
Update ATT&CK data for the HELK kibana dashboard.

Project description

Update Mitre Dashboard

Goal: Update the MITRE ATT&CK dashboard shipped with HELK so that it uses the latest ATT&CK data.

Challenge

  • The old data does not match the newer data, neither in column names nor in column count.
  • The candidate sources publish the data in differing formats.
  • The old data predates sub-techniques, so they are not included.

Set up

Get started:

poetry install

Mitreattack-py

MITRE publishes a Python library, mitreattack-python, that parses the ATT&CK data (STIX 2.1 JSON). The returned objects are very rich and contain every column the dashboard needs, but the renaming and joining required to get there take patience.

Challenge

  • The data is split into several tables (techniques, tactics, groups, software, relationships) that reference each other rather than sitting in one flat table.
  • Joining those tables naively produces a 60 GB table with 130M rows.
  • (Optionally) Exclude sub-techniques from the table.

The following script exports the data as CSV and the column headers as a separate txt file.

poetry run python run.py --matrix_name <matrix> --include_subtechniques --output_dir ./output

Options for matrix_name are enterprise-attack, mobile-attack and ics-attack. Optional flags are:

  • --include_sub_techniques to include sub-techniques.
  • --include_detection to include detection methods.
  • --include_descriptions to include descriptions of techniques, software, groups, etc.

Note: setting all flags produces a CSV of roughly 60 GB and can take a long time; leave out the flags the dashboard does not need.
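The blow-up described above comes from cross-joining every group, software and detection row onto every technique row. The following is an added example for this page, not the project's run.py and not mitreattack-python: it flattens an ATT&CK STIX 2.1 bundle into one row per technique and tactic, resolves the relationship objects once into aggregated group/software columns instead of joining them, drops revoked or deprecated objects, and lets you exclude sub-techniques. The object types and field names (attack-pattern, relationship, kill_chain_phases, x_mitre_is_subtechnique, external_references with source_name mitre-attack) are the ones the real bundles use; the bundle itself, the IDs and the function names (build_rows, to_csv, COLUMNS) are constructed here.

```python
"""Flatten an ATT&CK STIX 2.1 bundle into one row per technique and tactic.

Added example for this page; not attack_dashboard's run.py and not
mitreattack-python. Runs offline on an inline, constructed mini-bundle.
"""
import csv
import io
from collections import defaultdict


def _obj(stix_type, uid, name, ext_id, **extra):
    """Constructed STIX object carrying a mitre-attack external reference."""
    return {"type": stix_type, "id": f"{stix_type}--{uid}", "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
            **extra}


def _technique(uid, name, ext_id, tactics, sub=False, **extra):
    """Constructed attack-pattern; one kill_chain_phases entry per tactic."""
    return _obj("attack-pattern", uid, name, ext_id,
                x_mitre_is_subtechnique=sub, x_mitre_platforms=["Windows", "Linux"],
                kill_chain_phases=[{"kill_chain_name": "mitre-attack", "phase_name": t}
                                   for t in tactics],
                **extra)


def _rel(uid, rel_type, src, tgt):
    return {"type": "relationship", "id": f"relationship--{uid}",
            "relationship_type": rel_type, "source_ref": src, "target_ref": tgt}


# Constructed sample bundle (fake IDs, not real ATT&CK content).
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    _technique("t1", "Command and Scripting Interpreter", "T1059", ["execution"]),
    _technique("t2", "PowerShell", "T1059.001", ["execution"], sub=True),
    _technique("t3", "Valid Accounts", "T1078",
               ["defense-evasion", "persistence", "privilege-escalation", "initial-access"]),
    _technique("t4", "Data Compressed", "T1002", ["exfiltration"], revoked=True),
    _obj("intrusion-set", "g1", "Example Group", "G0001"),
    _obj("malware", "s1", "Example Malware", "S0001"),
    _rel("r1", "subtechnique-of", "attack-pattern--t2", "attack-pattern--t1"),
    _rel("r2", "uses", "intrusion-set--g1", "attack-pattern--t2"),
    _rel("r3", "uses", "malware--s1", "attack-pattern--t3"),
    _rel("r4", "uses", "intrusion-set--g1", "attack-pattern--t3"),
    _rel("r5", "uses", "intrusion-set--g1", "attack-pattern--missing"),  # dangling ref
]}

COLUMNS = ["technique_id", "technique", "is_subtechnique", "parent_technique_id",
           "tactic", "platforms", "groups", "software"]


def attack_id(obj):
    """ATT&CK external ID (T1059, G0001, S0001, ...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def build_rows(bundle, include_subtechniques=True):
    """One row per (technique, tactic); groups/software are aggregated, not cross-joined."""
    objs = {o["id"]: o for o in bundle["objects"]}
    # Revoked and deprecated objects still ship in the bundle; drop them here.
    techniques = [o for o in objs.values() if o["type"] == "attack-pattern"
                  and not o.get("revoked") and not o.get("x_mitre_deprecated")]
    if not include_subtechniques:
        techniques = [t for t in techniques if not t.get("x_mitre_is_subtechnique")]

    groups, software, parent_of = defaultdict(set), defaultdict(set), {}
    for rel in (o for o in objs.values() if o["type"] == "relationship"):
        src, tgt = objs.get(rel["source_ref"]), objs.get(rel["target_ref"])
        if src is None or tgt is None:
            continue  # dangling reference: skip instead of emitting a half-empty row
        if rel["relationship_type"] == "subtechnique-of":
            parent_of[src["id"]] = tgt["id"]
        elif rel["relationship_type"] == "uses" and tgt["type"] == "attack-pattern":
            label = attack_id(src) or src["name"]
            if src["type"] == "intrusion-set":
                groups[tgt["id"]].add(label)
            elif src["type"] in ("malware", "tool"):
                software[tgt["id"]].add(label)

    rows = []
    for t in techniques:
        parent = objs.get(parent_of.get(t["id"], ""))
        for phase in t.get("kill_chain_phases", []):
            # enterprise uses "mitre-attack"; mobile/ICS use "mitre-mobile-attack"/"mitre-ics-attack"
            if not phase["kill_chain_name"].startswith("mitre-"):
                continue
            rows.append({
                "technique_id": attack_id(t), "technique": t["name"],
                "is_subtechnique": bool(t.get("x_mitre_is_subtechnique")),
                "parent_technique_id": attack_id(parent) if parent else "",
                "tactic": phase["phase_name"],
                "platforms": ";".join(t.get("x_mitre_platforms", [])),
                # Group usage is recorded against the sub-technique only; it does
                # not roll up to the parent unless you add that step yourself.
                "groups": ";".join(sorted(groups[t["id"]])),
                "software": ";".join(sorted(software[t["id"]])),
            })
    return rows


def to_csv(rows):
    """Serialise rows with a header line (the header alone is what the .txt export carries)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_rows(SAMPLE_BUNDLE, include_subtechniques=False)))
```

On the full enterprise bundle the same approach stays in the low thousands of rows (techniques times their tactics), because groups and software become delimited lists in two columns rather than extra rows; splitting them back out is a one-line Logstash mutate/split later if the dashboard needs them as separate values.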

Send 2 Logstash

Now that we have the more or less lean data as CSV, let's use Logstash to import it into Elasticsearch. First set your credentials in the .env file. Then run:

export $(grep -v '^#' .env | xargs -d '\n')
export HEADERS=$(grep -v '^#' output/<name>.txt)
logstash -f logstash.conf

then, in a separate shell, stream the CSV with the same base name as the header file to the TCP port Logstash listens on:

nc <logstash-host> 32173 -q 11 < output/<name>.csv
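Because the header file and the CSV are shipped separately, nothing checks that they agree before Logstash maps fields by position. The following is an added check for this page, not part of attack_dashboard or Logstash; it assumes, as the commands above imply, that output/<name>.txt holds the column names as one comma-separated line (comments allowed) and output/<name>.csv holds the data rows. A row with the wrong field count silently lands values in the wrong fields, and a header row left inside the CSV becomes a bogus document unless the filter skips it, so both are reported. The sample header and CSV texts are constructed.

```python
"""Sanity-check a header/CSV export pair before streaming it to Logstash.

Added example for this page, not part of attack_dashboard or Logstash.
"""
import csv
import io

# Constructed samples (not real exports).
HEADERS_TXT = "# columns of the enterprise export\ntechnique_id,technique,tactic,platforms\n"
CSV_GOOD = ('T1059,"Command and Scripting Interpreter",execution,Windows;Linux\n'
            'T1078,"Valid Accounts",initial-access,"Windows, Linux"\n')
CSV_BAD = ("technique_id,technique,tactic,platforms\n"                       # header row left in
           "T1059,Command and Scripting Interpreter,execution,Windows;Linux\n"
           "T1078,Valid Accounts,initial-access,Windows, Linux\n")            # unquoted comma -> 5 fields


def read_headers(header_text):
    """Column names from the .txt export: comments dropped, exactly one line expected."""
    lines = [l for l in header_text.splitlines() if l.strip() and not l.startswith("#")]
    if len(lines) != 1:
        raise ValueError(f"expected one header line, found {len(lines)}")
    headers = next(csv.reader([lines[0]]))
    if len(set(headers)) != len(headers):
        raise ValueError("duplicate column names")
    return headers


def validate_export(header_text, csv_text):
    """Report column count, row count, rows whose field count is off, and a header-row flag."""
    headers = read_headers(header_text)
    report = {"columns": len(headers), "rows": 0, "bad_rows": {}, "has_header_row": False}
    for n, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        report["rows"] = n
        if n == 1 and row == headers:
            report["has_header_row"] = True
        if len(row) != len(headers):
            report["bad_rows"][n] = len(row)  # 1-based row number -> fields found
    return report


def validate_export_files(name, output_dir="output"):
    """Same check against output/<name>.txt and output/<name>.csv on disk."""
    with open(f"{output_dir}/{name}.txt", encoding="utf-8") as h, \
         open(f"{output_dir}/{name}.csv", encoding="utf-8", newline="") as c:
        return validate_export(h.read(), c.read())


if __name__ == "__main__":
    for label, text in (("good", CSV_GOOD), ("bad", CSV_BAD)):
        print(label, validate_export(HEADERS_TXT, text))
```

Run validate_export_files("<name>") before the nc step; an empty bad_rows and has_header_row False means the CSV is safe to stream as-is, otherwise fix the export (or tell the Logstash csv filter to skip the header) rather than letting shifted fields reach the dashboard.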

OTRF attackcti

attackcti comes from the author of HELK (OTRF). Its columns do not match the dashboard's either.

Work can be found in the mitre_tables notebook.

The same author's openhunt library is also used to visualize pivoting between ATT&CK objects. Experiments are in the openhunt notebook.

Download files

Source Distribution

attack_dashboard-0.11.1.tar.gz (15.6 kB)

Built Distribution

attack_dashboard-0.11.1-py3-none-any.whl (32.4 kB, Python 3)
