
MSAdministrator/threat-driven-security


Threat Driven Security


Read the documentation at https://threat-driven-security.readthedocs.io/


Goals

Nuclear facilities and other critical infrastructure use a concept called Design Basis Threat (DBT) to design, build and validate that defensive measures are in place. The information security industry needs to adopt a similar approach.

I would like to introduce a project called Threat Driven Security (TDS). TDS aims to help organizations build and assess their infrastructure (and services) using a standard set of definition files.

Each of these definitions focuses on a common security threat. Each defined threat has one or more surfaces that provide an opportunity to detect malicious behavior. For each surface, one or more events can be defined, each outlining metadata (e.g. log fields), a description, associated techniques and one or more categorical ways of observing the activity.

Again, each of these definitions is a vendor-agnostic way of specifying a threat: where to observe, what to observe, how to observe and more.

When building secure infrastructure and services we must understand how security operations can help protect our environments. The aim is to determine an organization's security visibility from a simple description of the log sources in its environment.

  1. Define a list of common threat scenarios / potential tabletop exercises
  2. Do I have visibility to detect this scenario?
     1. Could I have detected it earlier?

Questions for consumer

  1. Product: Exchange, Mail Flow Logs, User Reported Phishing Messages, and _some_ DLP Logs
     1. Confidence - 4

This project aims to assist organizations with a common framework to identify their defensive visibility.

By utilizing a community sourced set of common threat definitions facing organizations we can identify different aspects (view points) of a threat in a vendor agnostic way. This allows organizations to understand gaps in their visibility so they can defend against these threats appropriately.

  1. Reviewing products for security auditing
     1. UC: Enables organizations to validate that the products they are looking at have the minimum requirements based on definitions
     2. UC: Architecture Auditing?
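The threat / surface / event structure described above, turned into a visibility gap check: given what an organization says it collects, each event of a threat definition is rated covered, partial (the log source exists but lacks a required field) or blind. This is an added illustration, not the project's own code or definition format; the dataclass schema, the phishing threat, the log sources and the ATT&CK technique references are all constructed for the example.

```python
"""Visibility gap check over a constructed threat definition (example only)."""
from dataclasses import dataclass, field


@dataclass
class Event:
    name: str
    log_fields: list  # metadata the observing log source must carry
    techniques: list  # associated technique references (constructed)


@dataclass
class Surface:
    name: str
    log_source: str   # vendor-agnostic source that gives the observation
    events: list = field(default_factory=list)


@dataclass
class Threat:
    name: str
    surfaces: list


# Constructed threat definition: phishing observed from three surfaces.
PHISHING = Threat("Phishing", [
    Surface("mail-gateway", "mail_flow", [
        Event("inbound-attachment", ["sender", "recipient", "attachment_hash"], ["T1566.001"])]),
    Surface("mailbox", "mailbox_audit", [
        Event("mailbox-rule-created", ["user", "rule_name"], ["T1564.008"])]),
    Surface("endpoint", "process_creation", [
        Event("office-spawns-shell", ["parent_image", "image"], ["T1204.002"])]),
])

# Constructed description of what the organization collects: source -> fields.
ORG_SOURCES = {
    "mail_flow": {"sender", "recipient", "subject"},
    "mailbox_audit": {"user", "rule_name", "client_ip"},
}


def assess(threat, sources):
    """Map each event name to (status, missing_fields)."""
    report = {}
    for surface in threat.surfaces:
        available = sources.get(surface.log_source)
        for event in surface.events:
            if available is None:            # no log source at all: blind spot
                report[event.name] = ("blind", list(event.log_fields))
            else:                            # source exists; check its fields
                missing = [f for f in event.log_fields if f not in available]
                report[event.name] = ("covered" if not missing else "partial", missing)
    return report


def coverage(threat, sources):
    """Fraction of the threat's events that are fully observable."""
    statuses = assess(threat, sources)
    return sum(s == "covered" for s, _ in statuses.values()) / len(statuses)
```

Running `assess(PHISHING, ORG_SOURCES)` reports the gateway event as partial (no attachment hash), the mailbox rule event as covered, and the endpoint event as blind, for a coverage score of one third.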

Features

  • TODO

Requirements

  • TODO

Installation

You can install Threat Driven Security via pip from PyPI:

$ pip install threat-driven-security

Usage

Please see the Command-line Reference for details.

Contributing

Contributions are very welcome. To learn more, see the Contributor Guide.

License

Distributed under the terms of the MIT license, Threat Driven Security is free and open source software.

Issues

If you encounter any problems, please file an issue along with a detailed description.

Credits

This project was generated from @cjolowicz's Hypermodern Python Cookiecutter template.
