Generate JSON force-directed/ node graph data from MITRE’s ATTACK framework and visualize it interactively
ATTACK-Force-Graph
- Generate and visualize MITRE’s ATTACK data in a 3D force-directed graph with a UI made specifically for the ATTACK data
DEMO:
View Demo (GitHub Pages)
https://osv22.github.io/ATTACK-Force-Graph/main-site/index.html
Preview:
TODO:
- Add affiliation template
- Add speciality template
- Add attacks/ targets template
- Optimize time complexity for certain sections
What?
- Generate JSON force-graph data nodes and links from the MITRE ATTACK Framework based on your preferences. (
graph_generator.py
) - Use that data to visualize your results with a UI tailored around the ATTACK data. (
frontend
directory) - The JSON data generated is formatted for use with @vasturiano’s awesome various force-directed graph projects. (Tested and works on both 2D and 3D versions)
- At the moment you can do the following combinations:
- Group -> Group Tools -> Group Tool Techniques:
- Each group (APT) node will be linked to the corresponding tools/ software the group uses along.
- Total node connections: (group * n group tools * n tool techniques)
- Group -> Group Tools/ Software:
- Links just the tools without fetching tool techniques data
- Total node connections: (group * n group tools)
- Groups Only
- A node for each group will be generated but no links. (What would you link a group to?!)
- Total node connections: 0
- Other
- You can generate standalone nodes of groups or group tools/ software.
- Group -> Group Tools -> Group Tool Techniques:
Why?
- Draw conclusions and spot patterns fast thanks to the power of data visualization.
- Present compelling data stakeholders can easily understand and interact with.
- Force-directed graphs are seriously… 😎 cool
How?
- The graph generator script uses @Cyb3rWard0g’s ATTACK-Python-Client to build the ATTACK graph data. Having used MITRE’s STIX… just use Roberto’s package.
- Lift requests are network requests and can be time-consuming. Efficiency improvements planned after the main portion is done.
- The 3D graph in the UI is the 3D version of vasturiano’s awesome JS force-directed graphs.
Example Demos
- Full ATTACK data demo with UI
- Graphs Only:
Examples
Data Preview
- NOTE: Specific values are not part of the MITRE ATTACK Framework:
- Group:
affiliation
– This is subjective and can be problematic, so it is up to your assessment to evaluate which group is affiliated with whom. - Group:
targets
– Work-in-progress for defaults but hard to maintain over time given that it is not part of the ATTACK framework. - Group:
speciality
– Work-in-progress and is much easier to maintain.
- Group:
val
– This is can be used to determine how big you want a node element to be.- For groups: The
val
is based on the number of tools the group uses - For tools: The
val
is based on the number of techniques the tool makes possible - For techniques: Set to
None
by default, leaving it up to you
- For groups: The
Group Node
"id": "MITRE GROUP ID HERE. EX: G0005",
"type": "group",
"val": 2,
"attributes": {
"name": "Cool Group/ APT Name Here",
"aliases": [
"Group alias",
"Operation Golden Kitty",
],
"description": "Cleaned description. Do not use `get_desc()` if you want raw desc...",
"affiliation": "You have to assign this value yourself, read the NOTE above :)",
"targets": ["Also you have to", "set this. Read NOTE above"],
"speciality": ["set this based on your assessment", "Read NOTE above"],
"tools": {
"tool_id_here": "tool_name_here",
"S0225": "sqlmap",
},
"techniques": {
"technique_id_here": "technique_name_here",
"T1566.003": "Spearphishing via Service",
}
}
Tool Node
"id": "MITRE Software ID HERE. EX: S0084",
"type": "tool",
"val": 1
"attributes": {
"name": "tool_name_here",
"aliases": [],
"labels": [
"tool"
],
"description": "Cleaned description. Do not use `get_desc()` if you want raw desc...",
"platforms": [
"Linux",
...
],
"techniques": {
"T1190": "Exploit Public-Facing Application"
}
}
Technique Node
val
is set toNone
by default, you can set it to length of platforms or whatever your preference is.
"id": "MITRE Technique ID HERE. EX: T1190",
"type": "technique",
"val": null,
"attributes": {
"name": "Exploit Public-Facing Application",
"chain_phase": "initial-access",
"description": "Cleaned description. Do not use `get_desc()` if you want raw desc.",
"detection": "Cleaned detection. Do not use `get_desc()` if you want raw detection paragraph...",
"is_subtype": false,
"platforms": [
"Windows",
...
]
}
Leave a Reply