Website build

.gitignore

@@ -8,3 +8,5 @@ docs/_build/
 .mypy_cache/
 *.tmp
 TODO*
+.DS_Store
+

README.md

@@ -2,12 +2,11 @@
 
 <!-- TODO Put a one paragraph summary of the project here. -->
 
-Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor
-incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud
-exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure
-dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
-Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt
-mollit anim id est laborum.
+The Measure, Maximize, Mature Threat-Informed Defense (M3TID) project extends this concept of leveraging Threat understanding to improve a security program by working towards an actionable definition of Threat-Informed Defense (TID) and its associated key activities. This project is created and maintained by the
+[MITRE Engenuity Center for Threat-Informed Defense](https://ctid.mitre-engenuity.org/)
+in futherance of our mission to advance the start of the art and and the state of the
+practice in threat-informed defense globally. The project is funded by our [research
+participants](https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/m3tid/#research-participants).
 
 **Table Of Contents:**
 
@@ -29,32 +28,31 @@ Set the extension's TOC:Levels setting to "2..6"
 <!-- TODO Write one paragraph about how users should get started,
      and update the table of resources below. -->
 
-Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor
-incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud
-exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure
-dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
-Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt
-mollit anim id est laborum.
+To get started, read the project website. It provides an overview of the goals and methodologies and includes details on how and why to use this methodology.
+
+| Resource                                                                       | Description                                   |
+| ------------------------------------------------------------------------------ | --------------------------------------------- |
+| [Project Website](https://center-for-threat-informed-defense.github.io/m3tid/) | Complete documentation for the M3TID project. |
+| [Scoring Spreadsheet](docs/M3TIDScoringSpreadsheet.xlsx)                       | A spreadsheet for self-evaluation.            |
 
-| Resource        | Description              |
-| --------------- | ------------------------ |
-| [Resource 1](#) | Description of resource. |
-| [Resource 2](#) | Description of resource. |
-| [Resource 3](#) | Description of resource. |
 
 ## Getting Involved
 
 <!-- TODO Add some bullets telling users how to get involved. -->
 
-There are several ways that you can get involved with this project and help
-advance threat-informed defense:
+There are several ways that you can get involved with this project and help advance
+threat-informed defense:
 
-- **Way to get involved 1.** Lorem ipsum dolor sit amet, consectetur adipiscing elit,
-  sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
-- **Way to get involved 2.** Ut enim ad minim veniam, quis nostrud exercitation ullamco
-  laboris nisi ut aliquip ex ea commodo consequat.
-- **Way to get involved 3.** Duis aute irure dolor in reprehenderit in voluptate velit
-  esse cillum dolore eu fugiat nulla pariatur.
+- **Review the project model and methodology and tell us what you think.** We welcome
+  your feedback on any aspect of the project: from high-level concepts to low-level
+  technical details.
+- **Request analytics and observables.** Send your [analytic
+  requests]([/stix/attack-flow-schema-2.0.0.json](https://github.com/center-for-threat-informed-defense/m3tid/issues/new/choose))
+  to our team. As we have time, we will work them through the process and publish scores
+  and analysis.
+- **Submit your own analytics and observables.** We encourage you to use the methodology
+  to work through analytics or observables and send your results in a pull request so
+  that we can make them available to the entire community.
 
 ## Questions and Feedback
 
@@ -79,9 +77,8 @@ directly for more general inquiries.
 
 ## Notice
 
-<!-- TODO Add PRS prior to publication. -->
-
-Copyright 2023 MITRE Engenuity. Approved for public release. Document number REPLACE_WITH_PRS_NUMBER
+Copyright 2024 MITRE Engenuity. Approved for public release. Document number(s)
+REPLACE_WITH_PRS_NUMBER.
 
 Licensed under the Apache License, Version 2.0 (the "License"); you may not use this
 file except in compliance with the License. You may obtain a copy of the License at

docs/_templates/footer.html

@@ -0,0 +1,65 @@
+<footer>
+    {%- if (theme_prev_next_buttons_location == 'bottom' or theme_prev_next_buttons_location == 'both') and (next or
+    prev) %}
+    {#- Translators: This is an ARIA section label for the footer section of the page. -#}
+    <div class="rst-footer-buttons" role="navigation" aria-label="{{ _('Footer') }}">
+        {%- if prev %}
+        <a href="{{ prev.link|e }}" class="btn btn-neutral float-left" title="{{ prev.title|striptags|e }}"
+            accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> {{ _('Previous')
+            }}</a>
+        {%- endif %}
+        {%- if next %}
+        <a href="{{ next.link|e }}" class="btn btn-neutral float-right" title="{{ next.title|striptags|e }}"
+            accesskey="n" rel="next">{{ _('Next') }} <span class="fa fa-arrow-circle-right"
+                aria-hidden="true"></span></a>
+        {%- endif %}
+    </div>
+    {%- endif %}
+
+    <hr />
+
+    <div role="contentinfo">
+        {%- block contentinfo %}
+        <p>
+            {%- if show_copyright %}
+            &#169; {{ copyright_years }} MITRE Engenuity. Approved for public release.
+            Document number(s) {{ prs_numbers }}.
+            {%- endif %}
+
+            {%- if build_id and build_url %}
+            <span class="build">
+                {#- Translators: Build is a noun, not a verb -#}
+                {%- trans %}Build{% endtrans -%}
+                <a href="{{ build_url }}">{{ build_id }}</a>.
+            </span>
+            {%- elif commit %}
+            <span class="commit">
+                {#- Translators: the phrase "revision" comes from Git, referring to a commit #}
+                {%- trans %}Revision{% endtrans %} <code>{{ commit }}</code>.
+            </span>
+            {%- endif %}
+            {%- if last_updated %}
+            <span class="lastupdated">
+                {%- trans last_updated=last_updated|e %}Last updated on {{ last_updated }}.{% endtrans %}
+            </span>
+            {%- endif -%}
+
+        </p>
+        {%- endblock %}
+    </div>
+
+    {% if show_sphinx %}
+    {%- set sphinx_web = '<a href="https://www.sphinx-doc.org/">Sphinx</a>' %}
+    {%- set readthedocs_web = '<a href="https://readthedocs.org">Read the Docs</a>' %}
+    {#- Translators: the variable "sphinx_web" is a link to the Sphinx project documentation with the text "Sphinx" #}
+    {%- trans sphinx_web=sphinx_web, readthedocs_web=readthedocs_web %}Built with {{ sphinx_web }} using a{% endtrans %}
+    {#- Translators: "theme" refers to a theme for Sphinx, which alters the appearance of the generated documentation #}
+    <a href="https://github.com/readthedocs/sphinx_rtd_theme">{% trans %}theme{% endtrans %}</a>
+    {#- Translators: this is always used as "provided by Read the Docs", and should not imply Read the Docs is an author
+    of the generated documentation. #}
+    {% trans %}provided by {{ readthedocs_web }}{% endtrans %}.
+    {% endif %}
+
+    {%- block extrafooter %} {% endblock %}
+
+</footer>

docs/changelog.rst

@@ -0,0 +1,12 @@
+Changelog
+=========
+
+Measuring, Maximizing, and Maturing Threat-Informed Defense (M3TID) 1.0
+-----------------------------------------------------------------------
+
+1.0.0 -- April 11, 2024
+
+    The initial release of M3TID includes the definition of TID, 
+    the three Dimensions of TID, Components and Maturity Levels,
+    the TID measurement approach, and the proof of concept 
+    assessment tool.

docs/components/cti.rst

@@ -0,0 +1,76 @@
+=========================
+Cyber Threat Intelligence
+=========================
+
+This section outlines the key components that have been identified for the CTI dimension as well as maturity levels within the components. These components and levels form the 
+basis for assessing how threat informed an organization’s CTI program is. This assessment can be conducted using the companion spreadsheet published with this white paper.  
+
+
+Depth of Threat Data [#f1]_
+----------------------------
+
+What level of information (roughly relative to the Pyramid of Pain) is being used to track adversaries.
+
+1. None
+2. Ephemeral IOCs: hashes, IPs, domains: data sources an adversary can change easily 
+3. Tools / Software used by adversaries: tools or software which can be swapped or modified by an adversary to evade detection  
+4. Techniques and Tactics used by adversaries: the techniques and behaviors that are harder to change for an adversary 
+5. Low-variance adversary behaviors and associated observables: specific actions most implementations of a technique must use so it is very difficult for an adversary to change or avoid 
+
+
+Breadth of Threat Information
+-----------------------------
+
+Complementary to the depth component score above, this component reflects roughly how many relevant Techniques are understood at that level of depth.
+
+1. None 
+2. Single Technique 
+3. Multiple Techniques 
+4. All top-priority Techniques relevant to the organization 
+5. All Techniques relevant to the organization [#f2]_ 
+
+
+Relevance of Threat Data
+------------------------
+
+Where is the threat information coming from and how timely is it? 
+
+1. None 
+2. Generic reports or freely available reporting 
+3. Internal reports 
+4. Recent, in-depth reporting (often requires a subscription) 
+5. Customized briefings 
+
+
+Utilization of Threat Information
+---------------------------------
+
+How is the threat information being used by an organization?
+
+1. None 
+2. Lightly / occasionally read 
+3. Regularly ingested for analysis 
+4. Analyzed automatically [#f3]_ and/or by trained analysts 
+5. Contextualized in disseminated reports for other internal stakeholders to operationalize 
+
+
+Dissemination of Threat Reporting
+---------------------------------
+
+What threat information is passed along within an organization? [#f4]_
+
+1. None 
+2. Tactical reporting with highly perishable information (IOCs) 
+3. Tactical reporting focused on adversary behavior (TTPs) 
+4. Operational reporting on pertinent security trends 
+5. Strategic reporting on business impacts of security trends 
+
+
+.. rubric:: References
+
+.. [#f1] https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/levels/
+.. [#f2] https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/top-attack-techniques/
+.. [#f3] https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/threat-report-attck-mapper-tram/
+.. [#f4] https://github.com/center-for-threat-informed-defense/cti-blueprints/wiki
+
+

docs/components/dm.rst

@@ -0,0 +1,78 @@
+==================
+Defensive Measures
+==================
+
+This section outlines the key components that have been identified for the Defensive Measures dimension as well as maturity levels within the components. These components and levels form the basis for assessing how threat informed an organization’s Defensive program is. This assessment can be conducted using the companion spreadsheet published with this white paper.  
+
+Foundational Security [#f1]_
+----------------------------
+
+The degree to which threat informs and prioritizes preventative security measures.
+
+1. None
+2. Ad Hoc patching, limited asset inventory, basic security measures
+3. Several mitigations and security controls [#f2]_ connected to relevant threats implemented, key attack surfaces and critical assets identified
+4. Knowledge of threat informs a risk management process to prioritize a set of mitigations and controls
+5. Prioritized [#f3]_  automated patching [#f4]_, attack surfaces understood, full asset inventory mapped to business operations and threats, hygiene best-practices implemented
+
+
+Data Collection
+----------------
+
+Is the right data being collected based on the needs identified from analysis of threat intelligence?
+
+1. None 
+2. Minimal visibility (e.g., single network sensor at network boundary) 
+3. Compliant with best practices for network and devices (e.g., logs collected from each device according to the manufacturer’s recommendations) 
+4. Threat-informed detection requirements guide sensor configuration and deployment [#f5]_ (e.g., additional Sysmon configuration driven by detection needs for ATT&CK Techniques) 
+5. Threat-Optimized (Sensors evaluated, configured, and deployed to meet all threat-informed detection needs) 
+
+
+Detection Engineering
+------------------------
+
+How much are detection analytics designed, tested, and tuned to optimize precision, recall, and robustness for relevant malicious behaviors?
+
+1. None 
+2. Import rules / analytics from open repository 
+3. Prioritize and tune imported rules / analytics from repository 
+4. Testing and tuning of custom detection analytics 
+5. Detection analytics developed based on knowledge of low-variance behaviors, customized to reduce false positives while maintaining robust [#f6]_ recall [#f7]_ 
+
+
+Incident Response
+------------------
+
+How automated, strategic, and effective are responsive measures against top-priority threats?
+
+1. None 
+2. Ad Hoc, Manual, Reactive 
+3. Playbook-enabled, partially automated 
+4. Informed by knowledge of threat actor (e.g., initial detection leads to follow-on investigation to detect other malicious actions expected in the campaign based on CTI) Proactive hunts are conducted driven by threat information rather than only alerts from existing analytics.
+5. Strategic, holistic, optimized to deter future events (e.g., with an understanding of the full campaign and the adversary’s likely reaction to defensive response, the defenders take decisive and coordinated actions that effectively evict the adversary such that it is not easy for them to return)  
+
+
+Deception Operations [#f8]_
+---------------------------------
+
+How extensive and effective are deception operations to enable defensive objectives and the collection of new threat intelligence?
+
+1. None 
+2. Sandboxing of suspicious executables (e.g., email attachment detonation before delivery) 
+3. 1 to several Honey* (pot, token, document…) deployed and monitored, enabling detection of malicious use and early warning 
+4. Honey network deployed and monitored 
+5. Intentional, long-term deception operations in a realistic honey network 
+
+
+.. rubric:: References
+
+.. [#f1] https://d3fend.mitre.org/
+.. [#f2] https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/nist-800-53-control-mappings/
+.. [#f3] https://www.first.org/epss/
+.. [#f4] https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/mapping-attck-to-cve-for-impact/
+.. [#f5] https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/atomic-data-sources/
+.. [#f6] https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/
+.. [#f7] https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/definitions/
+.. [#f8] https://engage.mitre.org/
+
+

docs/components/index.rst

@@ -0,0 +1,14 @@
+===============================================
+Appendix A - Key Components and Maturity Levels
+===============================================
+
+Expanded definitions of Threat Informed Defense Dimensions, Components, and Levels. 
+
+.. toctree::
+    :maxdepth: 1
+
+    cti
+    dm
+    tne
+
+