Add threats to catalog

[funnelfiasco]

Similar to the FINOS Common Cloud Controls, we should add a catalog of threats that we tie Baseline controls to. From there, we can validate the applicability of controls, including controls that are missing, extraneous, or misaligned.

(Assigning to Eddie for overall coordination, but there's a lot of work to share among the team)

[SecurityCRob]

love the idea. patches welcome to get this rolling. i'll tinker with it once I get the new regs mapped and proposed for merge

[eddie-knight]

Met with @funnelfiasco and @evankanderson last week to make sure that everyone is familiar with how Gemara layer2 threats are cataloged.