diff --git a/src/assets/YAML/default/InformationGathering/Logging.yaml b/src/assets/YAML/default/InformationGathering/Logging.yaml index 54ef2cf..af883f6 100755 --- a/src/assets/YAML/default/InformationGathering/Logging.yaml +++ b/src/assets/YAML/default/InformationGathering/Logging.yaml 
@@ -195,3 +195,340 @@ Information Gathering: isImplemented: false evidence: "" comments: "" + Threat Intelligence: + Basic OSINT Collection Integration: + uuid: a1b2c3d4-e5f6-7890-abcd-ef1234567890 + risk: >- + Development teams lack external threat context about technologies and dependencies they use, + leading to uninformed security decisions and reactive incident response. + measure: >- + Integrate basic OSINT collection into development workflows using automated tools + to gather threat intelligence about used technologies, domains, and dependencies. + Implement simple API calls to threat intelligence sources during CI/CD processes. + description: >- + Basic threat intelligence collection using API calls to public sources like VirusTotal, Shodan. + Example: `curl -H "API-Key: $VT_KEY" https://www.virustotal.com/vtapi/v2/domain/report?domain=$DOMAIN` + Automated checks during deployment for known malicious domains or IPs in configuration. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 4 + level: 1 + dependsOn: [] + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/virustotal + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/shodan + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/urlscan-io + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/censys + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/theharvester + references: + samm2: + - O-IM-1-A + iso27001-2017: + - 16.1.2 + iso27001-2022: + - 5.25 + isImplemented: false + evidence: "" + comments: "" + Automated Threat Intelligence Pipeline: + uuid: b2c3d4e5-f6g7-8901-bcde-f23456789012 + risk: >- + Manual threat intelligence processes cannot scale with development velocity, + resulting in delayed threat awareness and inadequate security posture. 
+ measure: >- + Deploy automated threat intelligence pipeline integrated with development tools + to continuously monitor threat landscape and automatically enrich security data + used by development and operations teams. + description: >- + Automated OSINT collection system with scheduled jobs querying multiple threat sources. + Integration with CI/CD pipelines for dependency threat scoring. + Command: `python3 osint_collector.py --sources shodan,virustotal --format stix --output /var/log/threats/` + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 4 + level: 2 + dependsOn: + - a1b2c3d4-e5f6-7890-abcd-ef1234567890 # Basic OSINT Collection Integration + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/spiderfoot + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/virustotal + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 16.1.2 + iso27001-2022: + - 5.25 + isImplemented: false + evidence: "" + comments: "" + Advanced Threat Intelligence Platform: + uuid: c3d4e5f6-g7h8-9012-cdef-345678901234 + risk: >- + Isolated threat intelligence leads to fragmented security decision-making + across development teams and reduces organizational threat detection capabilities. + measure: >- + Implement centralized threat intelligence platform with automated enrichment, + correlation, and distribution capabilities integrated into all DevSecOps processes + and development team workflows. + description: >- + Enterprise threat intelligence platform with MISP integration, automated YARA generation, + MITRE ATT&CK mapping, and API integration with development tools. + Command: `misp-modules -l 0.0.0.0 -s --enrichment` for automated threat enrichment. 
+ difficultyOfImplementation: + knowledge: 4 + time: 4 + resources: 3 + usefulness: 5 + level: 3 + dependsOn: + - b2c3d4e5-f6g7-8901-bcde-f23456789012 # Automated Threat Intelligence Pipeline + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/spiderfoot + references: + samm2: + - O-IM-2-A + - O-IM-3-A + iso27001-2017: + - 16.1.2 + iso27001-2022: + - 5.25 + isImplemented: false + evidence: "" + comments: "" + DevSecOps Threat Intelligence Integration: + uuid: d4e5f6g7-h8i9-0123-defg-456789012345 + risk: >- + Threat intelligence isolated from development processes fails to inform + secure coding practices and technology selection decisions in DevSecOps workflows. + measure: >- + Integrate threat intelligence directly into development pipelines to inform + dependency selection, security testing priorities, and deployment decisions + based on current threat landscape. + description: >- + CI/CD pipeline integration with threat intelligence APIs for dependency threat scoring, + automated vulnerability prioritization based on active campaigns, + and security gate decisions informed by current IOCs. 
+ Command: `curl -X POST /api/threat-score -d '{"dependencies": ["library@1.0.0"]}'` + difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 3 + usefulness: 4 + level: 4 + dependsOn: + - c3d4e5f6-g7h8-9012-cdef-345678901234 # Advanced Threat Intelligence Platform + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.2 + - 16.1.3 + iso27001-2022: + - 5.25 + - 5.26 + isImplemented: false + evidence: "" + comments: "" + Community Threat Intelligence Sharing: + uuid: e5f6g7h8-i9j0-1234-efgh-567890123456 + risk: >- + Isolated threat intelligence limits organizational defensive capabilities + and prevents contribution to broader cybersecurity community resilience. + measure: >- + Establish automated threat intelligence sharing with trusted partners, + industry groups, and security communities using standardized formats + integrated with development security workflows. + description: >- + STIX/TAXII implementation for automated threat sharing, bidirectional intelligence exchange, + and community-driven threat validation within DevSecOps pipeline. 
+ Command: `taxii2-client --collection-url https://community.misp-project.org/taxii2/ --poll` + difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 3 + usefulness: 3 + level: 5 + dependsOn: + - d4e5f6g7-h8i9-0123-defg-456789012345 # DevSecOps Threat Intelligence Integration + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/spiderfoot + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 16.1.2 + iso27001-2022: + - 5.25 + isImplemented: false + evidence: "" + comments: "" + Incident Response: + OSINT-Enhanced IR Documentation: + uuid: f6g7h8i9-j0k1-2345-fghi-678901234567 + description: | + Structured IR documentation with technical procedures: domain analysis via + `dig +trace $domain`, IP geolocation using `curl ipinfo.io/$ip`, + and automated evidence collection scripts with legal compliance frameworks. + risk: Without documented incident response procedures that include intelligence gathering, organizations respond reactively and miss critical attribution opportunities. + measure: | + Create technical IR documentation with OSINT collection procedures, + automated evidence preservation scripts, + legal compliance checklists for evidence handling, + and structured templates for threat actor attribution. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 5 + level: 1 + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.1 + - 16.1.5 + iso27001-2022: + - 5.24 + - 5.28 + isImplemented: false + evidence: "" + comments: "" + Real-time Threat Enrichment: + uuid: g7h8i9j0-k1l2-3456-ghij-789012345678 + description: | + Live SIEM enrichment with external threat feeds: Splunk lookup + `| lookup threat_intel domain as query_domain OUTPUT confidence score` + for real-time IOC validation and automated alert prioritization. + risk: Incidents detected without external threat context result in delayed response and missed attribution of sophisticated attack campaigns. + measure: | + Deploy SIEM enrichment with real-time threat intelligence APIs, + automated IOC validation against multiple sources, + confidence scoring for threat indicators, + and contextual alert enhancement with threat actor profiles. + difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 3 + usefulness: 5 + level: 2 + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/ghunt + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/sherlock + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.4 + iso27001-2022: + - 5.27 + isImplemented: false + evidence: "" + comments: "" + Infrastructure Mapping and Takedown: + uuid: h8i9j0k1-l2m3-4567-hijk-890123456789 + description: | + Passive DNS analysis: `dig +short -x $ip` for reverse lookups, + certificate transparency monitoring via crt.sh API, + automated hosting provider coordination for infrastructure takedown. 
+ risk: Containment efforts without external intelligence context may miss related infrastructure, fail to prevent reinfection, and allow threat actors to continue operations against other targets. + measure: + Deploy OSINT-enhanced containment with threat infrastructure mapping, + attack campaign tracking via shared IOCs, + automated takedown coordination scripts, + and evidence preservation workflows. + difficultyOfImplementation: + knowledge: 4 + time: 4 + resources: 3 + usefulness: 5 + level: 3 + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/spiderfoot + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.5 + iso27001-2022: + - 5.28 + isImplemented: false + evidence: "" + comments: "" + Attribution Analysis and IOC Sharing: + uuid: i9j0k1l2-m3n4-5678-ijkl-901234567890 + description: | + Threat landscape analysis with MITRE ATT&CK mapping: `attack-navigator --layer techniques.json` + for TTP visualization, automated attribution reporting via REST APIs, + and vulnerability assessment integration with attack vector analysis. + risk: Recovery efforts without comprehensive threat analysis leave organizations vulnerable to similar attacks and fail to contribute to community defense through intelligence sharing. + measure: + Deploy recovery workflows with threat landscape analysis tools, + attribution reporting with IOC generation for community sharing, + vulnerability assessment based on attack TTPs, + and long-term threat actor monitoring. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 4 + level: 3 + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.6 + - 16.1.7 + iso27001-2022: + - 5.29 + - 5.30 + isImplemented: false + evidence: "" + comments: "" + Tactical OSINT Training Program: + uuid: j0k1l2m3-n4o5-6789-jklm-012345678901 + description: | + Skills-based OSINT training: `recon-ng -w domain_enum -m recon/domains-hosts/brute_hosts` + for reconnaissance techniques, threat hunt simulation exercises, + and cross-team collaboration workshops with scenario-based learning. + risk: Teams without current OSINT skills cannot effectively investigate incidents, conduct threat attribution, or leverage external intelligence for proactive defense. + measure: + Conduct technical OSINT training with hands-on tool usage, + threat hunting simulation exercises, + incident response tabletop scenarios, + and skills assessment with certification tracking. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 3 + usefulness: 4 + level: 4 + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/ghunt + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/sherlock + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.1 + iso27001-2022: + - 5.24 + isImplemented: false + evidence: "" + comments: "" diff --git a/src/assets/YAML/default/InformationGathering/Monitoring.yaml b/src/assets/YAML/default/InformationGathering/Monitoring.yaml index 510ef8f..a2bd081 100755 --- a/src/assets/YAML/default/InformationGathering/Monitoring.yaml +++ b/src/assets/YAML/default/InformationGathering/Monitoring.yaml 
@@ -432,3 +432,99 @@ Information Gathering: isImplemented: false evidence: "" comments: "" + OSINT Feed Integration Monitoring: + uuid: a9b8c7d6-e5f4-3210-9876-543210fedcba + description: | + Monitor threat intelligence feed health: `curl -s $FEED_URL | jq '.status'` + for feed availability, API rate limit tracking, and data freshness validation + with automated alerting on stale indicators or feed failures. + risk: Unreliable threat intelligence feeds result in outdated IOCs, missed threats, and degraded security posture without visibility into feed health. + measure: | + Deploy monitoring for threat feed availability, API quota usage, + data freshness validation, IOC update frequency, + and automated alerting on feed degradation or stale intelligence. + difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 2 + usefulness: 4 + level: 3 + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/shodan + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/virustotal + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 12.1.3 + - 16.1.2 + iso27001-2022: + - 8.6 + - 5.25 + isImplemented: false + evidence: "" + comments: "" + Threat Actor Tracking Metrics: + uuid: b8c7d6e5-f4g3-2109-8765-432109edcbaf + description: | + Campaign attribution metrics with geolocation tracking: `geoiplookup $attacker_ip` + for source analysis, TTPs frequency mapping, and infrastructure reuse patterns + with MITRE ATT&CK technique correlation and timeline analysis. + risk: Without threat actor tracking metrics, organizations cannot identify persistent threats, campaign patterns, or attribution links to previous attacks. + measure: | + Implement metrics for threat actor campaign tracking, + geographic attack pattern analysis, TTP frequency mapping, + infrastructure reuse detection, and attribution confidence scoring + with trend analysis and early warning indicators. 
+ difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 3 + usefulness: 4 + level: 4 + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/spiderfoot + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 16.1.2 + - 16.1.4 + iso27001-2022: + - 5.25 + - 5.27 + isImplemented: false + evidence: "" + comments: "" + OSINT Collection Performance Metrics: + uuid: c7d6e5f4-g3h2-1098-7654-321098dcbaef + description: | + OSINT tool performance monitoring: `time theHarvester -d $domain -b all` + for collection speed, data quality scoring, source coverage analysis, + and automated performance benchmarking with SLA compliance tracking. + risk: Poor OSINT collection performance leads to incomplete intelligence gathering, delayed threat detection, and reduced incident response effectiveness. + measure: | + Deploy performance monitoring for OSINT collection tools, + data quality scoring mechanisms, source coverage analysis, + collection speed benchmarking, and automated SLA compliance + tracking with performance optimization recommendations. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 3 + level: 3 + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/theharvester + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/spiderfoot + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 12.1.3 + iso27001-2022: + - 8.6 + isImplemented: false + evidence: "" + comments: "" diff --git a/src/assets/YAML/default/InformationGathering/TestKPI.yaml b/src/assets/YAML/default/InformationGathering/TestKPI.yaml index fe45bcf..9975fb1 100644 --- a/src/assets/YAML/default/InformationGathering/TestKPI.yaml +++ b/src/assets/YAML/default/InformationGathering/TestKPI.yaml 
@@ -90,7 +90,7 @@ Information Gathering: usefulness: 3 level: 2 dependsOn: - - uuid:8ae0b92c-10e0-4602-ba22-7524d6aed488 #Automated PRs for patches + - 8ae0b92c-10e0-4602-ba22-7524d6aed488 #Automated PRs for patches implementation: [] references: samm2: @@ -151,8 +151,8 @@ Information Gathering: usefulness: 3 level: 4 dependsOn: - - uuid:86d490b9-d798-4a5b-a011-ab9688014c46 # Patching mean time to resolution via PR - - uuid:8ae0b92c-10e0-4602-ba22-7524d6aed488 # Automated PRs for patches + - 86d490b9-d798-4a5b-a011-ab9688014c46 # Patching mean time to resolution via PR + - 8ae0b92c-10e0-4602-ba22-7524d6aed488 # Automated PRs for patches implementation: [] references: samm2: @@ -175,7 +175,7 @@ Information Gathering: resources: 1 usefulness: 3 dependsOn: - - Usage of a vulnerability management system + - 4a7b6c5d-8e9f-1234-5678-abcdef123456 # Usage of a vulnerability management system level: 3 implementation: - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-defectdojo 
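Review bot: in the @@ -175,7 +175,7 @@ hunk the activity "Usage of a vulnerability management system" is replaced by `4a7b6c5d-8e9f-1234-5678-abcdef123456`, but the Consolidation.yaml @@ -340,8 +339,8 @@ hunk in this same PR references what appears to be the same activity as `85ba5623-84be-4219-8892-808837be582d`. One of the two is wrong, and `4a7b6c5d-8e9f-1234-5678-abcdef123456` reads like a typed placeholder rather than a generated id; please look up the activity's real uuid in its defining file and use it in both places, keeping the trailing `# Usage of a vulnerability management system` comment as the -90 and -151 hunks in this file do.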
@@ -227,4 +227,92 @@ Information Gathering: - vulnerability-mgmt - metrics - vmm-measurements + OSINT Threat Intelligence Coverage: + uuid: e4f3g2h1-i0j9-8765-4321-098765fedcba + risk: |- + Without measuring OSINT threat intelligence coverage, organizations lack visibility into external threat landscape affecting their assets, leading to blind spots in threat awareness. + measure: |- + Track percentage of organizational assets (domains, IPs, applications) covered by OSINT threat intelligence feeds and monitoring tools. Measure weekly. + description: |- + Implement KPIs for OSINT coverage using tools like Shodan for infrastructure exposure, VirusTotal for domain/IP reputation, and URLScan.io for web application threats. + Command: `curl -H "API-Key: $VT_KEY" "https://www.virustotal.com/vtapi/v2/domain/report?domain=$DOMAIN" | jq '.detected_urls | length'` + difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 2 + usefulness: 4 + level: 2 + dependsOn: [] + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/shodan + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/virustotal + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/urlscan + references: + samm2: + - I-DM-1-A + iso27001-2022: + - 5.23 + - 5.25 + tags: + - osint + - threat-intelligence + - metrics + OSINT Data Quality Score: + uuid: f5g4h3i2-j1k0-9876-5432-109876edcbaf + risk: |- + Poor quality OSINT data leads to false positives, missed threats, and inefficient security operations, undermining threat detection capabilities. + measure: |- + Calculate OSINT data quality score based on accuracy, timeliness, and relevance of collected intelligence. Measure data source reliability monthly. + description: |- + Evaluate OSINT sources for false positive rates, time-to-detection metrics, and threat relevance scoring using automated validation. 
+ Flow: Data Collection → Validation → Scoring → Quality Metrics → Remediation + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 3 + level: 3 + dependsOn: [] + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/spiderfoot + references: + samm2: + - I-DM-2-A + iso27001-2022: + - 5.12 + - 5.25 + tags: + - osint + - data-quality + - metrics + OSINT Response Time Metrics: + uuid: g6h5i4j3-k2l1-0987-6543-210987fedcba + risk: |- + Slow response to OSINT-identified threats increases exposure window and potential for successful attacks against organizational assets. + measure: |- + Measure time from OSINT threat detection to initial response action. Track mean time to response (MTTR) for different threat severities weekly. + description: |- + Implement automated workflows measuring time between OSINT alert generation and security team response using SIEM integration. + Metrics: Detection Time + Analysis Time + Response Time = Total MTTR + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 4 + level: 2 + dependsOn: [] + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/theharvester + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/sherlock + references: + samm2: + - I-DM-3-A + iso27001-2022: + - 5.24 + - 5.26 + tags: + - osint + - incident-response + - metrics diff --git a/src/assets/YAML/default/TestAndVerification/Consolidation.yaml b/src/assets/YAML/default/TestAndVerification/Consolidation.yaml index 5de7094..dc68235 100755 --- a/src/assets/YAML/default/TestAndVerification/Consolidation.yaml +++ b/src/assets/YAML/default/TestAndVerification/Consolidation.yaml 
@@ -21,9 +21,8 @@ Test and Verification: - The number of network hops required to reach the asset (recommended) - Authentication requirements for access (recommended) dependsOn: - - uuid:44f2c8a9-4aaa-4c72-942d-63f78b89f385 # Treatment of defects with severity high or higher: - #- uuid:3260a15f-2df0-4173-8790-f11de2cb525a # Access applications accessibility TODO - - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components + - 44f2c8a9-4aaa-4c72-942d-63f78b89f385 + - 2a44b708-734f-4463-b0cb-86dc46344b2f implementation: references: samm2: @@ -196,7 +195,7 @@ Test and Verification: usefulness: 3 level: 2 dependsOn: - - uuid: c1acc8af-312e-4503-a817-a26220c993a0 # Simple false positive treatment + - c1acc8af-312e-4503-a817-a26220c993a0 implementation: - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-defectdojo - $ref: src/assets/YAML/default/implementations.yaml#/implementations/purify @@ -340,8 +339,8 @@ Test and Verification: usefulness: 4 level: 3 dependsOn: - - uuid: 8f2b4d5a-3c1e-4b7a-9d8f-2e6c4a1b5d7f # Artifact-based false positive treatment - - uuid: 85ba5623-84be-4219-8892-808837be582d # Usage of a vulnerability management system + - 8f2b4d5a-3c1e-4b7a-9d8f-2e6c4a1b5d7f + - 85ba5623-84be-4219-8892-808837be582d implementation: references: samm2: @@ -370,9 +369,9 @@ Test and Verification: resources: 2 usefulness: 2 dependsOn: - - uuid:f2f0f274-c1a0-4501-92fe-7fc4452bc8ad # EPSS/CISA KEV - - uuid:6217fe11-5ed7-4cf4-9de4-555bcfa6fe87 # Each team has a security champion - - uuid:185d5a74-19dc-4422-be07-44ea35226783 # Office Hours + - f2f0f274-c1a0-4501-92fe-7fc4452bc8ad # EPSS/CISA KEV + - 6217fe11-5ed7-4cf4-9de4-555bcfa6fe87 # Each team has a security champion + - 185d5a74-19dc-4422-be07-44ea35226783 # Office Hours level: 3 description: |- For known vulnerabilities a processes to estimate the exploit ability of a vulnerability is recommended. 
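Review bot: the @@ -21,9 +21,8 @@ hunk drops the trailing `# Treatment of defects with severity high or higher` and `# Inventory of production components` comments when it strips the `uuid:` prefix, while the @@ -370,9 +369,9 @@ hunk in the same file keeps its comments (`# EPSS/CISA KEV`, `# Each team has a security champion`, `# Office Hours`). Bare uuids are unreadable in review and in the source file, so please keep the name comments in the -21, -196 and -340 hunks as well. The -21 hunk also silently deletes the commented-out line `#- uuid:3260a15f-2df0-4173-8790-f11de2cb525a # Access applications accessibility TODO`; if that TODO is being resolved, say so in the commit message, otherwise keep the line so the open dependency is not lost.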
diff --git a/src/assets/YAML/default/implementations.yaml b/src/assets/YAML/default/implementations.yaml index f24ac28..64ba84f 100755 --- a/src/assets/YAML/default/implementations.yaml +++ b/src/assets/YAML/default/implementations.yaml 
@@ -46,6 +46,67 @@ implementations: name: CWE-838 Inappropriate Encoding for Output Context tags: ["documentation", "cwe"] url: https://cwe.mitre.org/data/definitions/838.html + # OSINT and Threat Intelligence Tools + shodan: + uuid: ab1555aa-225a-49b0-9b74-15a5407e0722 + name: Shodan + tags: [osint, reconnaissance, threat-intelligence] + url: https://www.shodan.io/ + description: Search engine for Internet-connected devices and services for reconnaissance and threat intelligence + virustotal: + uuid: d3a10c34-9e9f-43bd-a474-269d07188efe + name: VirusTotal + tags: [threat-intelligence, malware-analysis, osint] + url: https://www.virustotal.com/ + description: Malware and URL analysis service for threat intelligence and IOC validation + urlscan-io: + uuid: 3ec27730-928f-45be-a4fa-92d19c8b3d56 + name: URLScan.io + tags: [threat-intelligence, url-analysis, osint] + url: https://urlscan.io/ + description: URL and website analysis service for threat intelligence collection + publicwww: + uuid: 17d1eb75-bf05-4d05-8e55-c6233819bfdb + name: PublicWWW + tags: [osint, reconnaissance, threat-intelligence] + url: https://publicwww.com/ + description: Source code search engine for OSINT and threat intelligence gathering + censys: + uuid: d21f595e-f742-46b3-9871-0c415ab37127 + name: Censys + tags: [osint, reconnaissance, threat-intelligence] + url: https://censys.io/ + description: Internet scanning and reconnaissance platform for threat intelligence + maltego: + uuid: 712eb583-2d3d-44f6-bb01-f32b72dc7942 + name: Maltego + tags: [osint, threat-intelligence, visualization] + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat intelligence visualization + theharvester: + uuid: dc429e58-cf5b-4596-bbe2-ed0ce2bb5215 + name: theHarvester + tags: [osint, reconnaissance, email-intelligence] + url: https://github.com/laramies/theHarvester + description: OSINT tool for gathering email accounts, subdomains, hosts, and employee names + 
spiderfoot: + uuid: 659e9838-4a79-45a1-ac1f-6b9964a5d21c + name: SpiderFoot + tags: [osint, reconnaissance, threat-intelligence] + url: https://www.spiderfoot.net/ + description: Automated OSINT reconnaissance tool for threat intelligence gathering + ghunt: + uuid: 607d2158-3d17-4518-b751-61c7422be9a2 + name: GHunt + tags: [osint, google-intelligence, reconnaissance] + url: https://github.com/mxrch/GHunt + description: OSINT tool for Google accounts and services investigation + sherlock: + uuid: fc20c021-f64e-427a-93ce-11872eaec241 + name: Sherlock + tags: [osint, username-intelligence, social-media] + url: https://github.com/sherlock-project/sherlock + description: Social media username OSINT investigation tool docker-content-trust: uuid: ee81f93f-8230-4cfb-a132-ae4ec61cb8e6 name: Docker Content Trust @@ -172,8 +233,8 @@ implementations: tags: [] url: https://www.owasp.org/index.php/Agile_Software_Development description: - "[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories)\ - \ and [Practical Security Stories and Security Tasks for Agile Development Environments](http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)" + "[Do not Forget EVIL User Stories](https://owasp.org/www-community/Agile_Software_Development)\ + \ and [Practical Security Stories and Security Tasks for Agile Development Environments](https://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)" libyear: uuid: 2fff917f-205e-4eab-2e0e-1fab8c04bf33 name: libyear 
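Review bot: in the @@ -172,8 +233,8 @@ hunk the description link is changed to `https://owasp.org/www-community/Agile_Software_Development`, but the entry's own `url:` field in the context two lines above still reads `https://www.owasp.org/index.php/Agile_Software_Development` (the old wiki path), so the same entry now points at two different hosts for one page; update `url:` in the same change. Note also that the old link targeted the specific `Don%27t_Forget_EVIL_User_Stories` article while the new one targets the general Agile Software Development page, so the link text "Do not Forget EVIL User Stories" no longer matches its target; if the article has no new home, a sentence in the commit message saying so would help the next person who checks these links.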
@@ -247,12 +308,12 @@ implementations: uuid: edaec98d-dac7-4dfd-8ab3-42c471d5b9ff name: CIS Kubernetes Bench for Security tags: [] - url: https://www.cisecurity.org/cis-benchmarks/ + url: https://www.cisecurity.org/cis-benchmarks/cis-kubernetes-benchmark cis-docker-bench-for: uuid: 4dd23c4a-5a7e-4917-82cf-d00e0f04482f name: CIS Docker Bench for Security tags: [] - url: https://www.cisecurity.org/cis-benchmarks/ + url: https://www.cisecurity.org/cis-benchmarks/cis-docker-benchmark for-example-for-cont: uuid: f4d7c796-8574-4a88-ab00-98d245a115ef name: For example for Cont @@ -358,7 +419,7 @@ implementations: uuid: d5981117-9bc2-45ed-b4a4-383135dc13d8 name: YubiKey tags: [] - url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ + url: https://www.yubico.com/products/ sms: uuid: 6151cfb3-c894-421e-83da-cac0b2bfaec8 name: SMS diff --git a/src/assets/YAML/generated/generated.yaml b/src/assets/YAML/generated/generated.yaml index 22a495d..097f267 100644 --- a/src/assets/YAML/generated/generated.yaml +++ b/src/assets/YAML/generated/generated.yaml @@ -1527,9 +1527,9 @@ Culture and Organization: name: Don't Forget EVIL User stories tags: [] url: https://www.owasp.org/index.php/Agile_Software_Development - description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories) + description: '[Do not Forget EVIL User Stories](https://owasp.org/www-community/Agile_Software_Development) and [Practical Security Stories and Security Tasks for Agile Development - Environments](http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)' + Environments](https://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)' references: samm2: - D-TA-2-B 
@@ -1570,9 +1570,9 @@ Culture and Organization: name: Don't Forget EVIL User stories tags: [] url: https://www.owasp.org/index.php/Agile_Software_Development - description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories) + description: '[Do not Forget EVIL User Stories](https://owasp.org/www-community/Agile_Software_Development) and [Practical Security Stories and Security Tasks for Agile Development - Environments](http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)' + Environments](https://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)' dependsOn: - Conduction of simple threat modeling on technical level - Creation of threat modeling processes and standards @@ -1709,6 +1709,7 @@ Culture and Organization: - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 name: OWASP Cheatsheet Series tags: + - training - secure coding url: https://cheatsheetseries.owasp.org/ references: @@ -2001,16 +2002,17 @@ Culture and Organization: [Source: OWASP SAMM 2](https://owaspsamm.org/model/governance/education-and-guidance/stream-a/) implementation: - - uuid: 81476121-67dd-4ba9-a67b-e78a23050c28 - name: OWASP JuiceShop - tags: [] + - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a + name: OWASP Juice Shop + tags: + - training url: https://github.com/bkimminich/juice-shop - description: |- - In case you do not have the budget to hire an external security expert, an option - is to use the [OWASP JuiceShop](https://github.com/bkimminich/juice-shop) on a "hacking Friday" + description: In case you do not have the budget to hire an external security + expert, an option is to use the OWASP JuiceShop on a "hacking Friday" - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 name: OWASP Cheatsheet Series tags: + - training - secure coding url: https://cheatsheetseries.owasp.org/ references: 
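Review bot: in the @@ -2001,16 +2002,17 @@ hunk the OWASP Juice Shop uuid changes from `81476121-67dd-4ba9-a67b-e78a23050c28` to `1fff917f-205e-4eab-ae0e-1fab8c04bf3a`, which differs from the libyear entry's `2fff917f-205e-4eab-2e0e-1fab8c04bf33` (visible in the implementations.yaml context of this PR) in only three characters; that looks like a hand-typed id, and this is a generated file. The implementations.yaml hunks in this PR show no change to a juice-shop entry, so the next regeneration will revert both the uuid and the description rewrite (which also drops the markdown link to the repository and the `|-` block). Make the change in the source YAML and regenerate instead of editing generated.yaml directly; the same applies to the @@ -2042,15 +2044,15 @@ hunk, which carries the identical edit.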
@@ -2042,15 +2044,15 @@ Culture and Organization: usefulness: 4 level: 4 implementation: - - uuid: 81476121-67dd-4ba9-a67b-e78a23050c28 - name: OWASP JuiceShop - tags: [] + - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a + name: OWASP Juice Shop + tags: + - training url: https://github.com/bkimminich/juice-shop - description: |- - In case you do not have the budget to hire an external security expert, an option - is to use the [OWASP JuiceShop](https://github.com/bkimminich/juice-shop) on a "hacking Friday" - - uuid: 99080ac7-60cd-46af-93a1-a53a33597cba - name: https://cheatsheetseries.owasp.org/ + description: In case you do not have the budget to hire an external security + expert, an option is to use the OWASP JuiceShop on a "hacking Friday" + - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 + name: OWASP Cheatsheet Series tags: - training - secure coding @@ -2089,6 +2091,7 @@ Culture and Organization: - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 name: OWASP Cheatsheet Series tags: + - training - secure coding url: https://cheatsheetseries.owasp.org/ dependsOn: @@ -2266,6 +2269,7 @@ Culture and Organization: - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 name: OWASP Cheatsheet Series tags: + - training - secure coding url: https://cheatsheetseries.owasp.org/ references: @@ -3451,11 +3455,11 @@ Implementation: - uuid: edaec98d-dac7-4dfd-8ab3-42c471d5b9ff name: CIS Kubernetes Bench for Security tags: [] - url: https://www.cisecurity.org/cis-benchmarks/ + url: https://www.cisecurity.org/cis-benchmarks/cis-kubernetes-benchmark - uuid: 4dd23c4a-5a7e-4917-82cf-d00e0f04482f name: CIS Docker Bench for Security tags: [] - url: https://www.cisecurity.org/cis-benchmarks/ + url: https://www.cisecurity.org/cis-benchmarks/cis-docker-benchmark - uuid: f4d7c796-8574-4a88-ab00-98d245a115ef name: For example for Cont tags: [] 
@@ -3472,7 +3476,7 @@ Implementation: name: Attack Matrix Containers tags: - mitre - url: https://attack.mitre.org/matrices/enterprise/cloud/ + url: https://attack.mitre.org/matrices/enterprise/containers/ description: Attack matrix for containers - uuid: 9fbc47ad-82bc-46d1-bba9-66815ab79935 name: Attack Matrix Kubernetes @@ -3562,11 +3566,11 @@ Implementation: - uuid: edaec98d-dac7-4dfd-8ab3-42c471d5b9ff name: CIS Kubernetes Bench for Security tags: [] - url: https://www.cisecurity.org/cis-benchmarks/ + url: https://www.cisecurity.org/cis-benchmarks/cis-kubernetes-benchmark - uuid: 4dd23c4a-5a7e-4917-82cf-d00e0f04482f name: CIS Docker Bench for Security tags: [] - url: https://www.cisecurity.org/cis-benchmarks/ + url: https://www.cisecurity.org/cis-benchmarks/cis-docker-benchmark - uuid: f4d7c796-8574-4a88-ab00-98d245a115ef name: For example for Cont tags: [] @@ -3583,7 +3587,7 @@ Implementation: name: Attack Matrix Containers tags: - mitre - url: https://attack.mitre.org/matrices/enterprise/cloud/ + url: https://attack.mitre.org/matrices/enterprise/containers/ description: Attack matrix for containers - uuid: 9fbc47ad-82bc-46d1-bba9-66815ab79935 name: Attack Matrix Kubernetes @@ -3822,7 +3826,7 @@ Implementation: - uuid: d5981117-9bc2-45ed-b4a4-383135dc13d8 name: YubiKey tags: [] - url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ + url: https://www.yubico.com/products/ - uuid: 6151cfb3-c894-421e-83da-cac0b2bfaec8 name: SMS tags: [] @@ -3873,7 +3877,7 @@ Implementation: - uuid: d5981117-9bc2-45ed-b4a4-383135dc13d8 name: YubiKey tags: [] - url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ + url: https://www.yubico.com/products/ - uuid: 6151cfb3-c894-421e-83da-cac0b2bfaec8 name: SMS tags: [] 
@@ -4711,6 +4715,589 @@ Information Gathering: Default: false B: false C: false + Threat Intelligence: + Automated OSINT Collection Pipeline: + uuid: a1b2c3d4-e5f6-7890-abcd-ef1234567890 + description: "Automated collection system using cron jobs to query APIs (shodan.io, + virustotal.com) \nwith domain monitoring: `curl -H \"API-Key: $VT_KEY\" https://www.virustotal.com/vtapi/v2/domain/report`\nRSS + feed parsing via Python feedparser and data normalization into JSON/STIX format.\n" + risk: Without systematic threat intelligence collection, organizations cannot + proactively identify emerging threats, ongoing campaigns, or indicators of + compromise targeting their industry sector or technology stack. + measure: | + Deploy cron-scheduled Python scripts with API calls to threat sources, + RSS feed monitoring, certificate transparency logs via crt.sh API, + and automated IOC extraction with regex patterns for IP/domain/hash identification. + difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 2 + usefulness: 4 + level: 2 + implementation: + - uuid: ab1555aa-225a-49b0-9b74-15a5407e0722 + name: Shodan + tags: + - osint + - reconnaissance + - threat-intelligence + url: https://www.shodan.io/ + description: Search engine for Internet-connected devices and services for + reconnaissance and threat intelligence + - uuid: d3a10c34-9e9f-43bd-a474-269d07188efe + name: VirusTotal + tags: + - threat-intelligence + - malware-analysis + - osint + url: https://www.virustotal.com/ + description: Malware and URL analysis service for threat intelligence and + IOC validation + - uuid: 3ec27730-928f-45be-a4fa-92d19c8b3d56 + name: URLScan.io + tags: + - threat-intelligence + - url-analysis + - osint + url: https://urlscan.io/ + description: URL and website analysis service for threat intelligence collection + - uuid: d21f595e-f742-46b3-9871-0c415ab37127 + name: Censys + tags: + - osint + - reconnaissance + - threat-intelligence + url: https://censys.io/ + description: 
Internet scanning and reconnaissance platform for threat intelligence + - uuid: dc429e58-cf5b-4596-bbe2-ed0ce2bb5215 + name: theHarvester + tags: + - osint + - reconnaissance + - email-intelligence + url: https://github.com/laramies/theHarvester + description: OSINT tool for gathering email accounts, subdomains, hosts, and + employee names + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 16.1.2 + - 16.1.3 + iso27001-2022: + - 5.25 + - 5.26 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Threat + Intelligence/a1b2c3d4-e5f6-7890-abcd-ef1234567890 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + ML-Powered Threat Classification: + uuid: e5f6g7h8-i9j0-1234-efgh-567890123456 + description: | + Enterprise TIP with scikit-learn ML models for IOC classification. + API: `POST /ml/classify` with feature vectors for threat scoring, + automated sandbox integration, and predictive campaign analysis using time-series data. + risk: Manual threat intelligence processes create operational bottlenecks, introduce + human error, and cannot scale to address the volume of modern threat data, + resulting in delayed threat detection and response. + measure: | + Deploy enterprise TIP with ML algorithms for pattern recognition, + automated IOC extraction from sandbox reports, + predictive analytics for campaign forecasting, + and SOAR integration with confidence-scored threat indicators. 
+ difficultyOfImplementation: + knowledge: 5 + time: 4 + resources: 4 + usefulness: 5 + level: 5 + implementation: + - uuid: 659e9838-4a79-45a1-ac1f-6b9964a5d21c + name: SpiderFoot + tags: + - osint + - reconnaissance + - threat-intelligence + url: https://www.spiderfoot.net/ + description: Automated OSINT reconnaissance tool for threat intelligence gathering + - uuid: 712eb583-2d3d-44f6-bb01-f32b72dc7942 + name: Maltego + tags: + - osint + - threat-intelligence + - visualization + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat + intelligence visualization + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 16.1.2 + iso27001-2022: + - 5.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Threat + Intelligence/e5f6g7h8-i9j0-1234-efgh-567890123456 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + SIEM IOC Integration Gateway: + uuid: c3d4e5f6-g7h8-9012-cdef-345678901234 + description: | + Automated IOC blocker using STIX/TAXII feeds with API calls to security tools. + Example: `POST /api/firewall/blocklist` with JSON payload containing IOCs, + DNS sinkholing via `/dns/blocklist`, and YARA rule deployment to endpoints. + risk: Threat intelligence that remains isolated from security controls provides + no operational value and allows known threats to successfully compromise systems. + measure: | + Deploy automated integration scripts with REST API calls to firewalls, + DNS servers, and SIEM platforms for IOC blocking, + threat hunting query generation, and validation of indicator effectiveness. 
+ difficultyOfImplementation: + knowledge: 4 + time: 4 + resources: 3 + usefulness: 5 + level: 3 + implementation: + - uuid: 712eb583-2d3d-44f6-bb01-f32b72dc7942 + name: Maltego + tags: + - osint + - threat-intelligence + - visualization + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat + intelligence visualization + - uuid: 659e9838-4a79-45a1-ac1f-6b9964a5d21c + name: SpiderFoot + tags: + - osint + - reconnaissance + - threat-intelligence + url: https://www.spiderfoot.net/ + description: Automated OSINT reconnaissance tool for threat intelligence gathering + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 13.1.1 + - 16.1.2 + iso27001-2022: + - 8.22 + - 5.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Threat + Intelligence/c3d4e5f6-g7h8-9012-cdef-345678901234 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + STIX/TAXII Community Exchange: + uuid: d4e5f6g7-h8i9-0123-defg-456789012345 + description: | + Automated STIX/TAXII server with industry feeds: `taxii2-client --discovery-url` + for feed discovery, bilateral IOC sharing via REST API endpoints, + and TLP compliance validation using JSON schema validation. + risk: Isolation from threat intelligence sharing communities results in delayed + threat awareness, reduced collective defense capabilities, and missed opportunities + for early warning of targeted campaigns. + measure: | + Deploy TAXII server with automated feed synchronization, + industry consortium integration (FS-ISAC, H-ISAC), + data sanitization pipelines for attribution protection, + and bilateral sharing agreements with automated compliance checks. 
+ difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 2 + usefulness: 3 + level: 4 + implementation: + - uuid: 712eb583-2d3d-44f6-bb01-f32b72dc7942 + name: Maltego + tags: + - osint + - threat-intelligence + - visualization + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat + intelligence visualization + - uuid: 17d1eb75-bf05-4d05-8e55-c6233819bfdb + name: PublicWWW + tags: + - osint + - reconnaissance + - threat-intelligence + url: https://publicwww.com/ + description: Source code search engine for OSINT and threat intelligence gathering + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 16.1.2 + - 16.1.3 + iso27001-2022: + - 5.25 + - 5.26 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Threat + Intelligence/d4e5f6g7-h8i9-0123-defg-456789012345 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Threat Intelligence Platform: + uuid: b2c3d4e5-f6g7-8901-bcde-f23456789012 + description: | + Centralized TIP with MISP integration: `misp-modules -l 0.0.0.0 -s` for enrichment, + automated YARA rule generation from samples, + MITRE ATT&CK mapping with `/attributes/restSearch` API for correlation. + risk: Raw threat intelligence without centralized analysis leads to alert fatigue + and inability to prioritize security responses effectively. + measure: | + Deploy MISP platform with automated enrichment APIs, + YARA rule generation workflows, + MITRE ATT&CK technique mapping, + and multi-source indicator correlation with confidence scoring. 
+ difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 3 + usefulness: 4 + level: 3 + implementation: + - uuid: 712eb583-2d3d-44f6-bb01-f32b72dc7942 + name: Maltego + tags: + - osint + - threat-intelligence + - visualization + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat + intelligence visualization + - uuid: 659e9838-4a79-45a1-ac1f-6b9964a5d21c + name: SpiderFoot + tags: + - osint + - reconnaissance + - threat-intelligence + url: https://www.spiderfoot.net/ + description: Automated OSINT reconnaissance tool for threat intelligence gathering + - uuid: d3a10c34-9e9f-43bd-a474-269d07188efe + name: VirusTotal + tags: + - threat-intelligence + - malware-analysis + - osint + url: https://www.virustotal.com/ + description: Malware and URL analysis service for threat intelligence and + IOC validation + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 16.1.2 + iso27001-2022: + - 5.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Threat + Intelligence/b2c3d4e5-f6g7-8901-bcde-f23456789012 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Incident Response: + Attribution Analysis and IOC Sharing: + uuid: i9j0k1l2-m3n4-5678-ijkl-901234567890 + description: | + Threat landscape analysis with MITRE ATT&CK mapping: `attack-navigator --layer techniques.json` + for TTP visualization, automated attribution reporting via REST APIs, + and vulnerability assessment integration with attack vector analysis. + risk: Recovery efforts without comprehensive threat analysis leave organizations + vulnerable to similar attacks and fail to contribute to community defense + through intelligence sharing. + measure: Deploy recovery workflows with threat landscape analysis tools, attribution + reporting with IOC generation for community sharing, vulnerability assessment + based on attack TTPs, and long-term threat actor monitoring. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 4 + level: 3 + implementation: + - uuid: 712eb583-2d3d-44f6-bb01-f32b72dc7942 + name: Maltego + tags: + - osint + - threat-intelligence + - visualization + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat + intelligence visualization + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.6 + - 16.1.7 + iso27001-2022: + - 5.29 + - 5.3 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Incident + Response/i9j0k1l2-m3n4-5678-ijkl-901234567890 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Infrastructure Mapping and Takedown: + uuid: h8i9j0k1-l2m3-4567-hijk-890123456789 + description: | + Passive DNS analysis: `dig +short -x $ip` for reverse lookups, + certificate transparency monitoring via crt.sh API, + automated hosting provider coordination for infrastructure takedown. + risk: Containment efforts without external intelligence context may miss related + infrastructure, fail to prevent reinfection, and allow threat actors to continue + operations against other targets. + measure: Deploy OSINT-enhanced containment with threat infrastructure mapping, + attack campaign tracking via shared IOCs, automated takedown coordination + scripts, and evidence preservation workflows. 
+ difficultyOfImplementation: + knowledge: 4 + time: 4 + resources: 3 + usefulness: 5 + level: 3 + implementation: + - uuid: 712eb583-2d3d-44f6-bb01-f32b72dc7942 + name: Maltego + tags: + - osint + - threat-intelligence + - visualization + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat + intelligence visualization + - uuid: 659e9838-4a79-45a1-ac1f-6b9964a5d21c + name: SpiderFoot + tags: + - osint + - reconnaissance + - threat-intelligence + url: https://www.spiderfoot.net/ + description: Automated OSINT reconnaissance tool for threat intelligence gathering + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.5 + iso27001-2022: + - 5.28 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Incident + Response/h8i9j0k1-l2m3-4567-hijk-890123456789 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + OSINT-Enhanced IR Documentation: + uuid: f6g7h8i9-j0k1-2345-fghi-678901234567 + description: "Structured IR documentation with technical procedures: domain + analysis via\n`dig +trace $domain`, IP geolocation using `curl ipinfo.io/$ip`, + \nand automated evidence collection scripts with legal compliance frameworks.\n" + risk: Without documented incident response procedures that include intelligence + gathering, organizations respond reactively and miss critical attribution + opportunities. + measure: | + Create technical IR documentation with OSINT collection procedures, + automated evidence preservation scripts, + legal compliance checklists for evidence handling, + and structured templates for threat actor attribution. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 5 + level: 1 + implementation: + - uuid: 712eb583-2d3d-44f6-bb01-f32b72dc7942 + name: Maltego + tags: + - osint + - threat-intelligence + - visualization + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat + intelligence visualization + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.1 + - 16.1.5 + iso27001-2022: + - 5.24 + - 5.28 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Incident + Response/f6g7h8i9-j0k1-2345-fghi-678901234567 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Real-time Threat Enrichment: + uuid: g7h8i9j0-k1l2-3456-ghij-789012345678 + description: "Live SIEM enrichment with external threat feeds: Splunk lookup + \n`| lookup threat_intel domain as query_domain OUTPUT confidence score`\nfor + real-time IOC validation and automated alert prioritization.\n" + risk: Incidents detected without external threat context result in delayed response + and missed attribution of sophisticated attack campaigns. + measure: | + Deploy SIEM enrichment with real-time threat intelligence APIs, + automated IOC validation against multiple sources, + confidence scoring for threat indicators, + and contextual alert enhancement with threat actor profiles. 
+ difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 3 + usefulness: 5 + level: 2 + implementation: + - uuid: 607d2158-3d17-4518-b751-61c7422be9a2 + name: GHunt + tags: + - osint + - google-intelligence + - reconnaissance + url: https://github.com/mxrch/GHunt + description: OSINT tool for Google accounts and services investigation + - uuid: fc20c021-f64e-427a-93ce-11872eaec241 + name: Sherlock + tags: + - osint + - username-intelligence + - social-media + url: https://github.com/sherlock-project/sherlock + description: Social media username OSINT investigation tool + - uuid: 712eb583-2d3d-44f6-bb01-f32b72dc7942 + name: Maltego + tags: + - osint + - threat-intelligence + - visualization + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat + intelligence visualization + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.4 + iso27001-2022: + - 5.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Incident + Response/g7h8i9j0-k1l2-3456-ghij-789012345678 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Tactical OSINT Training Program: + uuid: j0k1l2m3-n4o5-6789-jklm-012345678901 + description: | + Skills-based OSINT training: `recon-ng -w domain_enum -m recon/domains-hosts/brute_hosts` + for reconnaissance techniques, threat hunt simulation exercises, + and cross-team collaboration workshops with scenario-based learning. + risk: Teams without current OSINT skills cannot effectively investigate incidents, + conduct threat attribution, or leverage external intelligence for proactive + defense. + measure: Conduct technical OSINT training with hands-on tool usage, threat hunting + simulation exercises, incident response tabletop scenarios, and skills assessment + with certification tracking. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 3 + usefulness: 4 + level: 4 + implementation: + - uuid: 712eb583-2d3d-44f6-bb01-f32b72dc7942 + name: Maltego + tags: + - osint + - threat-intelligence + - visualization + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat + intelligence visualization + - uuid: 607d2158-3d17-4518-b751-61c7422be9a2 + name: GHunt + tags: + - osint + - google-intelligence + - reconnaissance + url: https://github.com/mxrch/GHunt + description: OSINT tool for Google accounts and services investigation + - uuid: fc20c021-f64e-427a-93ce-11872eaec241 + name: Sherlock + tags: + - osint + - username-intelligence + - social-media + url: https://github.com/sherlock-project/sherlock + description: Social media username OSINT investigation tool + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.1 + iso27001-2022: + - 5.24 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Incident + Response/j0k1l2m3-n4o5-6789-jklm-012345678901 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false Monitoring: Advanced app. metrics: uuid: d03bc410-74a7-4e92-82cb-d01a020cb6bf 
@@ -5811,6 +6398,76 @@ Test and Verification: Default: false B: false C: false + Artifact-based false positive treatment: + uuid: 8f2b4d5a-3c1e-4b7a-9d8f-2e6c4a1b5d7f + risk: Without artifact-specific false positive handling, teams must repeatedly + triage the same findings across different versions or deployments of the same + component, leading to inefficient use of security resources. + measure: "Implement false positive marking and temporary acceptance of findings + \nbased on specific artifacts (applications, components, or repositories).\nThis + allows teams to suppress findings for specific versions or builds\nwhile maintaining + visibility for future releases." + description: |- + Artifact-based false positive treatment enables more granular control + over finding suppression by linking decisions to specific code artifacts, + container images, or application versions. This approach helps maintain + security oversight while reducing repeated analysis overhead. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 3 + level: 2 + dependsOn: + - Simple false positive treatment + implementation: + - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb + name: OWASP DefectDojo + tags: + - vulnerability management system + - owasp + url: https://github.com/DefectDojo/django-DefectDojo + description: | + DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. + - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 + name: Purify + tags: + - vulnerability management system + url: https://github.com/faloker/purify/ + description: | + The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. 
+ - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track is an intelligent Component Analysis platform that + allows organizations to identify and reduce risk in the software supply + chain. Dependency-Track takes a unique and highly beneficial approach by + leveraging the capabilities of Software Bill of Materials (SBOM). + url: https://github.com/DependencyTrack/dependency-track + tags: + - sca + - inventory + - OpenSource + - Supply Chain + - vulnerability + - inventory + references: + samm2: + - I-DM-2-A + - I-DM-2-B + iso27001-2017: + - 16.1.4 + - 16.1.6 + iso27001-2022: + - 5.25 + - 5.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/8f2b4d5a-3c1e-4b7a-9d8f-2e6c4a1b5d7f + tags: + - false-positive + - defect-management + teamsImplemented: + Default: false + B: false + C: false Fix based on accessibility: uuid: 0c10a7f7-f78f-49f2-943d-19fdef248fed risk: Overwhelming volume of security findings from automated testing tools. 
@@ -5855,6 +6512,51 @@ Test and Verification: Default: false B: false C: false + Global false positive treatment: + uuid: 9e3a7c2f-1b4d-4e8a-a5c6-7f2b9d1e3a8c + risk: Without centralized false positive management across environments, organizations + face inconsistent security decisions, duplicated analysis efforts, and potential + security gaps when the same findings are handled differently across applications + and teams. + measure: "Implement global false positive and acceptance management that applies + \nconsistently across all applications. This enables organization-wide security + decisions and reduces redundant \nanalysis of common false positives." + description: "Global false positive treatment allows (security) teams to make + \norganization-wide decisions about specific vulnerabilities or finding \npatterns. + When a finding is marked as a false positive or temporarily \naccepted at + the global level, this decision automatically applies to \nall applications + in the specified environment, ensuring consistency \nand operational efficiency." + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 4 + level: 3 + dependsOn: + - Artifact-based false positive treatment + - Usage of a vulnerability management system + implementation: ~ + references: + samm2: + - I-DM-2-B + - I-DM-3-A + iso27001-2017: + - 16.1.3 + - 16.1.4 + - 16.1.6 + iso27001-2022: + - 6.8 + - 5.25 + - 5.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/9e3a7c2f-1b4d-4e8a-a5c6-7f2b9d1e3a8c + tags: + - false-positive + - defect-management + teamsImplemented: + Default: false + B: false + C: false Integration in development process: uuid: aaffa73f-59f6-4267-b0ab-732f3d13e90d risk: "Not integrating vulnerability handling into the development process may 
@@ -6045,10 +6747,14 @@ Test and Verification: usefulness: 4 level: 1 implementation: - - uuid: bb9d0f2d-f8bc-46b5-bbc7-7dbcf927191c - name: OWASP Defect Dojo - tags: [] + - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb + name: OWASP DefectDojo + tags: + - vulnerability management system + - owasp url: https://github.com/DefectDojo/django-DefectDojo + description: | + DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 name: Purify tags: 
@@ -8183,11 +8889,52 @@ Test and Verification: Default: false B: false C: false - Test for stored secrets: + Test for stored secrets in build artifacts: + uuid: d5e6303c-d5c6-4d59-b258-a3b9de38a07f + risk: Stored secrets in container images or other build artifacts shouldn't + exists because they might be exposed to unauthorized parties. + measure: Test for secrets in container images and other artifacts + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 2 + level: 1 + implementation: + - uuid: d90fefc9-4e5d-420f-ac87-eeb165bf0ee6 + name: truffleHog + tags: [] + url: https://github.com/dxa4481/truffleHog + - uuid: 382873e2-8604-4410-ae5e-b0f5ccdee835 + name: go-pillage-registries + tags: [] + url: https://github.com/nccgroup/go-pillage-registries + references: + samm2: + - V-ST-1-A + iso27001-2017: + - vcs usage is not explicitly covered by ISO 27001 - too specific + - 9.4.3 + - 10.1.2 + iso27001-2022: + - vcs usage is not explicitly covered by ISO 27001 - too specific + - 5.17 + - 8.24 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/d5e6303c-d5c6-4d59-b258-a3b9de38a07f + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test for stored secrets in code: uuid: c6e3c812-56e2-41b0-ae01-b7afc41a004c - risk: Stored secrets in git history, in container images or directly in code - shouldn't exists because they might be exposed to unauthorized parties. - measure: Test for secrets in code, container images and history + risk: Stored secrets in git history or directly in code shouldn't exists because + they might be exposed to unauthorized parties. + measure: Test for secrets in code and git history difficultyOfImplementation: knowledge: 2 time: 1
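Review bot: in the @@ -1570 hunk the `url:` field two lines above the changed description still points at the legacy `https://www.owasp.org/index.php/Agile_Software_Development` host while the description link is migrated to `https://owasp.org/www-community/Agile_Software_Development`; update `url:` to the same target so the two fields do not drift. Also, the old description linked the specific "Don't Forget EVIL User Stories" page, whereas the new target is the generic Agile Software Development community page, so the link text "Do not Forget EVIL User Stories" no longer matches its destination; if the specific page no longer exists, adjust the link text accordingly.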
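Review bot: in the @@ -2001 and @@ -2042 hunks the implementation is renamed to `OWASP Juice Shop`, but the replacement description still says "the OWASP JuiceShop" and drops the markdown link to https://github.com/bkimminich/juice-shop that the old `|-` block carried; align the spelling with `name:` and keep the link (or rely on `url:` and say so). Since the entry's uuid changes from 81476121-67dd-4ba9-a67b-e78a23050c28 to 1fff917f-205e-4eab-ae0e-1fab8c04bf3a in the same change, both hunks correctly carry the new uuid, but any other occurrence of 81476121-67dd-4ba9-a67b-e78a23050c28 left in the file would now be a stale duplicate of the same tool; grep for it.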
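Review bot: in the @@ -4711 hunk nine of the ten new activities have uuids that are not valid UUIDs: `b2c3d4e5-f6g7-8901-bcde-f23456789012`, `e5f6g7h8-i9j0-1234-efgh-567890123456`, `c3d4e5f6-g7h8-9012-cdef-345678901234`, `d4e5f6g7-h8i9-0123-defg-456789012345`, `i9j0k1l2-m3n4-5678-ijkl-901234567890`, `h8i9j0k1-l2m3-4567-hijk-890123456789`, `f6g7h8i9-j0k1-2345-fghi-678901234567`, `g7h8i9j0-k1l2-3456-ghij-789012345678` and `j0k1l2m3-n4o5-6789-jklm-012345678901` contain the letters g to o, which are not hexadecimal, and `a1b2c3d4-e5f6-7890-abcd-ef1234567890` is a keyboard-pattern placeholder; the same strings are baked into each activity's openCRE URL, so they must be regenerated (uuidgen) in both places before merge. Further points in the same hunk: (1) the listed implementations do not match the measures: `SIEM IOC Integration Gateway` (firewall, DNS and SIEM API integration) and `ML-Powered Threat Classification` (enterprise TIP with ML) list only Maltego and SpiderFoot, `Threat Intelligence Platform` describes MISP but does not list it, `STIX/TAXII Community Exchange` lists Maltego and PublicWWW rather than any TAXII server, and `Real-time Threat Enrichment` lists GHunt and Sherlock, which are account and username lookup tools, not SIEM enrichment sources. (2) The sample endpoints in the descriptions (`POST /ml/classify`, `POST /api/firewall/blocklist`, `/dns/blocklist`, `curl -H "API-Key: $VT_KEY" ...`) are not interfaces of any listed tool; either mark them as illustrative or replace them with the tools' real interfaces. (3) None of the new activities has a `dependsOn`, although they span levels 1 to 5 (`ML-Powered Threat Classification` at level 5 plainly builds on `Threat Intelligence Platform` at level 3, and `SIEM IOC Integration Gateway` on `Automated OSINT Collection Pipeline`); the rest of this file chains activities by name via `dependsOn`, so add the chain. (4) The ISO 27001:2022 mappings are inconsistent with the rest of the patch: `Attribution Analysis and IOC Sharing` maps 16.1.6/16.1.7 to 5.29/5.3, `Real-time Threat Enrichment` maps 16.1.4 to 5.27, and `Infrastructure Mapping and Takedown` and `OSINT-Enhanced IR Documentation` map 16.1.5 to 5.28, whereas the @@ -5811 hunk maps 16.1.4 to 5.25 and 16.1.6 to 5.27; in the 2022 numbering 5.25 is assessment of events, 5.26 response to incidents, 5.27 learning from incidents and 5.28 collection of evidence, while 5.3 is segregation of duties, so these should read 5.27/5.28, 5.25 and 5.26 respectively. (5) The Maltego block (uuid 712eb583-2d3d-44f6-bb01-f32b72dc7942) is pasted verbatim into nine activities; define it once and reference it. (6) The descriptions of `Automated OSINT Collection Pipeline`, `OSINT-Enhanced IR Documentation` and `Real-time Threat Enrichment` are double-quoted scalars with embedded `\n` that produce hard line breaks mid-sentence when rendered; use the `|` block style the neighbouring entries use.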
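Review bot: in the @@ -5811 hunk the Dependency-Track implementation (uuid 500399bd-7dfc-47fd-99d8-b55cefb760a9) has the whole product description in its `name:` field ("Dependency-Track is an intelligent Component Analysis platform that allows organizations to ...") and no `description:` at all; set `name: Dependency-Track` and move the sentence to `description:`. Its `tags:` list also contains `inventory` twice. Separately, `measure:` is a double-quoted scalar with embedded `\n` ("... of findings \nbased on specific artifacts ...") that renders as hard breaks mid-sentence, while `description:` in the same entry uses `|-`; use one block style for both.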
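Review bot: in the @@ -5855 hunk `implementation: ~` leaves the new `Global false positive treatment` activity with a null implementation value, whereas its sibling `Artifact-based false positive treatment` (which it `dependsOn`) lists DefectDojo and Purify; either list the tools that support organisation-wide suppression or use an empty list `[]` so consumers that iterate over `implementation` do not hit null. The `measure:` and `description:` scalars again carry embedded `\n` inside double quotes ("patterns. \nWhen a finding is marked ..."), producing stray line breaks; the `|` block style used elsewhere in the file avoids this.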
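Review bot: in the @@ -6045 hunk the DefectDojo implementation's uuid is replaced (bb9d0f2d-f8bc-46b5-bbc7-7dbcf927191c becomes 227d786c-dd76-4b81-b0b2-62389ab8f0fb) to match the entry added in @@ -5811; check that no other activity in the file still carries the old uuid, otherwise the same tool is exported under two identifiers. The Purify entry directly below it (unchanged context, uuid d2eb592d-c9b5-4c39-bff7-bb313a58e3a9) lacks the `description:` that the same entry is given in @@ -5811; add it here too so the two copies stay identical.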
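Review bot: in the @@ -8183 hunk renaming the existing activity from `Test for stored secrets` to `Test for stored secrets in code` (it keeps uuid c6e3c812-56e2-41b0-ae01-b7afc41a004c) will silently break any `dependsOn:` entry elsewhere in the file that references the old name, since this file resolves dependencies by activity name (see the `dependsOn` lists in @@ -1570 and @@ -5855); grep for the old name and update those references in the same change. In the new `Test for stored secrets in build artifacts` activity the `iso27001-2017` and `iso27001-2022` lists each contain the free-text item "vcs usage is not explicitly covered by ISO 27001 - too specific", which is a comment rather than a control id and, being about VCS, belongs (if anywhere) with the code-scanning activity, not the artifact one; drop it or turn it into a YAML `#` comment. Both `risk:` texts keep the grammatical error "shouldn't exists" (should be "shouldn't exist"). Finally, the truffleHog and go-pillage-registries implementations have `tags: []` while the rest of this patch tags implementations; consider tagging them.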