[![Project Status: WIP – Initial development is in progress, but there has not yet been a stable, usable release suitable for the public.](https://www.repostatus.org/badges/latest/wip.svg)](https://www.repostatus.org/#wip)
[![Signed by](https://img.shields.io/badge/Keybase-Verified-brightgreen.svg)](https://keybase.io/hrbrmstr)
![Signed commit %](https://img.shields.io/badge/Signed_Commits-100%25-lightgrey.svg)
[![Linux build Status](https://travis-ci.org/hrbrmstr/attckr.svg?branch=master)](https://travis-ci.org/hrbrmstr/attckr)
[![Coverage Status](https://codecov.io/gh/hrbrmstr/attckr/branch/master/graph/badge.svg)](https://codecov.io/gh/hrbrmstr/attckr)
![Minimal R Version](https://img.shields.io/badge/R%3E%3D-3.2.0-blue.svg)
![License](https://img.shields.io/badge/License-Apache-blue.svg)

# attckr

Analyze Adversary Tactics and Techniques Using the MITRE ATT\&CK CTI Corpus

## Description
MITRE ATT\&CK is a globally-accessible knowledge base of adversary
tactics and techniques based on real-world observations. The ATT\&CK
knowledge base is used as a foundation for the development of specific
threat models and methodologies in the private sector, in government,
and in the cybersecurity product and service community. Tools are
provided to analyze adversary tactics and techniques, build incident
metrics, and identify high level program gaps using the MITRE ATT\&CK
CTI Corpus.
## What’s Inside The Tin
The following functions are implemented:

- `attck_cdf_tactic`: Produce an ATT\&CK Cumulative Distribution Function by Tactic
- `attck_map`: Generate an ATT\&CK heatmap
- `enterprise_attack`: Enterprise Attack Taxonomy v2.0
- `fct_tactic`: Make an ordered Tactics factor with optional better labelling
- `mobile_attack`: Mobile Attack Taxonomy v2.0
- `pre_attack`: Pre-Attack Taxonomy v2.0
- `read_events`: Read in ATT\&CK events from a file
- `tactics_f`: Tactics factors (generally for sorting & pretty-printing)
- `theme_enhance_atkmap`: Remove cruft from ATT\&CK heatmaps
- `tidy_attack`: Combined ATT\&CK Matrices Tactics, Techniques and Technique detail
- `validate_tactics`: Validate Tactics strings against MITRE authoritative source
- `validate_technique_ids`: Validate Technique IDs
- `validate_techniques`: Validate Techniques strings against MITRE authoritative source

The following datasets are included:

- `enterprise_attack`: Enterprise Attack Taxonomy v2.0
- `mobile_attack`: Mobile Attack Taxonomy v2.0
- `pre_attack`: Pre-Attack Taxonomy v2.0
- `tactics_f`: Tactics factors (generally for sorting & pretty-printing)
- `tidy_attack`: Combined ATT\&CK Matrices Tactics, Techniques and Technique detail

## Installation

``` r
install.packages("attckr", repos = "https://cinc.rud.is")
# or
remotes::install_git("https://git.rud.is/hrbrmstr/attckr.git")
# or
remotes::install_git("https://git.sr.ht/~hrbrmstr/attckr")
# or
remotes::install_gitlab("hrbrmstr/attckr")
# or
remotes::install_bitbucket("hrbrmstr/attckr")
# or
remotes::install_github("hrbrmstr/attckr")
```

NOTE: To use the ‘remotes’ install options you will need to have the
[{remotes} package](https://github.com/r-lib/remotes) installed.
## Usage
``` r
library(attckr)
library(hrbrthemes)
library(tidyverse)

# current version
packageVersion("attckr")
## [1] '0.2.0'
```

``` r
tidy_attack
## # A tibble: 795 x 5
## technique description id matrix tactic
## <chr> <chr> <chr> <chr> <chr>
## 1 .bash_profile and… "<code>~/.bash_profile</code> and <code>~/.bashrc</code> are shel… T1156 mitre-at… persistence
## 2 Access Token Mani… "Windows uses access tokens to determine the ownership of a runni… T1134 mitre-at… defense-evas…
## 3 Access Token Mani… "Windows uses access tokens to determine the ownership of a runni… T1134 mitre-at… privilege-es…
## 4 Access Token Mani… "Windows uses access tokens to determine the ownership of a runni… CAPEC-… mitre-at… defense-evas…
## 5 Access Token Mani… "Windows uses access tokens to determine the ownership of a runni… CAPEC-… mitre-at… privilege-es…
## 6 Accessibility Fea… "Windows contains accessibility features that may be launched wit… T1015 mitre-at… persistence
## 7 Accessibility Fea… "Windows contains accessibility features that may be launched wit… T1015 mitre-at… privilege-es…
## 8 Accessibility Fea… "Windows contains accessibility features that may be launched wit… CAPEC-… mitre-at… persistence
## 9 Accessibility Fea… "Windows contains accessibility features that may be launched wit… CAPEC-… mitre-at… privilege-es…
## 10 Account Access Re… "Adversaries may interrupt availability of system and network res… T1531 mitre-at… impact
## # … with 785 more rows
```

``` r
events <- read_events(system.file("extdat/sample-incidents.csv.gz", package = "attckr"))
## Parsed with column specification:
## cols(
##   event_id = col_character(),
##   incident_id = col_character(),
##   event_ts = col_date(format = ""),
##   detection_ts = col_date(format = ""),
##   tactic = col_character(),
##   technique = col_character(),
##   discovery_source = col_character(),
##   reporting_source = col_character(),
##   responder_id = col_character()
## )
## You appear to be using Tactic ids.
## You appear to be using Techinque ids.

attck_map(
  events, "pretty", "nl", "enterprise",
  dark_value_threshold = 1,
  size = 3, family = font_rc, lineheight = 0.875
) +
  scale_fill_distiller(
    palette = "Spectral", na.value = "white", label = scales::comma, breaks = 1:3
  ) +
  labs(x = NULL, y = NULL, fill = NULL) +
  theme_ipsum_rc(grid = "") +
  theme(axis.text.y = element_blank())
```
<img src="man/figures/README-events-1.png" width="1056" />
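The heatmap above shows event counts per technique; the same event file also supports the "incident metrics" the description promises. The following is an added example, not code from the attckr README or from the package itself. It assumes the column layout that `read_events()` reported above (`event_ts`, `detection_ts`, `incident_id`, `technique`) and that `technique` holds ATT\&CK technique ids such as `T1156`, which is what `read_events()` detected for the sample file. It joins those ids to `tidy_attack` to compute a per-technique dwell time (days between the event and its detection) and surfaces ids that fail to match, since those rows would otherwise drop out of any tactic or technique roll-up.

```r
library(attckr)
library(dplyr)

# Constructed example, not part of attckr. Same sample file as the README.
events <- read_events(system.file("extdat/sample-incidents.csv.gz", package = "attckr"))

# tidy_attack has one row per (technique, tactic) pair, so a technique that
# sits in several tactics appears several times. Collapse to exactly one row
# per id before joining, otherwise the join would multiply event rows.
technique_names <- tidy_attack %>%
  distinct(id, .keep_all = TRUE) %>%
  select(id, technique_name = technique)

# Dwell time per technique: how long events of each technique went undetected.
# event_ts and detection_ts are Date columns, so the difference is a difftime.
technique_metrics <- events %>%
  mutate(days_to_detect = as.numeric(detection_ts - event_ts, units = "days")) %>%
  group_by(technique) %>%
  summarise(
    events = n(),
    incidents = n_distinct(incident_id),
    median_days_to_detect = median(days_to_detect, na.rm = TRUE),
    max_days_to_detect = max(days_to_detect, na.rm = TRUE),
    .groups = "drop"
  ) %>%
  left_join(technique_names, by = c("technique" = "id")) %>%
  arrange(desc(median_days_to_detect))

technique_metrics

# Ids with no match in tidy_attack are a data-quality signal (a typo, a retired
# id, or a CAPEC reference recorded where a T-id was expected). The package's
# validate_technique_ids() is the authoritative check; this view just shows
# which rows would be silently lost from a technique-level roll-up.
filter(technique_metrics, is.na(technique_name))
```

Sorting by median dwell time rather than by event count is deliberate: the techniques that matter most for a detection program are the ones that go unnoticed longest, not the ones that fire most often, and the two lists are usually different.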

## attckr Metrics

| Lang | \# Files | (%) | LoC | (%) | Blank lines | (%) | \# Lines | (%) |
| :--- | -------: | ---: | --: | ---: | ----------: | ---: | -------: | ---: |
| R | 13 | 0.93 | 304 | 0.93 | 72 | 0.78 | 180 | 0.84 |
| Rmd | 1 | 0.07 | 24 | 0.07 | 20 | 0.22 | 34 | 0.16 |

## Code of Conduct
Please note that this project is released with a Contributor Code of
Conduct. By participating in this project you agree to abide by its
terms.