attckr/README.md


[![Project Status: WIP – Initial development is in progress, but there
has not yet been a stable, usable release suitable for the
public.](https://www.repostatus.org/badges/latest/wip.svg)](https://www.repostatus.org/#wip)
[![Signed
by](https://img.shields.io/badge/Keybase-Verified-brightgreen.svg)](https://keybase.io/hrbrmstr)
![Signed commit
%](https://img.shields.io/badge/Signed_Commits-100%25-lightgrey.svg)
[![Linux build
Status](https://travis-ci.org/hrbrmstr/attckr.svg?branch=master)](https://travis-ci.org/hrbrmstr/attckr)
[![Coverage
Status](https://codecov.io/gh/hrbrmstr/attckr/branch/master/graph/badge.svg)](https://codecov.io/gh/hrbrmstr/attckr)
![Minimal R
Version](https://img.shields.io/badge/R%3E%3D-3.2.0-blue.svg)
![License](https://img.shields.io/badge/License-Apache-blue.svg)

# attckr

Analyze Adversary Tactics and Techniques Using the MITRE ATT\&CK CTI
Corpus

## Description

MITRE ATT\&CK is a globally-accessible knowledge base of adversary
tactics and techniques based on real-world observations. The ATT\&CK
knowledge base is used as a foundation for the development of specific
threat models and methodologies in the private sector, in government,
and in the cybersecurity product and service community. Tools are
provided to analyze adversary tactics and techniques, build incident
metrics, and identify high level program gaps using the MITRE ATT\&CK
CTI Corpus.

## What’s Inside The Tin

The following functions are implemented:

  - `attck_cdf_tactic`: Product an ATT\&CK Cumulative Distribution
    Function by Tactic
  - `attck_map`: Generate an ATT\&CK heatmap
  - `enterprise_attack`: Enterprise Attack Taxonomy v2.0
  - `fct_tactic`: Make an ordered Tactics factor with optional better
    labelling
  - `mobile_attack`: Mobile Attack Taxonomy v2.0
  - `pre_attack`: Pre-Attack Taxonomy v2.0
  - `read_events`: Read in ATT\&CK events from a file
  - `tactics_f`: Tactics factors (generally for sorting &
    pretty-printing)
  - `theme_enhance_atkmap`: Remove cruft from ATT\&CK heatmaps
  - `tidy_attack`: Combined ATT\&CK Matricies Tactics, Techniques and
    Technique detail
  - `validate_tactics`: Validate Tactics strings against MITRE
    authoritative source
  - `validate_technique_ids`: Validate Technique IDs
  - `validate_techniques`: Validate Techniques strings against MITRE
    authoritative source

The following datasets are included:

  - `enterprise_attack`: Enterprise Attack Taxonomy v2.0
  - `mobile_attack`: Mobile Attack Taxonomy v2.0
  - `pre_attack`: Pre-Attack Taxonomy v2.0
  - `tactics_f`: Tactics factors (generally for sorting &
    pretty-printing)
  - `tidy_attack`: Combined ATT\&CK Matricies Tactics, Techniques and
    Technique detail

## Installation

``` r
install.packages("attckr", repos = "https://cinc.rud.is")
# or
remotes::install_git("https://git.rud.is/hrbrmstr/attckr.git")
# or
remotes::install_git("https://git.sr.ht/~hrbrmstr/attckr")
# or
remotes::install_gitlab("hrbrmstr/attckr")
# or
remotes::install_bitbucket("hrbrmstr/attckr")
# or
remotes::install_github("hrbrmstr/attckr")
```

NOTE: To use the ‘remotes’ install options you will need to have the
[{remotes} package](https://github.com/r-lib/remotes) installed.

## Usage

``` r
library(attckr)
library(hrbrthemes)
library(tidyverse)

# current version
packageVersion("attckr")
## [1] '0.2.0'
```

``` r
tidy_attack
## # A tibble: 795 x 5
##    technique          description                                                        id      matrix    tactic       
##    <chr>              <chr>                                                              <chr>   <chr>     <chr>        
##  1 .bash_profile and… "<code>~/.bash_profile</code> and <code>~/.bashrc</code> are shel… T1156   mitre-at… persistence  
##  2 Access Token Mani… "Windows uses access tokens to determine the ownership of a runni… T1134   mitre-at… defense-evas…
##  3 Access Token Mani… "Windows uses access tokens to determine the ownership of a runni… T1134   mitre-at… privilege-es…
##  4 Access Token Mani… "Windows uses access tokens to determine the ownership of a runni… CAPEC-… mitre-at… defense-evas…
##  5 Access Token Mani… "Windows uses access tokens to determine the ownership of a runni… CAPEC-… mitre-at… privilege-es…
##  6 Accessibility Fea… "Windows contains accessibility features that may be launched wit… T1015   mitre-at… persistence  
##  7 Accessibility Fea… "Windows contains accessibility features that may be launched wit… T1015   mitre-at… privilege-es…
##  8 Accessibility Fea… "Windows contains accessibility features that may be launched wit… CAPEC-… mitre-at… persistence  
##  9 Accessibility Fea… "Windows contains accessibility features that may be launched wit… CAPEC-… mitre-at… privilege-es…
## 10 Account Access Re… "Adversaries may interrupt availability of system and network res… T1531   mitre-at… impact       
## # … with 785 more rows
```

``` r
events <- read_events(system.file("extdat/sample-incidents.csv.gz", package = "attckr"))
## Parsed with column specification:
## cols(
##   event_id = col_character(),
##   incident_id = col_character(),
##   event_ts = col_date(format = ""),
##   detection_ts = col_date(format = ""),
##   tactic = col_character(),
##   technique = col_character(),
##   discovery_source = col_character(),
##   reporting_source = col_character(),
##   responder_id = col_character()
## )
## You appear to be using Tactic ids.
## You appear to be using Techinque ids.

attck_map(
  events, "pretty", "nl", "enterprise",
  dark_value_threshold = 1,
  size = 3, family = font_rc, lineheight = 0.875
) +
  scale_fill_distiller(
    palette = "Spectral", na.value = "white", label = scales::comma, breaks = 1:3
  ) +
  labs(x = NULL, y = NULL, fill = NULL) +
  theme_ipsum_rc(grid="") +
  theme(axis.text.y = element_blank())
```

<img src="man/figures/README-events-1.png" width="1056" />

## attckr Metrics

| Lang | \# Files |  (%) | LoC |  (%) | Blank lines |  (%) | \# Lines |  (%) |
| :--- | -------: | ---: | --: | ---: | ----------: | ---: | -------: | ---: |
| R    |       13 | 0.93 | 304 | 0.93 |          72 | 0.78 |      180 | 0.84 |
| Rmd  |        1 | 0.07 |  24 | 0.07 |          20 | 0.22 |       34 | 0.16 |

## Code of Conduct

Please note that this project is released with a Contributor Code of
Conduct. By participating in this project you agree to abide by its
terms.
update 5 years ago
wip 5 years ago			`[![Project Status: WIP – Initial development is in progress, but there`
			`has not yet been a stable, usable release suitable for the`
			`public.](https://www.repostatus.org/badges/latest/wip.svg)](https://www.repostatus.org/#wip)`
update 5 years ago			`[![Signed`
			`by](https://img.shields.io/badge/Keybase-Verified-brightgreen.svg)](https://keybase.io/hrbrmstr)`
			`![Signed commit`
README 5 years ago			`%](https://img.shields.io/badge/Signed_Commits-100%25-lightgrey.svg)`
update 5 years ago			`[![Linux build`
0.2.0 5 years ago			`Status](https://travis-ci.org/hrbrmstr/attckr.svg?branch=master)](https://travis-ci.org/hrbrmstr/attckr)`
			`[![Coverage`
			`Status](https://codecov.io/gh/hrbrmstr/attckr/branch/master/graph/badge.svg)](https://codecov.io/gh/hrbrmstr/attckr)`
update 5 years ago			`![Minimal R`
			`Version](https://img.shields.io/badge/R%3E%3D-3.2.0-blue.svg)`
			`![License](https://img.shields.io/badge/License-Apache-blue.svg)`

Initial commit 5 years ago			`# attckr`

update 5 years ago			`Analyze Adversary Tactics and Techniques Using the MITRE ATT\&CK CTI`
			`Corpus`

			`## Description`

			`MITRE ATT\&CK is a globally-accessible knowledge base of adversary`
			`tactics and techniques based on real-world observations. The ATT\&CK`
			`knowledge base is used as a foundation for the development of specific`
			`threat models and methodologies in the private sector, in government,`
			`and in the cybersecurity product and service community. Tools are`
			`provided to analyze adversary tactics and techniques, build incident`
			`metrics, and identify high level program gaps using the MITRE ATT\&CK`
			`CTI Corpus.`

			`## What’s Inside The Tin`

			`The following functions are implemented:`

0.2.0 5 years ago			- `attck_cdf_tactic`: Product an ATT\&CK Cumulative Distribution
			`Function by Tactic`
attck_map() 5 years ago			- `attck_map`: Generate an ATT\&CK heatmap
update to 2.0 5 years ago			- `enterprise_attack`: Enterprise Attack Taxonomy v2.0
update 5 years ago			- `fct_tactic`: Make an ordered Tactics factor with optional better
			`labelling`
update to 2.0 5 years ago			- `mobile_attack`: Mobile Attack Taxonomy v2.0
			- `pre_attack`: Pre-Attack Taxonomy v2.0
update 5 years ago			- `read_events`: Read in ATT\&CK events from a file
wip 5 years ago			- `tactics_f`: Tactics factors (generally for sorting &
			`pretty-printing)`
0.2.0 5 years ago			- `theme_enhance_atkmap`: Remove cruft from ATT\&CK heatmaps
update 5 years ago			- `tidy_attack`: Combined ATT\&CK Matricies Tactics, Techniques and
			`Technique detail`
			- `validate_tactics`: Validate Tactics strings against MITRE
			`authoritative source`
			- `validate_technique_ids`: Validate Technique IDs
			- `validate_techniques`: Validate Techniques strings against MITRE
			`authoritative source`

update to 2.0 5 years ago			`The following datasets are included:`

			- `enterprise_attack`: Enterprise Attack Taxonomy v2.0
			- `mobile_attack`: Mobile Attack Taxonomy v2.0
			- `pre_attack`: Pre-Attack Taxonomy v2.0
			- `tactics_f`: Tactics factors (generally for sorting &
			`pretty-printing)`
			- `tidy_attack`: Combined ATT\&CK Matricies Tactics, Techniques and
			`Technique detail`

update 5 years ago			`## Installation`

			``` r
README 5 years ago			`install.packages("attckr", repos = "https://cinc.rud.is")`
			`# or`
update 5 years ago			`remotes::install_git("https://git.rud.is/hrbrmstr/attckr.git")`
			`# or`
			`remotes::install_git("https://git.sr.ht/~hrbrmstr/attckr")`
			`# or`
			`remotes::install_gitlab("hrbrmstr/attckr")`
			`# or`
			`remotes::install_bitbucket("hrbrmstr/attckr")`
README 5 years ago			`# or`
			`remotes::install_github("hrbrmstr/attckr")`
update 5 years ago			```

			`NOTE: To use the ‘remotes’ install options you will need to have the`
			`[{remotes} package](https://github.com/r-lib/remotes) installed.`

			`## Usage`

			``` r
			`library(attckr)`
attck_map() 5 years ago			`library(hrbrthemes)`
wip 5 years ago			`library(tidyverse)`
update 5 years ago
			`# current version`
			`packageVersion("attckr")`
0.2.0 5 years ago			`## [1] '0.2.0'`
update 5 years ago			```

wip 5 years ago			``` r
			`tidy_attack`
0.2.0 5 years ago			`## # A tibble: 795 x 5`
			`## technique description id matrix tactic`
			`## <chr> <chr> <chr> <chr> <chr>`
			`## 1 .bash_profile and… "<code>~/.bash_profile</code> and <code>~/.bashrc</code> are shel… T1156 mitre-at… persistence`
			`## 2 Access Token Mani… "Windows uses access tokens to determine the ownership of a runni… T1134 mitre-at… defense-evas…`
			`## 3 Access Token Mani… "Windows uses access tokens to determine the ownership of a runni… T1134 mitre-at… privilege-es…`
			`## 4 Access Token Mani… "Windows uses access tokens to determine the ownership of a runni… CAPEC-… mitre-at… defense-evas…`
			`## 5 Access Token Mani… "Windows uses access tokens to determine the ownership of a runni… CAPEC-… mitre-at… privilege-es…`
			`## 6 Accessibility Fea… "Windows contains accessibility features that may be launched wit… T1015 mitre-at… persistence`
			`## 7 Accessibility Fea… "Windows contains accessibility features that may be launched wit… T1015 mitre-at… privilege-es…`
			`## 8 Accessibility Fea… "Windows contains accessibility features that may be launched wit… CAPEC-… mitre-at… persistence`
			`## 9 Accessibility Fea… "Windows contains accessibility features that may be launched wit… CAPEC-… mitre-at… privilege-es…`
			`## 10 Account Access Re… "Adversaries may interrupt availability of system and network res… T1531 mitre-at… impact`
			`## # … with 785 more rows`
wip 5 years ago			```

			``` r
			`events <- read_events(system.file("extdat/sample-incidents.csv.gz", package = "attckr"))`
README 5 years ago			`## Parsed with column specification:`
			`## cols(`
			`## event_id = col_character(),`
			`## incident_id = col_character(),`
			`## event_ts = col_date(format = ""),`
			`## detection_ts = col_date(format = ""),`
			`## tactic = col_character(),`
			`## technique = col_character(),`
			`## discovery_source = col_character(),`
			`## reporting_source = col_character(),`
			`## responder_id = col_character()`
			`## )`
			`## You appear to be using Tactic ids.`
			`## You appear to be using Techinque ids.`
wip 5 years ago
attck_map() 5 years ago			`attck_map(`
			`events, "pretty", "nl", "enterprise",`
			`dark_value_threshold = 1,`
			`size = 3, family = font_rc, lineheight = 0.875`
			`) +`
			`scale_fill_distiller(`
			`palette = "Spectral", na.value = "white", label = scales::comma, breaks = 1:3`
wip 5 years ago			`) +`
attck_map() 5 years ago			`labs(x = NULL, y = NULL, fill = NULL) +`
			`theme_ipsum_rc(grid="") +`
			`theme(axis.text.y = element_blank())`
wip 5 years ago			```

			`<img src="man/figures/README-events-1.png" width="1056" />`

update 5 years ago			`## attckr Metrics`

update to 2.0 5 years ago			`\| Lang \| \# Files \| (%) \| LoC \| (%) \| Blank lines \| (%) \| \# Lines \| (%) \|`
			`\| :--- \| -------: \| ---: \| --: \| ---: \| ----------: \| ---: \| -------: \| ---: \|`
0.2.0 5 years ago			`\| R \| 13 \| 0.93 \| 304 \| 0.93 \| 72 \| 0.78 \| 180 \| 0.84 \|`
			`\| Rmd \| 1 \| 0.07 \| 24 \| 0.07 \| 20 \| 0.22 \| 34 \| 0.16 \|`
update 5 years ago
			`## Code of Conduct`

			`Please note that this project is released with a Contributor Code of`
			`Conduct. By participating in this project you agree to abide by its`
			`terms.`