NOTE: The Mitre ATT&CK Framework is NOT an all-encompassing/defacto security coverage map. It is rather a FRAMEWORK, and other avenues should be considered when assessing your security posture.
As security teams adopt the Mitre ATT&CK Framework to help them identify gaps in their defenses, having a way to identify what malware and tools are being used by specific actors or groups becomes more critical. Additionally, having a way to identify these relationships programatically is even more critical.
Today, we are excited to announce the Swimlane research team has released pyattck—a Python package to interact with the Mitre ATT&CK Framework. There are many different open-source projects being released on a daily basis, but we wanted to provide a straightforward Python package that allows the user to identify known relationships between all verticals of the Mitre ATT&CK Framework.
If you are unfamiliar with the Mitre ATT&CK Framework, there are a few key components in which you need a firm grasp:
Tactics and techniques
When looking at the Mitre ATT&CK Framework, tactics are listed within the columns and represent the different phases of an attack.
Techniques appear in the rows beneath specific tactics (columns) and are data points within the framework that provide guidance when assessing security gaps. Additionally, most techniques contain mitigation guidance, as well as information about their relationship to tools, malware, and even actors/groups that are using or have used the technique during recorded attacks.
If your organization is focused on tactics, techniques and procedures (TTPs) used by certain actors/groups, then Mitre ATT&CK Framework is perfect for you. If your organization has not reached this level of security maturity, no worries! The ATT&CK Framework still provides rich guidance in a simple and straightforward layout. However, it is not straightforward programmatically, especially if you want to measure (or map) your security controls using the framework.
But do not fret, we have released pyattck as an open-source Python package that enables security teams to draw upon these relationships for their own internal or external tooling. Currently, pyattck supports the identification of the following relationships with more being added:
- Tools used by the actor or group.
- Malware used by the actor or group.
- Techniques used by the actor or group.
- Actor or group using this malware.
- Techniques this malware is used with.
- Techniques related to a specific set of mitigation suggestions.
- Techniques found in a specific tactic (phase).
- Tactics in which a technique is found.
- Mitigation suggestions for a given technique.
- Actor or group(s) identified as using this technique.
- Techniques used within the specified tools.
- Actor or group(s) using a specified tool.
As an example, if your security team wants to ensure they are protected against TTPs related to APT1, then instead of looking through a visual map of information about APT1, you can use pyattck to extract the tools, malware, and techniques associated or used by APT1.
To retrieve this information from pyattck, you can specify the actor name and retrieve any information about the actor itself and it’s techniques:
from pyattck import Attck attack = Attck() for actor in attack.actors: if 'APT1' in actor.name: for technique in actor.techniques: print(technique.name)
If you wanted to retrieve technique mitigation suggestions, you can do the following:
from pyattck import Attck attack = Attck() for technique in attack.techniques: print(technique.name) for mitigation in technique.mitigation: print(mitigation.description)