ATTACK-Force-Graph

• Generate and visualize MITRE's ATTACK data in a 3D force-directed graph with a UI made specifically for the ATTACK data

DEMO:

• View Demo (GitHub Pages)

Preview:

TODO:

• [ ] Add affiliation template
• [ ] Add speciality template
• [ ] Add attacks/ targets template
• [ ] Optimize time complexity for certain sections

What?

• Generate JSON force-graph data nodes and links from the MITRE ATTACK Framework based on your preferences. (graph_generator.py)

• Use that data to visualize your results with a UI tailored around the ATTACK data. (frontend directory)

• The JSON data generated is formatted for use with @vasturiano's awesome various force-directed graph projects. (Tested and works on both 2D and 3D versions)

• At the moment you can do the following combinations:

  1. Group -> Group Tools -> Group Tool Techniques:
     • Each group (APT) node will be linked to the corresponding tools/ software the group uses along.
     • Total node connections: (group * n group tools * n tool techniques)
  2. Group -> Group Tools/ Software:
     • Links just the tools without fetching tool techniques data
     • Total node connections: (group * n group tools)
  3. Groups Only
     • A node for each group will be generated but no links. (What would you link a group to?!)
     • Total node connections: 0
  4. Other
     • You can generate standalone nodes of groups or group tools/ software.

Why?

• Draw conclusions and spot patterns fast thanks to the power of data visualization.
• Present compelling data stakeholders can easily understand and interact with.
• Force-directed graphs are seriously... :sunglasses: cool

How?

• The graph generator script uses @Cyb3rWard0g's ATTACK-Python-Client to build the ATTACK graph data. Having used MITRE's STIX... just use Roberto's package.
  • Lift requests are network requests and can be time-consuming. Efficiency improvements planned after the main portion is done.
• The 3D graph in the UI is the 3D version of vasturiano's awesome JS force-directed graphs.

Example Demos

• Full ATTACK data demo with UI

• Graphs Only:
  • Example 0: Only Group Nodes
  • Example 1: Group -> Tool(s)
  • Example 2: Group -> Group Tool(s) -> Tool Technique(s)
  • Example 3 - ALL Group -> Tools -> Techniques (1MB of JSON Data)

Examples

Data Preview

• NOTE: Specific values are not part of the MITRE ATTACK Framework:

  • Group: affiliation - This is subjective and can be problematic, so it is up to your assessment to evaluate which group is affiliated with whom.
  • Group: targets - Work-in-progress for defaults but hard to maintain over time given that it is not part of the ATTACK framework.
  • Group: speciality - Work-in-progress and is much easier to maintain.

• val - This is can be used to determine how big you want a node element to be.

  • For groups: The val is based on the number of tools the group uses
  • For tools: The val is based on the number of techniques the tool makes possible
  • For techniques: Set to None by default, leaving it up to you

Group Node

"id": "MITRE GROUP ID HERE. EX: G0005",
"type": "group",
"val": 2,
"attributes": {
    "name": "Cool Group/ APT Name Here",
    "aliases": [
        "Group alias",
        "Operation Golden Kitty",
    ],
    "description": "Cleaned description. Do not use `get_desc()` if you want raw desc...",
    "affiliation": "You have to assign this value yourself, read the NOTE above :)", 
    "targets": ["Also you have to", "set this. Read NOTE above"],
    "speciality": ["set this based on your assessment", "Read NOTE above"],
    "tools": {
        "tool_id_here": "tool_name_here",
        "S0225": "sqlmap",
    },
    "techniques": {
        "technique_id_here": "technique_name_here",
        "T1566.003": "Spearphishing via Service",
    }
}

Tool Node

"id": "MITRE Software ID HERE. EX: S0084",
"type": "tool",
"val": 1
"attributes": {
    "name": "tool_name_here",
    "aliases": [],
    "labels": [
        "tool"
    ],
    "description": "Cleaned description. Do not use `get_desc()` if you want raw desc...",
    "platforms": [
        "Linux",
        ...
    ],
    "techniques": {
        "T1190": "Exploit Public-Facing Application"
    }
}

Technique Node

• val is set to None by default, you can set it to length of platforms or whatever your preference is.

"id": "MITRE Technique ID HERE. EX: T1190",
"type": "technique",
"val": null,
"attributes": {
    "name": "Exploit Public-Facing Application",
    "chain_phase": "initial-access",
    "description": "Cleaned description. Do not use `get_desc()` if you want raw desc.",
    "detection": "Cleaned detection. Do not use `get_desc()` if you want raw detection paragraph...",
    "is_subtype": false,
    "platforms": [
        "Windows",
        ...
    ]
}