# SANS CTI Summit 2022 - Exploring ATT&CK Data Sources & Data Components

---

## Installing the ATT&CK Python Client

In [1]:
!pip install --upgrade attackcti

# If attackcti is already installed, you can upgrade it by adding the --upgrade option
# !pip install --upgrade attackcti

## Importing the ATT&CK API Client

In [2]:
from attackcti import attack_client

import logging
logging.getLogger('taxii2client').setLevel(logging.CRITICAL)

## Initializing the ATT&CK Client class

In [3]:
lift = attack_client()

## Getting Objects: Data Sources

The **get_data_sources** function accesses the metadata of the new **x-mitre-data-source** objects.

Currently, `x-mitre-data-source` objects add context to the **Detection** section of each technique in the `Enterprise` matrix.

In [4]:
data_sources = lift.get_data_sources()

In [5]:
# Number of x-mitre-data-source objects
print('Existen',len(data_sources),'fuentes de datos')

Existen 38 fuentes de datos

In [6]:
# Example x-mitre-data-source object
data_sources[0]

{'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'modified': '2021-10-20T15:05:19.275Z',
 'name': 'Internet Scan',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'type': 'x-mitre-data-source',
 'id': 'x-mitre-data-source--38fe306c-bdec-4f3d-8521-b72dd32dbd17',
 'description': 'Information obtained (commonly via active network traffic probes or web crawling) regarding various types of resources and servers connected to the public Internet',
 'created': '2021-10-20T15:05:19.275Z',
 'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0035',
   'external_id': 'DS0035',
   'source_name': 'mitre-attack'}],
 'x_mitre_version': '1.0',
 'x_mitre_platforms': ['PRE'],
 'x_mitre_collection_layers': ['OSINT'],
 'x_mitre_contributors': []}

## Getting Objects: Data Components

The **get_data_components** function accesses the metadata of the new **x-mitre-data-component** objects.

Currently, `x-mitre-data-component` objects only add context to the **Detection** section of each technique in the `Enterprise` matrix.

For that reason, the `get_data_components` function returns the same result as the **get_enterprise_data_components** function.

In the future, once the mapping of `data components` to techniques in the ICS and Mobile matrices is complete, these functions will return different results.

We will also be able to introduce new functions such as **get_ics_data_components** and **get_mobile_data_components**.

In [7]:
data_components = lift.get_data_components()

In [8]:
# Number of x-mitre-data-component objects
print('Existen',len(data_components),'componentes de datos')

Existen 109 componentes de datos

In [9]:
# Example x-mitre-data-component object
data_components[0]

{'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'modified': '2021-10-20T15:05:19.275Z',
 'id': 'x-mitre-data-component--cc150ad8-ecfa-4340-9aaa-d21165873bd4',
 'description': 'Logged domain name system (DNS) data highlighting timelines of domain to IP address resolutions (ex: passive DNS)',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'name': 'Passive DNS',
 'created': '2021-10-20T15:05:19.275Z',
 'type': 'x-mitre-data-component',
 'x_mitre_version': '1.0',
 'x_mitre_data_source_ref': 'x-mitre-data-source--dd75f457-8dc0-4a24-9ae5-4b61c33af866'}

## Getting Objects: Techniques (enrich_data_sources = False)

The **get_techniques** function accesses the metadata of **attack-pattern** objects from the `Enterprise`, `ICS`, and `Mobile` matrices.

To get the `attack-pattern` objects of a single matrix, use the following functions:

- Enterprise: **get_enterprise_techniques**
- ICS: **get_ics_techniques**
- Mobile: **get_mobile_techniques**

Every `attack-pattern` object contains, as part of its metadata, the **x_mitre_data_sources** field.

The `x_mitre_data_sources` field provides **data source** and **data component** context as a list of names, not as objects. Here is an example:

*x_mitre_data_sources=['File: File Creation', 'Process: Process Creation', 'File: File Metadata', 'Command: Command Execution']*

In [10]:
techniques = lift.get_techniques()

In [11]:
# Number of attack-pattern objects
print('Existen',len(techniques),'técnicas (Enterprise, ICS, Mobile)')

Existen 736 técnicas (Enterprise, ICS, Mobile)

In [12]:
# Example attack-pattern object
techniques[0]

AttackPattern(type='attack-pattern', id='attack-pattern--b22e5153-ac28-4cc6-865c-2054e36285cb', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-10-12T20:02:31.866Z', modified='2021-10-16T01:50:40.276Z', name='Resource Forking', description='Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using <code>ls -l@</code> or <code>xattr -l</code> commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the <code>/Resources</code> folder.(

In [13]:
# Example of context (Data Sources and Data Components) for an attack-pattern object
techniques[0]['x_mitre_data_sources']

['File: File Creation',
 'Process: Process Creation',
 'File: File Metadata',
 'Command: Command Execution']

## Getting Objects: Techniques (enrich_data_sources = True)

As mentioned earlier, `x-mitre-data-component` objects only add context to the **Detection** section of each technique in the `Enterprise` matrix.

Therefore, we have added the **enrich_data_sources** parameter to the **get_enterprise_techniques** and **get_techniques** functions so that they attach the context of the **x-mitre-data-source** and **x-mitre-data-component** objects.

In the future, once the mapping of `data components` to techniques in the ICS and Mobile matrices is complete, we will add the `enrich_data_sources` parameter to the **get_ics_techniques** and **get_mobile_techniques** functions.

In [14]:
techniques_enriched = lift.get_techniques(enrich_data_sources=True)

In [15]:
# Number of attack-pattern objects
print('Existen',len(techniques_enriched),'técnicas (Enterprise, ICS, Mobile)')

Existen 736 técnicas (Enterprise, ICS, Mobile)

In [16]:
# Example attack-pattern object
techniques_enriched[0]

AttackPattern(type='attack-pattern', id='attack-pattern--b22e5153-ac28-4cc6-865c-2054e36285cb', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-10-12T20:02:31.866Z', modified='2022-01-20T19:26:43.291Z', name='Resource Forking', description='Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using <code>ls -l@</code> or <code>xattr -l</code> commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the <code>/Resources</code> folder.(

In [17]:
# Example of context (Data Sources and Data Components) for an attack-pattern object
techniques_enriched[0]['x_mitre_data_sources']

[{'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
  'modified': '2021-11-10T09:30:48.694Z',
  'name': 'Command',
  'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
  'type': 'x-mitre-data-source',
  'id': 'x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089',
  'description': 'A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command  Line)(Citation: Audit OSX)',
  'created': '2021-10-20T15:05:19.273Z',
  'external_references': [{'url': 'https://attack.mitre.org/datasources/DS0017',
    'external_id': 'DS0017',
    'source_name': 'mitre-attack'},
   {'url': 'https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html',
    'description': 'Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021.',
    'source_name': 'Confluenc
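Added example, not code from the notebook or from attackcti: an offline re-implementation of the string-to-object enrichment described in the two technique sections above, run over constructed objects shaped like the notebook output, plus the coverage check a detection engineer would run once the mapping exists. All object ids and the two extra techniques are constructed placeholders.

```python
# Added example, not attackcti code: ids below are constructed placeholders.
DATA_SOURCES = [  # shaped like the x-mitre-data-source objects shown above
    {"type": "x-mitre-data-source", "id": "x-mitre-data-source--ds-file", "name": "File"},
    {"type": "x-mitre-data-source", "id": "x-mitre-data-source--ds-proc", "name": "Process"},
    {"type": "x-mitre-data-source", "id": "x-mitre-data-source--ds-cmd", "name": "Command"},
]
DATA_COMPONENTS = [  # x_mitre_data_source_ref joins each component to its source
    {"name": "File Creation", "x_mitre_data_source_ref": "x-mitre-data-source--ds-file"},
    {"name": "File Metadata", "x_mitre_data_source_ref": "x-mitre-data-source--ds-file"},
    {"name": "Process Creation", "x_mitre_data_source_ref": "x-mitre-data-source--ds-proc"},
    {"name": "Command Execution", "x_mitre_data_source_ref": "x-mitre-data-source--ds-cmd"},
]
TECHNIQUES = [  # first mirrors Resource Forking above; third points at a component we lack
    {"name": "Resource Forking", "x_mitre_data_sources": [
        "File: File Creation", "Process: Process Creation",
        "File: File Metadata", "Command: Command Execution"]},
    {"name": "Constructed Technique B", "x_mitre_data_sources": ["Command: Command Execution"]},
    {"name": "Constructed Technique C", "x_mitre_data_sources": ["Process: OS API Execution"]},
]

def parse_ref(ref):
    """Split 'Data Source: Data Component' into its two names."""
    source, sep, component = ref.partition(": ")
    if not sep:
        raise ValueError(f"malformed data source reference: {ref!r}")
    return source, component

def build_index(data_sources, data_components):
    """(source name, component name) -> (source object, component object)."""
    by_id = {ds["id"]: ds for ds in data_sources}
    return {(by_id[dc["x_mitre_data_source_ref"]]["name"], dc["name"]):
            (by_id[dc["x_mitre_data_source_ref"]], dc)
            for dc in data_components if dc["x_mitre_data_source_ref"] in by_id}

def enrich_technique(technique, index):
    """Objects in place of the name strings; unmatched refs go to 'unresolved'."""
    enriched, unresolved = [], []
    for ref in technique["x_mitre_data_sources"]:
        hit = index.get(parse_ref(ref))
        if hit:
            enriched.append({"data_source": hit[0], "data_component": hit[1]})
        else:
            unresolved.append(ref)
    return {**technique, "x_mitre_data_sources": enriched, "unresolved": unresolved}

def detectable_techniques(techniques, collected):
    """Techniques referencing at least one 'Source: Component' the org collects."""
    return sorted(t["name"] for t in techniques
                  if set(t["x_mitre_data_sources"]) & set(collected))
```

Against the real client, `build_index(lift.get_data_sources(), lift.get_data_components())` gives the same index, and `unresolved` surfaces technique references whose component is missing from the catalogue instead of silently dropping them.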