Merge pull request #84 from rabobank-cdc/dev-mobile
DeTT&CT mobile
rubinatorz authored Oct 4, 2022
2 parents e566359 + 8933267 commit 3236d85
Showing 27 changed files with 2,401 additions and 83 deletions.
34 changes: 29 additions & 5 deletions .github/workflows/scripts/refresh_attack_data.py
Expand Up @@ -22,15 +22,16 @@

MATRIX_ENTERPRISE = 'mitre-attack'
MATRIX_ICS = 'mitre-ics-attack'
MATRIX_MOBILE = 'mitre-mobile-attack'

WIKI_TEXT_START = ['**Content:**','- [Enterprise](#enterprise)', '- [ICS](#ics)', '', '']
WIKI_TEXT_ENTERPRISE = ['## Enterprise', ''
'The below mapping from data sources/data components to platforms is created on the information provided by MITRE within the [data source objects](https://attack.mitre.org/datasources/). Also, note that the below is only listing data components that are actually referenced by a technique. Therefore it does not include all data components as referenced in the [data source YAML files](https://github.com/mitre-attack/attack-datasources).',
'']
WIKI_TEXT_ICS = ['', '## ICS', '', '**Official platform mapping is missing**', '', 'An official mapping for ICS sources/data components to platforms is currently missing. Hence it\'s expected the below platform mapping will improve once available. The current mapping of data sources to platforms is determined in the following automated manner:',
'- We check for every technique the listed data sources and note that down.',
'- We check for every technique the listed data sources and note that down.',
'- Besides noting down the data sources, we also take note of the platforms mentioned per technique.',
'- The above two are combined to produce the final mapping.', '', '**DeTT&CT data sources**', '',
'- The above two are combined to produce the final mapping.', '', '**DeTT&CT data sources**', '',
'As we do not consider ourselves experts in the field of ICS, we have not included the DeTT&CT data sources. Any help and thus contributions on that matter are very much appreciated. *Possibly, with future developments of ATT&CK ICS, we could automate this part when Detection objects are introduced. However, it is not certain whether this will provide good results.*']

class ATTACKData():
Expand All @@ -47,8 +48,10 @@ def __init__(self):

self.attack_cti_techniques_enterprise = self.mitre.get_enterprise_techniques()
self.attack_cti_techniques_ics = self.mitre.get_ics_techniques()
self.attack_cti_techniques_mobile = self.mitre.get_mobile_techniques()

self.data_source_dict_enterprise = self._create_data_source_dict(MATRIX_ENTERPRISE)
self.data_source_dict_ics = self._create_data_source_dict(MATRIX_ICS)

self.attack_cti_software = self.mitre.get_software()

Expand All @@ -63,27 +66,39 @@ def execute_refresh_json_data(self):
data_components_ics = self._get_data_components_from_techniques(self.attack_cti_techniques_ics)
self._update_data(data_components_ics, 'ATT&CK-ICS', FILE_DATA_SOURCES)

data_components_mobile = self._get_data_components_from_techniques(self.attack_cti_techniques_mobile)
self._update_data(data_components_mobile, 'ATT&CK-Mobile', FILE_DATA_SOURCES)

# update 'data_source_platforms.json'
data_components_enterprise_platform_mapping = self._get_data_components_platform_mapping_from_dict(self.data_source_dict_enterprise)
self._update_data(data_components_enterprise_platform_mapping, 'ATT&CK-Enterprise', FILE_DATA_SOURCES_PLATFORMS)

data_components_ics_platform_mapping = self._get_data_components_platform_mapping_from_techniques(self.attack_cti_techniques_ics)
self._update_data(data_components_ics_platform_mapping, 'ATT&CK-ICS', FILE_DATA_SOURCES_PLATFORMS, skip_cli=False)

data_components_mobile_platform_mapping = self._get_data_components_platform_mapping_from_techniques(self.attack_cti_techniques_mobile)
self._update_data(data_components_mobile_platform_mapping, 'ATT&CK-Mobile', FILE_DATA_SOURCES_PLATFORMS, skip_cli=False)

# update 'techniques.json'
techniques_enterprise = self._get_techniques(self.attack_cti_techniques_enterprise, MATRIX_ENTERPRISE)
self._update_data(techniques_enterprise, 'ATT&CK-Enterprise', FILE_TECHNIQUES)

techniques_ics = self._get_techniques(self.attack_cti_techniques_ics, MATRIX_ICS)
self._update_data(techniques_ics, 'ATT&CK-ICS', FILE_TECHNIQUES)

techniques_mobile = self._get_techniques(self.attack_cti_techniques_mobile, MATRIX_MOBILE)
self._update_data(techniques_mobile, 'ATT&CK-Mobile', FILE_TECHNIQUES)

# update 'software.json'
software_enterprise = self._get_software(self.attack_cti_techniques_enterprise, MATRIX_ENTERPRISE)
self._update_data(software_enterprise, 'ATT&CK-Enterprise', FILE_SOFTWARE)

software_ics = self._get_software(self.attack_cti_techniques_ics, MATRIX_ICS)
self._update_data(software_ics, 'ATT&CK-ICS', FILE_SOFTWARE)

software_mobile = self._get_software(self.attack_cti_techniques_mobile, MATRIX_MOBILE)
self._update_data(software_mobile, 'ATT&CK-Mobile', FILE_SOFTWARE)

def execute_refresh_wiki(self):
"""
Execute all methods to refresh this Wiki page 'Data-sources-per-platform.md'
Expand Down Expand Up @@ -234,8 +249,11 @@ def _write_to_wiki(self, text, filename):
:param filename: filename of the file written to disk
:return:
"""
with open(FILE_PATH_WIKI + filename, 'w') as f:
f.write('\n'.join(text))
try:
with open(FILE_PATH_WIKI + filename, 'w') as f:
f.write('\n'.join(text))
except Exception as e:
print("Error writing wiki file. May be local environment? (%s)" % str(e))

def _get_attack_id(self, technique, matrix):
"""
Expand All @@ -247,7 +265,7 @@ def _get_attack_id(self, technique, matrix):
for e in technique['external_references']:
source_name = e.get('source_name', None)
# return source_name
if source_name == matrix or (matrix == 'mitre-ics-attack' and source_name == 'mitre-attack'):
if source_name == matrix or (matrix == 'mitre-ics-attack' and source_name == 'mitre-attack') or (matrix == 'mitre-mobile-attack' and source_name == 'mitre-attack'):
return e['external_id']
return None

Expand Down Expand Up @@ -426,6 +444,9 @@ def _get_data_sources_from_cti(self, matrix):
elif matrix == MATRIX_ICS:
# ICS data sources are not yet in CTI, so this will not work
data_sources = self.mitre.TC_ICS_SOURCE.query(Filter("type", "=", "x-mitre-data-source"))
elif matrix == MATRIX_MOBILE:
# Mobile data sources are not yet in CTI, so this will not work
data_sources = self.mitre.TC_MOBILE_SOURCE.query(Filter("type", "=", "x-mitre-data-source"))

return data_sources

Expand All @@ -440,6 +461,9 @@ def _get_data_components_from_cti(self, matrix):
elif matrix == MATRIX_ICS:
# ICS data components are not yet in CTI, so this will not work
data_components = self.mitre.TC_ICS_SOURCE.query(Filter("type", "=", "x-mitre-data-component"))
elif matrix == MATRIX_MOBILE:
# Mobile data components are not yet in CTI, so this will not work
data_components = self.mitre.TC_MOBILE_SOURCE.query(Filter("type", "=", "x-mitre-data-component"))

return data_components

Expand Down
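Review bot: In the `_write_to_wiki` hunk the new `except Exception as e:` catches everything, prints a message and returns normally, so a failed write of the generated wiki page leaves the refresh job exiting 0 with the old page still in place. If the intent is only to tolerate a missing wiki checkout when run locally, narrow it to `except OSError as e:` (so a `TypeError` from `'\n'.join(text)` still surfaces) and follow the `print` with `raise`, or return a status the caller can check, so a CI run cannot silently report success. The function's signature is above the hunk. Separately, the `_get_attack_id` condition now repeats `'mitre-attack'`-style literals that the module already names as `MATRIX_ENTERPRISE`, `MATRIX_ICS` and `MATRIX_MOBILE`; `if source_name == matrix or (matrix in (MATRIX_ICS, MATRIX_MOBILE) and source_name == MATRIX_ENTERPRISE):` says the same in one readable clause.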
2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,6 +1,6 @@
FROM python:3.10-slim-bullseye

LABEL version="1.6.0"
LABEL version="1.7.0"

# copy DeTT&CT and install the requirements
COPY . /opt/DeTTECT
Expand Down
11 changes: 8 additions & 3 deletions README.md
Expand Up @@ -2,7 +2,7 @@
<img src="https://github.com/rabobank-cdc/DeTTECT/wiki/images/logo.png#gh-light-mode-only" alt="DeTT&CT" width=30% height=30%>

#### Detect Tactics, Techniques & Combat Threats
Latest version: [1.6.0](https://github.com/rabobank-cdc/DeTTECT/wiki/Changelog#version-160)
Latest version: [1.7.0](https://github.com/rabobank-cdc/DeTTECT/wiki/Changelog#version-170)

To get started with DeTT&CT, check out one of these resources:
- This [page](https://github.com/rabobank-cdc/DeTTECT/wiki/Getting-started) on the Wiki.
Expand All @@ -16,9 +16,9 @@ To get started with DeTT&CT, check out one of these resources:

DeTT&CT aims to assist blue teams in using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours. All of which can help, in different ways, to get more resilient against attacks targeting your organisation. The DeTT&CT framework consists of a Python tool (DeTT&CT CLI), YAML administration files, the [DeTT&CT Editor](https://rabobank-cdc.github.io/dettect-editor) (to create and edit the YAML administration files) and [scoring tables](https://github.com/rabobank-cdc/DeTTECT/raw/master/scoring_table.xlsx) for [detections](https://github.com/rabobank-cdc/DeTTECT/wiki/How-to-use-the-framework#detection), [data sources](https://github.com/rabobank-cdc/DeTTECT/wiki/How-to-use-the-framework#data-source) and [visibility](https://github.com/rabobank-cdc/DeTTECT/wiki/How-to-use-the-framework#visibility).

DeTT&CT provides the following functionality for the ATT&CK domains Enterprise and ICS:
DeTT&CT provides the following functionality for the ATT&CK domains Enterprise, ICS and Mobile:

- Administrate and score the quality of your data sources.
- Administrate and score the quality of your data sources<super>*</super>.
- Get insight on the visibility you have on for example endpoints.
- Map your detection coverage.
- Map threat actor behaviours.
Expand All @@ -27,6 +27,8 @@ DeTT&CT provides the following functionality for the ATT&CK domains Enterprise a

The coloured visualisations are created with the help of MITRE's [ATT&CK™ Navigator](https://mitre-attack.github.io/attack-navigator/#comment_underline=false). *For layer files created by DeTT&CT, we recommend using this URL to the Navigator as it will make sure metadata in the layer file does not have a yellow underline: [https://mitre-attack.github.io/attack-navigator/#comment_underline=false](https://mitre-attack.github.io/attack-navigator/#comment_underline=false)*

<super>*</super><i> ATT&CK has not yet implemented data sources for Mobile. This will come in a future release of ATT&CK. Once it's there, we will incorporate it in DeTT&CT.</i>

## Authors and contributions
This project is developed and maintained by [Marcus Bakker](https://github.com/marcusbakker) (Twitter: [@Bakk3rM](https://twitter.com/Bakk3rM)) and [Ruben Bouman](https://github.com/rubinatorz) (Twitter: [@rubinatorz](https://twitter.com/rubinatorz/)). Feel free to contact, DMs are open. We do appreciate if you ask any question on how to use DeTT&CT by making a GitHub issue. Having the questions and answers over there will greatly help others having similar questions and challenges.

Expand All @@ -42,6 +44,9 @@ The following parties have supported the development of DeTT&CT in time or finan

With the financial sponsorship of the CSSA, we added support for [ATT&CK ICS](https://collaborate.mitre.org/attackics/index.php/Main_Page) to DeTT&CT.

- **[Dutch National Police](https://www.politie.nl/en)**. With the financial sponsorship of the Dutch National Police, we added support for ATT&CK Mobile to DeTT&CT.


### Work of others
The work of others inspired some functionality within DeTT&CT:
- Roberto Rodriguez's work on data quality and scoring of MITRE ATT&CK™ techniques ([How Hot Is Your Hunt Team?](https://cyberwardog.blogspot.com/2017/07/how-hot-is-your-hunt-team.html), [Ready to hunt? First, Show me your data!](https://cyberwardog.blogspot.com/2017/12/ready-to-hunt-first-show-me-your-data.html)).
Expand Down
11 changes: 9 additions & 2 deletions constants.py
Expand Up @@ -4,7 +4,7 @@

APP_NAME = 'DeTT&CT'
APP_DESC = 'Detect Tactics, Techniques & Combat Threats'
VERSION = '1.6.0'
VERSION = '1.7.0'

EXPIRE_TIME = 60 * 60 * 24

Expand All @@ -15,6 +15,7 @@
DATA_TYPE_STIX_ALL_TECH = 'mitre_all_techniques'
DATA_TYPE_STIX_ALL_TECH_ENTERPRISE = 'mitre_all_techniques_enterprise'
DATA_TYPE_STIX_ALL_TECH_ICS = 'mitre_all_techniques_ics'
DATA_TYPE_STIX_ALL_TECH_MOBILE = 'mitre_all_techniques_mobile'
DATA_TYPE_STIX_ALL_GROUPS = 'mitre_all_groups'
DATA_TYPE_STIX_ALL_SOFTWARE = 'mitre_all_software'
DATA_TYPE_STIX_ALL_RELATIONSHIPS = 'mitre_all_relationships'
Expand All @@ -23,7 +24,7 @@
DATA_TYPE_STIX_ALL_ICS_MITIGATIONS = 'mitre_all_mitigations_ics'

# ATT&CK matrix support:
DETTECT_DOMAIN_SUPPORT = ['enterprise-attack', 'ics-attack']
DETTECT_DOMAIN_SUPPORT = ['enterprise-attack', 'ics-attack', 'mobile-attack']

# Group colors
COLOR_GROUP_OVERLAY_MATCH = '#f9a825' # orange
Expand Down Expand Up @@ -183,6 +184,8 @@
'human-machine interface': 'Human-Machine Interface', 'input/output server': 'Input/Output Server',
'safety instrumented system/protection relay': 'Safety Instrumented System/Protection Relay', 'none': 'None'}

PLATFORMS_MOBILE = {'android': 'Android', 'ios': 'iOS'}

DATA_SOURCES_ATTACK_V8 = set(['Access tokens', 'Anti-virus', 'API monitoring', 'Application logs', 'Asset management', 'Authentication logs', 'AWS CloudTrail logs', 'AWS OS logs', 'Azure activity logs', 'Azure OS logs', 'Binary file metadata', 'BIOS', 'Browser extensions', 'Component firmware', 'Data loss prevention', 'Detonation chamber', 'Digital certificate logs', 'Disk forensics', 'DLL monitoring', 'DNS records', 'Domain registration', 'EFI', 'Email gateway', 'Environment variable', 'File monitoring', 'GCP audit logs', 'Host network interface', 'Kernel drivers', 'Loaded DLLs', 'Mail server', 'Malware reverse engineering', 'MBR', 'Named Pipes', 'Netflow/Enclave netflow', 'Network device command history',
'Network device configuration', 'Network device logs', 'Network device run-time memory', 'Network intrusion detection system', 'Network protocol analysis', 'OAuth audit logs', 'Office 365 account logs', 'Office 365 audit logs', 'Office 365 trace logs', 'Packet capture', 'PowerShell logs', 'Process command-line parameters', 'Process monitoring', 'Process use of network', 'Sensor health and status', 'Services', 'Social media monitoring', 'SSL/TLS certificates', 'SSL/TLS inspection', 'Stackdriver logs', 'System calls', 'Third-party application logs', 'User interface', 'VBR', 'Web application firewall logs', 'Web logs', 'Web proxy', 'Windows Error Reporting', 'Windows event logs', 'Windows Registry', 'WMI Objects'])

Expand All @@ -192,13 +195,17 @@

DATA_SOURCES_ENTERPRISE = {}
DATA_SOURCES_ICS = {}
DATA_SOURCES_MOBILE = {}
DETTECT_DATA_SOURCES_PLATFORMS_ENTERPRISE = {}
DETTECT_DATA_SOURCES_PLATFORMS_ICS = {}
DETTECT_DATA_SOURCES_PLATFORMS_MOBILE = {}
with open(os.path.dirname(__file__) + '/data/data_source_platforms.json', 'r') as input_file:
input_data = json.load(input_file)
DATA_SOURCES_ENTERPRISE = input_data['ATT&CK-Enterprise']
DATA_SOURCES_ICS = input_data['ATT&CK-ICS']
DATA_SOURCES_MOBILE = input_data['ATT&CK-Mobile']
DETTECT_DATA_SOURCES_PLATFORMS_ENTERPRISE = input_data['DeTT&CT-Enterprise']
DETTECT_DATA_SOURCES_PLATFORMS_ICS = input_data['DeTT&CT-ICS']
DETTECT_DATA_SOURCES_PLATFORMS_MOBILE = input_data['DeTT&CT-Mobile']

LAYER_SETTINGS = {'showAggregateScores': ['True', 'False'], 'layout': ['side', 'flat', 'mini']}
8 changes: 8 additions & 0 deletions data/data_source_platforms.json
Expand Up @@ -607,5 +607,13 @@
"Input/Output Server": [],
"Safety Instrumented System/Protection Relay": [],
"None": []
},
"ATT&CK-Mobile": {
"Android": [],
"iOS": []
},
"DeTT&CT-Mobile": {
"Android": [],
"iOS": []
}
}
4 changes: 2 additions & 2 deletions data_source_mapping.py
Expand Up @@ -55,7 +55,7 @@ def _map_and_colorize_techniques(my_ds, systems, exceptions, domain):
:param domain: the specified domain
:return: a dictionary with techniques that can be used in the layer's output file
"""
techniques = load_attack_data(DATA_TYPE_STIX_ALL_TECH_ENTERPRISE if domain == 'enterprise-attack' else DATA_TYPE_STIX_ALL_TECH_ICS)
techniques = load_attack_data(DATA_TYPE_STIX_ALL_TECH_ENTERPRISE if domain == 'enterprise-attack' else DATA_TYPE_STIX_ALL_TECH_ICS if domain == 'ics-attack' else DATA_TYPE_STIX_ALL_TECH_MOBILE)
output_techniques = []

for t in techniques:
Expand Down Expand Up @@ -866,7 +866,7 @@ def generate_technique_administration_file(filename, output_filename, write_file
"""
my_ds, name, systems, exceptions, domain = load_data_sources(filename)

techniques = load_attack_data(DATA_TYPE_STIX_ALL_TECH_ENTERPRISE if domain == 'enterprise-attack' else DATA_TYPE_STIX_ALL_TECH_ICS)
techniques = load_attack_data(DATA_TYPE_STIX_ALL_TECH_ENTERPRISE if domain == 'enterprise-attack' else DATA_TYPE_STIX_ALL_TECH_ICS if domain == 'ics-attack' else DATA_TYPE_STIX_ALL_TECH_MOBILE)
yaml_platform = list(set(chain.from_iterable(map(lambda k: k['platform'], systems))))
all_applicable_to_values = set([s['applicable_to'] for s in systems])

Expand Down
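Review bot: The final `else` of the new three-way conditional expression (both hunks) maps any domain value other than `'enterprise-attack'` or `'ics-attack'` to `DATA_TYPE_STIX_ALL_TECH_MOBILE`, so an unexpected or misspelled domain read from the YAML no longer fails but quietly scores against Mobile techniques. The expression is also duplicated verbatim in `_map_and_colorize_techniques` and `generate_technique_administration_file`, which means a fourth domain needs the same edit in two places. A single module-level lookup keyed on the domain string, using the three constants that constants.py already defines, removes the duplication and raises `KeyError` on an unsupported domain instead (assuming the domain strings match the values in `DETTECT_DOMAIN_SUPPORT`). Both enclosing functions start and end outside the hunks.
```python
_TECH_DATA_TYPE_BY_DOMAIN = {
    'enterprise-attack': DATA_TYPE_STIX_ALL_TECH_ENTERPRISE,
    'ics-attack': DATA_TYPE_STIX_ALL_TECH_ICS,
    'mobile-attack': DATA_TYPE_STIX_ALL_TECH_MOBILE,
}

# … unchanged: in _map_and_colorize_techniques and generate_technique_administration_file …
techniques = load_attack_data(_TECH_DATA_TYPE_BY_DOMAIN[domain])
```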
8 changes: 4 additions & 4 deletions dettect.py
Expand Up @@ -168,7 +168,7 @@ def _init_menu():
default=None, action='append')
parser_group.add_argument('-d', '--domain', help='specify the ATT&CK domain (default = enterprise). This argument '
'is ignored if a domain is specified in the Group YAML file.',
required=False, choices=['enterprise', 'ics'])
required=False, choices=['enterprise', 'ics', 'mobile'])
parser_group.add_argument('-o', '--overlay', help='specify what to overlay on the group(s) (provided using the '
'arguments \-g/--groups\): group(s), visibility or detection. '
'When overlaying a GROUP: the group can be its ATT&CK ID, '
Expand Down Expand Up @@ -213,17 +213,17 @@ def _init_menu():
parser_generic.add_argument('-ds', '--datasources', help='get a sorted count on how many ATT&CK techniques'
'are covered by a particular data source '
'(default = enterprise data sources)',
choices=['enterprise', 'ics'], const='enterprise', nargs='?')
choices=['enterprise', 'ics', 'mobile'], const='enterprise', nargs='?')
parser_generic.add_argument('-p', '--platform', action='append', help='only include data sources for the provided '
'ATT&CK platforms in the \'-ds\' argument (default = all). Multiple platforms can be '
'provided with extra \'-p/--platform\' arguments. The available platforms can be listed '
'using \'--list-platforms\'')
parser_generic.add_argument('-m', '--mitigations', help='get a sorted count on how many ATT&CK Enterprise or '
'Mobile techniques are covered by a Mitigation',
choices=['enterprise', 'ics', 'mobile'], const='enterprise', nargs='?')
parser_generic.add_argument('--list-platforms', help='list the ATT&CK Enterprise or ICS (default = Enterprise) '
parser_generic.add_argument('--list-platforms', help='list the ATT&CK Enterprise, ICS or Mobile (default = Enterprise) '
'platforms that can be used with the \'-p/--platform\' argument',
choices=['enterprise', 'ics'], const='enterprise', nargs='?')
choices=['enterprise', 'ics', 'mobile'], const='enterprise', nargs='?')
parser_generic.add_argument('-u', '--updates', help='get a sorted list for when updates were released for '
'techniques, groups or software',
choices=['techniques', 'groups', 'software'])
Expand Down
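Review bot: The `choices=['enterprise', 'ics', 'mobile']` list is now spelled out in four `add_argument` calls inside `_init_menu` (`-d`, `-ds`, `-m` and `--list-platforms`), so adding the next domain means the same edit in four places and an easy chance for the lists to drift apart. A module-level `DOMAIN_CHOICES = ['enterprise', 'ics', 'mobile']` used as `choices=DOMAIN_CHOICES` keeps them in one spot. The `--list-platforms` help text was updated to say "Enterprise, ICS or Mobile", but the `-m/--mitigations` help just above it still reads "Enterprise or Mobile" although its choices include `ics`. `_init_menu` starts and ends outside the hunks.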
