Defense component. For example, improved training of cybersecurity personnel might enable them to develop better data collection, detection engineering, and incident response solutions. A portfolio analysis approach can also help to optimize across multiple investment opportunities that have overlapping benefits. For example, adding an Endpoint Detection and Response (EDR) Tool may improve the Threat-Informed Defense score, whereas adding two similar EDR tools won’t provide double the benefit. Additionally, some investments may need to precede others. For example, a Threat Model and good CTI understanding of those threat behaviors is necessary before you can use that information to inform tailored Detection Engineering or Testing. - -The options to close gaps are likely to be in the form of people, processes, technologies, policies, and/or services. In some cases, an organization may need more people to increase capacity, or they may not have anyone yet for a particular role. In other cases, the number of people may be sufficient, but they require additional education and/or training. As with all of the components, these might be direct employees, or the staff associated with a service provider. Processes need to be in place, documented, understood, regularly implemented, and aligned with the needs of Threat-Informed Defense. 
For example, an organization may have skilled adversary emulators, but if no process exists to conduct regular purple teaming, those skills are not being fully utilized. Of course, technologies are key to enabling skilled staff to implement good processes. Organizations should consider how best to augment or replace existing tools to optimize their overall coverage of their prioritized Threat Model. Finally, even the best teams, processes, and tools can’t succeed if policy prohibits their effective employment. Policies need to carefully balance resource constraints, privacy, safety, efficiency, and efficacy. Cybersecurity professionals might benefit from translating the technical jargon and focus of their analysis to the policy language and business focus of the policy personnel. - +========================================= + +As an organization evaluates their current degree of incorporating threat information in +their cybersecurity, they will likely identify gaps. Closing each gap comes at a cost +and provides some differential benefit relative to their current posture. The Center +advises that an organization considers the options for closing gaps through a portfolio +analysis, taking into account that some investments may provide benefits across more +than one threat-informed defense component. For example, improved training of +cybersecurity personnel might enable them to develop better data collection, detection +engineering, and incident response solutions. A portfolio analysis approach can also +help to optimize across multiple investment opportunities that have overlapping +benefits. For example, adding an Endpoint Detection and Response (EDR) Tool may improve +the threat-informed defense score, whereas adding two similar EDR tools won’t provide +double the benefit. Additionally, some investments may need to precede others. 
For +example, a Threat Model and good CTI understanding of those threat behaviors is +necessary before you can use that information to inform tailored Detection Engineering +or Testing. + +The options to close gaps are likely to be in the form of people, processes, +technologies, policies, and/or services. In some cases, an organization may need more +people to increase capacity, or they may not have anyone yet for a particular role. In +other cases, the number of people may be sufficient, but they require additional +education and/or training. As with all of the components, these might be direct +employees, or the staff associated with a service provider. Processes need to be in +place, documented, understood, regularly implemented, and aligned with the needs of +threat-informed defense. For example, an organization may have skilled adversary +emulators, but if no process exists to conduct regular purple teaming, those skills are +not being fully utilized. Of course, technologies are key to enabling skilled staff to +implement good processes. Organizations should consider how best to augment or replace +existing tools to optimize their overall coverage of their prioritized threat model. +Finally, even the best teams, processes, and tools can’t succeed if policy prohibits +their effective employment. Policies need to carefully balance resource constraints, +privacy, safety, efficiency, and efficacy. Cybersecurity professionals might benefit +from translating the technical jargon and focus of their analysis to the policy language +and business focus of the policy personnel. Improvement ------------- +----------- -To illustrate the impact of leveraging the best practices in the M3TID framework to improve Threat-Informed Defense, this section will continue leveraging the same fictitious Company A from the previous section and re-assess the organization after multiple improvements were made. 
In this example, Company A considers the M3TID best practices and maturity levels, and determines to implement the following improvements: +To illustrate the impact of leveraging the best practices in the M3TID framework to +improve threat-informed defense, this section will continue leveraging the same +fictitious Company A from the previous section and re-assess the organization after +multiple improvements were made. In this example, Company A considers the M3TID best +practices and maturity levels, and determines to implement the following improvements: -* CTI: Subscribe to a customized threat intelligence feed. -* DM: Dedicate additional resources to developing and tuning detection analytics for identified adversary techniques. -* T&E: Institute a semi-annual adversary emulation. +* CTI: Subscribe to a customized threat intelligence feed. +* DM: Dedicate additional resources to developing and tuning detection analytics for + identified adversary techniques. +* T&E: Institute a semi-annual adversary emulation. -Those changes result in the following updated scores and the accompanying graphs: +Those changes result in the following updated scores and the accompanying graphs: .. figure:: _static/ex2scores.png :alt: Improved TID and Component Scores :align: center + :width: 80% Improved TID and Component Scores - .. figure:: _static/ex2kiviatdim.png - :alt: Kiviat Diagram: Comparison of Improved TID Dimensions + :alt: Radar Chart: Comparison of Improved TID Dimensions :align: center + :width: 80% - Kiviat Diagram: Comparison of Improved TID Dimensions - + Radar Chart: Comparison of Improved TID Dimensions .. 
figure:: _static/ex2kiviatall.png - :alt: Kiviat Diagram: Comparison of all Improved TID Components + :alt: Radar Chart: Comparison of all Improved TID Components :align: center + :width: 80% - Kiviat Diagram: Comparison of all Improved TID Components - + Radar Chart: Comparison of all Improved TID Components Tracking Improvement over Time ------------------------------ -One purpose of this model is to improve over time, so by an organization continually scoring themselves, they can see how their score may increase. An organization may want to consider adding a historical record tab in their scoring spreadsheet to log their changes over time. +One purpose of this model is to improve over time. Organizations should re-score +themselves perioically over time and track their evolving maturity. An organization may +want to consider adding a historical record tab in their scoring spreadsheet to log +their changes over time. .. figure:: _static/multiyearscores.png :alt: Multi-Year Overall TID and Dimension Scores :align: center + :width: 80% Multi-Year Overall TID and Dimension Scores - .. figure:: _static/kiviatovertime.png - :alt: Kiviat Diagram: Component Improvement Over Time + :alt: Radar Chart: Component Improvement Over Time :align: center + :width: 80% - Kiviat Diagram: Component Improvement Over Time - + Radar Chart: Component Improvement Over Time .. figure:: _static/lineovertime.png :alt: Line Graph: Improvement Over Time :align: center + :width: 80% Line Graph: Improvement Over Time - .. figure:: _static/barovertime.png :alt: Bar Graph: Improvement Over Time :align: center + :width: 80% Bar Graph: Improvement Over Time +These are just example charts to illustrate potential approaches to tracking +threat-informed defense maturity over time. diff --git a/docs/measuring.rst b/docs/measuring.rst index 29cbcd4..17e14ed 100644 --- a/docs/measuring.rst +++ b/docs/measuring.rst 
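Review bot: Typo in the rewritten Tracking Improvement paragraph: "Organizations should re-score themselves perioically over time" should read "periodically", and "periodically over time" is redundant, so something like "Organizations should re-score themselves periodically and track their evolving maturity." Same hunk, casing: the rewrap lowercases "Threat-Informed Defense" to "threat-informed defense" and "their prioritized Threat Model" to "their prioritized threat model", but a few lines earlier "a Threat Model and good CTI understanding" and "tailored Detection Engineering or Testing" keep their capitals; pick one convention for these component names so the page does not read as if "Threat Model" and "threat model" were different things.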
@@ -1,87 +1,117 @@ Measuring Threat-Informed Defense -================================== +================================= -Now that Threat-Informed Defense has been defined, its importance emphasized, and the three main dimensions have been covered, there are three key questions: What specific activities do I need to become Threat-Informed? How Threat-Informed is my security program now? What are the next steps I need to take to improve my level of Threat-Informed Defense? +Now that threat-informed defense has been defined, its importance emphasized, and the +three dimensions have been covered, there are three key questions: -Each of these questions lead to a need to measure Threat-Informed Defense, something that has not been done before. On the Key Components and Maturity Levels page, the three Dimensions of Threat-Informed Defense are further decomposed into an initial set of components, with measures for each component from least-to-most threat-informed. In the sections that follow the methodology to leverage those components to assess a security program are explained. The methodology is then applied to an exemplar organization for demonstration purposes. +1. What specific activities do I need to become threat-informed? +2. How threat-informed is my security program now? +3. What are the next steps I need to take to improve my level of threat-informed + defense? + +Each of these questions lead to a need to measure threat-informed defense, something +that has not been done before. On the Key Components and Maturity Levels page, the three +Dimensions of threat-informed defense are further decomposed into an initial set of +components, with measures for each component from least-to-most threat-informed. In the +sections that follow, we explain the methodology to leverage those components to assess +a security program and then apply the methodology to a hypothetical organization. 
Methodology ----------- -To ensure consistency, the following steps were developed to approach Threat-Informed Defense measurement: - -* Each of the Threat-Informed Defense Dimensions is decomposed into five key components. -* For each of those components, five discrete levels of maturity, from least to most threat-informed, were developed. -* Within a Threat-Informed Defense Dimension (e.g. CTI), all of its subordinate components are weighted equally. -* At the Threat-Informed Defense Dimensions level, the Dimensions themselves are weighted. +To ensure consistency, we developed the following steps for threat-informed defense +measurement: -See the Key Components and Maturity Levels page for the defined key components and maturity levels for all three dimensions of Threat-Informed Defense. These component and maturity levels form the basis for the assessment and scoring further described below. +* Each of the threat-informed defense :doc:`dimensions ` is decomposed into + five key components. +* For each of those components, we developed five discrete levels of maturity, from + least to most threat-informed. +* Within a threat-informed defense dimension (e.g. CTI), all of its subordinate + components are weighted equally. +* The dimensions themselves are also weighted. +See :doc:`components/index` for the defined key components and maturity levels for all +three dimensions of threat-informed defense. These component and maturity levels form +the basis for the assessment and scoring further described below. Weighting and Scoring --------------------- -This scoring system consists of three parts. Each of the three dimensions has five components, and each component has five levels. Scoring is accomplished primarily at the “level” portion of the framework. - -Each level has a number of points associated with it, which are “earned” if the organization satisfies the requirements of that level. 
These points are cumulative, so if an organization satisfies the requirements of level 1 or 2, they earn 1 point each; satisfying level 3 or 4 earns 2 points each; satisfying both level 1 and 4 earns 3 points (1+2=3 points) for that component. The score for each component can therefore range from 0 to 6. The score for a Dimension is the average of the scores for every component in that dimension. This results in Dimension scores that also range from 0 to 6. +This scoring system consists of three parts. Each of the three dimensions has five +components, and each component has five levels. Scoring is accomplished primarily at the +“level” portion of the framework. +Each level has a number of points associated with it, which are “earned” if the +organization satisfies the requirements of that level. These points are cumulative, so +if an organization satisfies the requirements of level 1 or 2, they earn 1 point each; +satisfying level 3 or 4 earns 2 points each; satisfying both level 1 and 4 earns 3 +points (1+2=3 points) for that component. The score for each component can therefore +range from 0 to 6. The score for a dimension is the average of the scores for every +component in that dimension. Overall Threat-Informed Defense Scoring ----------------------------------------- - -The total score for an organization is currently computed as a weighted sum of the Dimension scores. The logic behind this cumulative score is that taking defensive action is the most important component to a Threat-Informed Defense. The importance of CTI is greater than that of test and evaluation based on the experience of the Center and its Participants. This final formula is not meant to be extremely precise, but rather reflects the “best engineering judgment” of the M3TID team and Participants. As with most other frameworks and maturity models, each organization can, and should, tune and tailor this formula based on their needs and constraints. 
+--------------------------------------- +The total score for an organization is computed as a weighted sum of the dimension +scores. The logic behind this cumulative score is that taking defensive action is the +most important dimension of a threat-informed defense. The importance of CTI is greater +than that of test and evaluation based on the experience of the Center and its members. +This final formula is not meant to be extremely precise, but rather reflects the “best +engineering judgment” of the project team and participants. As with most other +frameworks and maturity models, each organization can, and should, tune and tailor this +formula based on their needs and constraints. Example Scoring --------------- -As a notional example of implementing this assessment and scoring approach, imagine a fictitious Company A. Company A has invested in their security program and met a minimum acceptable level of compliance with their industry standard. They are beginning their approach to implement Threat-Informed Defense but are doing so unevenly. Based on their current investments, the bullets below describe their current state of Threat-Informed Defense in each Dimension: +As a notional example of implementing this assessment and scoring approach, imagine a +fictitious Company A. Company A has invested in their security program and met a minimum +acceptable level of compliance with their industry standard. They are beginning their +approach to implement threat-informed defense but are doing so unevenly. Based on their +current investments, the bullets below describe their current state of threat-informed +Defense in each dimension: Company A: In-house implementation of a nascent threat-informed defense. -* CTI: The organization has CTI on IOCs and software used across multiple ATT&CK Techniques. Analysts occasionally read freely available generic reports and disseminate IOCs to the rest of the team. 
-* DM: Despite excellent CTI, the company has not leveraged that CTI effectively to prioritize their investments in Defensive Measures. They apply patches as needed, have identified critical assets, collect data as per standard best-practices, run a set of imported SIGMA rules, respond to alerts as needed, and do not conduct any deception operations. -* T&E: The company is only minimally investing in Testing & Evaluation, limiting their current testing to an annual purple team that is not tailored to any specific adversary or set of adversary behaviors. A report is generated. - -To aid in leveraging this methodology for assessment, this paper is being released with a Proof of Concept spreadsheet-based calculator. The screenshots below are taken from -the Results tab of that calculator. - +* CTI: The organization has CTI on IOCs and software used across multiple ATT&CK + Techniques. Analysts occasionally read freely available generic reports and + disseminate IOCs to the rest of the team. +* DM: Despite excellent CTI, the company has not leveraged that CTI effectively to + prioritize their investments in Defensive Measures. They apply patches as needed, have + identified critical assets, collect data as per standard best-practices, run a set of + imported SIGMA rules, respond to alerts as needed, and do not conduct any deception + operations. +* T&E: The company is only minimally investing in Testing & Evaluation, limiting their + current testing to an annual purple team that is not tailored to any specific + adversary or set of adversary behaviors. A report is generated. + +To aid in leveraging this methodology for assessment, this paper is being released with +a :doc:`spreadsheet calculator `. The screenshots below are taken from the +Results tab of that calculator. .. figure:: _static/ex1scores.png :alt: Overall TID and Component Scores :align: center + :width: 80% Overall TID and Component Scores - .. 
figure:: _static/ex1kiviatdim.png - :alt: Kiviat Diagram: Comparison of TID Dimensions + :alt: Radar Chart: Comparison of TID Dimensions :align: center + :width: 80% - Kiviat Diagram: Comparison of TID Dimensions - + Radar Chart: Comparison of TID Dimensions .. figure:: _static/ex1kiviatall.png - :alt: Kiviat Diagram: Comparison of all Key TID Components + :alt: Radar Chart: Comparison of all Key TID Components :align: center + :width: 80% - Kiviat Diagram: Comparison of all Key TID Components - - -After an organization conducts this initial assessment and understands the current status of their threat informed defensive program, the scoring and associated visualizations -highlight opportunities to improve their program. The section that follows will describe approaches to improving threat-informed defense maturity once an initial baseline is -understood. - - - -Scoring Spreadsheet -------------------- - -The scoring spreadsheet is available here for download: - -.. raw:: html + Radar Chart: Comparison of all Key TID Components -

- - Download Scoring Spreadsheet – Excel -

+After an organization conducts this initial assessment and understands the current +status of their threat informed defensive program, the scoring and associated +visualizations highlight opportunities to improve their program. The section that +follows will describe approaches to improving threat-informed defense maturity once an +initial baseline is understood. diff --git a/docs/what-is-tid.rst b/docs/what-is-tid.rst new file mode 100644 index 0000000..3dbbc22 --- /dev/null +++ b/docs/what-is-tid.rst 
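Review bot: The point allocation in Weighting and Scoring does not line up with the five-level model stated under Methodology: "satisfies the requirements of level 1 or 2, they earn 1 point each; satisfying level 3 or 4 earns 2 points each" accounts for four levels and a maximum of 6, so either level 5 earns nothing or the level numbers are off by one; since this hunk already rewraps the passage, state explicitly what each of the five levels is worth. The worked case "satisfying both level 1 and 4 earns 3 points (1+2=3 points)" also sits oddly beside "These points are cumulative"; say whether levels must be satisfied in order or can be skipped. Smaller items in the added lines: "Each of these questions lead to a need" should be "leads to", and "their current state of threat-informed Defense in each dimension" mixes casing where the rest of the hunk uses "threat-informed defense". Finally, the roles `:doc:`dimensions `` and `:doc:`spreadsheet calculator `` show no target after the link text in this rendering; if that is not a rendering artefact, Sphinx will warn about an unknown document and emit dead links, so please confirm the targets are present in the committed file.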
@@ -0,0 +1,113 @@ +What is Threat-Informed Defense? +================================ + +.. epigraph:: + + Threat-Informed Defense is the systematic application of a deep understanding of + adversary tradecraft and technology to improve defenses. + + -- The Center for Threat-Informed Defense + +Overview +---------- + +Threat-informed defense is closely related to risk management as it encourages the +prioritization of defensive investments based on potential impact and the probability of +occurrence. Threat-Informed Defense differs from traditional risk management in that it +prioritizes the likelihood of a threat occurring and informs that probability from +real-world observations of actual adversary tradecraft. Informing a defensive posture +with real threat information is a way to ground the probability estimation in evidence. +To further maximize the return on threat-driven investments, Threat-Informed Defense +encourages the use of threat information that is common across adversaries and time +rather than simply reacting to easily changed indicators of malicious activity. The goal +is to leverage knowledge of real adversary behavior and probability of attacks to +provide a lens through which to prioritize security investments – whether they be in +people, processes, or technology. + +The Center for Threat-Informed Defense (the Center) contends that one of the most +impactful ways to manage a security program is to leverage knowledge of cyber threats to +prioritize the allocation of limited resources to reduce overall risk. As risk is the +product of probability and impact, it is crucially important to have a thorough +knowledge of actual threat actors, their capabilities, and their typical tactics, +techniques, and procedures (TTPs). By understanding the adversary well, an organization +can prioritize their defenses as well as pre-emptively and continuously assess +themselves to identify gaps. 
This enables organizations to shift to a more proactive +approach to security, constantly learning, assessing, and improving their security +programs. The goal of this shift is to increase the cost and difficulty for the +adversaries thereby increasing security. Forcing adversaries to create new tooling, find +new vulnerabilities and exploits, and attempt to discover new paths into an +organization’s environment drives their cost in manpower, infrastructure, and time. It +also forces them to restart their attack lifecycle, creating additional opportunities +for detection and response. The ultimate goal is to raise the adversary's costs enough +to deter some attacks. + +Leveraging ATT&CK +------------------------- + +There are many types of threat information and many sources from which to learn about +threats. `MITRE ATT&CK® `_ provides a convenient aggregation +of publicly reported TTPs used by adversaries and other valuable information about how +to detect and mitigate them. It has become a common way to categorize and refer to +adversary TTPs across the community, which enables more widespread and efficient +collaboration on cyber threat intelligence. By documenting adversarial activity at the +TTP level, ATT&CK helps defenders think at a level of abstraction that is concrete +enough to be actionable, but abstract enough to remain stable over time and across +adversaries. This combination of stability and actionability creates great potential for +a high return on investment when defending against those threats. + +.. figure:: _static/att&ckimg.png + :alt: MITRE ATT&CK Framework + :align: center + + ATT&CK Framework (https://attack.mitre.org) + +David Bianco famously depicted this potential with his `“Pyramid of Pain” +`_, which +illustrates how difficult it is for an adversary to evade a defense that is informed by, +and effective against, different levels of information about adversary tradecraft. 
In +the Pyramid of Pain, indicators such as IP addresses, hash values, and domain names are +shown to be easy for an adversary to alter and thus evade defenses that are dependent on +them. However, TTPs are positioned at the top of the pyramid, reflecting the difficulty +an adversary would have if a defender was effectively detecting and mitigating at that +level. + +.. figure:: _static/pyramidofpain.png + :alt: Pyramid of Pain + :align: center + + David Bianco's Pyramid of Pain + +Threat-Informed defense focuses on understanding the adversaries that are most relevant +to an organization, based on industry, geography, and other factors. From there, ATT&CK +allows practitioners to understand the specific behaviors associated with those +adversaries. In this way, using ATT&CK as the foundation enables practitioners to focus +their efforts on a very specific, prioritized set of adversary behaviors and those +associated TTPs, optimizing their defensive program to the most likely and most +impactful threats. + +A Continuous Process +-------------------- + +An effective threat-informed defense must keep pace with the evolving IT environment, +changing security capabilities, and threats. New versions of software and operating +systems introduce new patches to old vulnerabilities, new auditing capabilities, new +benign activities that might cause false positives, and unfortunately new attack +surfaces and unintended vulnerabilities. Security vendors and products are also +evolving. These constant updates, reconfigurations, and other changes mean that +organizations must constantly maintain awareness of their IT environment, their attack +surface, and their data collection and detection capabilities. Changes to the +environment must be accounted for to ensure that changes did not create new attack +surfaces, gaps, or otherwise invalidate current defensive capabilities. 
+ +Of course, the adversaries are not content to stand still and are relentlessly creating +new infrastructure, tools, and exploits. Adversaries will continue to use known, +effective tradecraft as long as we remain vulnerable to it, reserving their novel +capabilities to continue their operations despite improvements in security. This +reinforces the need to proactively secure against known adversary behavior to increase +their cost to attack. These many elements of change, our own and the adversary’s, +simultaneously create a dynamic cybersecurity landscape, so defenders must work +diligently to stay current. Yesterday’s security posture assessment may already be +outdated. Understanding threat information reported from other targeted organizations +and analyzing threat behaviors at the right level of abstraction are key elements to +optimizing a defender’s ability to keep pace with, or even get ahead of, the adversary. + diff --git a/docs/whatistid.rst b/docs/whatistid.rst deleted file mode 100644 index 9bb9ecc..0000000 --- a/docs/whatistid.rst +++ /dev/null 
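Review bot: Inconsistent casing of the key term inside the new file: the Overview paragraph opens with "Threat-informed defense is closely related", continues with "Threat-Informed Defense differs", and the Leveraging ATT&CK section has "Threat-informed defense focuses", while the other files touched by this change normalize running text to lowercase "threat-informed defense"; settle on one form here too (the epigraph can keep the capitalized proper name). Also, the two external links "`MITRE ATT&CK® `_" and "`“Pyramid of Pain” `_" show no URL between the link text and the closing backtick in this rendering; confirm the targets survived, because an embedded-URI reference without a URI is a docutils error rather than a warning. Minor: the "Overview" and "Leveraging ATT&CK" underlines are longer than their titles, which reST accepts, but every other heading in this change was just trimmed to exact length, and "increase the cost and difficulty for the adversaries thereby increasing security" wants a comma before "thereby".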
@@ -1,38 +0,0 @@ -What is Threat-Informed Defense? -================================ - -Definition ----------- - -The definition of Threat-Informed Defense is “the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses.” This approach is closely related to risk management as it encourages the prioritization of defensive investments based on potential impact and the probability of occurrence. Threat-Informed Defense differs from traditional risk management in that it prioritizes the likelihood of a threat occurring and informs that probability from real-world observations of actual adversary tradecraft. Informing a defensive posture with real threat information is a way to ground the probability estimation in evidence. To further maximize the return on threat-driven investments, Threat-Informed Defense encourages the use of threat information that is common across adversaries and time rather than simply reacting to easily changed indicators of malicious activity. The goal is to leverage knowledge of real adversary behavior and probability of attacks to provide a lens through which to prioritize security investments – whether they be in people, processes, or technology. - - -Leveraging ATT&CK -------------------------- - -There are many types of threat information and many sources from which to learn about threats. `MITRE ATT&CK® `_ provides a convenient aggregation of publicly reported TTPs used by adversaries and other valuable information about how to detect and mitigate them. It has become a common way to categorize and refer to adversary TTPs across the community, which enables more widespread and efficient collaboration on cyber threat intelligence. By documenting adversarial activity at the TTP level, ATT&CK helps defenders think about threats at a level of abstraction that is concrete enough to be actionable, while also being abstract enough to stay relatively stable over time and across adversaries. 
This combination of stability and actionability creates great potential for a high return on investment when defending against those threats. - -.. figure:: _static/att&ckimg.png - :alt: MITRE ATT&CK Framework - :align: center - - ATT&CK Framework - -David Bianco famously depicted this potential with his `“Pyramid of Pain” `_, which illustrates how difficult it is for an adversary to evade a defense that is informed by, and effective against, different levels of information about adversary tradecraft. In the Pyramid of Pain, indicators such as IP addresses, hash values, and domain names are shown to be easy for an adversary to alter and thus evade defenses that are dependent on them. However, TTPs are positioned at the top of the pyramid, reflecting the difficulty an adversary would have if a defender was effectively detecting and mitigating at that level. - -.. figure:: _static/pyramidofpain.png - :alt: Pyramid of Pain - :align: center - - Pyramid of Pain - -Threat-Informed Defense focuses on understanding the adversaries that are most relevant to an organization, based on industry, geography, and other factors. From there, ATT&CK allows practitioners to understand the specific behaviors associated with those adversaries. In this way, using ATT&CK as the foundation enables practitioners to focus their efforts on a very specific, prioritized set of adversary behaviors and those associated TTPs, optimizing their defensive program to those most likely or most impactful threats. - - -A Continuous Process --------------------- - -An effective Threat-Informed Defense must keep pace with the evolving IT environment, changing security capabilities, and threats. New versions of software and operating systems introduce new patches to old vulnerabilities, new auditing capabilities, new benign activities that might cause false positives, and unfortunately new attack surfaces and unintended vulnerabilities. Security vendors and products are also evolving. 
These constant updates, reconfigurations, and other changes mean that organizations must constantly maintain awareness of their IT environment, their attack surface, and their data collection and detection capabilities. Changes to the environment must be accounted for to ensure that changes did not create new attack surfaces, gaps, or otherwise invalidate current defensive capabilities. - -Of course, the adversaries are not content to stand still and are relentlessly creating new infrastructure, tools, exploitations, and tradecraft. Adversaries will continue to use known, effective tradecraft as long as we remain vulnerable to it, reserving their novel capabilities to continue their operations despite improvements in security. This reinforces the need to proactively secure against known adversary behavior to increase their cost to attack. These many elements of change, our own and the adversary’s, simultaneously create a dynamic cybersecurity landscape, so defenders must work diligently to stay current. Yesterday’s security posture assessment may already be outdated. Understanding threat information reported from other targeted organizations and analyzing threat behaviors at the right level of abstraction are key elements to optimizing a defender’s ability to keep pace with, or even get ahead of, the adversary. -
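Review bot: Deleting docs/whatistid.rst while adding docs/what-is-tid.rst is effectively a rename, and nothing visible in this diff updates a toctree or a `:doc:` reference that points at `whatistid`; if the toctree change lives elsewhere in the commit, fine, but if the old page has already been published, `whatistid.html` will start returning 404 for anyone who bookmarked or linked it, so consider keeping the old filename or adding a redirect. Comparing the two files, the body text is otherwise mostly rewrapped, with the epigraph and the "The Center for Threat-Informed Defense (the Center) contends" paragraph as the genuinely new material; the change from "tools, exploitations, and tradecraft" to "tools, and exploits" reads better.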