Tech Man

MITRE MATRIX (Enterprise) VISUALIZER

Updated: Jul 30, 2023




What is the MITRE ATT&CK framework

The MITRE ATT&CK framework (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base of adversary behavior built from real-world observations. Security professionals use it to understand and defend against cyberattacks [1]. The framework is organized around tactics and techniques: a tactic is the high-level goal an adversary is trying to achieve (for example, initial access or lateral movement), while a technique is a specific action an adversary takes to achieve that tactic. Beyond tactics and techniques, ATT&CK also documents the threat groups that use them and other resources, such as descriptions of the malware and software they deploy. Understanding which tactics and techniques adversaries use helps security professionals develop more effective defenses against them.




What is MITRE ATT&CK® Navigator

MITRE ATT&CK® Navigator is a web-based tool for visualizing and exploring the MITRE ATT&CK® knowledge base in order to identify the tactics and techniques that adversaries use [2]. One can visualize an adversary's tactics and techniques by manually annotating ATT&CK matrices in Navigator. Alternatively, the annotation can be automated in Python with the attackcti library [3][4]. attackcti is a Python module for accessing up-to-date ATT&CK content published in STIX format via a public TAXII server; it leverages classes and functions from the cti-python-stix2 and cti-taxii-client libraries developed by MITRE.



What is the Mitre Matrix (Enterprise) Visualizer

The Mitre Matrix Visualizer is a simple tool for automatically annotating the ATT&CK Enterprise matrix to visualize the tactics and techniques of adversaries or malware. It is written in Python, but it uses neither MITRE ATT&CK® Navigator nor the attackcti library. Instead, it relies on an Excel template that replicates the MITRE Matrix (Enterprise), and uses the openpyxl library to highlight the given ATT&CK techniques, writing the result out as a separate Excel workbook. Because it is a simple tool, it cannot visualize sub-techniques. The author has also extended the tool with a feature to compare the tactics and techniques of two different adversaries or malware families, and has created GUI versions of the tools using the PySimpleGUI library. The code can be found in this GitHub repository.



How to use the Mitre Matrix (Enterprise) Visualizer (non-GUI version)?


1.) Download the code repository and unzip it to a local directory of your choice. Note that the ATT&CK Enterprise matrix Excel template (mitre_matrix_template.xlsx) must be in the same directory as the Python code for the tool to work.

2.) Install the following required Python libraries if you do not already have them:

  • pandas

  • openpyxl

  • PySimpleGUI (only for the GUI version of the program)

3.) You can then run the tool from the command line or from an IDE such as PyCharm. The first thing the tool asks for is the name of the APT or malware, which is used in the output filename.


4.) Get the MITRE ATT&CK technique IDs. For example, you can copy the technique IDs of LockBit from this site.

5.) Input the MITRE ATT&CK technique IDs, and the tool generates the MITRE Matrix (Enterprise) as an Excel document in the same directory as the tool. The filename of the Excel document contains the APT or malware name entered earlier, as shown below.

6.) Open the output Excel document and you will see a MITRE Matrix (Enterprise) with the techniques of the APT or malware highlighted. The cells are hyperlinked: hovering over a highlighted cell shows the MITRE URL of that technique, and clicking it opens the MITRE page with more information on the technique.


How to use the Mitre Matrix (Enterprise) Visualizer (GUI version)?

The steps are the same as for the non-GUI version above, except for the input method. Once the tool is launched, a GUI appears asking the user to browse to the MITRE ATT&CK technique ID file and to specify the output file path and name. The technique ID file must be in Excel format (.xlsx), as shown in the screenshot below. As with the non-GUI version, the MITRE Matrix (Enterprise) is generated as an Excel document when the "Submit for processing" button is pressed.


How to use the Mitre Matrix (Enterprise) Visualizer Compare Tool?

The steps are the same as described above, except that the user now inputs two sets of MITRE ATT&CK technique IDs, and the output Excel document shows the following:

  • The common (overlapping) techniques are highlighted in orange.

  • Techniques only in the first set are highlighted in yellow.

  • Techniques only in the second set are highlighted in green.

  • The output Excel document filename includes the names of both the first and the second APT/malware.
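To make the approach behind both the single-adversary steps above and the compare tool concrete, here is an added Python example of the same openpyxl technique. It is not the Visualizer's own code (which lives in the author's GitHub repository), and it makes a few assumptions: a toy template whose cells simply hold technique IDs such as T1059 (the real mitre_matrix_template.xlsx has all tactic columns), hex values for the yellow/green/orange fills, and an output-filename scheme (mitre_matrix_<name>.xlsx, or <name1>_vs_<name2> for a comparison) that mirrors the post's description but is invented here. The function names are likewise hypothetical. A single-adversary run is just the compare case with an empty second set. Two details a practitioner would want that the post does not spell out: sub-technique IDs (T1059.001) are collapsed to their parent because the template has no sub-technique cells, and the user-supplied APT/malware name is sanitized before it becomes part of a filename.

```python
"""Annotate a MITRE ATT&CK Enterprise matrix workbook with openpyxl.

Added example, not the Mitre Matrix (Enterprise) Visualizer's own code.
Assumes a template whose cells hold technique IDs (hypothetical layout).
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Technique IDs look like T1059 (technique) or T1059.001 (sub-technique).
TECHNIQUE_RE = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")
ATTACK_TECHNIQUE_URL = "https://attack.mitre.org/techniques/{}/"

# Colours follow the compare tool's description; the hex values are assumed.
FILL_FIRST_ONLY = "FFFF00"   # yellow: only in the first set
FILL_SECOND_ONLY = "00FF00"  # green: only in the second set
FILL_BOTH = "FFA500"         # orange: in both sets


def parse_technique_ids(raw: Iterable[str]) -> Tuple[Set[str], Set[str], List[str]]:
    """Normalise user-supplied IDs into (parent_ids, subtechniques_seen, invalid).

    The template only has technique-level cells, so T1059.001 is collapsed
    to T1059 for highlighting; the original is reported so the analyst
    knows that sub-technique detail was dropped.
    """
    parents: Set[str] = set()
    subs: Set[str] = set()
    invalid: List[str] = []
    for token in raw:
        tid = token.strip().upper()
        if not tid:
            continue
        m = TECHNIQUE_RE.match(tid)
        if m is None:
            invalid.append(tid)
            continue
        parents.add("T" + m.group(1))
        if m.group(2) is not None:
            subs.add(tid)
    return parents, subs, invalid


def classify(first: Set[str], second: Set[str]) -> Dict[str, str]:
    """Map each technique ID to its fill colour using the compare-tool rules.
    A single-adversary run is the special case second == set()."""
    colours: Dict[str, str] = {}
    for tid in first | second:
        if tid in first and tid in second:
            colours[tid] = FILL_BOTH
        elif tid in first:
            colours[tid] = FILL_FIRST_ONLY
        else:
            colours[tid] = FILL_SECOND_ONLY
    return colours


def technique_url(tid: str) -> str:
    """T1059 -> .../techniques/T1059/, T1059.001 -> .../techniques/T1059/001/."""
    return ATTACK_TECHNIQUE_URL.format(tid.replace(".", "/"))


def output_filename(*names: str) -> str:
    """Build the output name from the APT/malware names (scheme assumed).
    The names are user input, so anything outside [A-Za-z0-9_-] is replaced
    to keep path separators or '..' out of the file name."""
    safe = []
    for name in names:
        cleaned = re.sub(r"[^A-Za-z0-9_-]+", "_", name.strip()).strip("_")
        safe.append(cleaned or "unnamed")
    return "mitre_matrix_" + "_vs_".join(safe) + ".xlsx"


def annotate_workbook(template_path: str, colours: Dict[str, str], out_path: str) -> List[str]:
    """Fill and hyperlink every template cell whose value is an ID in `colours`,
    save a copy, and return the IDs that were not found in the template
    (typos, deprecated techniques, or IDs from a different matrix)."""
    from openpyxl import load_workbook          # imported here so the pure
    from openpyxl.styles import PatternFill     # helpers above need no openpyxl
    wb = load_workbook(template_path)
    ws = wb.active
    found: Set[str] = set()
    for row in ws.iter_rows():
        for cell in row:
            if not isinstance(cell.value, str):
                continue
            tid = cell.value.strip().upper()
            if tid in colours:
                cell.fill = PatternFill(start_color=colours[tid],
                                        end_color=colours[tid], fill_type="solid")
                cell.hyperlink = technique_url(tid)
                found.add(tid)
    wb.save(out_path)
    return sorted(set(colours) - found)


def make_demo_template(path: str) -> None:
    """Write a tiny constructed stand-in for mitre_matrix_template.xlsx."""
    from openpyxl import Workbook
    wb = Workbook()
    ws = wb.active
    ws.append(["Initial Access", "Execution", "Lateral Movement", "Impact"])
    ws.append(["T1566", "T1059", "T1021", "T1486"])
    ws.append(["T1190", "T1204", "T1080", "T1490"])
    wb.save(path)


if __name__ == "__main__":
    make_demo_template("demo_template.xlsx")
    first, subs, bad = parse_technique_ids(["T1566", "T1059.001", "T1486", "T9999"])
    second, _, _ = parse_technique_ids(["T1059", "T1021", "T1490"])
    missing = annotate_workbook("demo_template.xlsx", classify(first, second),
                                output_filename("LockBit", "SampleB"))
    print("collapsed sub-techniques:", sorted(subs), "| not in template:", missing)
```

The list returned by annotate_workbook is worth surfacing in a real run: a technique ID that never matched a cell is silently invisible in the output sheet otherwise, and that is exactly how a mistyped or deprecated ID gets missed in a comparison.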


Conclusion

The author created these tools for his organization's own use case and wishes to share them with the rest of the cybersecurity community. They may not be useful to everyone, but they can be modified to suit each organization's needs.



References


