
Attack Force Graph

Generate JSON force-directed node graph data from MITRE’s ATT&CK framework and visualize it interactively.


About:

  • Project I wanted to do as soon as I learned about force-directed graphs; the MITRE ATT&CK data seemed like a great candidate.
  • Second goal was to brush up on creating unique elements in preparation for a project I worked on during my 2021 internship.
  • Frontend done without React or other JS frameworks given how small the project is.
  • A Python script generates the node -> link connections.

Demo:

Preview:

What?

  • Generate JSON force-graph data (nodes and links) from the MITRE ATT&CK Framework based on your preferences. (graph_generator.py)

  • Use that data to visualize your results with a UI tailored around the ATT&CK data. (frontend directory)

  • The JSON data generated is formatted for use with @vasturiano’s awesome force-directed graph projects. (Tested and works on both the 2D and 3D versions.)

  • At the moment you can do the following combinations:

    1. Group -> Group Tools -> Group Tool Techniques:
      • Each group (APT) node is linked to the corresponding tools/software the group uses, and each tool node is linked to the techniques it makes possible.
      • Total node connections: (group * n group tools * n tool techniques)
    2. Group -> Group Tools/Software:
      • Links just the tools without fetching tool technique data.
      • Total node connections: (group * n group tools)
    3. Groups Only
      • A node for each group will be generated but no links. (What would you link a group to?!)
      • Total node connections: 0
    4. Other
      • You can generate standalone nodes of groups or group tools/software.

Why?

  • Draw conclusions and spot patterns fast thanks to the power of data visualization.
  • Present compelling data stakeholders can easily understand and interact with.
  • Force-directed graphs are seriously… 😎 cool

How?

  • The graph generator script uses @Cyb3rWard0g’s ATTACK-Python-Client to build the ATT&CK graph data. Having used MITRE’s STIX… just use Roberto’s package.
    • Fetches are live network requests and can be time-consuming. Efficiency improvements are planned after the main portion is done.
  • The 3D graph in the UI is the 3D version of vasturiano’s awesome JS force-directed graphs.

Data Preview:

  • NOTE: The following values are not part of the MITRE ATT&CK Framework:

    • Group: affiliation - This is subjective and can be problematic, so it is up to your assessment to evaluate which group is affiliated with whom.
    • Group: targets - Work-in-progress for defaults, but hard to maintain over time given that it is not part of the ATT&CK framework.
    • Group: speciality - Work-in-progress and much easier to maintain.
  • val - This can be used to determine how big you want a node element to be.

    • For groups: val is the number of tools the group uses.
    • For tools: val is the number of techniques the tool makes possible.
    • For techniques: Set to None by default, leaving it up to you.

Group Node

{
    "id": "MITRE GROUP ID HERE. EX: G0005",
    "type": "group",
    "val": 2,
    "attributes": {
        "name": "Cool Group/ APT Name Here",
        "aliases": [
            "Group alias",
            "Operation Golden Kitty"
        ],
        "description": "Cleaned description. Do not use `get_desc()` if you want raw desc...",
        "affiliation": "You have to assign this value yourself, read the NOTE above :)",
        "targets": ["Also you have to", "set this. Read NOTE above"],
        "speciality": ["set this based on your assessment", "Read NOTE above"],
        "tools": {
            "tool_id_here": "tool_name_here",
            "S0225": "sqlmap"
        },
        "techniques": {
            "technique_id_here": "technique_name_here",
            "T1566.003": "Spearphishing via Service"
        }
    }
}

Tool Node

{
    "id": "MITRE Software ID HERE. EX: S0084",
    "type": "tool",
    "val": 1,
    "attributes": {
        "name": "tool_name_here",
        "aliases": [],
        "labels": [
            "tool"
        ],
        "description": "Cleaned description. Do not use `get_desc()` if you want raw desc...",
        "platforms": [
            "Linux",
            ...
        ],
        "techniques": {
            "T1190": "Exploit Public-Facing Application"
        }
    }
}

Technique Node

  • val is set to None by default; you can set it to the length of platforms or whatever your preference is.

{
    "id": "MITRE Technique ID HERE. EX: T1190",
    "type": "technique",
    "val": null,
    "attributes": {
        "name": "Exploit Public-Facing Application",
        "chain_phase": "initial-access",
        "description": "Cleaned description. Do not use `get_desc()` if you want raw desc.",
        "detection": "Cleaned detection. Do not use `get_desc()` if you want raw detection paragraph...",
        "is_subtype": false,
        "platforms": [
            "Windows",
            ...
        ]
    }
}
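The combinations from the "What?" section and the node format above, as an added example that is not the project's graph_generator.py. It builds nodes and links in the documented shape from a small constructed sample of ATT&CK-style records (in the real script these come from ATTACK-Python-Client), computing val the way the Data Preview describes.

```python
import json
from typing import Optional

# Constructed sample data standing in for an attackcti query result.
GROUPS = {"G0005": {"name": "Sample Group", "tools": ["S0225", "S0084"]}}
TOOLS = {
    "S0225": {"name": "sqlmap", "techniques": ["T1190"]},
    "S0084": {"name": "sample-tool", "techniques": ["T1190", "T1566.003"]},
}
TECHNIQUES = {
    "T1190": {"name": "Exploit Public-Facing Application", "chain_phase": "initial-access"},
    "T1566.003": {"name": "Spearphishing via Service", "chain_phase": "initial-access"},
}


def build_graph(mode: str) -> dict:
    """mode: 'full' (group->tool->technique), 'tools' (group->tool), 'groups' (no links)."""
    nodes, links, seen = [], [], set()

    def add(node_id: str, ntype: str, val: Optional[int], attrs: dict) -> None:
        # A technique reached through two tools must be one node, not two.
        if node_id not in seen:
            seen.add(node_id)
            nodes.append({"id": node_id, "type": ntype, "val": val, "attributes": attrs})

    for gid, g in GROUPS.items():
        # group val = number of tools the group uses
        add(gid, "group", len(g["tools"]),
            {"name": g["name"], "tools": {t: TOOLS[t]["name"] for t in g["tools"]}})
        if mode == "groups":
            continue
        for tid in g["tools"]:
            t = TOOLS[tid]
            # tool val = number of techniques the tool makes possible
            add(tid, "tool", len(t["techniques"]),
                {"name": t["name"], "techniques": {x: TECHNIQUES[x]["name"] for x in t["techniques"]}})
            links.append({"source": gid, "target": tid})
            if mode != "full":
                continue
            for xid in t["techniques"]:
                # technique val stays None (null in JSON), left to the user
                add(xid, "technique", None, dict(TECHNIQUES[xid]))
                links.append({"source": tid, "target": xid})
    return {"nodes": nodes, "links": links}


def to_json(mode: str) -> str:
    """Serialize in the {nodes, links} shape the force-graph libraries load."""
    return json.dumps(build_graph(mode), indent=2)
```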