[ { "UID":"CTI.1.1", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Depth of Threat Intelligence", "Component ID":1, "Component Weight":0.25, "CTI CMM V1.2 Mapping":"Threat", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"What level of intelligence (relative to the Pyramid of Pain) is being used to track adversaries?", "Question Tooltip":null, "Level Description":"Ephemeral IOCs", "Level Tooltip":null, "Level ID":1, "Question Type":"Checkboxes", "Impact":3, "Complexity":1, "Points":1.0 }, { "UID":"CTI.1.2", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Depth of Threat Intelligence", "Component ID":1, "Component Weight":0.25, "CTI CMM V1.2 Mapping":"Threat", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"What level of intelligence (relative to the Pyramid of Pain) is being used to track adversaries?", "Question Tooltip":null, "Level Description":"Tools used by adversaries", "Level Tooltip":null, "Level ID":2, "Question Type":"Checkboxes", "Impact":3, "Complexity":1, "Points":1.0 }, { "UID":"CTI.1.3", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Depth of Threat Intelligence", "Component ID":1, "Component Weight":0.25, "CTI CMM V1.2 Mapping":"Threat", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"What level of intelligence (relative to the Pyramid of Pain) is being used to track adversaries?", "Question Tooltip":null, "Level Description":"Techniques and Tactics used by adversaries", "Level Tooltip":null, "Level ID":3, "Question Type":"Checkboxes", "Impact":3, "Complexity":3, "Points":2.0 }, { "UID":"CTI.1.4", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Depth of Threat Intelligence", "Component ID":1, "Component Weight":0.25, "CTI CMM V1.2 Mapping":"Threat", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"What level of intelligence (relative to the Pyramid of Pain) is being used to track adversaries?", "Question Tooltip":null, "Level Description":"Low-variance adversary behaviors and observables", "Level Tooltip":null, "Level ID":4, "Question Type":"Checkboxes", "Impact":3, "Complexity":3, "Points":2.0 }, { "UID":"CTI.2.1", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Relevance of Threat Intelligence", "Component ID":2, "Component Weight":0.25, "CTI CMM V1.2 Mapping":"Risk", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"How much does the threat intelligence relate to your organization?", "Question Tooltip":null, "Level Description":"Generic or freely available reporting", "Level Tooltip":null, "Level ID":1, "Question Type":"Checkboxes", "Impact":1, "Complexity":1, "Points":1.0 }, { "UID":"CTI.2.2", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Relevance of Threat Intelligence", "Component ID":2, "Component Weight":0.25, "CTI CMM V1.2 Mapping":"Risk", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"How much does the threat intelligence relate to your organization?", "Question Tooltip":null, "Level Description":"Industry-specific reporting", "Level Tooltip":null, "Level ID":2, "Question Type":"Checkboxes", "Impact":2, "Complexity":1, "Points":1.0 }, { "UID":"CTI.2.3", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Relevance of Threat Intelligence", "Component ID":2, "Component Weight":0.25, "CTI CMM V1.2 Mapping":"Risk", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"How much does the threat intelligence relate to your organization?", "Question Tooltip":null, "Level Description":"In-house or organizationally-specific reporting", "Level Tooltip":null, "Level ID":3, "Question Type":"Checkboxes", "Impact":3, "Complexity":2, "Points":1.0 }, { "UID":"CTI.3.1", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Operational Integration of Threat Intelligence", "Component ID":3, "Component Weight":0.25, "CTI CMM V1.2 Mapping":"Access, Risk", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Scoping, Prioritization, Validation, Mobilization", "Question":"To what extent is threat intelligence integrated across your organization?", "Question Tooltip":null, "Level Description":"Reviewed by individuals or siloed teams", "Level Tooltip":null, "Level ID":1, "Question Type":"Checkboxes", "Impact":1, "Complexity":1, "Points":1.0 }, { "UID":"CTI.3.2", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Operational Integration of Threat Intelligence", "Component ID":3, "Component Weight":0.25, "CTI CMM V1.2 Mapping":"Access, Risk", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Scoping, Prioritization, Validation, Mobilization", "Question":"To what extent is threat intelligence integrated across your organization?", "Question Tooltip":null, "Level Description":"Integrated across different security teams", "Level Tooltip":null, "Level ID":2, "Question Type":"Checkboxes", "Impact":2, "Complexity":3, "Points":1.0 }, { "UID":"CTI.3.3", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Operational Integration of Threat Intelligence", "Component ID":3, "Component Weight":0.25, "CTI CMM V1.2 Mapping":"Access, Risk", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Scoping, Prioritization, Validation, Mobilization", "Question":"To what extent is threat intelligence integrated across your organization?", "Question Tooltip":null, "Level Description":"Contextualized and made actionable across entire organization", "Level Tooltip":null, "Level ID":3, "Question Type":"Checkboxes", "Impact":3, "Complexity":3, "Points":2.0 }, { "UID":"CTI.4.0", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Incorporation of CTI", "Component ID":4, "Component Weight":0.07, "CTI CMM V1.2 Mapping":"Asset, Situation, Response", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"How frequently are you incorporating threat intelligence into your organization’s workflows?", "Question Tooltip":null, "Level Description":"Never", "Level Tooltip":null, "Level ID":0, "Question Type":"Radio Buttons", "Impact":0, "Complexity":0, "Points":0.0 }, { "UID":"CTI.4.1", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Incorporation of CTI", "Component ID":4, "Component Weight":0.07, "CTI CMM V1.2 Mapping":"Asset, Situation, Response", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"How frequently are you incorporating threat intelligence into your organization’s workflows?", "Question Tooltip":null, "Level Description":"Intermittently", "Level Tooltip":null, "Level ID":1, "Question Type":"Radio Buttons", "Impact":1, "Complexity":1, "Points":0.0 }, { "UID":"CTI.4.2", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Incorporation of CTI", "Component ID":4, "Component Weight":0.07, "CTI CMM V1.2 Mapping":"Asset, Situation, Response", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"How frequently are you incorporating threat intelligence into your organization’s workflows?", "Question Tooltip":null, "Level Description":"Monthly", "Level Tooltip":null, "Level ID":2, "Question Type":"Radio Buttons", "Impact":1, "Complexity":1, "Points":1.0 }, { "UID":"CTI.4.3", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Incorporation of CTI", "Component ID":4, "Component Weight":0.07, "CTI CMM V1.2 Mapping":"Asset, Situation, Response", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"How frequently are you incorporating threat intelligence into your organization’s workflows?", "Question Tooltip":null, "Level Description":"Weekly", "Level Tooltip":null, "Level ID":3, "Question Type":"Radio Buttons", "Impact":2, "Complexity":2, "Points":2.0 }, { "UID":"CTI.4.4", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Incorporation of CTI", "Component ID":4, "Component Weight":0.07, "CTI CMM V1.2 Mapping":"Asset, Situation, Response", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"How frequently are you incorporating threat intelligence into your organization’s workflows?", "Question Tooltip":null, "Level Description":"Daily", "Level Tooltip":null, "Level ID":4, "Question Type":"Radio Buttons", "Impact":3, "Complexity":3, "Points":3.0 }, { "UID":"CTI.5.1", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Recency of CTI", "Component ID":5, "Component Weight":0.06, "CTI CMM V1.2 Mapping":"Asset, Situation, Response", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"How recent is the threat intelligence you use?", "Question Tooltip":null, "Level Description":"Unsure", "Level Tooltip":null, "Level ID":1, "Question Type":"Radio Buttons", "Impact":0, "Complexity":0, "Points":0.0 }, { "UID":"CTI.5.2", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Recency of CTI", "Component ID":5, "Component Weight":0.06, "CTI CMM V1.2 Mapping":"Asset, Situation, Response", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"How recent is the threat intelligence you use?", "Question Tooltip":null, "Level Description":"Within the past year", "Level Tooltip":null, "Level ID":2, "Question Type":"Radio Buttons", "Impact":1, "Complexity":1, "Points":1.0 }, { "UID":"CTI.5.3", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Recency of CTI", "Component ID":5, "Component Weight":0.06, "CTI CMM V1.2 Mapping":"Asset, Situation, Response", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"How recent is the threat intelligence you use?", "Question Tooltip":null, "Level Description":"Within the past month", "Level Tooltip":null, "Level ID":3, "Question Type":"Radio Buttons", "Impact":2, "Complexity":1, "Points":2.0 }, { "UID":"CTI.5.4", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Recency of CTI", "Component ID":5, "Component Weight":0.06, "CTI CMM V1.2 Mapping":"Asset, Situation, Response", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"How recent is the threat intelligence you use?", "Question Tooltip":null, "Level Description":"Within the past week", "Level Tooltip":null, "Level ID":4, "Question Type":"Radio Buttons", "Impact":3, "Complexity":1, "Points":3.0 }, { "UID":"CTI.6.1", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Speed of CTI Dissemination", "Component ID":6, "Component Weight":0.06, "CTI CMM V1.2 Mapping":"Asset, Situation, Response", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"How quickly is new threat intelligence - either internally created or externally sourced - processed and disseminated within your organization?", "Question Tooltip":null, "Level Description":"Not disseminated", "Level Tooltip":null, "Level ID":1, "Question Type":"Radio Buttons", "Impact":1, "Complexity":1, "Points":0.0 }, { "UID":"CTI.6.2", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Speed of CTI Dissemination", "Component ID":6, "Component Weight":0.06, "CTI CMM V1.2 Mapping":"Asset, Situation, Response", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"How quickly is new threat intelligence - either internally created or externally sourced - processed and disseminated within your organization?", "Question Tooltip":null, "Level Description":"Within a month", "Level Tooltip":null, "Level ID":2, "Question Type":"Radio Buttons", "Impact":1, "Complexity":1, "Points":0.0 }, { "UID":"CTI.6.3", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Speed of CTI Dissemination", "Component ID":6, "Component Weight":0.06, "CTI CMM V1.2 Mapping":"Asset, Situation, Response", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"How quickly is new threat intelligence - either internally created or externally sourced - processed and disseminated within your organization?", "Question Tooltip":null, "Level Description":"Within a week", "Level Tooltip":null, "Level ID":3, "Question Type":"Radio Buttons", "Impact":2, "Complexity":2, "Points":1.0 }, { "UID":"CTI.6.4", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"Speed of CTI Dissemination", "Component ID":6, "Component Weight":0.06, "CTI CMM V1.2 Mapping":"Asset, Situation, Response", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"How quickly is new threat intelligence - either internally created or externally sourced - processed and disseminated within your organization?", "Question Tooltip":null, "Level Description":"Within a day", "Level Tooltip":null, "Level ID":4, "Question Type":"Radio Buttons", "Impact":3, "Complexity":3, "Points":3.0 }, { "UID":"CTI.7.0", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"CTI Driven Decision Making", "Component ID":7, "Component Weight":0.06, "CTI CMM V1.2 Mapping":"Asset, Situation, Response", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"To what extent is CTI incorporated into decision making?", "Question Tooltip":null, "Level Description":"CTI is not considered", "Level Tooltip":null, "Level ID":0, "Question Type":"Radio Buttons", "Impact":0, "Complexity":0, "Points":0.0 }, { "UID":"CTI.7.1", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"CTI Driven Decision Making", "Component ID":7, "Component Weight":0.06, "CTI CMM V1.2 Mapping":"Asset, Situation, Response", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"To what extent is CTI incorporated into decision making?", "Question Tooltip":null, "Level Description":"CTI is considered, but not a driving factor", "Level Tooltip":null, "Level ID":1, "Question Type":"Radio Buttons", "Impact":1, "Complexity":1, "Points":1.0 }, { "UID":"CTI.7.2", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"CTI Driven Decision Making", "Component ID":7, "Component Weight":0.06, "CTI CMM V1.2 Mapping":"Asset, Situation, Response", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"To what extent is CTI incorporated into decision making?", "Question Tooltip":null, "Level Description":"CTI is strongly weighted for cybersecurity decisions", "Level Tooltip":null, "Level ID":2, "Question Type":"Radio Buttons", "Impact":2, "Complexity":2, "Points":2.0 }, { "UID":"CTI.7.3", "Dimension":"Cyber Threat Intelligence", "Dimension ID":"CTI", "Dimension Weight":0.35, "Component":"CTI Driven Decision Making", "Component ID":7, "Component Weight":0.06, "CTI CMM V1.2 Mapping":"Asset, Situation, Response", "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Prioritization", "Question":"To what extent is CTI incorporated into decision making?", "Question Tooltip":null, "Level Description":"CTI is strongly weighted for cybersecurity and business decisions", "Level Tooltip":null, "Level ID":3, "Question Type":"Radio Buttons", "Impact":3, "Complexity":3, "Points":6.0 }, { "UID":"DM.1.1", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Data Collection", "Component ID":1, "Component Weight":0.08, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"T.1 (SIEM\/UEBA, T.2 (NDR), T.3 (EDR), T.4 (SOAR), S.7 (Log Management)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":null, "Question":"To what extent is data collected, stored, and accessible?", "Question Tooltip":null, "Level Description":"Logs are collected and stored for at least 90 days", "Level Tooltip":null, "Level ID":1, "Question Type":"Checkboxes", "Impact":3, "Complexity":2, "Points":2.0 }, { "UID":"DM.1.2", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Data Collection", "Component ID":1, "Component Weight":0.08, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"T.1 (SIEM\/UEBA, T.2 (NDR), T.3 (EDR), T.4 (SOAR), S.7 (Log Management)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":null, "Question":"To what extent is data collected, stored, and accessible?", "Question Tooltip":null, "Level Description":"Logs are tagged for indexing", "Level Tooltip":null, "Level ID":2, "Question Type":"Checkboxes", "Impact":3, "Complexity":1, "Points":2.0 }, { "UID":"DM.1.3", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Data Collection", "Component ID":1, "Component Weight":0.08, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"T.1 (SIEM\/UEBA, T.2 (NDR), T.3 (EDR), T.4 (SOAR), S.7 (Log Management)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":null, "Question":"To what extent is data collected, stored, and accessible?", "Question Tooltip":null, "Level Description":"Logs are collected from multiple sensor types", "Level Tooltip":null, "Level ID":3, "Question Type":"Checkboxes", "Impact":3, "Complexity":2, "Points":2.0 }, { "UID":"DM.2.1", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Risk Assessments", "Component ID":2, "Component Weight":0.08, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"B.4 (Governance), S.6 (Vulnerability Management)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Scoping, Discovery, Prioritization", "Question":"To what extent are risk assessments performed and operationally useful to your organization?", "Question Tooltip":null, "Level Description":"Perform formal risk assessments at least annually", "Level Tooltip":null, "Level ID":1, "Question Type":"Checkboxes", "Impact":2, "Complexity":3, "Points":1.0 }, { "UID":"DM.2.2", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Risk Assessments", "Component ID":2, "Component Weight":0.08, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"B.4 (Governance), S.6 (Vulnerability Management)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Scoping, Discovery, Prioritization", "Question":"To what extent are risk assessments performed and operationally useful to your organization?", "Question Tooltip":null, "Level Description":"Results are used operationally, with measures taken to harden security posture based on findings", "Level Tooltip":null, "Level ID":2, "Question Type":"Checkboxes", "Impact":3, "Complexity":3, "Points":2.0 }, { "UID":"DM.2.3", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Risk Assessments", "Component ID":2, "Component Weight":0.08, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"B.4 (Governance), S.6 (Vulnerability Management)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Scoping, Discovery, Prioritization", "Question":"To what extent are risk assessments performed and operationally useful to your organization?", "Question Tooltip":null, "Level Description":"Assessment is focused on metrics and assets tailored to the organization’s need, informed by CTI team", "Level Tooltip":null, "Level ID":3, "Question Type":"Checkboxes", "Impact":3, "Complexity":3, "Points":4.0 }, { "UID":"DM.3.1", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Attack Surface Scoping", "Component ID":3, "Component Weight":0.08, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"S.7 (Log Management), T.3 (EDR), Pr.2 (Operationsand Facilities), T.1 (SIEM\/UEBA), T.2 (NDR)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Scoping, Discovery, Prioritization", "Question":"To what extent is your attack surface mapped out, understood and prioritized?", "Question Tooltip":null, "Level Description":"No mapping of attack surfaces", "Level Tooltip":null, "Level ID":1, "Question Type":"Radio Buttons", "Impact":0, "Complexity":0, "Points":0.0 }, { "UID":"DM.3.2", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Attack Surface Scoping", "Component ID":3, "Component Weight":0.08, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"S.7 (Log Management), T.3 (EDR), Pr.2 (Operationsand Facilities), T.1 (SIEM\/UEBA), T.2 (NDR)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Scoping, Discovery, Prioritization", "Question":"To what extent is your attack surface mapped out, understood and prioritized?", "Question Tooltip":null, "Level Description":"Attack surfaces are mapped", "Level Tooltip":null, "Level ID":2, "Question Type":"Radio Buttons", "Impact":1, "Complexity":1, "Points":1.0 }, { "UID":"DM.3.3", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Attack Surface Scoping", "Component ID":3, "Component Weight":0.08, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"S.7 (Log Management), T.3 (EDR), Pr.2 (Operationsand Facilities), T.1 (SIEM\/UEBA), T.2 (NDR)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Scoping, Discovery, Prioritization", "Question":"To what extent is your attack surface mapped out, understood and prioritized?", "Question Tooltip":null, "Level Description":"Attack surfaces are mapped and periodically reviewed", "Level Tooltip":null, "Level ID":3, "Question Type":"Radio Buttons", "Impact":2, "Complexity":2, "Points":2.0 }, { "UID":"DM.3.4", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Attack Surface Scoping", "Component ID":3, "Component Weight":0.08, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"S.7 (Log Management), T.3 (EDR), Pr.2 (Operationsand Facilities), T.1 (SIEM\/UEBA), T.2 (NDR)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Scoping, Discovery, Prioritization", "Question":"To what extent is your attack surface mapped out, understood and prioritized?", "Question Tooltip":null, "Level Description":"Attack surfaces are mapped and prioritized periodically", "Level Tooltip":null, "Level ID":4, "Question Type":"Radio Buttons", "Impact":3, "Complexity":3, "Points":3.0 }, { "UID":"DM.4.1", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Detection Rules", "Component ID":4, "Component Weight":0.12, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"Pr.5 (Detection Engineering & Validation)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Validation, Mobilization", "Question":"How does your organization manage detection rules?", "Question Tooltip":null, "Level Description":"Import rules from external source", "Level Tooltip":null, "Level ID":1, "Question Type":"Checkboxes", "Impact":2, "Complexity":1, "Points":1.0 }, { "UID":"DM.4.2", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Detection Rules", "Component ID":4, "Component Weight":0.12, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"Pr.5 (Detection Engineering & Validation)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Validation, Mobilization", "Question":"How does your organization manage detection rules?", "Question Tooltip":null, "Level Description":"Tune imported detection rules", "Level Tooltip":null, "Level ID":2, "Question Type":"Checkboxes", "Impact":3, "Complexity":2, "Points":2.0 }, { "UID":"DM.4.3", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Detection Rules", "Component ID":4, "Component Weight":0.12, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"Pr.5 (Detection Engineering & Validation)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Validation, Mobilization", "Question":"How does your organization manage detection rules?", "Question Tooltip":null, "Level Description":"Detection rules are correlated with attack surfaces", "Level Tooltip":null, "Level ID":3, "Question Type":"Checkboxes", "Impact":3, "Complexity":2, "Points":2.0 }, { "UID":"DM.4.4", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Detection Rules", "Component ID":4, "Component Weight":0.12, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"Pr.5 (Detection Engineering & Validation)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Validation, Mobilization", "Question":"How does your organization manage detection rules?", "Question Tooltip":null, "Level Description":"Detection rules are implemented based on business priorities", "Level Tooltip":null, "Level ID":4, "Question Type":"Checkboxes", "Impact":3, "Complexity":3, "Points":3.0 }, { "UID":"DM.5.1", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Detection Rule Metadata", "Component ID":5, "Component Weight":0.09, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"T.1 (SIEM\/UEBA), T.2 (NDR), T.3 (EDR), Pr.4 (Use Case Management), S.7 (Log Management)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Mobilization", "Question":"What metadata are your detection rules annotated with that can help contextualize their alerts?", "Question Tooltip":null, "Level Description":"Behavioral description", "Level Tooltip":null, "Level ID":1, "Question Type":"Checkboxes", "Impact":2, "Complexity":2, "Points":0.5 }, { "UID":"DM.5.2", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Detection Rule Metadata", "Component ID":5, "Component Weight":0.09, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"T.1 (SIEM\/UEBA), T.2 (NDR), T.3 (EDR), Pr.4 (Use Case Management), S.7 (Log Management)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Mobilization", "Question":"What metadata are your detection rules annotated with that can help contextualize their alerts?", "Question Tooltip":null, "Level Description":"Quantitative metrics", "Level Tooltip":null, "Level ID":2, "Question Type":"Checkboxes", "Impact":2, "Complexity":2, "Points":0.5 }, { "UID":"DM.5.3", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Detection Rule Metadata", "Component ID":5, "Component Weight":0.09, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"T.1 (SIEM\/UEBA), T.2 (NDR), T.3 (EDR), Pr.4 (Use Case Management), S.7 (Log Management)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Mobilization", "Question":"What metadata are your detection rules annotated with that can help contextualize their alerts?", "Question Tooltip":null, "Level Description":"Frameworks and other standardizations", "Level Tooltip":null, "Level ID":3, "Question Type":"Checkboxes", "Impact":2, "Complexity":2, "Points":0.5 }, { "UID":"DM.5.4", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Detection Rule Metadata", "Component ID":5, "Component Weight":0.09, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"T.1 (SIEM\/UEBA), T.2 (NDR), T.3 (EDR), Pr.4 (Use Case Management), S.7 (Log Management)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Mobilization", "Question":"What metadata are your detection rules annotated with that can help contextualize their alerts?", "Question Tooltip":null, "Level Description":"Associated malware, threat groups, or campaigns", "Level Tooltip":null, "Level ID":4, "Question Type":"Checkboxes", "Impact":2, "Complexity":2, "Points":0.5 }, { "UID":"DM.6.0", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Propagation between CTI and Detections", "Component ID":6, "Component Weight":0.09, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"S.1 (Security Monitoring), S.4 (Threat Intelligence)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Mobilization", "Question":"How long does it take on average to ingest new intelligence into your detection ruleset?", "Question Tooltip":null, "Level Description":"New intelligence is not ingested", "Level Tooltip":null, "Level ID":0, "Question Type":"Radio Buttons", "Impact":0, "Complexity":0, "Points":0.0 }, { "UID":"DM.6.1", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Propagation between CTI and Detections", "Component ID":6, "Component Weight":0.09, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"S.1 (Security Monitoring), S.4 (Threat Intelligence)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Mobilization", "Question":"How long does it take on average to ingest new intelligence into your detection ruleset?", "Question Tooltip":null, "Level Description":"Within a month", "Level Tooltip":null, "Level ID":1, "Question Type":"Radio Buttons", "Impact":1, "Complexity":1, "Points":1.0 }, { "UID":"DM.6.2", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Propagation between CTI and Detections", "Component ID":6, "Component Weight":0.09, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"S.1 (Security Monitoring), S.4 (Threat Intelligence)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Mobilization", "Question":"How long does it take on average to ingest new intelligence into your detection ruleset?", "Question Tooltip":null, "Level Description":"Within a week", "Level Tooltip":null, "Level ID":2, "Question Type":"Radio Buttons", "Impact":2, "Complexity":2, "Points":1.0 }, { "UID":"DM.6.3", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Propagation between CTI and Detections", "Component ID":6, "Component Weight":0.09, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"S.1 (Security Monitoring), S.4 (Threat Intelligence)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Mobilization", "Question":"How long does it take on average to ingest new intelligence into your detection ruleset?", "Question Tooltip":null, "Level Description":"Within a day", "Level Tooltip":null, "Level ID":3, "Question Type":"Radio Buttons", "Impact":3, "Complexity":2, "Points":3.0 }, { "UID":"DM.6.4", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Propagation between CTI and Detections", "Component ID":6, "Component Weight":0.09, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"S.1 (Security Monitoring), S.4 (Threat Intelligence)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Mobilization", "Question":"How long does it take on average to ingest new intelligence into your detection ruleset?", "Question Tooltip":null, "Level Description":"Within an hour", "Level Tooltip":null, "Level ID":4, "Question Type":"Radio Buttons", "Impact":3, "Complexity":3, "Points":5.0 }, { "UID":"DM.7.1", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Incident Response", "Component ID":7, "Component Weight":0.15, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"S.2 (Security Incident Management)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Mobilization", "Question":"How does your organization respond to an active threat?", "Question Tooltip":null, "Level Description":"Reactive to alerts, containment-focused", "Level Tooltip":null, "Level ID":1, "Question Type":"Checkboxes", "Impact":3, "Complexity":2, "Points":5.0 }, { "UID":"DM.7.2", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Incident Response", "Component ID":7, "Component Weight":0.15, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"S.2 (Security Incident Management)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Mobilization", "Question":"How does your organization respond to an active threat?", "Question Tooltip":null, "Level Description":"Playbook-enabled, some automation for lower-level or repeated threats", "Level Tooltip":null, "Level ID":2, "Question Type":"Checkboxes", "Impact":3, "Complexity":2, "Points":1.0 }, { "UID":"DM.7.3", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Incident Response", "Component ID":7, "Component Weight":0.15, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"S.2 (Security Incident Management)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Mobilization", "Question":"How does your organization respond to an active threat?", "Question Tooltip":null, "Level Description":"Responsive actions are informed by knowledge of likely threat actors and expected TTPs", "Level Tooltip":null, "Level ID":3, "Question Type":"Checkboxes", "Impact":3, "Complexity":3, "Points":3.0 }, { "UID":"DM.8.1", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Incident Recovery and Forensics", "Component ID":8, "Component Weight":0.15, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"S.2 (Security Incident Management)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Mobilization", "Question":"How does your organization recover from adverse incidents?", "Question Tooltip":null, "Level Description":"Ad-hoc or informal digital forensics capabilities", "Level Tooltip":null, "Level ID":1, "Question Type":"Radio Buttons", "Impact":3, "Complexity":2, "Points":0.5 }, { "UID":"DM.8.2", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Incident Recovery and Forensics", "Component ID":8, "Component Weight":0.15, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"S.2 (Security Incident Management)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Mobilization", "Question":"How does your organization recover from adverse incidents?", "Question Tooltip":null, "Level Description":"Documented and standardized forensic processes in place", "Level Tooltip":null, "Level ID":2, "Question Type":"Radio Buttons", "Impact":3, "Complexity":3, "Points":1.0 }, { "UID":"DM.8.3", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Incident Recovery and Forensics", "Component ID":8, "Component Weight":0.15, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"S.2 (Security Incident Management)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Mobilization", "Question":"How does your organization recover from adverse incidents?", "Question Tooltip":null, "Level Description":"Threat intelligence feeds are used to link forensic findings to specific threat actors\/groups", "Level Tooltip":null, "Level ID":3, "Question Type":"Radio Buttons", "Impact":3, "Complexity":1, "Points":3.0 }, { "UID":"DM.9.1", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Threat Hunting", "Component ID":9, "Component Weight":0.1, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"S.5 (Threat Hunting)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Validation", "Question":"How does your organization actively search out threat actors?", "Question Tooltip":null, "Level Description":"Ad-hoc or informal threat hunts triggered by observed activity", "Level Tooltip":null, "Level ID":1, "Question Type":"Checkboxes", "Impact":2, "Complexity":2, "Points":0.5 }, { "UID":"DM.9.2", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Threat Hunting", "Component ID":9, "Component Weight":0.1, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"S.5 (Threat Hunting)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Validation", "Question":"How does your organization actively search out threat actors?", "Question Tooltip":null, "Level Description":"Hunts are conducted based on known\/reported relevant vulnerabilities", "Level Tooltip":null, "Level ID":2, "Question Type":"Checkboxes", "Impact":3, "Complexity":2, "Points":1.5 }, { "UID":"DM.9.3", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Threat Hunting", "Component ID":9, "Component Weight":0.1, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"S.5 (Threat Hunting)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":"Validation", "Question":"How does your organization actively search out threat actors?", "Question Tooltip":null, "Level Description":"Formal threat hunts are proactively conducted based on knowledge of likely adversary behaviors", "Level Tooltip":null, "Level ID":3, "Question Type":"Checkboxes", "Impact":3, "Complexity":1, "Points":3.0 }, { "UID":"DM.10.1", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Deception", "Component ID":10, "Component Weight":0.05, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"T.3 (EDR)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":null, "Question":"To what extent does your organization seek to deceive future threats and keep them from useable\/valuable data as defined in MITRE Engage?", "Question Tooltip":null, "Level Description":"Some lures or pocket litter", "Level Tooltip":null, "Level ID":1, "Question Type":"Checkboxes", "Impact":1, "Complexity":2, "Points":1.0 }, { "UID":"DM.10.2", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Deception", "Component ID":10, "Component Weight":0.05, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"T.3 (EDR)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":null, "Question":"To what extent does your organization seek to deceive future threats and keep them from useable\/valuable data as defined in MITRE Engage?", "Question Tooltip":null, "Level Description":"Disinformation spread", "Level Tooltip":"As discussed in NIST SP 800-160 Vol 2, this refers to intentionally spreading disinformation to adversaries (e.g., posting false information about a system to public forums, creating decoy accounts and credentials).", "Level ID":2, "Question Type":"Checkboxes", "Impact":2, "Complexity":3, "Points":2.0 }, { "UID":"DM.10.3", "Dimension":"Defensive Measures", "Dimension ID":"DM", "Dimension Weight":0.4, "Component":"Deception", "Component ID":10, "Component Weight":0.05, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":"T.3 (EDR)", "Red Team CMM V1 Mapping":null, "CTEM Mapping":null, "Question":"To what extent does your organization seek to deceive future threats and keep them from useable\/valuable data as defined in MITRE Engage?", "Question Tooltip":null, "Level Description":"Full-scale honeynet", "Level Tooltip":null, "Level ID":3, "Question Type":"Checkboxes", "Impact":2, "Complexity":3, "Points":3.0 }, { "UID":"TE.1.1", "Dimension":"Test & Evaluation", "Dimension ID":"TE", "Dimension Weight":0.25, "Component":"Test Focus", "Component ID":1, "Component Weight":0.25, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":"Operational Planning and Selection, Work Management, Program Strategy", "CTEM Mapping":"Validation", "Question":"What is the focus of your organization’s testing?", "Question Tooltip":null, "Level Description":"Testing is compliance-focused, e.g. security control assessment", "Level Tooltip":"Security control assessments evaluate whether security controls are functioning as intended.", "Level ID":1, "Question Type":"Checkboxes", "Impact":2, "Complexity":1, "Points":1.0 }, { "UID":"TE.1.2", "Dimension":"Test & Evaluation", "Dimension ID":"TE", "Dimension Weight":0.25, "Component":"Test Focus", "Component ID":1, "Component Weight":0.25, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":"Operational Planning and Selection, Work Management, Program Strategy", "CTEM Mapping":"Validation", "Question":"What is the focus of your organization’s testing?", "Question Tooltip":null, "Level Description":"Testing is IOC-focused, e.g. vulnerability assessment, commodity tools", "Level Tooltip":"Commodity tools are off-the-shelf solutions that enable pen testing or red team activities using software that is well-known and easily detected.", "Level ID":2, "Question Type":"Checkboxes", "Impact":2, "Complexity":2, "Points":1.0 }, { "UID":"TE.1.3", "Dimension":"Test & Evaluation", "Dimension ID":"TE", "Dimension Weight":0.25, "Component":"Test Focus", "Component ID":1, "Component Weight":0.25, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":"Operational Planning and Selection, Work Management, Program Strategy", "CTEM Mapping":"Validation", "Question":"What is the focus of your organization’s testing?", "Question Tooltip":null, "Level Description":"Testing is behavior-focused, executing a single procedure of ATT&CK techniques", "Level Tooltip":"Most ATT&CK techniques have multiple procedures that accomplish the same behavior. For example, Scheduled Tasks can be accomplished through both schtasks.exe and the Task Scheduler.", "Level ID":3, "Question Type":"Checkboxes", "Impact":2, "Complexity":3, "Points":2.0 }, { "UID":"TE.1.4", "Dimension":"Test & Evaluation", "Dimension ID":"TE", "Dimension Weight":0.25, "Component":"Test Focus", "Component ID":1, "Component Weight":0.25, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":"Operational Planning and Selection, Work Management, Program Strategy", "CTEM Mapping":"Validation", "Question":"What is the focus of your organization’s testing?", "Question Tooltip":null, "Level Description":"Testing is behavior-focused, executing multiple procedures of a technique, perhaps using custom tooling", "Level Tooltip":null, "Level ID":4, "Question Type":"Checkboxes", "Impact":3, "Complexity":3, "Points":3.0 }, { "UID":"TE.2.1", "Dimension":"Test & Evaluation", "Dimension ID":"TE", "Dimension Weight":0.25, "Component":"Test Planning", "Component ID":2, "Component Weight":0.1, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":"Operational Planning and Selection, Work Management, Program Strategy", "CTEM Mapping":"Validation", "Question":"How are tests planned within your organization?", "Question Tooltip":"Refer to Continuous Threat Exposure Management (CTEM) for deeper insight into aligning testing to the most impactful and likely threats.", "Level Description":"Testing is designed to discover detection gaps and validate coverage for your attack surface", "Level Tooltip":null, "Level ID":1, "Question Type":"Checkboxes", "Impact":2, "Complexity":2, "Points":1.0 }, { "UID":"TE.2.2", "Dimension":"Test & Evaluation", "Dimension ID":"TE", "Dimension Weight":0.25, "Component":"Test Planning", "Component ID":2, "Component Weight":0.1, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":"Operational Planning and Selection, Work Management, Program Strategy", "CTEM Mapping":"Validation", "Question":"How are tests planned within your organization?", "Question Tooltip":"Refer to Continuous Threat Exposure Management (CTEM) for deeper insight into aligning testing to the most impactful and likely threats.", "Level Description":"Testing methodology is informed and prioritized by the threats and risks most relevant to your organization", "Level Tooltip":null, "Level ID":2, "Question Type":"Checkboxes", "Impact":2, "Complexity":2, "Points":1.0 }, { "UID":"TE.2.3", "Dimension":"Test & Evaluation", "Dimension ID":"TE", "Dimension Weight":0.25, "Component":"Test Planning", "Component ID":2, "Component Weight":0.1, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":"Operational Planning and Selection, Work Management, Program Strategy", "CTEM Mapping":"Validation", "Question":"How are tests planned within your organization?", "Question Tooltip":"Refer to Continuous Threat Exposure Management (CTEM) for deeper insight into aligning testing to the most impactful and likely threats.", "Level Description":"Testing is collaboratively planned with defenders, to include security response and remediation components", "Level Tooltip":null, "Level ID":3, "Question Type":"Checkboxes", "Impact":3, "Complexity":3, "Points":1.0 }, { "UID":"TE.2.4", "Dimension":"Test & Evaluation", "Dimension ID":"TE", "Dimension Weight":0.25, "Component":"Test Planning", "Component ID":2, "Component Weight":0.1, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":"Operational Planning and Selection, Work Management, Program Strategy", "CTEM Mapping":"Validation", "Question":"How are tests planned within your organization?", "Question Tooltip":"Refer to Continuous Threat Exposure Management (CTEM) for deeper insight into aligning testing to the most impactful and likely threats.", "Level Description":"Testing is linked to organizational metrics or key performance indicators (KPIs) to measure effectiveness in discovering gaps, validating coverage, and performing incident response and remediation", "Level Tooltip":"Example KPIs: time to initial access, time to detection, time from initial access to lateral movement, number of vulnerabilities identified, % of detection evasion, % of recommendations remediated", "Level ID":4, "Question Type":"Checkboxes", "Impact":2, "Complexity":3, "Points":1.0 }, { "UID":"TE.3.1", "Dimension":"Test & Evaluation", "Dimension ID":"TE", "Dimension Weight":0.25, "Component":"Test Relevance", "Component ID":3, "Component Weight":0.15, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":"Operational Planning and Selection, Work Management, Program Strategy, Knowledge Sharing, Metrics", "CTEM Mapping":"Validation", "Question":"How quickly is new CTI incorporated into your testing?", "Question Tooltip":null, "Level Description":"Not CTI Driven or only relying on outdated CTI", "Level Tooltip":null, "Level ID":1, "Question Type":"Radio Buttons", "Impact":1, "Complexity":1, "Points":0.0 }, { "UID":"TE.3.2", "Dimension":"Test & Evaluation", "Dimension ID":"TE", "Dimension Weight":0.25, "Component":"Test Relevance", "Component ID":3, "Component Weight":0.15, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":"Operational Planning and Selection, Work Management, Program Strategy, Knowledge Sharing, Metrics", "CTEM Mapping":"Validation", "Question":"How quickly is new CTI incorporated into your testing?", "Question Tooltip":null, "Level Description":"Within a month", "Level Tooltip":null, "Level ID":2, "Question Type":"Radio Buttons", "Impact":1, "Complexity":1, "Points":1.0 }, { "UID":"TE.3.3", "Dimension":"Test & Evaluation", "Dimension ID":"TE", "Dimension Weight":0.25, "Component":"Test Relevance", "Component ID":3, "Component Weight":0.15, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":"Operational Planning and Selection, Work Management, Program Strategy, Knowledge Sharing, Metrics", "CTEM Mapping":"Validation", "Question":"How quickly is new CTI incorporated into your testing?", "Question Tooltip":null, "Level Description":"Within a week", "Level Tooltip":null, "Level ID":3, "Question Type":"Radio Buttons", "Impact":2, "Complexity":2, "Points":2.0 }, { "UID":"TE.3.4", "Dimension":"Test & Evaluation", "Dimension ID":"TE", "Dimension Weight":0.25, "Component":"Test Relevance", "Component ID":3, "Component Weight":0.15, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":"Operational Planning and Selection, Work Management, Program Strategy, Knowledge Sharing, Metrics", "CTEM Mapping":"Validation", "Question":"How quickly is new CTI incorporated into your testing?", "Question Tooltip":null, "Level Description":"Within a day", "Level Tooltip":null, "Level ID":4, "Question Type":"Radio Buttons", "Impact":3, "Complexity":3, "Points":3.0 }, { "UID":"TE.4.2", "Dimension":"Test & Evaluation", "Dimension ID":"TE", "Dimension Weight":0.25, "Component":"Test Triggers", "Component ID":4, "Component Weight":0.2, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":"Process Continuous Improvement, Operational Approvals, Operational Planning and Selection", "CTEM Mapping":"Validation", "Question":"Are tests planned proactively or reactively? ", "Question Tooltip":null, "Level Description":"Reactive to internal security events", "Level Tooltip":null, "Level ID":1, "Question Type":"Checkboxes", "Impact":3, "Complexity":3, "Points":1.0 }, { "UID":"TE.4.1", "Dimension":"Test & Evaluation", "Dimension ID":"TE", "Dimension Weight":0.25, "Component":"Test Triggers", "Component ID":4, "Component Weight":0.2, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":"Process Continuous Improvement, Operational Approvals, Operational Planning and Selection", "CTEM Mapping":"Validation", "Question":"Are tests planned proactively or reactively? ", "Question Tooltip":null, "Level Description":"Reactive to external security events", "Level Tooltip":null, "Level ID":2, "Question Type":"Checkboxes", "Impact":2, "Complexity":3, "Points":1.0 }, { "UID":"TE.4.3", "Dimension":"Test & Evaluation", "Dimension ID":"TE", "Dimension Weight":0.25, "Component":"Test Triggers", "Component ID":4, "Component Weight":0.2, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":"Process Continuous Improvement, Operational Approvals, Operational Planning and Selection", "CTEM Mapping":"Validation", "Question":"Are tests planned proactively or reactively? ", "Question Tooltip":null, "Level Description":"Testing is proactively planned on a periodic basis", "Level Tooltip":null, "Level ID":3, "Question Type":"Checkboxes", "Impact":2, "Complexity":3, "Points":2.0 }, { "UID":"TE.4.4", "Dimension":"Test & Evaluation", "Dimension ID":"TE", "Dimension Weight":0.25, "Component":"Test Triggers", "Component ID":4, "Component Weight":0.2, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":"Process Continuous Improvement, Operational Approvals, Operational Planning and Selection", "CTEM Mapping":"Validation", "Question":"Are tests planned proactively or reactively? ", "Question Tooltip":null, "Level Description":"Testing is proactively planned on a continuous basis", "Level Tooltip":null, "Level ID":4, "Question Type":"Checkboxes", "Impact":3, "Complexity":3, "Points":3.0 }, { "UID":"TE.5.1", "Dimension":"Test & Evaluation", "Dimension ID":"TE", "Dimension Weight":0.25, "Component":"Test Results", "Component ID":5, "Component Weight":0.3, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":"Program Knowledge Sharing, People Various Relationships, Operation Reporting", "CTEM Mapping":"Mobilization", "Question":"How do test results drive improvements in defensive measures?", "Question Tooltip":null, "Level Description":"Actions are taken with internal security team to remediate individual hosts", "Level Tooltip":null, "Level ID":1, "Question Type":"Checkboxes", "Impact":2, "Complexity":1, "Points":1.0 }, { "UID":"TE.5.2", "Dimension":"Test & Evaluation", "Dimension ID":"TE", "Dimension Weight":0.25, "Component":"Test Results", "Component ID":5, "Component Weight":0.3, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":"Program Knowledge Sharing, People Various Relationships, Operation Reporting", "CTEM Mapping":"Mobilization", "Question":"How do test results drive improvements in defensive measures?", "Question Tooltip":null, "Level Description":"Findings drive detection and architectural changes", "Level Tooltip":"Architectural changes improve the design of systems or networks to enhance security, e.g. strengthening key management, isolating critical subnets through network segmentation.", "Level ID":2, "Question Type":"Checkboxes", "Impact":3, "Complexity":3, "Points":2.0 }, { "UID":"TE.5.3", "Dimension":"Test & Evaluation", "Dimension ID":"TE", "Dimension Weight":0.25, "Component":"Test Results", "Component ID":5, "Component Weight":0.3, "CTI CMM V1.2 Mapping":null, "SOC CMM V2.3.4 Mapping":null, "Red Team CMM V1 Mapping":"Program Knowledge Sharing, People Various Relationships, Operation Reporting", "CTEM Mapping":"Mobilization", "Question":"How do test results drive improvements in defensive measures?", "Question Tooltip":null, "Level Description":"Findings drive organizational or policy changes", "Level Tooltip":"Organizational decisions are made based on the results of security testing, e.g. business strategy shifts, changes in hiring or training.", "Level ID":3, "Question Type":"Checkboxes", "Impact":3, "Complexity":3, "Points":3.0 } ]