From cb87b701545fb988c9f05b2150ef7fa161e7d0b1 Mon Sep 17 00:00:00 2001 From: rezaduty Date: Mon, 28 Jul 2025 12:14:41 +0200 Subject: [PATCH 1/3] feat: integrate OSINT tools and threat intelligence capabilities Add comprehensive threat intelligence and incident response frameworks with OSINT tool integration: - Add threat intelligence collection, analysis, integration, sharing, and automation capabilities - Include incident response plan with OSINT-driven intelligence gathering procedures - Integrate 10 OSINT tools (Shodan, VirusTotal, URLScan.io, Maltego, etc.) with proper UUIDs - Update dependency references to use descriptive names instead of UUIDs - Fix implementation URLs and documentation links for consistency This extends the DevSecOps maturity model with actionable threat intelligence practices and standardized OSINT tooling for improved security operations and incident response capabilities. --- .../default/InformationGathering/Logging.yaml | 395 ++++++++ .../TestAndVerification/Consolidation.yaml | 11 +- src/assets/YAML/default/implementations.yaml | 71 +- src/assets/YAML/generated/generated.yaml | 899 +++++++++++++++++- 4 files changed, 1332 insertions(+), 44 deletions(-) diff --git a/src/assets/YAML/default/InformationGathering/Logging.yaml b/src/assets/YAML/default/InformationGathering/Logging.yaml index 54ef2cf..7a62579 100755 --- a/src/assets/YAML/default/InformationGathering/Logging.yaml +++ b/src/assets/YAML/default/InformationGathering/Logging.yaml 
@@ -195,3 +195,398 @@ Information Gathering: isImplemented: false evidence: "" comments: "" + Threat Intelligence: + Threat Intelligence Collection: + uuid: a1b2c3d4-e5f6-7890-abcd-ef1234567890 + description: | + Systematic collection of threat intelligence from diverse sources including: + - OSINT platforms (Shodan, VirusTotal, URLScan.io, PublicWWW) + - Dark web monitoring (leak databases, underground forums) + - Social media intelligence (Twitter/X, Telegram, Discord) + - Technical indicators (DNS, certificates, IP reputation) + - Vulnerability databases (CVE, NVD, exploit-db) + - Government and industry threat reports + risk: Without systematic threat intelligence collection, organizations cannot proactively identify emerging threats, ongoing campaigns, or indicators of compromise targeting their industry sector or technology stack. + measure: | + Implement automated and manual collection processes using: + - OSINT tools for reconnaissance detection (domain monitoring, certificate transparency) + - Social media monitoring for brand mentions and threat actor discussions + - Dark web monitoring for leaked credentials and company mentions + - Threat feed aggregation from commercial and open sources + - Regular assessment of attack surface exposure via search engines + difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 2 + usefulness: 4 + level: 2 + dependsOn: + - Logging of security events + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/shodan + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/virustotal + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/urlscan-io + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/censys + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/theharvester + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 16.1.2 + - 16.1.3 + iso27001-2022: + - 5.25 + - 5.26 + isImplemented: false + 
evidence: "" + comments: "" + Threat Intelligence Analysis: + uuid: b2c3d4e5-f6g7-8901-bcde-f23456789012 + description: | + Analysis and contextualization of collected intelligence data including: + - Indicator enrichment and validation using multiple sources + - Attribution analysis linking threats to known actor groups + - Campaign tracking across multiple attack vectors + - Threat landscape assessment for organizational risk + - False positive reduction through cross-referencing + - Timeline analysis of threat actor activities + risk: Raw threat intelligence without proper analysis leads to alert fatigue, missed critical threats, and inability to prioritize security responses effectively. + measure: | + Establish analytical workflows that include: + - Multi-source indicator verification and scoring + - Threat actor profiling and campaign attribution + - Industry-specific threat landscape analysis + - Integration with internal security events for correlation + - Regular threat briefings for stakeholders with actionable recommendations + difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 3 + usefulness: 4 + level: 3 + dependsOn: + - Threat Intelligence Collection + - Correlation of security events + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/spiderfoot + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/virustotal + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 16.1.2 + iso27001-2022: + - 5.25 + isImplemented: false + evidence: "" + comments: "" + Threat Intelligence Integration: + uuid: c3d4e5f6-g7h8-9012-cdef-345678901234 + description: | + Tactical integration of threat intelligence into security infrastructure: + - SIEM rule creation based on IOCs and behavioral patterns + - Automated blocking of malicious IPs, domains, and file hashes + - DNS sinkholing for known malicious domains + - Email 
security enhancement with threat indicators + - Endpoint detection rules based on YARA signatures + - Network monitoring alerts for suspicious communications + risk: Threat intelligence that remains isolated from security controls provides no operational value and allows known threats to successfully compromise systems. + measure: | + Deploy automated integration mechanisms: + - STIX/TAXII feeds integrated into security tools + - Custom APIs for threat intelligence platform integration + - Automated IOC blocking across network and endpoint security + - Regular validation of integrated indicators for effectiveness + - Threat hunting queries based on intelligence analysis + difficultyOfImplementation: + knowledge: 4 + time: 4 + resources: 3 + usefulness: 5 + level: 3 + dependsOn: + - Threat Intelligence Analysis + - Centralized application logging + - Centralized system logging + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/spiderfoot + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 13.1.1 + - 16.1.2 + iso27001-2022: + - 8.22 + - 5.25 + isImplemented: false + evidence: "" + comments: "" + Threat Intelligence Sharing: + uuid: d4e5f6g7-h8i9-0123-defg-456789012345 + description: | + Strategic participation in threat intelligence ecosystems including: + - Industry-specific threat sharing groups (FS-ISAC, H-ISAC) + - Government programs (US-CERT, NCSC, national CERTs) + - Commercial threat intelligence platforms + - Open source intelligence communities + - Vendor security communities and user groups + - Regional cybersecurity alliances + risk: Isolation from threat intelligence sharing communities results in delayed threat awareness, reduced collective defense capabilities, and missed opportunities for early warning of targeted campaigns. 
+ measure: | + Establish formal sharing relationships through: + - Membership in relevant industry sharing organizations + - Bilateral threat intelligence sharing agreements + - Automated sharing via STIX/TAXII protocols + - Regular participation in threat briefings and working groups + - Sanitized indicator sharing while protecting sensitive sources + difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 2 + usefulness: 3 + level: 4 + dependsOn: + - Threat Intelligence Analysis + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/publicwww + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 16.1.2 + - 16.1.3 + iso27001-2022: + - 5.25 + - 5.26 + isImplemented: false + evidence: "" + comments: "" + Automated Threat Intelligence: + uuid: e5f6g7h8-i9j0-1234-efgh-567890123456 + description: | + Advanced automation of threat intelligence operations including: + - Automated OSINT collection from multiple sources simultaneously + - Machine learning-based threat classification and scoring + - Dynamic IOC generation from malware analysis sandboxes + - Automated attribution analysis using behavior clustering + - Real-time threat landscape monitoring and alerting + - Intelligent threat hunting based on predictive analytics + risk: Manual threat intelligence processes create operational bottlenecks, introduce human error, and cannot scale to address the volume of modern threat data, resulting in delayed threat detection and response. 
+ measure: | + Deploy enterprise threat intelligence platforms with: + - Multi-source automated data collection and normalization + - Machine learning algorithms for threat pattern recognition + - Automated indicator extraction and validation workflows + - Integration with SOAR platforms for response automation + - Predictive threat modeling based on historical attack patterns + - Automated reporting and briefing generation for stakeholders + difficultyOfImplementation: + knowledge: 5 + time: 4 + resources: 4 + usefulness: 5 + level: 5 + dependsOn: + - Threat Intelligence Integration + - Correlation of security events + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/spiderfoot + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 16.1.2 + iso27001-2022: + - 5.25 + isImplemented: false + evidence: "" + comments: "" + Incident Response: + Incident Response Plan: + uuid: f6g7h8i9-j0k1-2345-fghi-678901234567 + description: | + Comprehensive incident response plan incorporating OSINT-driven intelligence gathering: + - Pre-defined incident classification matrix with response procedures + - OSINT collection protocols for threat actor attribution and campaign analysis + - Integration with threat intelligence platforms for context enrichment + - Communication templates for internal teams and external stakeholders + - Legal and regulatory compliance requirements for different incident types + - Evidence preservation procedures for digital forensics and legal proceedings + risk: Without a documented incident response plan that includes intelligence gathering procedures, organizations respond reactively, miss attribution opportunities, and fail to understand the broader threat landscape context. 
+ measure: | + Develop comprehensive incident response documentation including: + - Playbooks for common incident types with OSINT collection steps + - Role-based access controls and escalation procedures + - Integration points with threat intelligence and OSINT tools + - Regular plan testing through tabletop exercises and simulations + - Post-incident review processes for continuous improvement + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 5 + level: 1 + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.1 + - 16.1.5 + iso27001-2022: + - 5.24 + - 5.28 + isImplemented: false + evidence: "" + comments: "" + Incident Detection and Classification: + uuid: g7h8i9j0-k1l2-3456-ghij-789012345678 + description: | + Advanced incident detection enhanced with OSINT capabilities: + - Multi-source indicator correlation from internal logs and external intelligence + - Automated enrichment of security alerts with threat context + - Social media monitoring for brand mentions and potential targeting + - Dark web monitoring for organization-specific threats and leaked data + - Threat actor tracking to identify campaign patterns and attribution + - Geolocation analysis of attack sources and infrastructure + risk: Basic incident detection without external intelligence context results in missed sophisticated attacks, delayed attribution, and inability to understand attack campaigns targeting the organization. 
+ measure: | + Deploy enhanced detection capabilities with: + - SIEM integration with multiple threat intelligence feeds + - Automated OSINT enrichment of security alerts and indicators + - Social media and dark web monitoring for early threat detection + - Machine learning algorithms for anomaly detection and pattern recognition + - Threat hunting programs guided by external intelligence and industry reports + difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 3 + usefulness: 5 + level: 2 + dependsOn: + - Incident Response Plan + - Correlation of security events + - Alerting + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/ghunt + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/sherlock + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.4 + iso27001-2022: + - 5.27 + isImplemented: false + evidence: "" + comments: "" + Incident Containment and Eradication: + uuid: h8i9j0k1-l2m3-4567-hijk-890123456789 + description: | + OSINT-enhanced containment and eradication procedures: + - Threat infrastructure mapping using passive DNS and certificate analysis + - Attack campaign tracking to identify additional compromised systems + - IOC generation and sharing for community defense + - Attribution analysis to understand threat actor methods and motivations + - Infrastructure takedown coordination with hosting providers and registrars + - Real-time threat landscape monitoring during incident response + risk: Containment efforts without external intelligence context may miss related infrastructure, fail to prevent reinfection, and allow threat actors to continue operations against other targets. + measure: Establish procedures to contain security incidents, eliminate the root cause, and remove malicious artifacts while preserving evidence for investigation. 
+ difficultyOfImplementation: + knowledge: 4 + time: 4 + resources: 3 + usefulness: 5 + level: 3 + dependsOn: + - Incident Detection and Classification + - Threat Intelligence Integration + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/spiderfoot + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.5 + iso27001-2022: + - 5.28 + isImplemented: false + evidence: "" + comments: "" + Incident Recovery and Post-Incident Analysis: + uuid: i9j0k1l2-m3n4-5678-ijkl-901234567890 + description: | + Intelligence-driven recovery and analysis processes: + - Threat landscape analysis to identify ongoing risks and similar campaigns + - Attribution reporting with indicators for threat intelligence sharing + - Vulnerability assessment based on attack methods and exploitation techniques + - Industry threat briefings to warn of similar attacks against peer organizations + - Long-term monitoring for threat actor return or infrastructure reuse + - Integration of lessons learned into threat detection and prevention systems + risk: Recovery efforts without comprehensive threat analysis leave organizations vulnerable to similar attacks and fail to contribute to community defense through intelligence sharing. + measure: Implement recovery procedures to restore normal operations and conduct post-incident analysis to identify lessons learned and implement improvements to prevent similar incidents. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 4 + level: 3 + dependsOn: + - Incident Containment and Eradication + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.6 + - 16.1.7 + iso27001-2022: + - 5.29 + - 5.30 + isImplemented: false + evidence: "" + comments: "" + Incident Response Training and Testing: + uuid: j0k1l2m3-n4o5-6789-jklm-012345678901 + description: | + Comprehensive training program incorporating OSINT and threat intelligence: + - Hands-on OSINT training for incident responders and analysts + - Threat intelligence platform training for indicator enrichment and analysis + - Tabletop exercises based on real-world attack campaigns and threat actor TTPs + - Red team exercises incorporating current threat intelligence and attack methods + - Cross-functional training between security operations and threat intelligence teams + - Regular updates on emerging threats, tools, and investigation techniques + risk: Training programs that don't incorporate current threat intelligence and OSINT capabilities leave teams unprepared for sophisticated attacks and limit their ability to conduct effective threat attribution and campaign analysis. + measure: Conduct regular incident response training for team members and perform tabletop exercises, simulations, and drills to test and improve incident response procedures. 
+ difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 3 + usefulness: 4 + level: 4 + dependsOn: + - Incident Response Plan + - Incident Recovery and Post-Incident Analysis + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/ghunt + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/sherlock + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.1 + iso27001-2022: + - 5.24 + isImplemented: false + evidence: "" + comments: "" diff --git a/src/assets/YAML/default/TestAndVerification/Consolidation.yaml b/src/assets/YAML/default/TestAndVerification/Consolidation.yaml index 5de7094..ef71495 100755 --- a/src/assets/YAML/default/TestAndVerification/Consolidation.yaml +++ b/src/assets/YAML/default/TestAndVerification/Consolidation.yaml @@ -21,9 +21,8 @@ Test and Verification: - The number of network hops required to reach the asset (recommended) - Authentication requirements for access (recommended) dependsOn: - - uuid:44f2c8a9-4aaa-4c72-942d-63f78b89f385 # Treatment of defects with severity high or higher: - #- uuid:3260a15f-2df0-4173-8790-f11de2cb525a # Access applications accessibility TODO - - uuid:2a44b708-734f-4463-b0cb-86dc46344b2f # Inventory of production components + - Treatment of defects with severity high or higher + - Inventory of production components implementation: references: samm2: @@ -196,7 +195,7 @@ Test and Verification: usefulness: 3 level: 2 dependsOn: - - uuid: c1acc8af-312e-4503-a817-a26220c993a0 # Simple false positive treatment + - Simple false positive treatment implementation: - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-defectdojo - $ref: src/assets/YAML/default/implementations.yaml#/implementations/purify 
@@ -340,8 +339,8 @@ Test and Verification: usefulness: 4 level: 3 dependsOn: - - uuid: 8f2b4d5a-3c1e-4b7a-9d8f-2e6c4a1b5d7f # Artifact-based false positive treatment - - uuid: 85ba5623-84be-4219-8892-808837be582d # Usage of a vulnerability management system + - Artifact-based false positive treatment + - Usage of a vulnerability management system implementation: references: samm2: diff --git a/src/assets/YAML/default/implementations.yaml b/src/assets/YAML/default/implementations.yaml index f24ac28..64ba84f 100755 --- a/src/assets/YAML/default/implementations.yaml +++ b/src/assets/YAML/default/implementations.yaml 
@@ -46,6 +46,67 @@ implementations: name: CWE-838 Inappropriate Encoding for Output Context tags: ["documentation", "cwe"] url: https://cwe.mitre.org/data/definitions/838.html + # OSINT and Threat Intelligence Tools + shodan: + uuid: ab1555aa-225a-49b0-9b74-15a5407e0722 + name: Shodan + tags: [osint, reconnaissance, threat-intelligence] + url: https://www.shodan.io/ + description: Search engine for Internet-connected devices and services for reconnaissance and threat intelligence + virustotal: + uuid: d3a10c34-9e9f-43bd-a474-269d07188efe + name: VirusTotal + tags: [threat-intelligence, malware-analysis, osint] + url: https://www.virustotal.com/ + description: Malware and URL analysis service for threat intelligence and IOC validation + urlscan-io: + uuid: 3ec27730-928f-45be-a4fa-92d19c8b3d56 + name: URLScan.io + tags: [threat-intelligence, url-analysis, osint] + url: https://urlscan.io/ + description: URL and website analysis service for threat intelligence collection + publicwww: + uuid: 17d1eb75-bf05-4d05-8e55-c6233819bfdb + name: PublicWWW + tags: [osint, reconnaissance, threat-intelligence] + url: https://publicwww.com/ + description: Source code search engine for OSINT and threat intelligence gathering + censys: + uuid: d21f595e-f742-46b3-9871-0c415ab37127 + name: Censys + tags: [osint, reconnaissance, threat-intelligence] + url: https://censys.io/ + description: Internet scanning and reconnaissance platform for threat intelligence + maltego: + uuid: 712eb583-2d3d-44f6-bb01-f32b72dc7942 + name: Maltego + tags: [osint, threat-intelligence, visualization] + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat intelligence visualization + theharvester: + uuid: dc429e58-cf5b-4596-bbe2-ed0ce2bb5215 + name: theHarvester + tags: [osint, reconnaissance, email-intelligence] + url: https://github.com/laramies/theHarvester + description: OSINT tool for gathering email accounts, subdomains, hosts, and employee names + 
spiderfoot: + uuid: 659e9838-4a79-45a1-ac1f-6b9964a5d21c + name: SpiderFoot + tags: [osint, reconnaissance, threat-intelligence] + url: https://www.spiderfoot.net/ + description: Automated OSINT reconnaissance tool for threat intelligence gathering + ghunt: + uuid: 607d2158-3d17-4518-b751-61c7422be9a2 + name: GHunt + tags: [osint, google-intelligence, reconnaissance] + url: https://github.com/mxrch/GHunt + description: OSINT tool for Google accounts and services investigation + sherlock: + uuid: fc20c021-f64e-427a-93ce-11872eaec241 + name: Sherlock + tags: [osint, username-intelligence, social-media] + url: https://github.com/sherlock-project/sherlock + description: Social media username OSINT investigation tool docker-content-trust: uuid: ee81f93f-8230-4cfb-a132-ae4ec61cb8e6 name: Docker Content Trust @@ -172,8 +233,8 @@ implementations: tags: [] url: https://www.owasp.org/index.php/Agile_Software_Development description: - "[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories)\ - \ and [Practical Security Stories and Security Tasks for Agile Development Environments](http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)" + "[Do not Forget EVIL User Stories](https://owasp.org/www-community/Agile_Software_Development)\ + \ and [Practical Security Stories and Security Tasks for Agile Development Environments](https://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)" libyear: uuid: 2fff917f-205e-4eab-2e0e-1fab8c04bf33 name: libyear 
@@ -247,12 +308,12 @@ implementations: uuid: edaec98d-dac7-4dfd-8ab3-42c471d5b9ff name: CIS Kubernetes Bench for Security tags: [] - url: https://www.cisecurity.org/cis-benchmarks/ + url: https://www.cisecurity.org/cis-benchmarks/cis-kubernetes-benchmark cis-docker-bench-for: uuid: 4dd23c4a-5a7e-4917-82cf-d00e0f04482f name: CIS Docker Bench for Security tags: [] - url: https://www.cisecurity.org/cis-benchmarks/ + url: https://www.cisecurity.org/cis-benchmarks/cis-docker-benchmark for-example-for-cont: uuid: f4d7c796-8574-4a88-ab00-98d245a115ef name: For example for Cont @@ -358,7 +419,7 @@ implementations: uuid: d5981117-9bc2-45ed-b4a4-383135dc13d8 name: YubiKey tags: [] - url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ + url: https://www.yubico.com/products/ sms: uuid: 6151cfb3-c894-421e-83da-cac0b2bfaec8 name: SMS diff --git a/src/assets/YAML/generated/generated.yaml b/src/assets/YAML/generated/generated.yaml index 22a495d..fe324cf 100644 --- a/src/assets/YAML/generated/generated.yaml +++ b/src/assets/YAML/generated/generated.yaml @@ -1527,9 +1527,9 @@ Culture and Organization: name: Don't Forget EVIL User stories tags: [] url: https://www.owasp.org/index.php/Agile_Software_Development - description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories) + description: '[Do not Forget EVIL User Stories](https://owasp.org/www-community/Agile_Software_Development) and [Practical Security Stories and Security Tasks for Agile Development - Environments](http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)' + Environments](https://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)' references: samm2: - D-TA-2-B 
@@ -1570,9 +1570,9 @@ Culture and Organization: name: Don't Forget EVIL User stories tags: [] url: https://www.owasp.org/index.php/Agile_Software_Development - description: '[Do not Forget EVIL User Stories](https://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories) + description: '[Do not Forget EVIL User Stories](https://owasp.org/www-community/Agile_Software_Development) and [Practical Security Stories and Security Tasks for Agile Development - Environments](http://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)' + Environments](https://safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf)' dependsOn: - Conduction of simple threat modeling on technical level - Creation of threat modeling processes and standards @@ -1709,6 +1709,7 @@ Culture and Organization: - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 name: OWASP Cheatsheet Series tags: + - training - secure coding url: https://cheatsheetseries.owasp.org/ references: @@ -2001,16 +2002,17 @@ Culture and Organization: [Source: OWASP SAMM 2](https://owaspsamm.org/model/governance/education-and-guidance/stream-a/) implementation: - - uuid: 81476121-67dd-4ba9-a67b-e78a23050c28 - name: OWASP JuiceShop - tags: [] + - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a + name: OWASP Juice Shop + tags: + - training url: https://github.com/bkimminich/juice-shop - description: |- - In case you do not have the budget to hire an external security expert, an option - is to use the [OWASP JuiceShop](https://github.com/bkimminich/juice-shop) on a "hacking Friday" + description: In case you do not have the budget to hire an external security + expert, an option is to use the OWASP JuiceShop on a "hacking Friday" - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 name: OWASP Cheatsheet Series tags: + - training - secure coding url: https://cheatsheetseries.owasp.org/ references: 
@@ -2042,15 +2044,15 @@ Culture and Organization: usefulness: 4 level: 4 implementation: - - uuid: 81476121-67dd-4ba9-a67b-e78a23050c28 - name: OWASP JuiceShop - tags: [] + - uuid: 1fff917f-205e-4eab-ae0e-1fab8c04bf3a + name: OWASP Juice Shop + tags: + - training url: https://github.com/bkimminich/juice-shop - description: |- - In case you do not have the budget to hire an external security expert, an option - is to use the [OWASP JuiceShop](https://github.com/bkimminich/juice-shop) on a "hacking Friday" - - uuid: 99080ac7-60cd-46af-93a1-a53a33597cba - name: https://cheatsheetseries.owasp.org/ + description: In case you do not have the budget to hire an external security + expert, an option is to use the OWASP JuiceShop on a "hacking Friday" + - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 + name: OWASP Cheatsheet Series tags: - training - secure coding @@ -2089,6 +2091,7 @@ Culture and Organization: - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 name: OWASP Cheatsheet Series tags: + - training - secure coding url: https://cheatsheetseries.owasp.org/ dependsOn: @@ -2266,6 +2269,7 @@ Culture and Organization: - uuid: 1c3f2f7a-5031-4687-9d69-76c5178c74e1 name: OWASP Cheatsheet Series tags: + - training - secure coding url: https://cheatsheetseries.owasp.org/ references: @@ -3451,11 +3455,11 @@ Implementation: - uuid: edaec98d-dac7-4dfd-8ab3-42c471d5b9ff name: CIS Kubernetes Bench for Security tags: [] - url: https://www.cisecurity.org/cis-benchmarks/ + url: https://www.cisecurity.org/cis-benchmarks/cis-kubernetes-benchmark - uuid: 4dd23c4a-5a7e-4917-82cf-d00e0f04482f name: CIS Docker Bench for Security tags: [] - url: https://www.cisecurity.org/cis-benchmarks/ + url: https://www.cisecurity.org/cis-benchmarks/cis-docker-benchmark - uuid: f4d7c796-8574-4a88-ab00-98d245a115ef name: For example for Cont tags: [] 
@@ -3472,7 +3476,7 @@ Implementation: name: Attack Matrix Containers tags: - mitre - url: https://attack.mitre.org/matrices/enterprise/cloud/ + url: https://attack.mitre.org/matrices/enterprise/containers/ description: Attack matrix for containers - uuid: 9fbc47ad-82bc-46d1-bba9-66815ab79935 name: Attack Matrix Kubernetes @@ -3562,11 +3566,11 @@ Implementation: - uuid: edaec98d-dac7-4dfd-8ab3-42c471d5b9ff name: CIS Kubernetes Bench for Security tags: [] - url: https://www.cisecurity.org/cis-benchmarks/ + url: https://www.cisecurity.org/cis-benchmarks/cis-kubernetes-benchmark - uuid: 4dd23c4a-5a7e-4917-82cf-d00e0f04482f name: CIS Docker Bench for Security tags: [] - url: https://www.cisecurity.org/cis-benchmarks/ + url: https://www.cisecurity.org/cis-benchmarks/cis-docker-benchmark - uuid: f4d7c796-8574-4a88-ab00-98d245a115ef name: For example for Cont tags: [] @@ -3583,7 +3587,7 @@ Implementation: name: Attack Matrix Containers tags: - mitre - url: https://attack.mitre.org/matrices/enterprise/cloud/ + url: https://attack.mitre.org/matrices/enterprise/containers/ description: Attack matrix for containers - uuid: 9fbc47ad-82bc-46d1-bba9-66815ab79935 name: Attack Matrix Kubernetes @@ -3822,7 +3826,7 @@ Implementation: - uuid: d5981117-9bc2-45ed-b4a4-383135dc13d8 name: YubiKey tags: [] - url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ + url: https://www.yubico.com/products/ - uuid: 6151cfb3-c894-421e-83da-cac0b2bfaec8 name: SMS tags: [] @@ -3873,7 +3877,7 @@ Implementation: - uuid: d5981117-9bc2-45ed-b4a4-383135dc13d8 name: YubiKey tags: [] - url: https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ + url: https://www.yubico.com/products/ - uuid: 6151cfb3-c894-421e-83da-cac0b2bfaec8 name: SMS tags: [] 
@@ -4711,6 +4715,675 @@ Information Gathering: Default: false B: false C: false + Threat Intelligence: + Automated Threat Intelligence: + uuid: e5f6g7h8-i9j0-1234-efgh-567890123456 + description: | + Advanced automation of threat intelligence operations including: + - Automated OSINT collection from multiple sources simultaneously + - Machine learning-based threat classification and scoring + - Dynamic IOC generation from malware analysis sandboxes + - Automated attribution analysis using behavior clustering + - Real-time threat landscape monitoring and alerting + - Intelligent threat hunting based on predictive analytics + risk: Manual threat intelligence processes create operational bottlenecks, introduce + human error, and cannot scale to address the volume of modern threat data, + resulting in delayed threat detection and response. + measure: | + Deploy enterprise threat intelligence platforms with: + - Multi-source automated data collection and normalization + - Machine learning algorithms for threat pattern recognition + - Automated indicator extraction and validation workflows + - Integration with SOAR platforms for response automation + - Predictive threat modeling based on historical attack patterns + - Automated reporting and briefing generation for stakeholders + difficultyOfImplementation: + knowledge: 5 + time: 4 + resources: 4 + usefulness: 5 + level: 5 + dependsOn: + - Threat Intelligence Integration + - Correlation of security events + implementation: + - uuid: 88888888-8888-8888-8888-888888888888 + name: SpiderFoot + tags: + - osint + - reconnaissance + - threat-intelligence + url: https://www.spiderfoot.net/ + description: Automated OSINT reconnaissance tool for threat intelligence gathering + - uuid: 66666666-6666-6666-6666-666666666666 + name: Maltego + tags: + - osint + - threat-intelligence + - visualization + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat + intelligence visualization 
+ references: + samm2: + - O-IM-2-A + iso27001-2017: + - 16.1.2 + iso27001-2022: + - 5.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Threat + Intelligence/e5f6g7h8-i9j0-1234-efgh-567890123456 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Threat Intelligence Analysis: + uuid: b2c3d4e5-f6g7-8901-bcde-f23456789012 + description: | + Analysis and contextualization of collected intelligence data including: + - Indicator enrichment and validation using multiple sources + - Attribution analysis linking threats to known actor groups + - Campaign tracking across multiple attack vectors + - Threat landscape assessment for organizational risk + - False positive reduction through cross-referencing + - Timeline analysis of threat actor activities + risk: Raw threat intelligence without proper analysis leads to alert fatigue, + missed critical threats, and inability to prioritize security responses effectively. 
+ measure: | + Establish analytical workflows that include: + - Multi-source indicator verification and scoring + - Threat actor profiling and campaign attribution + - Industry-specific threat landscape analysis + - Integration with internal security events for correlation + - Regular threat briefings for stakeholders with actionable recommendations + difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 3 + usefulness: 4 + level: 3 + dependsOn: + - Threat Intelligence Collection + - Correlation of security events + implementation: + - uuid: 66666666-6666-6666-6666-666666666666 + name: Maltego + tags: + - osint + - threat-intelligence + - visualization + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat + intelligence visualization + - uuid: 88888888-8888-8888-8888-888888888888 + name: SpiderFoot + tags: + - osint + - reconnaissance + - threat-intelligence + url: https://www.spiderfoot.net/ + description: Automated OSINT reconnaissance tool for threat intelligence gathering + - uuid: 22222222-2222-2222-2222-222222222222 + name: VirusTotal + tags: + - threat-intelligence + - malware-analysis + - osint + url: https://www.virustotal.com/ + description: Malware and URL analysis service for threat intelligence and + IOC validation + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 16.1.2 + iso27001-2022: + - 5.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Threat + Intelligence/b2c3d4e5-f6g7-8901-bcde-f23456789012 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Threat Intelligence Collection: + uuid: a1b2c3d4-e5f6-7890-abcd-ef1234567890 + description: | + Systematic collection of threat intelligence from diverse sources including: + - OSINT platforms (Shodan, VirusTotal, URLScan.io, PublicWWW) + - Dark web monitoring (leak databases, underground forums) + - Social media intelligence (Twitter/X, Telegram, 
Discord) + - Technical indicators (DNS, certificates, IP reputation) + - Vulnerability databases (CVE, NVD, exploit-db) + - Government and industry threat reports + risk: Without systematic threat intelligence collection, organizations cannot + proactively identify emerging threats, ongoing campaigns, or indicators of + compromise targeting their industry sector or technology stack. + measure: | + Implement automated and manual collection processes using: + - OSINT tools for reconnaissance detection (domain monitoring, certificate transparency) + - Social media monitoring for brand mentions and threat actor discussions + - Dark web monitoring for leaked credentials and company mentions + - Threat feed aggregation from commercial and open sources + - Regular assessment of attack surface exposure via search engines + difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 2 + usefulness: 4 + level: 2 + dependsOn: + - Logging of security events + implementation: + - uuid: 11111111-1111-1111-1111-111111111111 + name: Shodan + tags: + - osint + - reconnaissance + - threat-intelligence + url: https://www.shodan.io/ + description: Search engine for Internet-connected devices and services for + reconnaissance and threat intelligence + - uuid: 22222222-2222-2222-2222-222222222222 + name: VirusTotal + tags: + - threat-intelligence + - malware-analysis + - osint + url: https://www.virustotal.com/ + description: Malware and URL analysis service for threat intelligence and + IOC validation + - uuid: 33333333-3333-3333-3333-333333333333 + name: URLScan.io + tags: + - threat-intelligence + - url-analysis + - osint + url: https://urlscan.io/ + description: URL and website analysis service for threat intelligence collection + - uuid: 55555555-5555-5555-5555-555555555555 + name: Censys + tags: + - osint + - reconnaissance + - threat-intelligence + url: https://censys.io/ + description: Internet scanning and reconnaissance platform for threat intelligence + - uuid: 
77777777-7777-7777-7777-777777777777 + name: theHarvester + tags: + - osint + - reconnaissance + - email-intelligence + url: https://github.com/laramies/theHarvester + description: OSINT tool for gathering email accounts, subdomains, hosts, and + employee names + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 16.1.2 + - 16.1.3 + iso27001-2022: + - 5.25 + - 5.26 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Threat + Intelligence/a1b2c3d4-e5f6-7890-abcd-ef1234567890 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Threat Intelligence Integration: + uuid: c3d4e5f6-g7h8-9012-cdef-345678901234 + description: | + Tactical integration of threat intelligence into security infrastructure: + - SIEM rule creation based on IOCs and behavioral patterns + - Automated blocking of malicious IPs, domains, and file hashes + - DNS sinkholing for known malicious domains + - Email security enhancement with threat indicators + - Endpoint detection rules based on YARA signatures + - Network monitoring alerts for suspicious communications + risk: Threat intelligence that remains isolated from security controls provides + no operational value and allows known threats to successfully compromise systems. 
+ measure: | + Deploy automated integration mechanisms: + - STIX/TAXII feeds integrated into security tools + - Custom APIs for threat intelligence platform integration + - Automated IOC blocking across network and endpoint security + - Regular validation of integrated indicators for effectiveness + - Threat hunting queries based on intelligence analysis + difficultyOfImplementation: + knowledge: 4 + time: 4 + resources: 3 + usefulness: 5 + level: 3 + dependsOn: + - Threat Intelligence Analysis + - Centralized application logging + - Centralized system logging + implementation: + - uuid: 66666666-6666-6666-6666-666666666666 + name: Maltego + tags: + - osint + - threat-intelligence + - visualization + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat + intelligence visualization + - uuid: 88888888-8888-8888-8888-888888888888 + name: SpiderFoot + tags: + - osint + - reconnaissance + - threat-intelligence + url: https://www.spiderfoot.net/ + description: Automated OSINT reconnaissance tool for threat intelligence gathering + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 13.1.1 + - 16.1.2 + iso27001-2022: + - 8.22 + - 5.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Threat + Intelligence/c3d4e5f6-g7h8-9012-cdef-345678901234 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Threat Intelligence Sharing: + uuid: d4e5f6g7-h8i9-0123-defg-456789012345 + description: | + Strategic participation in threat intelligence ecosystems including: + - Industry-specific threat sharing groups (FS-ISAC, H-ISAC) + - Government programs (US-CERT, NCSC, national CERTs) + - Commercial threat intelligence platforms + - Open source intelligence communities + - Vendor security communities and user groups + - Regional cybersecurity alliances + risk: Isolation from threat intelligence sharing communities results in delayed + threat awareness, 
reduced collective defense capabilities, and missed opportunities + for early warning of targeted campaigns. + measure: | + Establish formal sharing relationships through: + - Membership in relevant industry sharing organizations + - Bilateral threat intelligence sharing agreements + - Automated sharing via STIX/TAXII protocols + - Regular participation in threat briefings and working groups + - Sanitized indicator sharing while protecting sensitive sources + difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 2 + usefulness: 3 + level: 4 + dependsOn: + - Threat Intelligence Analysis + implementation: + - uuid: 66666666-6666-6666-6666-666666666666 + name: Maltego + tags: + - osint + - threat-intelligence + - visualization + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat + intelligence visualization + - uuid: 44444444-4444-4444-4444-444444444444 + name: PublicWWW + tags: + - osint + - reconnaissance + - threat-intelligence + url: https://publicwww.com/ + description: Source code search engine for OSINT and threat intelligence gathering + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 16.1.2 + - 16.1.3 + iso27001-2022: + - 5.25 + - 5.26 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Threat + Intelligence/d4e5f6g7-h8i9-0123-defg-456789012345 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Incident Response: + Incident Containment and Eradication: + uuid: h8i9j0k1-l2m3-4567-hijk-890123456789 + description: | + OSINT-enhanced containment and eradication procedures: + - Threat infrastructure mapping using passive DNS and certificate analysis + - Attack campaign tracking to identify additional compromised systems + - IOC generation and sharing for community defense + - Attribution analysis to understand threat actor methods and motivations + - Infrastructure takedown coordination with hosting providers and 
registrars + - Real-time threat landscape monitoring during incident response + risk: Containment efforts without external intelligence context may miss related + infrastructure, fail to prevent reinfection, and allow threat actors to continue + operations against other targets. + measure: Establish procedures to contain security incidents, eliminate the root + cause, and remove malicious artifacts while preserving evidence for investigation. + difficultyOfImplementation: + knowledge: 4 + time: 4 + resources: 3 + usefulness: 5 + level: 3 + dependsOn: + - Incident Detection and Classification + - Threat Intelligence Integration + implementation: + - uuid: 66666666-6666-6666-6666-666666666666 + name: Maltego + tags: + - osint + - threat-intelligence + - visualization + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat + intelligence visualization + - uuid: 88888888-8888-8888-8888-888888888888 + name: SpiderFoot + tags: + - osint + - reconnaissance + - threat-intelligence + url: https://www.spiderfoot.net/ + description: Automated OSINT reconnaissance tool for threat intelligence gathering + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.5 + iso27001-2022: + - 5.28 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Incident + Response/h8i9j0k1-l2m3-4567-hijk-890123456789 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Incident Detection and Classification: + uuid: g7h8i9j0-k1l2-3456-ghij-789012345678 + description: | + Advanced incident detection enhanced with OSINT capabilities: + - Multi-source indicator correlation from internal logs and external intelligence + - Automated enrichment of security alerts with threat context + - Social media monitoring for brand mentions and potential targeting + - Dark web monitoring for organization-specific threats and leaked data + - Threat actor tracking to identify campaign 
patterns and attribution + - Geolocation analysis of attack sources and infrastructure + risk: Basic incident detection without external intelligence context results + in missed sophisticated attacks, delayed attribution, and inability to understand + attack campaigns targeting the organization. + measure: | + Deploy enhanced detection capabilities with: + - SIEM integration with multiple threat intelligence feeds + - Automated OSINT enrichment of security alerts and indicators + - Social media and dark web monitoring for early threat detection + - Machine learning algorithms for anomaly detection and pattern recognition + - Threat hunting programs guided by external intelligence and industry reports + difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 3 + usefulness: 5 + level: 2 + dependsOn: + - Incident Response Plan + - Correlation of security events + - Alerting + implementation: + - uuid: 99999999-9999-9999-9999-999999999999 + name: GHunt + tags: + - osint + - google-intelligence + - reconnaissance + url: https://github.com/mxrch/GHunt + description: OSINT tool for Google accounts and services investigation + - uuid: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa + name: Sherlock + tags: + - osint + - username-intelligence + - social-media + url: https://github.com/sherlock-project/sherlock + description: Social media username OSINT investigation tool + - uuid: 66666666-6666-6666-6666-666666666666 + name: Maltego + tags: + - osint + - threat-intelligence + - visualization + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat + intelligence visualization + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.4 + iso27001-2022: + - 5.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Incident + Response/g7h8i9j0-k1l2-3456-ghij-789012345678 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Incident Recovery and 
Post-Incident Analysis: + uuid: i9j0k1l2-m3n4-5678-ijkl-901234567890 + description: | + Intelligence-driven recovery and analysis processes: + - Threat landscape analysis to identify ongoing risks and similar campaigns + - Attribution reporting with indicators for threat intelligence sharing + - Vulnerability assessment based on attack methods and exploitation techniques + - Industry threat briefings to warn of similar attacks against peer organizations + - Long-term monitoring for threat actor return or infrastructure reuse + - Integration of lessons learned into threat detection and prevention systems + risk: Recovery efforts without comprehensive threat analysis leave organizations + vulnerable to similar attacks and fail to contribute to community defense + through intelligence sharing. + measure: Implement recovery procedures to restore normal operations and conduct + post-incident analysis to identify lessons learned and implement improvements + to prevent similar incidents. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 4 + level: 3 + dependsOn: + - Incident Containment and Eradication + implementation: + - uuid: 66666666-6666-6666-6666-666666666666 + name: Maltego + tags: + - osint + - threat-intelligence + - visualization + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat + intelligence visualization + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.6 + - 16.1.7 + iso27001-2022: + - 5.29 + - 5.3 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Incident + Response/i9j0k1l2-m3n4-5678-ijkl-901234567890 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Incident Response Plan: + uuid: f6g7h8i9-j0k1-2345-fghi-678901234567 + description: | + Comprehensive incident response plan incorporating OSINT-driven intelligence gathering: + - Pre-defined incident classification matrix 
with response procedures + - OSINT collection protocols for threat actor attribution and campaign analysis + - Integration with threat intelligence platforms for context enrichment + - Communication templates for internal teams and external stakeholders + - Legal and regulatory compliance requirements for different incident types + - Evidence preservation procedures for digital forensics and legal proceedings + risk: Without a documented incident response plan that includes intelligence + gathering procedures, organizations respond reactively, miss attribution opportunities, + and fail to understand the broader threat landscape context. + measure: | + Develop comprehensive incident response documentation including: + - Playbooks for common incident types with OSINT collection steps + - Role-based access controls and escalation procedures + - Integration points with threat intelligence and OSINT tools + - Regular plan testing through tabletop exercises and simulations + - Post-incident review processes for continuous improvement + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 5 + level: 1 + implementation: + - uuid: 66666666-6666-6666-6666-666666666666 + name: Maltego + tags: + - osint + - threat-intelligence + - visualization + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat + intelligence visualization + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.1 + - 16.1.5 + iso27001-2022: + - 5.24 + - 5.28 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Incident + Response/f6g7h8i9-j0k1-2345-fghi-678901234567 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Incident Response Training and Testing: + uuid: j0k1l2m3-n4o5-6789-jklm-012345678901 + description: | + Comprehensive training program incorporating OSINT and threat intelligence: + - Hands-on OSINT training for incident responders 
and analysts + - Threat intelligence platform training for indicator enrichment and analysis + - Tabletop exercises based on real-world attack campaigns and threat actor TTPs + - Red team exercises incorporating current threat intelligence and attack methods + - Cross-functional training between security operations and threat intelligence teams + - Regular updates on emerging threats, tools, and investigation techniques + risk: Training programs that don't incorporate current threat intelligence and + OSINT capabilities leave teams unprepared for sophisticated attacks and limit + their ability to conduct effective threat attribution and campaign analysis. + measure: Conduct regular incident response training for team members and perform + tabletop exercises, simulations, and drills to test and improve incident response + procedures. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 3 + usefulness: 4 + level: 4 + dependsOn: + - Incident Response Plan + - Incident Recovery and Post-Incident Analysis + implementation: + - uuid: 66666666-6666-6666-6666-666666666666 + name: Maltego + tags: + - osint + - threat-intelligence + - visualization + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat + intelligence visualization + - uuid: 99999999-9999-9999-9999-999999999999 + name: GHunt + tags: + - osint + - google-intelligence + - reconnaissance + url: https://github.com/mxrch/GHunt + description: OSINT tool for Google accounts and services investigation + - uuid: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa + name: Sherlock + tags: + - osint + - username-intelligence + - social-media + url: https://github.com/sherlock-project/sherlock + description: Social media username OSINT investigation tool + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.1 + iso27001-2022: + - 5.24 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Incident + 
Response/j0k1l2m3-n4o5-6789-jklm-012345678901 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false Monitoring: Advanced app. metrics: uuid: d03bc410-74a7-4e92-82cb-d01a020cb6bf 
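Review bot: the activity UUIDs introduced in this hunk are not valid UUIDs and will not survive any UUID parsing. `e5f6g7h8-i9j0-1234-efgh-567890123456`, `b2c3d4e5-f6g7-8901-bcde-f23456789012`, `c3d4e5f6-g7h8-9012-cdef-345678901234`, `d4e5f6g7-h8i9-0123-defg-456789012345`, `f6g7h8i9-j0k1-2345-fghi-678901234567`, `g7h8i9j0-k1l2-3456-ghij-789012345678`, `h8i9j0k1-l2m3-4567-hijk-890123456789`, `i9j0k1l2-m3n4-5678-ijkl-901234567890` and `j0k1l2m3-n4o5-6789-jklm-012345678901` all contain letters outside the hex range a-f, and the same strings are baked into the `openCRE` links, so both the activities and their cross-references need regenerated values (as the existing `d03bc410-74a7-4e92-82cb-d01a020cb6bf` in the trailing context shows the expected form). The inline tool entries use filler UUIDs (`11111111-1111-1111-1111-111111111111` through `aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa`) that should likewise be replaced before merge. Two smaller points: in `Incident Recovery and Post-Incident Analysis` the `iso27001-2022` entries `5.29` and `5.3` do not follow the pairing used elsewhere in this patch (`16.1.6` goes with `5.27` in the Consolidation hunks, `16.1.5` with `5.28` in `Incident Containment and Eradication`), so check those two against the intended controls; and GHunt and Sherlock, which investigate individual accounts and usernames, are listed as implementations of `Incident Detection and Classification` without any statement of when profiling a person is an appropriate detection step, which a maturity model should spell out or leave to the training activity.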
@@ -5811,6 +6484,76 @@ Test and Verification: Default: false B: false C: false + Artifact-based false positive treatment: + uuid: 8f2b4d5a-3c1e-4b7a-9d8f-2e6c4a1b5d7f + risk: Without artifact-specific false positive handling, teams must repeatedly + triage the same findings across different versions or deployments of the same + component, leading to inefficient use of security resources. + measure: "Implement false positive marking and temporary acceptance of findings + \nbased on specific artifacts (applications, components, or repositories).\nThis + allows teams to suppress findings for specific versions or builds\nwhile maintaining + visibility for future releases." + description: |- + Artifact-based false positive treatment enables more granular control + over finding suppression by linking decisions to specific code artifacts, + container images, or application versions. This approach helps maintain + security oversight while reducing repeated analysis overhead. + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 3 + level: 2 + dependsOn: + - Simple false positive treatment + implementation: + - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb + name: OWASP DefectDojo + tags: + - vulnerability management system + - owasp + url: https://github.com/DefectDojo/django-DefectDojo + description: | + DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. + - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 + name: Purify + tags: + - vulnerability management system + url: https://github.com/faloker/purify/ + description: | + The goal of Purify to be an easy-in-use and efficient tool to simplify a workflow of managing vulnerabilities delivered from various (even custom) tools. 
+ - uuid: 500399bd-7dfc-47fd-99d8-b55cefb760a9 + name: Dependency-Track is an intelligent Component Analysis platform that + allows organizations to identify and reduce risk in the software supply + chain. Dependency-Track takes a unique and highly beneficial approach by + leveraging the capabilities of Software Bill of Materials (SBOM). + url: https://github.com/DependencyTrack/dependency-track + tags: + - sca + - inventory + - OpenSource + - Supply Chain + - vulnerability + - inventory + references: + samm2: + - I-DM-2-A + - I-DM-2-B + iso27001-2017: + - 16.1.4 + - 16.1.6 + iso27001-2022: + - 5.25 + - 5.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/8f2b4d5a-3c1e-4b7a-9d8f-2e6c4a1b5d7f + tags: + - false-positive + - defect-management + teamsImplemented: + Default: false + B: false + C: false Fix based on accessibility: uuid: 0c10a7f7-f78f-49f2-943d-19fdef248fed risk: Overwhelming volume of security findings from automated testing tools. 
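Review bot: the Dependency-Track entry at the end of this hunk has its description pasted into `name:` (`name: Dependency-Track is an intelligent Component Analysis platform that ...`) and has no `description:` key, so the tool would be rendered with a whole paragraph as its name; split it into `name: Dependency-Track` plus a `description: |` block as the two entries above it do, and drop the duplicated `- inventory` tag. Separately, `measure:` is a double-quoted scalar with embedded `\n` escapes (`... temporary acceptance of findings \nbased on specific artifacts ...`), which puts hard line breaks and doubled spaces in the middle of sentences in the rendered text; use the `|-` or `>-` block style that `description:` in the same activity already uses.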
@@ -5855,6 +6598,51 @@ Test and Verification: Default: false B: false C: false + Global false positive treatment: + uuid: 9e3a7c2f-1b4d-4e8a-a5c6-7f2b9d1e3a8c + risk: Without centralized false positive management across environments, organizations + face inconsistent security decisions, duplicated analysis efforts, and potential + security gaps when the same findings are handled differently across applications + and teams. + measure: "Implement global false positive and acceptance management that applies + \nconsistently across all applications. This enables organization-wide security + decisions and reduces redundant \nanalysis of common false positives." + description: "Global false positive treatment allows (security) teams to make + \norganization-wide decisions about specific vulnerabilities or finding \npatterns. + When a finding is marked as a false positive or temporarily \naccepted at + the global level, this decision automatically applies to \nall applications + in the specified environment, ensuring consistency \nand operational efficiency." + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 4 + level: 3 + dependsOn: + - Artifact-based false positive treatment + - Usage of a vulnerability management system + implementation: ~ + references: + samm2: + - I-DM-2-B + - I-DM-3-A + iso27001-2017: + - 16.1.3 + - 16.1.4 + - 16.1.6 + iso27001-2022: + - 6.8 + - 5.25 + - 5.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Consolidation/9e3a7c2f-1b4d-4e8a-a5c6-7f2b9d1e3a8c + tags: + - false-positive + - defect-management + teamsImplemented: + Default: false + B: false + C: false Integration in development process: uuid: aaffa73f-59f6-4267-b0ab-732f3d13e90d risk: "Not integrating vulnerability handling into the development process may 
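Review bot: same `\n`-inside-double-quotes problem as the previous hunk, here in both `measure:` and `description:` (`... specific vulnerabilities or finding \npatterns. When a finding is marked ...`), yielding stray line breaks; switch both to `>-`. The dependency chain itself is consistent (level 3 depending on `Artifact-based false positive treatment` at level 2 and on `Usage of a vulnerability management system`). One thing worth adding to `measure:` given the stated scope: a finding "temporarily accepted at the global level" applies to every application in the environment, so the measure should require an expiry or review date on each global acceptance, otherwise the broadest suppression is the one most likely to outlive its justification.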
@@ -6045,10 +6833,14 @@ Test and Verification: usefulness: 4 level: 1 implementation: - - uuid: bb9d0f2d-f8bc-46b5-bbc7-7dbcf927191c - name: OWASP Defect Dojo - tags: [] + - uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb + name: OWASP DefectDojo + tags: + - vulnerability management system + - owasp url: https://github.com/DefectDojo/django-DefectDojo + description: | + DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. - uuid: d2eb592d-c9b5-4c39-bff7-bb313a58e3a9 name: Purify tags: 
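Review bot: this hunk changes the identity of the DefectDojo implementation, not just its name and tags (`- uuid: bb9d0f2d-f8bc-46b5-bbc7-7dbcf927191c` becomes `+ uuid: 227d786c-dd76-4b81-b0b2-62389ab8f0fb`). Since this is `generated.yaml`, the change should come from regenerating the file after editing `implementations.yaml` rather than from a hand edit, and the old UUID should be searched for in the remaining activities and in any persisted team or assessment data so that nothing still references `bb9d0f2d-f8bc-46b5-bbc7-7dbcf927191c` after the merge.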
@@ -8183,11 +8975,52 @@ Test and Verification: Default: false B: false C: false - Test for stored secrets: + Test for stored secrets in build artifacts: + uuid: d5e6303c-d5c6-4d59-b258-a3b9de38a07f + risk: Stored secrets in container images or other build artifacts shouldn't + exists because they might be exposed to unauthorized parties. + measure: Test for secrets in container images and other artifacts + difficultyOfImplementation: + knowledge: 2 + time: 1 + resources: 2 + usefulness: 2 + level: 1 + implementation: + - uuid: d90fefc9-4e5d-420f-ac87-eeb165bf0ee6 + name: truffleHog + tags: [] + url: https://github.com/dxa4481/truffleHog + - uuid: 382873e2-8604-4410-ae5e-b0f5ccdee835 + name: go-pillage-registries + tags: [] + url: https://github.com/nccgroup/go-pillage-registries + references: + samm2: + - V-ST-1-A + iso27001-2017: + - vcs usage is not explicitly covered by ISO 27001 - too specific + - 9.4.3 + - 10.1.2 + iso27001-2022: + - vcs usage is not explicitly covered by ISO 27001 - too specific + - 5.17 + - 8.24 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Static + depth for infrastructure/d5e6303c-d5c6-4d59-b258-a3b9de38a07f + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Test for stored secrets in code: uuid: c6e3c812-56e2-41b0-ae01-b7afc41a004c - risk: Stored secrets in git history, in container images or directly in code - shouldn't exists because they might be exposed to unauthorized parties. - measure: Test for secrets in code, container images and history + risk: Stored secrets in git history or directly in code shouldn't exists because + they might be exposed to unauthorized parties. + measure: Test for secrets in code and git history difficultyOfImplementation: knowledge: 2 time: 1 From 85dd9457701fa68aa2cebdeb643e3f1d77b9abea Mon Sep 17 00:00:00 2001 
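Review bot: splitting `Test for stored secrets` is the right call (the code variant keeps `c6e3c812-56e2-41b0-ae01-b7afc41a004c`, so existing assessment state stays valid, while build artifacts get the new `d5e6303c-d5c6-4d59-b258-a3b9de38a07f`), but the new activity copies references that no longer fit it: `- vcs usage is not explicitly covered by ISO 27001 - too specific` appears under both `iso27001-2017` and `iso27001-2022` even though the activity's `measure:` is about container images and other artifacts, not version control, so that line belongs only in the `in code` activity. Both new `risk:` texts also carry the pre-existing typo `shouldn't exists` (should be `shouldn't exist`), and the two tool entries use `tags: []` whereas every other implementation in this patch is tagged; give them tags consistent with the rest of the file.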
From: rezaduty Date: Sun, 10 Aug 2025 23:06:36 +0200 Subject: [PATCH 2/3] fix uuid --- .../default/TestAndVerification/Consolidation.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/assets/YAML/default/TestAndVerification/Consolidation.yaml b/src/assets/YAML/default/TestAndVerification/Consolidation.yaml index ef71495..6c3a773 100755 --- a/src/assets/YAML/default/TestAndVerification/Consolidation.yaml +++ b/src/assets/YAML/default/TestAndVerification/Consolidation.yaml @@ -21,8 +21,8 @@ Test and Verification: - The number of network hops required to reach the asset (recommended) - Authentication requirements for access (recommended) dependsOn: - - Treatment of defects with severity high or higher - - Inventory of production components + - 44f2c8a9-4aaa-4c72-942d-63f78b89f385 + - 2a44b708-734f-4463-b0cb-86dc46344b2f implementation: references: samm2: @@ -195,7 +195,7 @@ Test and Verification: usefulness: 3 level: 2 dependsOn: - - Simple false positive treatment + - c1acc8af-312e-4503-a817-a26220c993a0 implementation: - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-defectdojo - $ref: src/assets/YAML/default/implementations.yaml#/implementations/purify @@ -339,8 +339,8 @@ Test and Verification: usefulness: 4 level: 3 dependsOn: - - Artifact-based false positive treatment - - Usage of a vulnerability management system + - 8f2b4d5a-3c1e-4b7a-9d8f-2e6c4a1b5d7f + - 85ba5623-84be-4219-8892-808837be582d implementation: references: samm2: From d14f2742e897e719ed96c011c2751ebf1a717cc4 Mon Sep 17 00:00:00 2001 
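Review bot: this patch moves `dependsOn` in Consolidation.yaml from activity names to UUIDs (`- - Simple false positive treatment` becomes `+ - c1acc8af-312e-4503-a817-a26220c993a0`, and likewise for the other two hunks), which is the opposite of what the first commit's message states ("Update dependency references to use descriptive names instead of UUIDs") and of the name-based `dependsOn` lists the first commit added to Logging.yaml and generated.yaml. Pick the one form the generator resolves and apply it across all three files; and confirm that `44f2c8a9-4aaa-4c72-942d-63f78b89f385`, `2a44b708-734f-4463-b0cb-86dc46344b2f`, `c1acc8af-312e-4503-a817-a26220c993a0` and `85ba5623-84be-4219-8892-808837be582d` resolve to exactly the activities whose names they replace, since a mistyped UUID is much harder to catch in review than a mistyped name. The subject line "fix uuid" should also say which references were changed and why.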
From: rezaduty Date: Mon, 11 Aug 2025 11:28:51 +0200 Subject: [PATCH 3/3] own activity in dimensions --- .../default/InformationGathering/Logging.yaml | 316 ++++------ .../InformationGathering/Monitoring.yaml | 96 +++ .../default/InformationGathering/TestKPI.yaml | 96 ++- .../TestAndVerification/Consolidation.yaml | 6 +- src/assets/YAML/generated/generated.yaml | 588 ++++++++---------- 5 files changed, 571 insertions(+), 531 deletions(-) diff --git a/src/assets/YAML/default/InformationGathering/Logging.yaml b/src/assets/YAML/default/InformationGathering/Logging.yaml index 7a62579..af883f6 100755 --- a/src/assets/YAML/default/InformationGathering/Logging.yaml +++ b/src/assets/YAML/default/InformationGathering/Logging.yaml 
@@ -196,77 +196,63 @@ Information Gathering: evidence: "" comments: "" Threat Intelligence: - Threat Intelligence Collection: + Basic OSINT Collection Integration: uuid: a1b2c3d4-e5f6-7890-abcd-ef1234567890 - description: | - Systematic collection of threat intelligence from diverse sources including: - - OSINT platforms (Shodan, VirusTotal, URLScan.io, PublicWWW) - - Dark web monitoring (leak databases, underground forums) - - Social media intelligence (Twitter/X, Telegram, Discord) - - Technical indicators (DNS, certificates, IP reputation) - - Vulnerability databases (CVE, NVD, exploit-db) - - Government and industry threat reports - risk: Without systematic threat intelligence collection, organizations cannot proactively identify emerging threats, ongoing campaigns, or indicators of compromise targeting their industry sector or technology stack. - measure: | - Implement automated and manual collection processes using: - - OSINT tools for reconnaissance detection (domain monitoring, certificate transparency) - - Social media monitoring for brand mentions and threat actor discussions - - Dark web monitoring for leaked credentials and company mentions - - Threat feed aggregation from commercial and open sources - - Regular assessment of attack surface exposure via search engines + risk: >- + Development teams lack external threat context about technologies and dependencies they use, + leading to uninformed security decisions and reactive incident response. + measure: >- + Integrate basic OSINT collection into development workflows using automated tools + to gather threat intelligence about used technologies, domains, and dependencies. + Implement simple API calls to threat intelligence sources during CI/CD processes. + description: >- + Basic threat intelligence collection using API calls to public sources like VirusTotal, Shodan. 
+ Example: `curl -H "API-Key: $VT_KEY" https://www.virustotal.com/vtapi/v2/domain/report?domain=$DOMAIN` + Automated checks during deployment for known malicious domains or IPs in configuration. difficultyOfImplementation: - knowledge: 3 + knowledge: 2 time: 2 resources: 2 usefulness: 4 - level: 2 - dependsOn: - - Logging of security events + level: 1 + dependsOn: [] implementation: - - $ref: src/assets/YAML/default/implementations.yaml#/implementations/shodan - $ref: src/assets/YAML/default/implementations.yaml#/implementations/virustotal + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/shodan - $ref: src/assets/YAML/default/implementations.yaml#/implementations/urlscan-io - $ref: src/assets/YAML/default/implementations.yaml#/implementations/censys - $ref: src/assets/YAML/default/implementations.yaml#/implementations/theharvester references: samm2: - - O-IM-2-A + - O-IM-1-A iso27001-2017: - 16.1.2 - - 16.1.3 iso27001-2022: - 5.25 - - 5.26 isImplemented: false evidence: "" comments: "" - Threat Intelligence Analysis: + Automated Threat Intelligence Pipeline: uuid: b2c3d4e5-f6g7-8901-bcde-f23456789012 - description: | - Analysis and contextualization of collected intelligence data including: - - Indicator enrichment and validation using multiple sources - - Attribution analysis linking threats to known actor groups - - Campaign tracking across multiple attack vectors - - Threat landscape assessment for organizational risk - - False positive reduction through cross-referencing - - Timeline analysis of threat actor activities - risk: Raw threat intelligence without proper analysis leads to alert fatigue, missed critical threats, and inability to prioritize security responses effectively. 
- measure: | - Establish analytical workflows that include: - - Multi-source indicator verification and scoring - - Threat actor profiling and campaign attribution - - Industry-specific threat landscape analysis - - Integration with internal security events for correlation - - Regular threat briefings for stakeholders with actionable recommendations + risk: >- + Manual threat intelligence processes cannot scale with development velocity, + resulting in delayed threat awareness and inadequate security posture. + measure: >- + Deploy automated threat intelligence pipeline integrated with development tools + to continuously monitor threat landscape and automatically enrich security data + used by development and operations teams. + description: >- + Automated OSINT collection system with scheduled jobs querying multiple threat sources. + Integration with CI/CD pipelines for dependency threat scoring. + Command: `python3 osint_collector.py --sources shodan,virustotal --format stix --output /var/log/threats/` difficultyOfImplementation: - knowledge: 4 + knowledge: 3 time: 3 - resources: 3 + resources: 2 usefulness: 4 - level: 3 + level: 2 dependsOn: - - Threat Intelligence Collection - - Correlation of security events + - a1b2c3d4-e5f6-7890-abcd-ef1234567890 # Basic OSINT Collection Integration implementation: - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego - $ref: src/assets/YAML/default/implementations.yaml#/implementations/spiderfoot 
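Review bot: the VirusTotal example in the new `description` (`curl -H "API-Key: $VT_KEY" https://www.virustotal.com/vtapi/v2/domain/report?domain=$DOMAIN`) will not authenticate as written: the v2 endpoint it targets takes the key as an `apikey=` query parameter, and the current v3 API uses an `x-apikey` header, so an `API-Key` header matches neither; the URL should also be quoted so the shell does not apply filename expansion to `?`. In the second entry, `Command: python3 osint_collector.py --sources shodan,virustotal --format stix --output /var/log/threats/` names a script that is neither in that entry's `implementation` list (only maltego and spiderfoot) nor anywhere else in this PR, so a reader cannot follow the example; add an implementation reference or describe the step without naming a tool that does not exist in the model. Finally, that entry's `uuid: b2c3d4e5-f6g7-8901-bcde-f23456789012` contains `g`, which is not a hex digit; since this PR switches `dependsOn` to UUID references, a non-conforming value will fail any format check on the reference target, and the same pattern recurs in the remaining Threat Intelligence and Incident Response entries.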
@@ -281,24 +267,19 @@ Information Gathering: isImplemented: false evidence: "" comments: "" - Threat Intelligence Integration: + Advanced Threat Intelligence Platform: uuid: c3d4e5f6-g7h8-9012-cdef-345678901234 - description: | - Tactical integration of threat intelligence into security infrastructure: - - SIEM rule creation based on IOCs and behavioral patterns - - Automated blocking of malicious IPs, domains, and file hashes - - DNS sinkholing for known malicious domains - - Email security enhancement with threat indicators - - Endpoint detection rules based on YARA signatures - - Network monitoring alerts for suspicious communications - risk: Threat intelligence that remains isolated from security controls provides no operational value and allows known threats to successfully compromise systems. - measure: | - Deploy automated integration mechanisms: - - STIX/TAXII feeds integrated into security tools - - Custom APIs for threat intelligence platform integration - - Automated IOC blocking across network and endpoint security - - Regular validation of integrated indicators for effectiveness - - Threat hunting queries based on intelligence analysis + risk: >- + Isolated threat intelligence leads to fragmented security decision-making + across development teams and reduces organizational threat detection capabilities. + measure: >- + Implement centralized threat intelligence platform with automated enrichment, + correlation, and distribution capabilities integrated into all DevSecOps processes + and development team workflows. + description: >- + Enterprise threat intelligence platform with MISP integration, automated YARA generation, + MITRE ATT&CK mapping, and API integration with development tools. + Command: `misp-modules -l 0.0.0.0 -s --enrichment` for automated threat enrichment. difficultyOfImplementation: knowledge: 4 time: 4 
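Review bot: `misp-modules -l 0.0.0.0 -s --enrichment` in the new `description` binds the misp-modules HTTP service to every interface; misp-modules performs no authentication of its own and is meant to be reached only by the MISP instance, so a copy-paste example should use the loopback default or an internal address rather than `0.0.0.0`. Please also confirm `--enrichment` against the current misp-modules command line before shipping it as a documented command. This entry's `uuid: c3d4e5f6-g7h8-9012-cdef-345678901234` is not a valid UUID (`g` and `h` are not hex), which now matters because the next hunk uses it as a `dependsOn` target.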
@@ -306,56 +287,48 @@ Information Gathering: usefulness: 5 level: 3 dependsOn: - - Threat Intelligence Analysis - - Centralized application logging - - Centralized system logging + - b2c3d4e5-f6g7-8901-bcde-f23456789012 # Automated Threat Intelligence Pipeline implementation: - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego - $ref: src/assets/YAML/default/implementations.yaml#/implementations/spiderfoot references: samm2: - O-IM-2-A + - O-IM-3-A iso27001-2017: - - 13.1.1 - 16.1.2 iso27001-2022: - - 8.22 - 5.25 isImplemented: false evidence: "" comments: "" - Threat Intelligence Sharing: + DevSecOps Threat Intelligence Integration: uuid: d4e5f6g7-h8i9-0123-defg-456789012345 - description: | - Strategic participation in threat intelligence ecosystems including: - - Industry-specific threat sharing groups (FS-ISAC, H-ISAC) - - Government programs (US-CERT, NCSC, national CERTs) - - Commercial threat intelligence platforms - - Open source intelligence communities - - Vendor security communities and user groups - - Regional cybersecurity alliances - risk: Isolation from threat intelligence sharing communities results in delayed threat awareness, reduced collective defense capabilities, and missed opportunities for early warning of targeted campaigns. - measure: | - Establish formal sharing relationships through: - - Membership in relevant industry sharing organizations - - Bilateral threat intelligence sharing agreements - - Automated sharing via STIX/TAXII protocols - - Regular participation in threat briefings and working groups - - Sanitized indicator sharing while protecting sensitive sources + risk: >- + Threat intelligence isolated from development processes fails to inform + secure coding practices and technology selection decisions in DevSecOps workflows. 
+ measure: >- + Integrate threat intelligence directly into development pipelines to inform + dependency selection, security testing priorities, and deployment decisions + based on current threat landscape. + description: >- + CI/CD pipeline integration with threat intelligence APIs for dependency threat scoring, + automated vulnerability prioritization based on active campaigns, + and security gate decisions informed by current IOCs. + Command: `curl -X POST /api/threat-score -d '{"dependencies": ["library@1.0.0"]}'` difficultyOfImplementation: - knowledge: 3 - time: 2 - resources: 2 - usefulness: 3 + knowledge: 4 + time: 3 + resources: 3 + usefulness: 4 level: 4 dependsOn: - - Threat Intelligence Analysis + - c3d4e5f6-g7h8-9012-cdef-345678901234 # Advanced Threat Intelligence Platform implementation: - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego - - $ref: src/assets/YAML/default/implementations.yaml#/implementations/publicwww references: samm2: - - O-IM-2-A + - O-IM-3-A iso27001-2017: - 16.1.2 - 16.1.3 
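Review bot: the `dependsOn` entry `- b2c3d4e5-f6g7-8901-bcde-f23456789012 # Automated Threat Intelligence Pipeline` references a value that is not a valid UUID, and this hunk's own `uuid: d4e5f6g7-h8i9-0123-defg-456789012345` has the same defect; if the model validates references both entries will fail, and if it does not, a typo in one of these hand-written values silently becomes a dangling dependency, so please regenerate them with a real UUID generator. In the `DevSecOps Threat Intelligence Integration` description, `curl -X POST /api/threat-score -d '{"dependencies": ["library@1.0.0"]}'` has no host in the URL and posts JSON without a `Content-Type: application/json` header, and nothing in the PR says which service exposes `/api/threat-score` (the `implementation` list keeps only maltego); either name the service or mark the endpoint as a placeholder.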
@@ -365,34 +338,27 @@ Information Gathering: isImplemented: false evidence: "" comments: "" - Automated Threat Intelligence: + Community Threat Intelligence Sharing: uuid: e5f6g7h8-i9j0-1234-efgh-567890123456 - description: | - Advanced automation of threat intelligence operations including: - - Automated OSINT collection from multiple sources simultaneously - - Machine learning-based threat classification and scoring - - Dynamic IOC generation from malware analysis sandboxes - - Automated attribution analysis using behavior clustering - - Real-time threat landscape monitoring and alerting - - Intelligent threat hunting based on predictive analytics - risk: Manual threat intelligence processes create operational bottlenecks, introduce human error, and cannot scale to address the volume of modern threat data, resulting in delayed threat detection and response. - measure: | - Deploy enterprise threat intelligence platforms with: - - Multi-source automated data collection and normalization - - Machine learning algorithms for threat pattern recognition - - Automated indicator extraction and validation workflows - - Integration with SOAR platforms for response automation - - Predictive threat modeling based on historical attack patterns - - Automated reporting and briefing generation for stakeholders + risk: >- + Isolated threat intelligence limits organizational defensive capabilities + and prevents contribution to broader cybersecurity community resilience. + measure: >- + Establish automated threat intelligence sharing with trusted partners, + industry groups, and security communities using standardized formats + integrated with development security workflows. + description: >- + STIX/TAXII implementation for automated threat sharing, bidirectional intelligence exchange, + and community-driven threat validation within DevSecOps pipeline. 
+ Command: `taxii2-client --collection-url https://community.misp-project.org/taxii2/ --poll` difficultyOfImplementation: - knowledge: 5 - time: 4 - resources: 4 - usefulness: 5 + knowledge: 4 + time: 3 + resources: 3 + usefulness: 3 level: 5 dependsOn: - - Threat Intelligence Integration - - Correlation of security events + - d4e5f6g7-h8i9-0123-defg-456789012345 # DevSecOps Threat Intelligence Integration implementation: - $ref: src/assets/YAML/default/implementations.yaml#/implementations/spiderfoot - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego 
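Review bot: `taxii2-client --collection-url https://community.misp-project.org/taxii2/ --poll` is presented as a runnable command, but the `taxii2-client` I know of is the OASIS Python library, used from Python code rather than as a CLI with `--collection-url` and `--poll` flags, and the PR does not document the collection URL it polls; please replace this with a verified invocation or describe the exchange in prose. The ratings also deserve a second look: this level-5 activity is scored `usefulness: 3`, lower than every other Threat Intelligence entry in the file (4, 4, 5, 4), which is odd for the top activity of the dimension. Its `uuid: e5f6g7h8-i9j0-1234-efgh-567890123456` and the `dependsOn` value `d4e5f6g7-h8i9-0123-defg-456789012345` are again not valid hex UUIDs.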
@@ -407,24 +373,18 @@ Information Gathering: evidence: "" comments: "" Incident Response: - Incident Response Plan: + OSINT-Enhanced IR Documentation: uuid: f6g7h8i9-j0k1-2345-fghi-678901234567 description: | - Comprehensive incident response plan incorporating OSINT-driven intelligence gathering: - - Pre-defined incident classification matrix with response procedures - - OSINT collection protocols for threat actor attribution and campaign analysis - - Integration with threat intelligence platforms for context enrichment - - Communication templates for internal teams and external stakeholders - - Legal and regulatory compliance requirements for different incident types - - Evidence preservation procedures for digital forensics and legal proceedings - risk: Without a documented incident response plan that includes intelligence gathering procedures, organizations respond reactively, miss attribution opportunities, and fail to understand the broader threat landscape context. + Structured IR documentation with technical procedures: domain analysis via + `dig +trace $domain`, IP geolocation using `curl ipinfo.io/$ip`, + and automated evidence collection scripts with legal compliance frameworks. + risk: Without documented incident response procedures that include intelligence gathering, organizations respond reactively and miss critical attribution opportunities. measure: | - Develop comprehensive incident response documentation including: - - Playbooks for common incident types with OSINT collection steps - - Role-based access controls and escalation procedures - - Integration points with threat intelligence and OSINT tools - - Regular plan testing through tabletop exercises and simulations - - Post-incident review processes for continuous improvement + Create technical IR documentation with OSINT collection procedures, + automated evidence preservation scripts, + legal compliance checklists for evidence handling, + and structured templates for threat actor attribution. 
difficultyOfImplementation: knowledge: 3 time: 3 
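Review bot: the IR `description` recommends live lookups on indicators from an active incident (`dig +trace $domain`, `curl ipinfo.io/$ip`) and should say what that implies: `dig +trace` ends at the authoritative nameservers of the suspect domain, which may be operated by the adversary and will log the query, and `curl ipinfo.io/$ip` discloses the IP under investigation to a third party. IR procedures normally start triage from passive sources (passive DNS, a local GeoIP database) and make active queries a deliberate decision; one sentence to that effect belongs next to these commands. Separately, the removed `description` covered an incident classification matrix, communication templates and evidence-preservation procedures, while the replacement keeps tooling plus the vague phrase "legal compliance frameworks"; the classification and communication elements should survive in `measure`, otherwise the entry documents commands rather than a plan.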
@@ -445,34 +405,24 @@ Information Gathering: isImplemented: false evidence: "" comments: "" - Incident Detection and Classification: + Real-time Threat Enrichment: uuid: g7h8i9j0-k1l2-3456-ghij-789012345678 description: | - Advanced incident detection enhanced with OSINT capabilities: - - Multi-source indicator correlation from internal logs and external intelligence - - Automated enrichment of security alerts with threat context - - Social media monitoring for brand mentions and potential targeting - - Dark web monitoring for organization-specific threats and leaked data - - Threat actor tracking to identify campaign patterns and attribution - - Geolocation analysis of attack sources and infrastructure - risk: Basic incident detection without external intelligence context results in missed sophisticated attacks, delayed attribution, and inability to understand attack campaigns targeting the organization. + Live SIEM enrichment with external threat feeds: Splunk lookup + `| lookup threat_intel domain as query_domain OUTPUT confidence score` + for real-time IOC validation and automated alert prioritization. + risk: Incidents detected without external threat context result in delayed response and missed attribution of sophisticated attack campaigns. measure: | - Deploy enhanced detection capabilities with: - - SIEM integration with multiple threat intelligence feeds - - Automated OSINT enrichment of security alerts and indicators - - Social media and dark web monitoring for early threat detection - - Machine learning algorithms for anomaly detection and pattern recognition - - Threat hunting programs guided by external intelligence and industry reports + Deploy SIEM enrichment with real-time threat intelligence APIs, + automated IOC validation against multiple sources, + confidence scoring for threat indicators, + and contextual alert enhancement with threat actor profiles. 
difficultyOfImplementation: knowledge: 4 time: 3 resources: 3 usefulness: 5 level: 2 - dependsOn: - - Incident Response Plan - - Correlation of security events - - Alerting implementation: - $ref: src/assets/YAML/default/implementations.yaml#/implementations/ghunt - $ref: src/assets/YAML/default/implementations.yaml#/implementations/sherlock 
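Review bot: the Splunk snippet `| lookup threat_intel domain as query_domain OUTPUT confidence score` is ambiguous: the `lookup` command expects a comma-separated output list (`OUTPUT confidence, score`) or a rename (`OUTPUT confidence AS score`), and `threat_intel` is a lookup definition that nothing in this PR defines, so state the intended field mapping and where the lookup table comes from. The hunk also deletes the whole `dependsOn` block (`Incident Response Plan`, `Correlation of security events`, `Alerting`) instead of converting it to UUID references as the other hunks do; `Correlation of security events` and `Alerting` are existing activities this enrichment genuinely needs, since there is nothing to enrich without alerts, so please restore them as UUID references. `uuid: g7h8i9j0-k1l2-3456-ghij-789012345678` is not valid hex.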
@@ -487,27 +437,24 @@ Information Gathering: isImplemented: false evidence: "" comments: "" - Incident Containment and Eradication: + Infrastructure Mapping and Takedown: uuid: h8i9j0k1-l2m3-4567-hijk-890123456789 description: | - OSINT-enhanced containment and eradication procedures: - - Threat infrastructure mapping using passive DNS and certificate analysis - - Attack campaign tracking to identify additional compromised systems - - IOC generation and sharing for community defense - - Attribution analysis to understand threat actor methods and motivations - - Infrastructure takedown coordination with hosting providers and registrars - - Real-time threat landscape monitoring during incident response + Passive DNS analysis: `dig +short -x $ip` for reverse lookups, + certificate transparency monitoring via crt.sh API, + automated hosting provider coordination for infrastructure takedown. risk: Containment efforts without external intelligence context may miss related infrastructure, fail to prevent reinfection, and allow threat actors to continue operations against other targets. - measure: Establish procedures to contain security incidents, eliminate the root cause, and remove malicious artifacts while preserving evidence for investigation. + measure: + Deploy OSINT-enhanced containment with threat infrastructure mapping, + attack campaign tracking via shared IOCs, + automated takedown coordination scripts, + and evidence preservation workflows. difficultyOfImplementation: knowledge: 4 time: 4 resources: 3 usefulness: 5 level: 3 - dependsOn: - - Incident Detection and Classification - - Threat Intelligence Integration implementation: - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego - $ref: src/assets/YAML/default/implementations.yaml#/implementations/spiderfoot 
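Review bot: `Passive DNS analysis: dig +short -x $ip` is mislabeled: a reverse `dig` is a live query for the current PTR record, whereas passive DNS means historical resolution data collected by sensors (the crt.sh lookup mentioned beside it is the passive kind), and the distinction matters during containment because live queries can tip off whoever operates the infrastructure. The `measure` is now a plain scalar spread over four lines; YAML folds that into one string, but every other multi-line field in the file uses `|` or `>-`, so use `>-` here for consistency. As in the previous hunk, `dependsOn` (`Incident Detection and Classification`, `Threat Intelligence Integration`) is deleted rather than mapped to the renamed activities' UUIDs, and `uuid: h8i9j0k1-l2m3-4567-hijk-890123456789` is not valid hex.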
@@ -521,26 +468,24 @@ Information Gathering: isImplemented: false evidence: "" comments: "" - Incident Recovery and Post-Incident Analysis: + Attribution Analysis and IOC Sharing: uuid: i9j0k1l2-m3n4-5678-ijkl-901234567890 description: | - Intelligence-driven recovery and analysis processes: - - Threat landscape analysis to identify ongoing risks and similar campaigns - - Attribution reporting with indicators for threat intelligence sharing - - Vulnerability assessment based on attack methods and exploitation techniques - - Industry threat briefings to warn of similar attacks against peer organizations - - Long-term monitoring for threat actor return or infrastructure reuse - - Integration of lessons learned into threat detection and prevention systems + Threat landscape analysis with MITRE ATT&CK mapping: `attack-navigator --layer techniques.json` + for TTP visualization, automated attribution reporting via REST APIs, + and vulnerability assessment integration with attack vector analysis. risk: Recovery efforts without comprehensive threat analysis leave organizations vulnerable to similar attacks and fail to contribute to community defense through intelligence sharing. - measure: Implement recovery procedures to restore normal operations and conduct post-incident analysis to identify lessons learned and implement improvements to prevent similar incidents. + measure: + Deploy recovery workflows with threat landscape analysis tools, + attribution reporting with IOC generation for community sharing, + vulnerability assessment based on attack TTPs, + and long-term threat actor monitoring. difficultyOfImplementation: knowledge: 3 time: 3 resources: 2 usefulness: 4 level: 3 - dependsOn: - - Incident Containment and Eradication implementation: - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego references: 
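Review bot: `attack-navigator --layer techniques.json` presents ATT&CK Navigator as a command-line tool; as far as I know Navigator is a browser application that loads layer JSON through its UI or from a URL, so either verify this command or rewrite the step as "load the layer file in ATT&CK Navigator". Same two structural issues as the previous hunk: `measure:` as a plain multi-line scalar where the file otherwise uses block scalars, and `dependsOn` (`Incident Containment and Eradication`) removed instead of converted to the UUID of the renamed activity; `uuid: i9j0k1l2-m3n4-5678-ijkl-901234567890` is not valid hex.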
@@ -555,27 +500,24 @@ Information Gathering: isImplemented: false evidence: "" comments: "" - Incident Response Training and Testing: + Tactical OSINT Training Program: uuid: j0k1l2m3-n4o5-6789-jklm-012345678901 description: | - Comprehensive training program incorporating OSINT and threat intelligence: - - Hands-on OSINT training for incident responders and analysts - - Threat intelligence platform training for indicator enrichment and analysis - - Tabletop exercises based on real-world attack campaigns and threat actor TTPs - - Red team exercises incorporating current threat intelligence and attack methods - - Cross-functional training between security operations and threat intelligence teams - - Regular updates on emerging threats, tools, and investigation techniques - risk: Training programs that don't incorporate current threat intelligence and OSINT capabilities leave teams unprepared for sophisticated attacks and limit their ability to conduct effective threat attribution and campaign analysis. - measure: Conduct regular incident response training for team members and perform tabletop exercises, simulations, and drills to test and improve incident response procedures. + Skills-based OSINT training: `recon-ng -w domain_enum -m recon/domains-hosts/brute_hosts` + for reconnaissance techniques, threat hunt simulation exercises, + and cross-team collaboration workshops with scenario-based learning. + risk: Teams without current OSINT skills cannot effectively investigate incidents, conduct threat attribution, or leverage external intelligence for proactive defense. + measure: + Conduct technical OSINT training with hands-on tool usage, + threat hunting simulation exercises, + incident response tabletop scenarios, + and skills assessment with certification tracking. 
difficultyOfImplementation: knowledge: 3 time: 3 resources: 3 usefulness: 4 level: 4 - dependsOn: - - Incident Response Plan - - Incident Recovery and Post-Incident Analysis implementation: - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego - $ref: src/assets/YAML/default/implementations.yaml#/implementations/ghunt diff --git a/src/assets/YAML/default/InformationGathering/Monitoring.yaml b/src/assets/YAML/default/InformationGathering/Monitoring.yaml index 510ef8f..a2bd081 100755 --- a/src/assets/YAML/default/InformationGathering/Monitoring.yaml +++ b/src/assets/YAML/default/InformationGathering/Monitoring.yaml 
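Review bot: `recon-ng -w domain_enum -m recon/domains-hosts/brute_hosts` mixes two binaries: in recon-ng 5 the interactive `recon-ng` launcher accepts `-w`, while `-m <module>` is an option of `recon-cli`; please verify the line on a current install before it ships as training material. The `measure` is again a plain multi-line scalar rather than a `>-` block, `dependsOn` (`Incident Response Plan`, `Incident Recovery and Post-Incident Analysis`) is dropped rather than converted to UUID references, and `uuid: j0k1l2m3-n4o5-6789-jklm-012345678901` is not valid hex.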
@@ -432,3 +432,99 @@ Information Gathering: isImplemented: false evidence: "" comments: "" + OSINT Feed Integration Monitoring: + uuid: a9b8c7d6-e5f4-3210-9876-543210fedcba + description: | + Monitor threat intelligence feed health: `curl -s $FEED_URL | jq '.status'` + for feed availability, API rate limit tracking, and data freshness validation + with automated alerting on stale indicators or feed failures. + risk: Unreliable threat intelligence feeds result in outdated IOCs, missed threats, and degraded security posture without visibility into feed health. + measure: | + Deploy monitoring for threat feed availability, API quota usage, + data freshness validation, IOC update frequency, + and automated alerting on feed degradation or stale intelligence. + difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 2 + usefulness: 4 + level: 3 + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/shodan + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/virustotal + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 12.1.3 + - 16.1.2 + iso27001-2022: + - 8.6 + - 5.25 + isImplemented: false + evidence: "" + comments: "" + Threat Actor Tracking Metrics: + uuid: b8c7d6e5-f4g3-2109-8765-432109edcbaf + description: | + Campaign attribution metrics with geolocation tracking: `geoiplookup $attacker_ip` + for source analysis, TTPs frequency mapping, and infrastructure reuse patterns + with MITRE ATT&CK technique correlation and timeline analysis. + risk: Without threat actor tracking metrics, organizations cannot identify persistent threats, campaign patterns, or attribution links to previous attacks. + measure: | + Implement metrics for threat actor campaign tracking, + geographic attack pattern analysis, TTP frequency mapping, + infrastructure reuse detection, and attribution confidence scoring + with trend analysis and early warning indicators. 
+ difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 3 + usefulness: 4 + level: 4 + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/spiderfoot + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 16.1.2 + - 16.1.4 + iso27001-2022: + - 5.25 + - 5.27 + isImplemented: false + evidence: "" + comments: "" + OSINT Collection Performance Metrics: + uuid: c7d6e5f4-g3h2-1098-7654-321098dcbaef + description: | + OSINT tool performance monitoring: `time theHarvester -d $domain -b all` + for collection speed, data quality scoring, source coverage analysis, + and automated performance benchmarking with SLA compliance tracking. + risk: Poor OSINT collection performance leads to incomplete intelligence gathering, delayed threat detection, and reduced incident response effectiveness. + measure: | + Deploy performance monitoring for OSINT collection tools, + data quality scoring mechanisms, source coverage analysis, + collection speed benchmarking, and automated SLA compliance + tracking with performance optimization recommendations. + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 3 + level: 3 + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/theharvester + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/spiderfoot + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 12.1.3 + iso27001-2022: + - 8.6 + isImplemented: false + evidence: "" + comments: "" diff --git a/src/assets/YAML/default/InformationGathering/TestKPI.yaml b/src/assets/YAML/default/InformationGathering/TestKPI.yaml index fe45bcf..9975fb1 100644 --- a/src/assets/YAML/default/InformationGathering/TestKPI.yaml +++ b/src/assets/YAML/default/InformationGathering/TestKPI.yaml 
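Review bot: none of the three new Monitoring activities declares `dependsOn`, yet `OSINT Feed Integration Monitoring` (level 3) monitors feeds that only exist once the collection activity in Logging.yaml is in place; referencing `a1b2c3d4-e5f6-7890-abcd-ef1234567890` (Basic OSINT Collection Integration) here would make that ordering explicit, and the same applies to the level-4 `Threat Actor Tracking Metrics`. `uuid: b8c7d6e5-f4g3-2109-8765-432109edcbaf` and `uuid: c7d6e5f4-g3h2-1098-7654-321098dcbaef` contain non-hex characters. On the commands: `curl -s $FEED_URL | jq '.status'` assumes every feed returns JSON with a top-level `status` key, which does not hold for STIX/TAXII or CSV feeds, so describe the health check generically (HTTP status, age of the last update) instead of a jq path; `geoiplookup $attacker_ip` needs a locally installed GeoIP database, so name the one the team is expected to use.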
@@ -90,7 +90,7 @@ Information Gathering: usefulness: 3 level: 2 dependsOn: - - uuid:8ae0b92c-10e0-4602-ba22-7524d6aed488 #Automated PRs for patches + - 8ae0b92c-10e0-4602-ba22-7524d6aed488 #Automated PRs for patches implementation: [] references: samm2: @@ -151,8 +151,8 @@ Information Gathering: usefulness: 3 level: 4 dependsOn: - - uuid:86d490b9-d798-4a5b-a011-ab9688014c46 # Patching mean time to resolution via PR - - uuid:8ae0b92c-10e0-4602-ba22-7524d6aed488 # Automated PRs for patches + - 86d490b9-d798-4a5b-a011-ab9688014c46 # Patching mean time to resolution via PR + - 8ae0b92c-10e0-4602-ba22-7524d6aed488 # Automated PRs for patches implementation: [] references: samm2: @@ -175,7 +175,7 @@ Information Gathering: resources: 1 usefulness: 3 dependsOn: - - Usage of a vulnerability management system + - 4a7b6c5d-8e9f-1234-5678-abcdef123456 # Usage of a vulnerability management system level: 3 implementation: - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-defectdojo 
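Review bot: the third hunk replaces the name `Usage of a vulnerability management system` with `4a7b6c5d-8e9f-1234-5678-abcdef123456`, a value that reads like a hand-typed sequence rather than a generated UUID; please confirm it is the actual uuid of that activity, because a wrong value here becomes a dangling dependency with no error visible in the diff. The first two hunks only strip the `uuid:` prefix, which is fine, but the trailing comments are inconsistent (`#Automated PRs for patches` versus `# Automated PRs for patches`); pick one style.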
@@ -227,4 +227,92 @@ Information Gathering: - vulnerability-mgmt - metrics - vmm-measurements + OSINT Threat Intelligence Coverage: + uuid: e4f3g2h1-i0j9-8765-4321-098765fedcba + risk: |- + Without measuring OSINT threat intelligence coverage, organizations lack visibility into external threat landscape affecting their assets, leading to blind spots in threat awareness. + measure: |- + Track percentage of organizational assets (domains, IPs, applications) covered by OSINT threat intelligence feeds and monitoring tools. Measure weekly. + description: |- + Implement KPIs for OSINT coverage using tools like Shodan for infrastructure exposure, VirusTotal for domain/IP reputation, and URLScan.io for web application threats. + Command: `curl -H "API-Key: $VT_KEY" "https://www.virustotal.com/vtapi/v2/domain/report?domain=$DOMAIN" | jq '.detected_urls | length'` + difficultyOfImplementation: + knowledge: 3 + time: 2 + resources: 2 + usefulness: 4 + level: 2 + dependsOn: [] + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/shodan + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/virustotal + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/urlscan + references: + samm2: + - I-DM-1-A + iso27001-2022: + - 5.23 + - 5.25 + tags: + - osint + - threat-intelligence + - metrics + OSINT Data Quality Score: + uuid: f5g4h3i2-j1k0-9876-5432-109876edcbaf + risk: |- + Poor quality OSINT data leads to false positives, missed threats, and inefficient security operations, undermining threat detection capabilities. + measure: |- + Calculate OSINT data quality score based on accuracy, timeliness, and relevance of collected intelligence. Measure data source reliability monthly. + description: |- + Evaluate OSINT sources for false positive rates, time-to-detection metrics, and threat relevance scoring using automated validation. 
+ Flow: Data Collection → Validation → Scoring → Quality Metrics → Remediation + difficultyOfImplementation: + knowledge: 3 + time: 3 + resources: 2 + usefulness: 3 + level: 3 + dependsOn: [] + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/maltego + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/spiderfoot + references: + samm2: + - I-DM-2-A + iso27001-2022: + - 5.12 + - 5.25 + tags: + - osint + - data-quality + - metrics + OSINT Response Time Metrics: + uuid: g6h5i4j3-k2l1-0987-6543-210987fedcba + risk: |- + Slow response to OSINT-identified threats increases exposure window and potential for successful attacks against organizational assets. + measure: |- + Measure time from OSINT threat detection to initial response action. Track mean time to response (MTTR) for different threat severities weekly. + description: |- + Implement automated workflows measuring time between OSINT alert generation and security team response using SIEM integration. + Metrics: Detection Time + Analysis Time + Response Time = Total MTTR + difficultyOfImplementation: + knowledge: 2 + time: 2 + resources: 2 + usefulness: 4 + level: 2 + dependsOn: [] + implementation: + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/theharvester + - $ref: src/assets/YAML/default/implementations.yaml#/implementations/sherlock + references: + samm2: + - I-DM-3-A + iso27001-2022: + - 5.24 + - 5.26 + tags: + - osint + - incident-response + - metrics diff --git a/src/assets/YAML/default/TestAndVerification/Consolidation.yaml b/src/assets/YAML/default/TestAndVerification/Consolidation.yaml index 6c3a773..dc68235 100755 --- a/src/assets/YAML/default/TestAndVerification/Consolidation.yaml +++ b/src/assets/YAML/default/TestAndVerification/Consolidation.yaml 
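Review bot: `- $ref: src/assets/YAML/default/implementations.yaml#/implementations/urlscan` does not match the key used everywhere else in this PR (`urlscan-io`, as in the Logging.yaml hunk), so this reference will not resolve; change it to `urlscan-io`. The three new uuids (`e4f3g2h1-i0j9-8765-4321-098765fedcba`, `f5g4h3i2-j1k0-9876-5432-109876edcbaf`, `g6h5i4j3-k2l1-0987-6543-210987fedcba`) contain non-hex characters. In `OSINT Response Time Metrics`, `MTTR` is defined as mean time to response, while the same file uses it for resolution (see the `# Patching mean time to resolution via PR` comment in the earlier hunk); give the new metric a distinct name or spell the term out each time. The VirusTotal command repeats the `-H "API-Key: $VT_KEY"` header flagged on the Logging.yaml hunk: the v2 endpoint expects `apikey` as a query parameter, and the v3 API uses the `x-apikey` header.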
@@ -369,9 +369,9 @@ Test and Verification: resources: 2 usefulness: 2 dependsOn: - - uuid:f2f0f274-c1a0-4501-92fe-7fc4452bc8ad # EPSS/CISA KEV - - uuid:6217fe11-5ed7-4cf4-9de4-555bcfa6fe87 # Each team has a security champion - - uuid:185d5a74-19dc-4422-be07-44ea35226783 # Office Hours + - f2f0f274-c1a0-4501-92fe-7fc4452bc8ad # EPSS/CISA KEV + - 6217fe11-5ed7-4cf4-9de4-555bcfa6fe87 # Each team has a security champion + - 185d5a74-19dc-4422-be07-44ea35226783 # Office Hours level: 3 description: |- For known vulnerabilities a processes to estimate the exploit ability of a vulnerability is recommended. diff --git a/src/assets/YAML/generated/generated.yaml b/src/assets/YAML/generated/generated.yaml index fe324cf..097f267 100644 --- a/src/assets/YAML/generated/generated.yaml +++ b/src/assets/YAML/generated/generated.yaml 
@@ -4716,173 +4716,26 @@ Information Gathering: B: false C: false Threat Intelligence: - Automated Threat Intelligence: - uuid: e5f6g7h8-i9j0-1234-efgh-567890123456 - description: | - Advanced automation of threat intelligence operations including: - - Automated OSINT collection from multiple sources simultaneously - - Machine learning-based threat classification and scoring - - Dynamic IOC generation from malware analysis sandboxes - - Automated attribution analysis using behavior clustering - - Real-time threat landscape monitoring and alerting - - Intelligent threat hunting based on predictive analytics - risk: Manual threat intelligence processes create operational bottlenecks, introduce - human error, and cannot scale to address the volume of modern threat data, - resulting in delayed threat detection and response. - measure: | - Deploy enterprise threat intelligence platforms with: - - Multi-source automated data collection and normalization - - Machine learning algorithms for threat pattern recognition - - Automated indicator extraction and validation workflows - - Integration with SOAR platforms for response automation - - Predictive threat modeling based on historical attack patterns - - Automated reporting and briefing generation for stakeholders - difficultyOfImplementation: - knowledge: 5 - time: 4 - resources: 4 - usefulness: 5 - level: 5 - dependsOn: - - Threat Intelligence Integration - - Correlation of security events - implementation: - - uuid: 88888888-8888-8888-8888-888888888888 - name: SpiderFoot - tags: - - osint - - reconnaissance - - threat-intelligence - url: https://www.spiderfoot.net/ - description: Automated OSINT reconnaissance tool for threat intelligence gathering - - uuid: 66666666-6666-6666-6666-666666666666 - name: Maltego - tags: - - osint - - threat-intelligence - - visualization - url: https://www.maltego.com/ - description: OSINT and forensics application for link analysis and threat - intelligence visualization - references: - 
samm2: - - O-IM-2-A - iso27001-2017: - - 16.1.2 - iso27001-2022: - - 5.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Threat - Intelligence/e5f6g7h8-i9j0-1234-efgh-567890123456 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Threat Intelligence Analysis: - uuid: b2c3d4e5-f6g7-8901-bcde-f23456789012 - description: | - Analysis and contextualization of collected intelligence data including: - - Indicator enrichment and validation using multiple sources - - Attribution analysis linking threats to known actor groups - - Campaign tracking across multiple attack vectors - - Threat landscape assessment for organizational risk - - False positive reduction through cross-referencing - - Timeline analysis of threat actor activities - risk: Raw threat intelligence without proper analysis leads to alert fatigue, - missed critical threats, and inability to prioritize security responses effectively. - measure: | - Establish analytical workflows that include: - - Multi-source indicator verification and scoring - - Threat actor profiling and campaign attribution - - Industry-specific threat landscape analysis - - Integration with internal security events for correlation - - Regular threat briefings for stakeholders with actionable recommendations - difficultyOfImplementation: - knowledge: 4 - time: 3 - resources: 3 - usefulness: 4 - level: 3 - dependsOn: - - Threat Intelligence Collection - - Correlation of security events - implementation: - - uuid: 66666666-6666-6666-6666-666666666666 - name: Maltego - tags: - - osint - - threat-intelligence - - visualization - url: https://www.maltego.com/ - description: OSINT and forensics application for link analysis and threat - intelligence visualization - - uuid: 88888888-8888-8888-8888-888888888888 - name: SpiderFoot - tags: - - osint - - reconnaissance - - threat-intelligence - url: https://www.spiderfoot.net/ - description: Automated OSINT 
reconnaissance tool for threat intelligence gathering - - uuid: 22222222-2222-2222-2222-222222222222 - name: VirusTotal - tags: - - threat-intelligence - - malware-analysis - - osint - url: https://www.virustotal.com/ - description: Malware and URL analysis service for threat intelligence and - IOC validation - references: - samm2: - - O-IM-2-A - iso27001-2017: - - 16.1.2 - iso27001-2022: - - 5.25 - openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Threat - Intelligence/b2c3d4e5-f6g7-8901-bcde-f23456789012 - comments: "" - tags: - - none - teamsImplemented: - Default: false - B: false - C: false - Threat Intelligence Collection: + Automated OSINT Collection Pipeline: uuid: a1b2c3d4-e5f6-7890-abcd-ef1234567890 - description: | - Systematic collection of threat intelligence from diverse sources including: - - OSINT platforms (Shodan, VirusTotal, URLScan.io, PublicWWW) - - Dark web monitoring (leak databases, underground forums) - - Social media intelligence (Twitter/X, Telegram, Discord) - - Technical indicators (DNS, certificates, IP reputation) - - Vulnerability databases (CVE, NVD, exploit-db) - - Government and industry threat reports + description: "Automated collection system using cron jobs to query APIs (shodan.io, + virustotal.com) \nwith domain monitoring: `curl -H \"API-Key: $VT_KEY\" https://www.virustotal.com/vtapi/v2/domain/report`\nRSS + feed parsing via Python feedparser and data normalization into JSON/STIX format.\n" risk: Without systematic threat intelligence collection, organizations cannot proactively identify emerging threats, ongoing campaigns, or indicators of compromise targeting their industry sector or technology stack. 
measure: | - Implement automated and manual collection processes using: - - OSINT tools for reconnaissance detection (domain monitoring, certificate transparency) - - Social media monitoring for brand mentions and threat actor discussions - - Dark web monitoring for leaked credentials and company mentions - - Threat feed aggregation from commercial and open sources - - Regular assessment of attack surface exposure via search engines + Deploy cron-scheduled Python scripts with API calls to threat sources, + RSS feed monitoring, certificate transparency logs via crt.sh API, + and automated IOC extraction with regex patterns for IP/domain/hash identification. difficultyOfImplementation: knowledge: 3 time: 2 resources: 2 usefulness: 4 level: 2 - dependsOn: - - Logging of security events implementation: - - uuid: 11111111-1111-1111-1111-111111111111 + - uuid: ab1555aa-225a-49b0-9b74-15a5407e0722 name: Shodan tags: - osint @@ -4891,7 +4744,7 @@ Information Gathering: url: https://www.shodan.io/ description: Search engine for Internet-connected devices and services for reconnaissance and threat intelligence - - uuid: 22222222-2222-2222-2222-222222222222 + - uuid: d3a10c34-9e9f-43bd-a474-269d07188efe name: VirusTotal tags: - threat-intelligence @@ -4900,7 +4753,7 @@ Information Gathering: url: https://www.virustotal.com/ description: Malware and URL analysis service for threat intelligence and IOC validation - - uuid: 33333333-3333-3333-3333-333333333333 + - uuid: 3ec27730-928f-45be-a4fa-92d19c8b3d56 name: URLScan.io tags: - threat-intelligence @@ -4908,7 +4761,7 @@ Information Gathering: - osint url: https://urlscan.io/ description: URL and website analysis service for threat intelligence collection - - uuid: 55555555-5555-5555-5555-555555555555 + - uuid: d21f595e-f742-46b3-9871-0c415ab37127 name: Censys tags: - osint 
@@ -4916,7 +4769,7 @@ Information Gathering: - threat-intelligence url: https://censys.io/ description: Internet scanning and reconnaissance platform for threat intelligence - - uuid: 77777777-7777-7777-7777-777777777777 + - uuid: dc429e58-cf5b-4596-bbe2-ed0ce2bb5215 name: theHarvester tags: - osint 
@@ -4944,37 +4797,81 @@ Information Gathering: Default: false B: false C: false - Threat Intelligence Integration: + ML-Powered Threat Classification: + uuid: e5f6g7h8-i9j0-1234-efgh-567890123456 + description: | + Enterprise TIP with scikit-learn ML models for IOC classification. + API: `POST /ml/classify` with feature vectors for threat scoring, + automated sandbox integration, and predictive campaign analysis using time-series data. + risk: Manual threat intelligence processes create operational bottlenecks, introduce + human error, and cannot scale to address the volume of modern threat data, + resulting in delayed threat detection and response. + measure: | + Deploy enterprise TIP with ML algorithms for pattern recognition, + automated IOC extraction from sandbox reports, + predictive analytics for campaign forecasting, + and SOAR integration with confidence-scored threat indicators. + difficultyOfImplementation: + knowledge: 5 + time: 4 + resources: 4 + usefulness: 5 + level: 5 + implementation: + - uuid: 659e9838-4a79-45a1-ac1f-6b9964a5d21c + name: SpiderFoot + tags: + - osint + - reconnaissance + - threat-intelligence + url: https://www.spiderfoot.net/ + description: Automated OSINT reconnaissance tool for threat intelligence gathering + - uuid: 712eb583-2d3d-44f6-bb01-f32b72dc7942 + name: Maltego + tags: + - osint + - threat-intelligence + - visualization + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat + intelligence visualization + references: + samm2: + - O-IM-2-A + iso27001-2017: + - 16.1.2 + iso27001-2022: + - 5.25 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Threat + Intelligence/e5f6g7h8-i9j0-1234-efgh-567890123456 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + SIEM IOC Integration Gateway: uuid: c3d4e5f6-g7h8-9012-cdef-345678901234 description: | - Tactical integration of threat intelligence into 
security infrastructure: - - SIEM rule creation based on IOCs and behavioral patterns - - Automated blocking of malicious IPs, domains, and file hashes - - DNS sinkholing for known malicious domains - - Email security enhancement with threat indicators - - Endpoint detection rules based on YARA signatures - - Network monitoring alerts for suspicious communications + Automated IOC blocker using STIX/TAXII feeds with API calls to security tools. + Example: `POST /api/firewall/blocklist` with JSON payload containing IOCs, + DNS sinkholing via `/dns/blocklist`, and YARA rule deployment to endpoints. risk: Threat intelligence that remains isolated from security controls provides no operational value and allows known threats to successfully compromise systems. measure: | - Deploy automated integration mechanisms: - - STIX/TAXII feeds integrated into security tools - - Custom APIs for threat intelligence platform integration - - Automated IOC blocking across network and endpoint security - - Regular validation of integrated indicators for effectiveness - - Threat hunting queries based on intelligence analysis + Deploy automated integration scripts with REST API calls to firewalls, + DNS servers, and SIEM platforms for IOC blocking, + threat hunting query generation, and validation of indicator effectiveness. difficultyOfImplementation: knowledge: 4 time: 4 resources: 3 usefulness: 5 level: 3 - dependsOn: - - Threat Intelligence Analysis - - Centralized application logging - - Centralized system logging implementation: - - uuid: 66666666-6666-6666-6666-666666666666 + - uuid: 712eb583-2d3d-44f6-bb01-f32b72dc7942 name: Maltego tags: - osint @@ -4983,7 +4880,7 @@ Information Gathering: url: https://www.maltego.com/ description: OSINT and forensics application for link analysis and threat intelligence visualization - - uuid: 88888888-8888-8888-8888-888888888888 + - uuid: 659e9838-4a79-45a1-ac1f-6b9964a5d21c name: SpiderFoot tags: - osint 
@@ -5010,36 +4907,28 @@ Information Gathering: Default: false B: false C: false - Threat Intelligence Sharing: + STIX/TAXII Community Exchange: uuid: d4e5f6g7-h8i9-0123-defg-456789012345 description: | - Strategic participation in threat intelligence ecosystems including: - - Industry-specific threat sharing groups (FS-ISAC, H-ISAC) - - Government programs (US-CERT, NCSC, national CERTs) - - Commercial threat intelligence platforms - - Open source intelligence communities - - Vendor security communities and user groups - - Regional cybersecurity alliances + Automated STIX/TAXII server with industry feeds: `taxii2-client --discovery-url` + for feed discovery, bilateral IOC sharing via REST API endpoints, + and TLP compliance validation using JSON schema validation. risk: Isolation from threat intelligence sharing communities results in delayed threat awareness, reduced collective defense capabilities, and missed opportunities for early warning of targeted campaigns. measure: | - Establish formal sharing relationships through: - - Membership in relevant industry sharing organizations - - Bilateral threat intelligence sharing agreements - - Automated sharing via STIX/TAXII protocols - - Regular participation in threat briefings and working groups - - Sanitized indicator sharing while protecting sensitive sources + Deploy TAXII server with automated feed synchronization, + industry consortium integration (FS-ISAC, H-ISAC), + data sanitization pipelines for attribution protection, + and bilateral sharing agreements with automated compliance checks. difficultyOfImplementation: knowledge: 3 time: 2 resources: 2 usefulness: 3 level: 4 - dependsOn: - - Threat Intelligence Analysis implementation: - - uuid: 66666666-6666-6666-6666-666666666666 + - uuid: 712eb583-2d3d-44f6-bb01-f32b72dc7942 name: Maltego tags: - osint 
@@ -5048,7 +4937,7 @@ Information Gathering: url: https://www.maltego.com/ description: OSINT and forensics application for link analysis and threat intelligence visualization - - uuid: 44444444-4444-4444-4444-444444444444 + - uuid: 17d1eb75-bf05-4d05-8e55-c6233819bfdb name: PublicWWW tags: - osint 
@@ -5075,33 +4964,27 @@ Information Gathering: Default: false B: false C: false - Incident Response: - Incident Containment and Eradication: - uuid: h8i9j0k1-l2m3-4567-hijk-890123456789 + Threat Intelligence Platform: + uuid: b2c3d4e5-f6g7-8901-bcde-f23456789012 description: | - OSINT-enhanced containment and eradication procedures: - - Threat infrastructure mapping using passive DNS and certificate analysis - - Attack campaign tracking to identify additional compromised systems - - IOC generation and sharing for community defense - - Attribution analysis to understand threat actor methods and motivations - - Infrastructure takedown coordination with hosting providers and registrars - - Real-time threat landscape monitoring during incident response - risk: Containment efforts without external intelligence context may miss related - infrastructure, fail to prevent reinfection, and allow threat actors to continue - operations against other targets. - measure: Establish procedures to contain security incidents, eliminate the root - cause, and remove malicious artifacts while preserving evidence for investigation. + Centralized TIP with MISP integration: `misp-modules -l 0.0.0.0 -s` for enrichment, + automated YARA rule generation from samples, + MITRE ATT&CK mapping with `/attributes/restSearch` API for correlation. + risk: Raw threat intelligence without centralized analysis leads to alert fatigue + and inability to prioritize security responses effectively. + measure: | + Deploy MISP platform with automated enrichment APIs, + YARA rule generation workflows, + MITRE ATT&CK technique mapping, + and multi-source indicator correlation with confidence scoring. 
difficultyOfImplementation: knowledge: 4 - time: 4 + time: 3 resources: 3 - usefulness: 5 + usefulness: 4 level: 3 - dependsOn: - - Incident Detection and Classification - - Threat Intelligence Integration implementation: - - uuid: 66666666-6666-6666-6666-666666666666 + - uuid: 712eb583-2d3d-44f6-bb01-f32b72dc7942 name: Maltego tags: - osint @@ -5110,7 +4993,7 @@ Information Gathering: url: https://www.maltego.com/ description: OSINT and forensics application for link analysis and threat intelligence visualization - - uuid: 88888888-8888-8888-8888-888888888888 + - uuid: 659e9838-4a79-45a1-ac1f-6b9964a5d21c name: SpiderFoot tags: - osint @@ -5118,16 +5001,25 @@ Information Gathering: - threat-intelligence url: https://www.spiderfoot.net/ description: Automated OSINT reconnaissance tool for threat intelligence gathering + - uuid: d3a10c34-9e9f-43bd-a474-269d07188efe + name: VirusTotal + tags: + - threat-intelligence + - malware-analysis + - osint + url: https://www.virustotal.com/ + description: Malware and URL analysis service for threat intelligence and + IOC validation references: samm2: - - O-IM-3-A + - O-IM-2-A iso27001-2017: - - 16.1.5 + - 16.1.2 iso27001-2022: - - 5.28 + - 5.25 openCRE: - - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Incident - Response/h8i9j0k1-l2m3-4567-hijk-890123456789 + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Threat + Intelligence/b2c3d4e5-f6g7-8901-bcde-f23456789012 comments: "" tags: - none 
@@ -5135,54 +5027,27 @@ Information Gathering: Default: false B: false C: false - Incident Detection and Classification: - uuid: g7h8i9j0-k1l2-3456-ghij-789012345678 + Incident Response: + Attribution Analysis and IOC Sharing: + uuid: i9j0k1l2-m3n4-5678-ijkl-901234567890 description: | - Advanced incident detection enhanced with OSINT capabilities: - - Multi-source indicator correlation from internal logs and external intelligence - - Automated enrichment of security alerts with threat context - - Social media monitoring for brand mentions and potential targeting - - Dark web monitoring for organization-specific threats and leaked data - - Threat actor tracking to identify campaign patterns and attribution - - Geolocation analysis of attack sources and infrastructure - risk: Basic incident detection without external intelligence context results - in missed sophisticated attacks, delayed attribution, and inability to understand - attack campaigns targeting the organization. - measure: | - Deploy enhanced detection capabilities with: - - SIEM integration with multiple threat intelligence feeds - - Automated OSINT enrichment of security alerts and indicators - - Social media and dark web monitoring for early threat detection - - Machine learning algorithms for anomaly detection and pattern recognition - - Threat hunting programs guided by external intelligence and industry reports + Threat landscape analysis with MITRE ATT&CK mapping: `attack-navigator --layer techniques.json` + for TTP visualization, automated attribution reporting via REST APIs, + and vulnerability assessment integration with attack vector analysis. + risk: Recovery efforts without comprehensive threat analysis leave organizations + vulnerable to similar attacks and fail to contribute to community defense + through intelligence sharing. 
+ measure: Deploy recovery workflows with threat landscape analysis tools, attribution + reporting with IOC generation for community sharing, vulnerability assessment + based on attack TTPs, and long-term threat actor monitoring. difficultyOfImplementation: - knowledge: 4 + knowledge: 3 time: 3 - resources: 3 - usefulness: 5 - level: 2 - dependsOn: - - Incident Response Plan - - Correlation of security events - - Alerting + resources: 2 + usefulness: 4 + level: 3 implementation: - - uuid: 99999999-9999-9999-9999-999999999999 - name: GHunt - tags: - - osint - - google-intelligence - - reconnaissance - url: https://github.com/mxrch/GHunt - description: OSINT tool for Google accounts and services investigation - - uuid: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa - name: Sherlock - tags: - - osint - - username-intelligence - - social-media - url: https://github.com/sherlock-project/sherlock - description: Social media username OSINT investigation tool - - uuid: 66666666-6666-6666-6666-666666666666 + - uuid: 712eb583-2d3d-44f6-bb01-f32b72dc7942 name: Maltego tags: - osint @@ -5195,12 +5060,14 @@ Information Gathering: samm2: - O-IM-3-A iso27001-2017: - - 16.1.4 + - 16.1.6 + - 16.1.7 iso27001-2022: - - 5.27 + - 5.29 + - 5.3 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Incident - Response/g7h8i9j0-k1l2-3456-ghij-789012345678 + Response/i9j0k1l2-m3n4-5678-ijkl-901234567890 comments: "" tags: - none 
@@ -5208,32 +5075,26 @@ Information Gathering: Default: false B: false C: false - Incident Recovery and Post-Incident Analysis: - uuid: i9j0k1l2-m3n4-5678-ijkl-901234567890 + Infrastructure Mapping and Takedown: + uuid: h8i9j0k1-l2m3-4567-hijk-890123456789 description: | - Intelligence-driven recovery and analysis processes: - - Threat landscape analysis to identify ongoing risks and similar campaigns - - Attribution reporting with indicators for threat intelligence sharing - - Vulnerability assessment based on attack methods and exploitation techniques - - Industry threat briefings to warn of similar attacks against peer organizations - - Long-term monitoring for threat actor return or infrastructure reuse - - Integration of lessons learned into threat detection and prevention systems - risk: Recovery efforts without comprehensive threat analysis leave organizations - vulnerable to similar attacks and fail to contribute to community defense - through intelligence sharing. - measure: Implement recovery procedures to restore normal operations and conduct - post-incident analysis to identify lessons learned and implement improvements - to prevent similar incidents. + Passive DNS analysis: `dig +short -x $ip` for reverse lookups, + certificate transparency monitoring via crt.sh API, + automated hosting provider coordination for infrastructure takedown. + risk: Containment efforts without external intelligence context may miss related + infrastructure, fail to prevent reinfection, and allow threat actors to continue + operations against other targets. + measure: Deploy OSINT-enhanced containment with threat infrastructure mapping, + attack campaign tracking via shared IOCs, automated takedown coordination + scripts, and evidence preservation workflows. 
difficultyOfImplementation: - knowledge: 3 - time: 3 - resources: 2 - usefulness: 4 + knowledge: 4 + time: 4 + resources: 3 + usefulness: 5 level: 3 - dependsOn: - - Incident Containment and Eradication implementation: - - uuid: 66666666-6666-6666-6666-666666666666 + - uuid: 712eb583-2d3d-44f6-bb01-f32b72dc7942 name: Maltego tags: - osint @@ -5242,18 +5103,24 @@ Information Gathering: url: https://www.maltego.com/ description: OSINT and forensics application for link analysis and threat intelligence visualization + - uuid: 659e9838-4a79-45a1-ac1f-6b9964a5d21c + name: SpiderFoot + tags: + - osint + - reconnaissance + - threat-intelligence + url: https://www.spiderfoot.net/ + description: Automated OSINT reconnaissance tool for threat intelligence gathering references: samm2: - O-IM-3-A iso27001-2017: - - 16.1.6 - - 16.1.7 + - 16.1.5 iso27001-2022: - - 5.29 - - 5.3 + - 5.28 openCRE: - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Incident - Response/i9j0k1l2-m3n4-5678-ijkl-901234567890 + Response/h8i9j0k1-l2m3-4567-hijk-890123456789 comments: "" tags: - none 
@@ -5261,26 +5128,19 @@ Information Gathering: Default: false B: false C: false - Incident Response Plan: + OSINT-Enhanced IR Documentation: uuid: f6g7h8i9-j0k1-2345-fghi-678901234567 - description: | - Comprehensive incident response plan incorporating OSINT-driven intelligence gathering: - - Pre-defined incident classification matrix with response procedures - - OSINT collection protocols for threat actor attribution and campaign analysis - - Integration with threat intelligence platforms for context enrichment - - Communication templates for internal teams and external stakeholders - - Legal and regulatory compliance requirements for different incident types - - Evidence preservation procedures for digital forensics and legal proceedings - risk: Without a documented incident response plan that includes intelligence - gathering procedures, organizations respond reactively, miss attribution opportunities, - and fail to understand the broader threat landscape context. + description: "Structured IR documentation with technical procedures: domain + analysis via\n`dig +trace $domain`, IP geolocation using `curl ipinfo.io/$ip`, + \nand automated evidence collection scripts with legal compliance frameworks.\n" + risk: Without documented incident response procedures that include intelligence + gathering, organizations respond reactively and miss critical attribution + opportunities. 
measure: | - Develop comprehensive incident response documentation including: - - Playbooks for common incident types with OSINT collection steps - - Role-based access controls and escalation procedures - - Integration points with threat intelligence and OSINT tools - - Regular plan testing through tabletop exercises and simulations - - Post-incident review processes for continuous improvement + Create technical IR documentation with OSINT collection procedures, + automated evidence preservation scripts, + legal compliance checklists for evidence handling, + and structured templates for threat actor attribution. difficultyOfImplementation: knowledge: 3 time: 3 @@ -5288,7 +5148,7 @@ Information Gathering: usefulness: 5 level: 1 implementation: - - uuid: 66666666-6666-6666-6666-666666666666 + - uuid: 712eb583-2d3d-44f6-bb01-f32b72dc7942 name: Maltego tags: - osint 
@@ -5316,33 +5176,87 @@ Information Gathering: Default: false B: false C: false - Incident Response Training and Testing: + Real-time Threat Enrichment: + uuid: g7h8i9j0-k1l2-3456-ghij-789012345678 + description: "Live SIEM enrichment with external threat feeds: Splunk lookup + \n`| lookup threat_intel domain as query_domain OUTPUT confidence score`\nfor + real-time IOC validation and automated alert prioritization.\n" + risk: Incidents detected without external threat context result in delayed response + and missed attribution of sophisticated attack campaigns. + measure: | + Deploy SIEM enrichment with real-time threat intelligence APIs, + automated IOC validation against multiple sources, + confidence scoring for threat indicators, + and contextual alert enhancement with threat actor profiles. + difficultyOfImplementation: + knowledge: 4 + time: 3 + resources: 3 + usefulness: 5 + level: 2 + implementation: + - uuid: 607d2158-3d17-4518-b751-61c7422be9a2 + name: GHunt + tags: + - osint + - google-intelligence + - reconnaissance + url: https://github.com/mxrch/GHunt + description: OSINT tool for Google accounts and services investigation + - uuid: fc20c021-f64e-427a-93ce-11872eaec241 + name: Sherlock + tags: + - osint + - username-intelligence + - social-media + url: https://github.com/sherlock-project/sherlock + description: Social media username OSINT investigation tool + - uuid: 712eb583-2d3d-44f6-bb01-f32b72dc7942 + name: Maltego + tags: + - osint + - threat-intelligence + - visualization + url: https://www.maltego.com/ + description: OSINT and forensics application for link analysis and threat + intelligence visualization + references: + samm2: + - O-IM-3-A + iso27001-2017: + - 16.1.4 + iso27001-2022: + - 5.27 + openCRE: + - https://www.opencre.org/rest/v1/standard/DevSecOps+Maturity+Model+(DSOMM)/Incident + Response/g7h8i9j0-k1l2-3456-ghij-789012345678 + comments: "" + tags: + - none + teamsImplemented: + Default: false + B: false + C: false + Tactical OSINT 
Training Program: uuid: j0k1l2m3-n4o5-6789-jklm-012345678901 description: | - Comprehensive training program incorporating OSINT and threat intelligence: - - Hands-on OSINT training for incident responders and analysts - - Threat intelligence platform training for indicator enrichment and analysis - - Tabletop exercises based on real-world attack campaigns and threat actor TTPs - - Red team exercises incorporating current threat intelligence and attack methods - - Cross-functional training between security operations and threat intelligence teams - - Regular updates on emerging threats, tools, and investigation techniques - risk: Training programs that don't incorporate current threat intelligence and - OSINT capabilities leave teams unprepared for sophisticated attacks and limit - their ability to conduct effective threat attribution and campaign analysis. - measure: Conduct regular incident response training for team members and perform - tabletop exercises, simulations, and drills to test and improve incident response - procedures. + Skills-based OSINT training: `recon-ng -w domain_enum -m recon/domains-hosts/brute_hosts` + for reconnaissance techniques, threat hunt simulation exercises, + and cross-team collaboration workshops with scenario-based learning. + risk: Teams without current OSINT skills cannot effectively investigate incidents, + conduct threat attribution, or leverage external intelligence for proactive + defense. + measure: Conduct technical OSINT training with hands-on tool usage, threat hunting + simulation exercises, incident response tabletop scenarios, and skills assessment + with certification tracking. difficultyOfImplementation: knowledge: 3 time: 3 resources: 3 usefulness: 4 level: 4 - dependsOn: - - Incident Response Plan - - Incident Recovery and Post-Incident Analysis implementation: - - uuid: 66666666-6666-6666-6666-666666666666 + - uuid: 712eb583-2d3d-44f6-bb01-f32b72dc7942 name: Maltego tags: - osint 
@@ -5351,7 +5265,7 @@ Information Gathering: url: https://www.maltego.com/ description: OSINT and forensics application for link analysis and threat intelligence visualization - - uuid: 99999999-9999-9999-9999-999999999999 + - uuid: 607d2158-3d17-4518-b751-61c7422be9a2 name: GHunt tags: - osint @@ -5359,7 +5273,7 @@ Information Gathering: - reconnaissance url: https://github.com/mxrch/GHunt description: OSINT tool for Google accounts and services investigation - - uuid: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa + - uuid: fc20c021-f64e-427a-93ce-11872eaec241 name: Sherlock tags: - osint
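Review bot: in the hunk at `@@ -4716,173 +4716,26 @@` the activity UUIDs are not valid UUIDs. `e5f6g7h8-i9j0-1234-efgh-567890123456` and `b2c3d4e5-f6g7-8901-bcde-f23456789012` here, and `c3d4e5f6-g7h8-9012-cdef-345678901234`, `d4e5f6g7-h8i9-0123-defg-456789012345`, `f6g7h8i9-j0k1-2345-fghi-678901234567`, `g7h8i9j0-k1l2-3456-ghij-789012345678`, `h8i9j0k1-l2m3-4567-hijk-890123456789`, `i9j0k1l2-m3n4-5678-ijkl-901234567890` and `j0k1l2m3-n4o5-6789-jklm-012345678901` later in the patch, all contain the letters g through o, which are outside the hexadecimal alphabet, and each one is also embedded in the activity's `openCRE` URL. The commit message says the tools were given proper UUIDs; the activities need the same (RFC 4122 v4 values, e.g. from `uuidgen`), with the openCRE URLs updated in step so external references resolve. Two smaller points in the same hunk: the `curl -H "API-Key: $VT_KEY" https://www.virustotal.com/vtapi/v2/domain/report` example does not match the VirusTotal API, where v2 takes the key as an `apikey` query parameter and v3 expects an `x-apikey` header (and v2 is the legacy interface), so the line should be corrected or replaced with a plain description; and the only dependency of the level-2 collection activity, `- Logging of security events`, is deleted rather than renamed, which the commit message does not describe.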
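Review bot: the hunk at `@@ -4944,37 +4797,81 @@` removes every `dependsOn` entry (`Threat Intelligence Analysis`, `Centralized application logging`, `Centralized system logging`, and for the former Automated Threat Intelligence activity `Threat Intelligence Integration` and `Correlation of security events`) instead of updating them to descriptive names as the commit message states, leaving level-3 and level-5 activities with no ordering relative to the rest of the model; please restore them against the renamed activities. The new descriptions also cite endpoints that belong to no named product (`POST /ml/classify`, `POST /api/firewall/blocklist`, `/dns/blocklist`); sibling activities describe the capability rather than a pseudo-API, so either name the product exposing these routes or drop them. Finally, the implementations listed for `ML-Powered Threat Classification` are SpiderFoot and Maltego, which are OSINT reconnaissance and link-analysis tools, not a classification platform, so the tool list does not support the activity it sits under.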
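Review bot: in the hunk at `@@ -5010,36 +4907,28 @@`, `taxii2-client --discovery-url` does not look like a real command; the OASIS `taxii2-client` package is, as far as I know, a Python library exposing `Server`, `ApiRoot` and `Collection` classes and ships no CLI with that flag, so please verify it or replace it with a short Python snippet. The implementations for `STIX/TAXII Community Exchange` are Maltego and PublicWWW, neither of which is a TAXII server or client, while the description promises an automated TAXII server; the activity and its tool list should agree.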
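Review bot: in the hunk at `@@ -5075,33 +4964,27 @@`, `misp-modules -l 0.0.0.0 -s` binds the enrichment service to every interface; misp-modules performs no authentication of its own and is intended to listen on 127.0.0.1 beside the MISP instance, so the example as written exposes the enrichment API to the network. Use the loopback default or state that it must sit behind an authenticating proxy. The description is built around MISP, yet MISP is absent from the implementations (Maltego, SpiderFoot, VirusTotal). The activity also inherits `b2c3d4e5-f6g7-8901-bcde-f23456789012` from the removed Threat Intelligence Analysis entry while the entry it replaces at this position carried `h8i9j0k1-l2m3-4567-hijk-890123456789`, and the openCRE path moves from `Incident Response/` to `Threat Intelligence/`; anything linked to either id now resolves to a different activity, so uuids should stay attached to their original activity or be regenerated along with the references.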
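Review bot: in the hunk at `@@ -5135,54 +5027,27 @@`, `attack-navigator --layer techniques.json` is not a command I can find: ATT&CK Navigator is a browser-based Angular application whose layers are loaded through the UI or its `config.json`, with no CLI `--layer` flag as far as I know; verify or reword the description. The adjacent hunk at `@@ -5195,12 +5060,14 @@` adds `- 5.3` under `iso27001-2022`, which is almost certainly `5.30` with its trailing zero lost to YAML float parsing (5.3 is Segregation of duties, 5.30 is ICT readiness for business continuity, which fits a recovery-oriented activity next to 5.29); quote the control identifiers as strings (`"5.30"`) rather than moving the same unquoted value from the hunk at `@@ -5242,18 +5103,24 @@` to here.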
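Review bot: in the hunk at `@@ -5208,32 +5075,26 @@`, "Passive DNS analysis: `dig +short -x $ip`" mislabels the technique: `dig -x` performs a live reverse PTR query, whereas passive DNS means historical resolution data collected from recursive resolvers, which dig cannot provide. Querying suspect infrastructure directly during containment also signals the investigation to whoever operates it, which is exactly what passive sources avoid; call this a reverse DNS lookup or point to a passive DNS source.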
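Review bot: in the hunk at `@@ -5261,26 +5128,19 @@` the `description` is a double-quoted scalar with literal `\n` escapes and stray leading spaces (`\nand automated`), which renders as ragged text; the same pattern appears in the hunks at `@@ -4716,173 +4716,26 @@` and `@@ -5316,33 +5176,87 @@` (`\n\`| lookup`). Every neighbouring activity uses a `|` block scalar, so convert these three to the same style.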
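Review bot: in the hunk at `@@ -5316,33 +5176,87 @@` the implementations listed under `Real-time Threat Enrichment` are GHunt (Google account investigation) and Sherlock (username search across social networks), which do not enrich SIEM events with threat feeds as the activity describes; only Maltego is loosely related, so the tool list should be revisited. In the `Tactical OSINT Training Program` description, `recon-ng -w domain_enum -m recon/domains-hosts/brute_hosts` mixes two front ends: the interactive `recon-ng` console accepts `-w` but, as far as I know, module selection with `-m` belongs to `recon-cli`; confirm the invocation before it ships in the model.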