Generate JSON force-directed/ node graph data from MITRE's ATTACK framework and visualize it interactively

Primary language: HTML. License: MIT.

ATTACK-Force-Graph

  • Generate and visualize MITRE's ATTACK data in a 3D force-directed graph with a UI made specifically for the ATTACK data

DEMO: (showcase image and demo link not reproduced in this copy)

Preview: (preview screenshot not reproduced in this copy)

TODO:

  • Add affiliation template
  • Add speciality template
  • Add attacks/ targets template
  • Optimize time complexity for certain sections

What?

  • Generate JSON force-graph data nodes and links from the MITRE ATTACK Framework based on your preferences. (graph_generator.py)

  • Use that data to visualize your results with a UI tailored around the ATTACK data. (frontend directory)

  • The generated JSON is formatted for use with @vasturiano's various awesome force-directed graph projects. (Tested and works on both the 2D and 3D versions)

  • At the moment you can generate the following combinations:

    1. Group -> Group Tools -> Group Tool Techniques:
      • Each group (APT) node is linked to the tools/ software the group uses, and each tool node is linked to the techniques that tool makes possible.
      • Total node connections: (group * n group tools * n tool techniques)
    2. Group -> Group Tools/ Software:
      • Links just the tools, without fetching the tool techniques data
      • Total node connections: (group * n group tools)
    3. Groups Only
      • A node for each group is generated, but no links. (What would you link a group to?!)
      • Total node connections: 0
    4. Other
      • You can generate standalone nodes of groups or group tools/ software.

Why?

  • Draw conclusions and spot patterns fast thanks to the power of data visualization.
  • Present compelling data stakeholders can easily understand and interact with.
  • Force-directed graphs are seriously... 😎 cool

How?

  • The graph generator script uses @Cyb3rWard0g's ATTACK-Python-Client (attackcti) to build the ATTACK graph data. Having worked with MITRE's raw STIX data directly... just use Roberto's package.
    • The attackcti calls are network requests (they fetch the ATTACK STIX data from MITRE) and can be time-consuming. Efficiency improvements are planned after the main portion is done.
  • The 3D graph in the UI is the 3D version (3d-force-graph) of vasturiano's awesome JS force-directed graphs.

Example Demos

(Example screenshots Example0 and Example1 not reproduced in this copy)

Data Preview

  • NOTE: The following values are not part of the MITRE ATTACK Framework and have to be supplied by you:

    • Group: affiliation - This is subjective and can be problematic, so it is up to your assessment to evaluate which group is affiliated with whom.
    • Group: targets - Work-in-progress for defaults, but hard to maintain over time given that it is not part of the ATTACK framework.
    • Group: speciality - Work-in-progress and much easier to maintain.
  • val - This can be used to determine how big you want a node element to be.

    • For groups: val is the number of tools the group uses
    • For tools: val is the number of techniques the tool makes possible
    • For techniques: set to None (null in the JSON) by default, leaving it up to you

Group Node

```json
{
    "id": "MITRE GROUP ID HERE. EX: G0005",
    "type": "group",
    "val": 2,
    "attributes": {
        "name": "Cool Group/ APT Name Here",
        "aliases": [
            "Group alias",
            "Operation Golden Kitty"
        ],
        "description": "Cleaned description. Do not use `get_desc()` if you want the raw desc...",
        "affiliation": "You have to assign this value yourself, read the NOTE above :)",
        "targets": ["Also you have to", "set this. Read NOTE above"],
        "speciality": ["set this based on your assessment", "Read NOTE above"],
        "tools": {
            "tool_id_here": "tool_name_here",
            "S0225": "sqlmap"
        },
        "techniques": {
            "technique_id_here": "technique_name_here",
            "T1566.003": "Spearphishing via Service"
        }
    }
}
```

Tool Node

```json
{
    "id": "MITRE Software ID HERE. EX: S0084",
    "type": "tool",
    "val": 1,
    "attributes": {
        "name": "tool_name_here",
        "aliases": [],
        "labels": [
            "tool"
        ],
        "description": "Cleaned description. Do not use `get_desc()` if you want the raw desc...",
        "platforms": [
            "Linux",
            ...
        ],
        "techniques": {
            "T1190": "Exploit Public-Facing Application"
        }
    }
}
```

Technique Node

  • val is set to None (null) by default; you can set it to the length of platforms or whatever your preference is.

```json
{
    "id": "MITRE Technique ID HERE. EX: T1190",
    "type": "technique",
    "val": null,
    "attributes": {
        "name": "Exploit Public-Facing Application",
        "chain_phase": "initial-access",
        "description": "Cleaned description. Do not use `get_desc()` if you want the raw desc.",
        "detection": "Cleaned detection. Do not use `get_desc()` if you want the raw detection paragraph...",
        "is_subtype": false,
        "platforms": [
            "Windows",
            ...
        ]
    }
}
```
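The following is an added example, not the project's graph_generator.py, that ties the three node shapes above to the Group -> Tools -> Techniques combinations from the What? section: it builds nodes and links in this JSON layout, sizes val exactly as the Data Preview describes, de-duplicates tools and techniques shared by several groups, and leaves the analyst-assigned fields empty. The attackcti fetch is replaced by small constructed dicts so it runs offline; the attackcti calls named in the comments (get_groups(), get_software_used_by_group(), get_techniques_used_by_software()) are assumed from that library and are not exercised here, and the placeholder IDs G9999/S9999 plus every name and description are made up.

```python
import json

# Added example (not the project's graph_generator.py). Constructed sample
# records stand in for the data the real generator pulls from attackcti
# (e.g. attack_client().get_groups(), get_software_used_by_group() and
# get_techniques_used_by_software(); those calls are assumed from that library
# and need network access, so they are not used here). G0005, S0225, T1190 and
# T1566.003 are IDs quoted on the page; G9999 and S9999 are placeholders, and
# every name and description below is made up.
GROUPS = {
    "G0005": {"name": "Example Group", "aliases": ["Operation Golden Kitty"],
              "description": "Constructed group description.",
              "tools": ["S0225", "S9999"]},
    "G9999": {"name": "Placeholder Group", "aliases": [],
              "description": "Constructed group description.",
              "tools": ["S0225"]},
}
SOFTWARE = {
    "S0225": {"name": "sqlmap", "labels": ["tool"], "platforms": ["Linux", "Windows"],
              "description": "Constructed tool description.", "techniques": ["T1190"]},
    "S9999": {"name": "placeholder-tool", "labels": ["tool"], "platforms": ["Windows"],
              "description": "Constructed tool description.",
              "techniques": ["T1190", "T1566.003"]},
}
TECHNIQUES = {
    "T1190": {"name": "Exploit Public-Facing Application", "chain_phase": "initial-access",
              "platforms": ["Windows", "Linux"],
              "description": "Constructed.", "detection": "Constructed."},
    "T1566.003": {"name": "Spearphishing via Service", "chain_phase": "initial-access",
                  "platforms": ["Windows", "macOS", "Linux"],
                  "description": "Constructed.", "detection": "Constructed."},
}

MODES = ("full", "tools", "groups")  # combinations 1, 2 and 3 from the What? section


def group_node(gid):
    g = GROUPS[gid]
    tools = {sid: SOFTWARE[sid]["name"] for sid in g["tools"]}
    techniques = {tid: TECHNIQUES[tid]["name"]
                  for sid in g["tools"] for tid in SOFTWARE[sid]["techniques"]}
    return {"id": gid, "type": "group",
            "val": len(tools),  # node size = number of tools the group uses
            "attributes": {"name": g["name"], "aliases": g["aliases"],
                           "description": g["description"],
                           # analyst-assigned fields, not in ATT&CK (see the NOTE above)
                           "affiliation": None, "targets": [], "speciality": [],
                           "tools": tools, "techniques": techniques}}


def tool_node(sid):
    s = SOFTWARE[sid]
    return {"id": sid, "type": "tool",
            "val": len(s["techniques"]),  # node size = number of techniques enabled
            "attributes": {"name": s["name"], "aliases": [], "labels": s["labels"],
                           "description": s["description"], "platforms": s["platforms"],
                           "techniques": {tid: TECHNIQUES[tid]["name"]
                                          for tid in s["techniques"]}}}


def technique_node(tid):
    t = TECHNIQUES[tid]
    return {"id": tid, "type": "technique",
            "val": None,  # left to the consumer, as the page says
            "attributes": {"name": t["name"], "chain_phase": t["chain_phase"],
                           "description": t["description"], "detection": t["detection"],
                           "is_subtype": "." in tid,  # sub-techniques look like T1566.003
                           "platforms": t["platforms"]}}


def build_graph(mode="full"):
    """Return {"nodes": [...], "links": [...]} in the force-graph layout.

    Nodes are keyed by id and links de-duplicated, so a tool shared by two
    groups (or a technique shared by two tools) appears once in the graph.
    """
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}, got {mode!r}")
    nodes, links = {}, {}
    for gid in GROUPS:
        nodes[gid] = group_node(gid)
        if mode == "groups":
            continue
        for sid in GROUPS[gid]["tools"]:
            nodes.setdefault(sid, tool_node(sid))
            links[(gid, sid)] = {"source": gid, "target": sid}
            if mode != "full":
                continue
            for tid in SOFTWARE[sid]["techniques"]:
                nodes.setdefault(tid, technique_node(tid))
                links[(sid, tid)] = {"source": sid, "target": tid}
    return {"nodes": list(nodes.values()), "links": list(links.values())}


def link_count(mode="full"):
    return len(build_graph(mode)["links"])


if __name__ == "__main__":
    # Dump the "full" combination; the output loads directly into
    # ForceGraph3D().graphData(...) with nodeVal("val") for sizing.
    print(json.dumps(build_graph("full"), indent=2))
```

Because links are keyed on (source, target), the link count here is lower than the page's "group * n group tools * n tool techniques" figure whenever two groups share a tool; that figure counts paths, while the force-graph only needs each edge once.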