This project is a prototype-build for representing MITRE's ATT&CK CTI data in a Graph view with relationships between various objects. The objects could be Threat Groups,Techniques used in cyber attacks OR software (tools,malware).
MITRE has published its CTI data via TAXII2.0 server in the STIXX2.0 format. In ATT&CK, there are three main concepts (excluding Tactics for now): Techniques, Groups, and Software. Most techniques also have Mitigations.
STIX 2.0 describes these as objects and uses different terminology to describe them. The following table is a mapping of ATT&CK concepts to STIX 2.0 objects:
| ATT&CK concept | STIX Object type |
|---|---|
| Technique | attack-pattern |
| Group | intrusion-set |
| Software | malware or tool |
| Mitigation | course-of-action |
| Tactic | x-mitre-tactic |
| Matrix | x-mitre-matrix |
-
Python
Python Libraries
Py2neo is a client library and toolkit for working with Neo4j from within Python applications and from the command line. I have used Py2neo python library that connects to Neo4j API to perform all Neo4j operations so that we do not need to go outof Python Application.
Logical Flow of the Scripts
- Connect with MITRE's TAXII2 Sever
- Pull the STIXX2.0 data(techniques,software,groups) from the MITRE's TAXII2 Server
- Create the objects out of the pulled data & Push them to Neo4j and build the the GraphDB
- Scrap the MITRE ATT&CK's page for a specific group that contains corrosponding software & techniques (used by that specific group)
- Create the relationships and push them to Neo4j
Note/Observations:
I believe there is some bug in g.merge() function of latest py2neo version as it does not work as expected always. Therefore, I have to use create() function in "" script instead of merge. merege() is prefered as it will not create the duplicate node if a matching node is arleady exist whereas create() will make duplicate objects.
This is just a prototype and this can be scalled up and improved to take this to the production level. This is the one of the many ways by which this database can be built and represented.I do not deny that there could be an effecient way of doing the same thing.The MITRE's CTI data can be pulled and stored in json files and then json-files can be called and loaded in neo4j using its "CYPHER"s to build the database.Once the database is built, CYPHER can be used to build the relationships as well.