from constants import *
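def _get_base_template(name, description, platform, sorting, domain, layer_settings):
    """
    Prepares a base template for the json layer file that can be loaded into the MITRE ATT&CK Navigator.
    More information on the layer format can be found here: https://github.com/mitre/attack-navigator/blob/master/layers/
    :param name: name
    :param description: description
    :param platform: platform, written to the layer's 'platforms' filter
    :param sorting: Navigator sorting mode, written verbatim to the layer's 'sorting' key
    :param domain: the specified domain
    :param layer_settings: dict of setting name -> value string as given at the CLI. A setting is applied to
                           layer['layout'] only when its key is in both LAYER_SETTINGS and LAYER_LAYOUT_SETTINGS
                           and its value (case-insensitive) is one of the allowed values in LAYER_SETTINGS;
                           everything else is ignored silently.
    :return: layer template dictionary
    """
    # Key order matters for the generated JSON, so keep it as it has always been.
    layer = {
        'name': name,
        'versions': {'navigator': '4.8', 'layer': '4.4'},
        'domain': domain,
        'description': description,
        'filters': {'platforms': platform},
        'sorting': sorting,
        'layout': {"layout": "flat", "aggregateFunction": "sum",
                   "showAggregateScores": True, "countUnscored": False,
                   "showName": True, "showID": False},
    }

    # Override layout settings with settings that are given at the CLI:
    for setting_key, setting_value in layer_settings.items():
        allowed_values = LAYER_SETTINGS.get(setting_key)
        if allowed_values is None or setting_key not in LAYER_LAYOUT_SETTINGS:
            continue
        value = setting_value.lower()
        if value not in [val.lower() for val in allowed_values]:
            continue
        if value in ("true", "false"):
            # Boolean layout settings arrive as strings; the Navigator expects real booleans.
            layer['layout'][setting_key] = value == "true"
        else:
            layer['layout'][setting_key] = value

    layer['hideDisable'] = False
    layer['selectSubtechniquesWithParent'] = False
    layer['techniques'] = []
    layer['showTacticRowBackground'] = False
    layer['tacticRowBackground'] = COLOR_TACTIC_ROW_BACKGRND
    layer['selectTechniquesAcrossTactics'] = True
    return layer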
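def determine_and_set_show_sub_techniques(techniques_layer):
    """
    Function to determine if showSubtechniques should be set. And if so, it will be set in the layer dict.
    A technique (5-char ID, e.g. T1003) gets showSubtechniques=True when at least one of its sub-techniques
    (9-char ID, e.g. T1003.001) is present in the layer, False otherwise. A technique that is missing from
    the layer while one of its sub-techniques is present is appended with showSubtechniques=True.
    Entries whose ID is neither 5 nor 9 characters long are left untouched.
    :param techniques_layer: list of dicts with items for the Navigator layer file; modified in place
    :return:
    """
    # Parent technique IDs of all sub-techniques, in first-seen order (so appended parents keep a stable
    # position in the output). Built once instead of re-scanning the layer for every technique.
    parents_of_sub_techniques = dict.fromkeys(
        t['techniqueID'][:5] for t in techniques_layer if len(t['techniqueID']) == 9)

    # show subtechniques when technique contains subtechniques:
    present_techniques = set()
    for t in techniques_layer:
        if len(t['techniqueID']) == 5:
            t['showSubtechniques'] = t['techniqueID'] in parents_of_sub_techniques
            present_techniques.add(t['techniqueID'])

    # add technique with showSubtechnique attribute, when sub-technique is present and technique isn't:
    techniques_to_add = [{'techniqueID': parent_id, 'showSubtechniques': True}
                         for parent_id in parents_of_sub_techniques
                         if parent_id not in present_techniques]
    techniques_layer.extend(techniques_to_add)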
def get_layer_template_groups(name, max_count, description, platform, overlay_type, domain, layer_settings):
    """
    Prepares the Navigator layer template used for group/campaign overlays; the legend depends on the overlay type.
    More information on the layer format can be found here: https://github.com/mitre/attack-navigator/blob/master/layers/
    :param name: name
    :param max_count: the sum of all count values (becomes the gradient's maxValue)
    :param description: description
    :param platform: platform
    :param overlay_type: group, campaign, visibility or detection
    :param domain: the specified domain
    :param layer_settings: settings for the Navigator layer
    :return: layer template dictionary
    """
    layer = _get_base_template(name, description, platform, 3, domain, layer_settings)
    layer['gradient'] = {'colors': [COLOR_GRADIENT_MIN, COLOR_GRADIENT_MAX], 'minValue': 0, 'maxValue': max_count}

    legend = [
        {'label': 'Tech. not often used', 'color': COLOR_GRADIENT_MIN},
        {'label': 'Tech. used frequently', 'color': COLOR_GRADIENT_MAX},
    ]

    if overlay_type in (OVERLAY_TYPE_GROUP, OVERLAY_TYPE_CAMPAIGN):
        title = 'Groups' if overlay_type == OVERLAY_TYPE_GROUP else 'Campaigns'
        legend += [
            {'label': f'{title} overlay: tech. in group/campaign + overlay', 'color': COLOR_GROUP_OVERLAY_MATCH},
            {'label': f'{title} overlay: tech. in overlay', 'color': COLOR_GROUP_OVERLAY_NO_MATCH},
            {'label': 'Src. of tech. is only software', 'color': COLOR_SOFTWARE},
            {'label': 'Src. of tech. is group/campaign/overlay + software', 'color': COLOR_GROUP_AND_SOFTWARE},
        ]
    elif overlay_type == OVERLAY_TYPE_DETECTION:
        # Detection scores run 0..5; overlay (group + detection) colours first, then plain detection colours.
        score_names = ['Forensics/Context', 'Basic', 'Fair', 'Good', 'Very good', 'Excellent']
        overlay_colors = [COLOR_O_0, COLOR_O_1, COLOR_O_2, COLOR_O_3, COLOR_O_4, COLOR_O_5]
        detection_colors = [COLOR_D_0, COLOR_D_1, COLOR_D_2, COLOR_D_3, COLOR_D_4, COLOR_D_5]
        legend += [{'label': f'Tech. in group/campaign + detection score {score}: {text}', 'color': color}
                   for score, (text, color) in enumerate(zip(score_names, overlay_colors))]
        legend += [{'label': f'Tech. in detection, score {score}: {text}', 'color': color}
                   for score, (text, color) in enumerate(zip(score_names, detection_colors))]
    elif overlay_type == OVERLAY_TYPE_VISIBILITY:
        # Visibility scores run 1..4; same ordering as for detection.
        score_names = ['Minimal', 'Medium', 'Good', 'Excellent']
        overlay_colors = [COLOR_O_1, COLOR_O_2, COLOR_O_3, COLOR_O_4]
        visibility_colors = [COLOR_V_1, COLOR_V_2, COLOR_V_3, COLOR_V_4]
        legend += [{'label': f'Tech. in group/campaign + visibility score {score}: {text}', 'color': color}
                   for score, (text, color) in enumerate(zip(score_names, overlay_colors), start=1)]
        legend += [{'label': f'Tech. in visibility, score {score}: {text}', 'color': color}
                   for score, (text, color) in enumerate(zip(score_names, visibility_colors), start=1)]

    layer['legendItems'] = legend
    return layer
def get_layer_template_detections(name, description, platform, domain, layer_settings):
    """
    Prepares the Navigator layer template for a detection layer (fixed gradient, legend with the six detection scores).
    More information on the layer format can be found here: https://github.com/mitre/attack-navigator/blob/master/layers/
    :param name: name
    :param description: description
    :param platform: platform
    :param domain: the specified domain
    :param layer_settings: settings for the Navigator layer
    :return: layer template dictionary
    """
    score_legend = [
        (0, 'Forensics/Context', COLOR_D_0),
        (1, 'Basic', COLOR_D_1),
        (2, 'Fair', COLOR_D_2),
        (3, 'Good', COLOR_D_3),
        (4, 'Very good', COLOR_D_4),
        (5, 'Excellent', COLOR_D_5),
    ]

    layer = _get_base_template(name, description, platform, 0, domain, layer_settings)
    # Both gradient colours are the "disabled" colour: scores are coloured per technique, not by gradient.
    layer['gradient'] = {'colors': [COLOR_GRADIENT_DISABLE, COLOR_GRADIENT_DISABLE], 'minValue': 0, 'maxValue': 10000}
    layer['legendItems'] = [{'label': f'Detection score {score}: {text}', 'color': color}
                            for score, text, color in score_legend]
    return layer
def get_layer_template_data_sources(name, description, platform, domain, layer_settings):
    """
    Prepares the Navigator layer template for a data source layer (legend with data source availability buckets).
    More information on the layer format can be found here: https://github.com/mitre/attack-navigator/blob/master/layers/
    :param name: name
    :param description: description
    :param platform: platform
    :param domain: the specified domain
    :param layer_settings: settings for the Navigator layer
    :return: layer template dictionary
    """
    availability_buckets = [
        ('1-25%', COLOR_DS_25p),
        ('26-50%', COLOR_DS_50p),
        ('51-75%', COLOR_DS_75p),
        ('76-99%', COLOR_DS_99p),
        ('100%', COLOR_DS_100p),
    ]

    layer = _get_base_template(name, description, platform, 0, domain, layer_settings)
    layer['legendItems'] = [{'label': f'{bucket} of data sources available', 'color': color}
                            for bucket, color in availability_buckets]
    return layer
def get_layer_template_visibility(name, description, platform, domain, layer_settings):
    """
    Prepares the Navigator layer template for a visibility layer (fixed gradient, legend with the four visibility scores).
    More information on the layer format can be found here: https://github.com/mitre/attack-navigator/blob/master/layers/
    :param name: name
    :param description: description
    :param platform: platform
    :param domain: the specified domain
    :param layer_settings: settings for the Navigator layer
    :return: layer template dictionary
    """
    score_legend = [
        (1, 'Minimal', COLOR_V_1),
        (2, 'Medium', COLOR_V_2),
        (3, 'Good', COLOR_V_3),
        (4, 'Excellent', COLOR_V_4),
    ]

    layer = _get_base_template(name, description, platform, 0, domain, layer_settings)
    # Both gradient colours are the "disabled" colour: scores are coloured per technique, not by gradient.
    layer['gradient'] = {'colors': [COLOR_GRADIENT_DISABLE, COLOR_GRADIENT_DISABLE], 'minValue': 0, 'maxValue': 10000}
    layer['legendItems'] = [{'label': f'Visibility score {score}: {text}', 'color': color}
                            for score, text, color in score_legend]
    return layer
def get_layer_template_layered(name, description, platform, domain, layer_settings):
    """
    Prepares the Navigator layer template for the combined visibility + detection ("layered") layer.
    The legend starts with the "both" colour, then the visibility scores 1-4, then the detection scores 1-5.
    More information on the layer format can be found here: https://github.com/mitre/attack-navigator/blob/master/layers/
    :param name: name
    :param description: description
    :param platform: platform
    :param domain: the specified domain
    :param layer_settings: settings for the Navigator layer
    :return: layer template dictionary
    """
    visibility_scores = [(1, 'Minimal', COLOR_V_1), (2, 'Medium', COLOR_V_2),
                         (3, 'Good', COLOR_V_3), (4, 'Excellent', COLOR_V_4)]
    detection_scores = [(1, 'Basic', COLOR_D_1), (2, 'Fair', COLOR_D_2), (3, 'Good', COLOR_D_3),
                        (4, 'Very good', COLOR_D_4), (5, 'Excellent', COLOR_D_5)]

    legend = [{'label': 'Visibility and detection', 'color': COLOR_OVERLAY_BOTH}]
    legend += [{'label': f'Visibility score {score}: {text}', 'color': color}
               for score, text, color in visibility_scores]
    legend += [{'label': f'Detection score {score}: {text}', 'color': color}
               for score, text, color in detection_scores]

    layer = _get_base_template(name, description, platform, 0, domain, layer_settings)
    layer['legendItems'] = legend
    return layer
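def make_layer_metadata_compliant(metadata):
    """
    Make sure the metadata values in the Navigator layer file are compliant with the expected data structure
    from the latest version on: https://github.com/mitre-attack/attack-navigator/tree/master/layers
    Every non-divider item must carry a non-empty 'value'; an empty or otherwise falsy value is replaced by '-'.
    :param metadata: list of metadata dictionaries; the items are modified in place
    :return: the same list of metadata dictionaries, now compliant
    """
    for md_item in metadata:
        # Divider items ({'divider': True}) have no 'value' key and are left alone.
        if 'divider' not in md_item and not md_item['value']:
            md_item['value'] = '-'
    return metadata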
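def add_metadata_technique_object(technique, obj_type, metadata, count_detections):
    """
    Add the metadata for a detection or visibility object as used within any type of overlay.
    Duplicate values (applicable_to, locations, comments) are collapsed while keeping their first-seen order,
    so the generated layer file is identical between runs instead of depending on set() iteration order.
    :param technique: technique object containing both the visibility and detection object
    :param obj_type: valid values are 'detection' and 'visibility'
    :param metadata: a list to which the metadata will be added (modified in place)
    :param count_detections: option for the Navigator layer output: count detections instead of listing detections
    :return: the created metadata as a list (the same list object that was passed in)
    :raises ValueError: when obj_type is not 'detection' or 'visibility'
    """
    from generic import calculate_score, get_latest_comment

    if obj_type not in ('detection', 'visibility'):
        raise ValueError("Invalid value for 'obj_type' provided.")

    objects = technique[obj_type]
    label = obj_type.capitalize()

    metadata.append({'divider': True})
    metadata.append({'name': 'Applicable to',
                     'value': ', '.join(_unique_in_order(a for v in objects for a in v['applicable_to']))})
    metadata.append({'name': label + ' score', 'value': str(calculate_score(objects))})
    if obj_type == 'detection':
        metadata.append({'name': label + ' location',
                         'value': _format_detection_location(objects, count_detections)})
    # Empty comments are dropped before joining so the value does not end up with dangling separators.
    metadata.append({'name': label + ' comment',
                     'value': ' | '.join(_unique_in_order(v['comment'] for v in objects if v['comment'] != ''))})
    metadata.append({'name': label + ' score comment',
                     'value': ' | '.join(_unique_in_order(c for c in map(get_latest_comment, objects) if c != ''))})
    return metadata


def _unique_in_order(values):
    """Return the distinct items of *values* as a list, keeping first-seen order (deterministic, unlike set())."""
    return list(dict.fromkeys(values))


def _format_detection_location(detections, count_detections):
    """
    Build the value of the 'Detection location' metadata item.
    :param detections: the technique's list of detection objects, each with a 'location' list
    :param count_detections: when True, count locations per "<prefix>: <name>" prefix (other forms are counted
                             under 'Detections') and render them as "<prefix>: <count>. "; when False, list the
                             distinct locations joined with ', '
    :return: the location string
    """
    if not count_detections:
        return ', '.join(_unique_in_order(loc for d in detections for loc in d['location']))

    location_count = {}
    for d in detections:
        for loc in d['location']:
            parts = loc.split(': ')
            key = parts[0] if len(parts) == 2 else 'Detections'
            location_count[key] = location_count.get(key, 0) + 1
    # Trailing space after each entry is kept as-is: the existing layer output has it.
    return ''.join(f"{key}: {count}. " for key, count in location_count.items())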