
Proposal: Mitre Att&ck Checker library for Falco Rules

Open IceManGreen opened this issue 1 year ago • 12 comments

Motivation

The rules must be both syntactically and grammatically correct and should evaluate to true during successful end-to-end tests. Furthermore, they need to accurately detect the intended cyber threats, specifically the Tactics, Techniques, and Procedures (TTPs), against the Mitre ATT&CK framework. Both the community and the Falco experts will benefit from the Falco Mitre checker module to audit the default rules or custom rules against the STIX2 data from Mitre CTI.

Feature

Develop a library to check the compliance of the Falco rules against the Mitre ATT&CK Framework. This library will provide Falco experts and Falco users with a way to check default and custom rules for Mitre ATT&CK extra tags. The library will use STIX from the OASIS standards. Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI).

Leveraging STIX, the library will fetch the ATT&CK® STIX Data from the MITRE ATT&CK repositories using the python-stix2 library implemented by OASIS.

The choice of a library is motivated by the packaging of Python code so that it can be integrated into wider Falco implementations. More precisely, the library can be used:

  • by the rules_overview_generator.py script
  • by Falco users and experts to check their Falco rules files
  • by other Falco components that need to check the validity of rules files

Design Choice

To benefit from python-stix2, the library will be developed in Python 3.11, the latest stable version released as of this date. The library should take as input one or more Falco rules files and run a validity checker implementation on each file. The library could be named mitre_checker and could be located in the build directory:

.
└── build
    ├── checker
    ├── mitre_checker
    └── registry

The implementation consists of:

  • fetching the enterprise-matrix STIX2 data from the Mitre CTI repository
  • loading the data in memory
  • loading the Falco rules in memory
  • looking for the Falco rules that contain extra tags concerning Mitre information. These tags should contain mitre_<mitre-phase-name> (backward compatible) and/or <technique id> (backward compatible).
  • verifying the validity of the relation between the technique and the Mitre phase if a <technique id> is detected in the extra tags.

Expected Output

The library should provide an in-memory report, in the form of a model, which gathers information about errors in the Falco rules files that concern Mitre ATT&CK extra tags. The report can be dumped to be stored on disk (optional).

Packaging

The library can be packaged in a wheel file in the first place. In this way, it could be pushed to public PyPI repositories. Otherwise, a developer can easily install it in any Python environment or build it again from scratch.

Extra packaging like a binary file or a container can be considered for further integrations.

Alternatives

The Mitre ATT&CK framework is growing as a 'de facto' standard for TTP knowledge and studies. I do not know of another framework to consider as an alternative.

Mitre CTI sharing chose the STIX2 standard to maintain its Mitre ATT&CK data. A known alternative is OpenCTI, but it has to be considered as a set of tools based on STIX2 rather than an alternative to STIX.

Additional context

This initiative was discussed in issue #84, in wip: #76, and during discussions on Slack.

IceManGreen avatar Jun 16 '23 15:06 IceManGreen
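The implementation steps in the proposal (load STIX2 attack-patterns, load rules, find mitre_<phase> and technique tags, cross-check them) as an added, stand-alone example; this is not code from the issue or from the Falco project. The STIX2 bundle and the Falco rules are constructed inline, the rules stand in for already-parsed YAML, and the tag conventions (mitre_ prefix with underscores, T1234 or T1234.001 technique IDs) are assumed from the proposal text.

```python
import re
# Constructed stand-in for Mitre's enterprise-attack STIX2 bundle (not the real file): two attack-patterns.
STIX_BUNDLE = {"type": "bundle", "id": "bundle--example", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--a", "name": "Proxy",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1090"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "command-and-control"}]},
    {"type": "attack-pattern", "id": "attack-pattern--b", "name": "Unix Shell Configuration Modification",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1546.004"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}]}]}
# Constructed Falco rules, as the dicts a YAML loader would return (the macro must be skipped).
RULES = [
    {"rule": "Good proxy rule", "tags": ["network", "mitre_command_and_control", "T1090"]},
    {"rule": "Wrong phase", "tags": ["mitre_persistence", "T1090"]},
    {"rule": "Unknown technique", "tags": ["mitre_execution", "T9999"]},
    {"macro": "container", "condition": "container.id != host"},
]
TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # technique or sub-technique ID, e.g. T1546.004
def load_technique_phases(bundle):
    """Map technique ID -> set of STIX phase names, skipping revoked or deprecated patterns."""
    index = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = next((r["external_id"] for r in obj.get("external_references", [])
                    if r.get("source_name") == "mitre-attack"), None)
        if tid:
            index[tid] = {p["phase_name"] for p in obj.get("kill_chain_phases", [])
                          if p.get("kill_chain_name") == "mitre-attack"}
    return index

def check_rule(rule, index):
    """Return the list of Mitre tag errors for one rule (empty when the tags are consistent)."""
    tags = rule.get("tags", [])
    phases = {t[len("mitre_"):] for t in tags if t.startswith("mitre_")}
    errors, known = [], set()
    for tid in (t for t in tags if TECHNIQUE_RE.match(t)):
        if tid not in index:
            errors.append(f"unknown technique {tid}")
            continue
        expected = {p.replace("-", "_") for p in index[tid]}  # STIX hyphens -> Falco tag underscores
        known |= expected
        if phases and not phases & expected:
            errors.append(f"{tid} matches none of the mitre_<phase> tags")
    errors += [f"mitre_{p} is not a phase of any listed technique" for p in sorted(phases - known) if known]
    return errors

def check_rules(rules, bundle):  # in-memory report {rule name: [errors]}; macros and lists have no 'rule' key
    index = load_technique_phases(bundle)
    return {r["rule"]: check_rule(r, index) for r in rules if "rule" in r}
```

Against the real enterprise-attack.json the same index builder applies unchanged, since it only reads the standard attack-pattern fields; the revoked/deprecated filter matters there because Mitre keeps superseded techniques in the bundle.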