nshalabi/ATTACK-Tools

Requested Features

nshalabi opened this issue · 2 comments

This is a summary of the feature requests I received (in random order):

  1. The ability to import ATT&CK™ data sets using the tool itself.
  2. Add custom techniques not listed in ATT&CK™ (insider threat and fraud focused).
  3. Incorporate more red-teams playbooks, similar to atomic-red-team™.
  4. Start a plan by importing ATT&CK™ navigator exports.
  5. Ability to define targets and assign a "testing guideline" to each, allowing users to input components of their systems in terms of access/process/technology (what is being defended).
  6. Integrate the tool with CALDERA™ to generate tests.
  7. Create macOS & Linux versions.
  8. Open source the tool.
  9. Exporting plans for sharing.
  10. Map NIST SP 800-53 controls to techniques (other controls SOX, PCI, FFIEC).
  11. Allow users to enter known vulnerability data for systems (like Kenna or NVD).
  12. Add technique scoring cost/difficulty/discoverability for attack tree modeling (technique based attack probability and simulation).

Thank you all for your feedback. If you would like to add a new feature or give feedback about a requested feature, please add it here or email me directly at nader@nosecurecode.com

Amazing tool, I wish I'd found it sooner!

Just the one feature request from what I've seen so far:

  1. Ability to include software used by APTs, e.g. APT30 uses S0028 (SHIPSHAPE), which maps to T1060, T1091, T1023. Implementation of this could be that importing S0028 would add S0028 as a node and expand the three Techniques as child nodes, with the "Use" information populated in the Description field.

Also, is there a way to update the sqlite db with the latest data from the MITRE ATT&CK site?

Thank you!
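The node tree proposed in the comment above (a software entry as parent, its techniques as children, the "uses" text as each child's Description) can be derived from ATT&CK's STIX relationships. This is an editor-added example, not code from ATTACK-Tools; `SAMPLE_BUNDLE` is a constructed imitation of the ATT&CK STIX object layout, with made-up IDs and descriptions, and the revoked/deprecated filter is an assumption about what an import should skip.

```python
# Tree from the comment above: software node (S0028) with the techniques it uses
# as children, each carrying the "uses" relationship text as its Description.
# Editor-added example, not ATTACK-Tools code; SAMPLE_BUNDLE is constructed.

def _obj(typ, sid, name, ext_id, **extra):
    """Constructed STIX-like object carrying a mitre-attack external_id."""
    return {"type": typ, "id": sid, "name": name, "external_references": [
        {"source_name": "mitre-attack", "external_id": ext_id}], **extra}

def _uses(src, dst, text):
    """Constructed 'uses' relationship; its description becomes the 'Use' text."""
    return {"type": "relationship", "relationship_type": "uses",
            "source_ref": src, "target_ref": dst, "description": text}

SAMPLE_BUNDLE = {"objects": [  # imitates ATT&CK's STIX layout; not real data
    _obj("malware", "malware--s0028", "SHIPSHAPE", "S0028"),
    _obj("attack-pattern", "ap--t1060", "Registry Run Keys / Startup Folder", "T1060"),
    _obj("attack-pattern", "ap--t1091", "Replication Through Removable Media", "T1091"),
    _obj("attack-pattern", "ap--t1023", "Shortcut Modification", "T1023"),
    _obj("attack-pattern", "ap--old", "Retired (placeholder)", "T0000", revoked=True),
    _uses("malware--s0028", "ap--t1060", "(constructed) persists via a Run key"),
    _uses("malware--s0028", "ap--t1091", "(constructed) copies itself to removable media"),
    _uses("malware--s0028", "ap--t1023", "(constructed) drops a shortcut in Startup"),
    _uses("malware--s0028", "ap--old", "(constructed) must be skipped: revoked"),
]}

def attack_id(obj):
    """Sxxxx/Txxxx id from the object's mitre-attack external reference."""
    return next((r["external_id"] for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), None)

def build_software_tree(bundle, software_id):
    """Software node with one child per live technique it 'uses'."""
    objs = bundle["objects"]
    by_ref = {o["id"]: o for o in objs if "id" in o}
    sw = next(o for o in objs if o["type"] in ("malware", "tool")
              and attack_id(o) == software_id)
    node = {"id": software_id, "name": sw["name"], "children": []}
    for rel in objs:
        if (rel["type"] != "relationship" or rel["relationship_type"] != "uses"
                or rel["source_ref"] != sw["id"]):
            continue
        tech = by_ref.get(rel["target_ref"])
        # Skip dangling refs and techniques ATT&CK has revoked or deprecated.
        if tech and tech["type"] == "attack-pattern" and not (
                tech.get("revoked") or tech.get("x_mitre_deprecated")):
            node["children"].append({"id": attack_id(tech), "name": tech["name"],
                                     "description": rel.get("description", "")})
    node["children"].sort(key=lambda c: c["id"])
    return node
```

Pointing the same function at a real ATT&CK STIX bundle (the `objects` list of `enterprise-attack.json`) gives the current technique set for any Sxxxx entry, which also answers the database-refresh question in the same comment.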

  • Regarding the first request, it used to exist but was removed and replaced with filtering the techniques related to a certain adversary or software for selection while creating/editing the testing guideline. The decision was based on feedback that not all TTPs would fit into one testing guideline, which makes sense if you look at the APT3 plan: testing guidelines are matched with fewer TTPs, and the full plan doesn't cover all TTPs reported.

  • Regarding the database update, I just updated the content with the latest ATT&CK and ATOMIC contents.

Much appreciated.