Skip to content

Latest commit

 

History

History
501 lines (414 loc) · 14.5 KB

File metadata and controls

501 lines (414 loc) · 14.5 KB

⚔️ MITRE ATT&CK Integration

Complete guide to MITRE ATT&CK framework integration for realistic attack technique simulation and mapping.

📋 Table of Contents

Overview

The MITRE ATT&CK integration provides comprehensive coverage of the ATT&CK framework, enabling:

  • Complete Technique Coverage: All 14 tactics and 200+ techniques
  • Realistic Attack Simulation: Accurate technique implementation
  • Attack Chain Generation: Multi-stage attack progressions
  • Detection Mapping: Link techniques to detection rules
  • Campaign Attribution: Associate techniques with threat actors

Quick Start

Basic MITRE Integration

# Generate alerts with MITRE mapping
yarn start generate-alerts --count 50 --mitre

# Generate specific tactic alerts
yarn start generate-alerts --count 30 --mitre --tactics initial-access,execution

# Generate campaign with MITRE techniques
yarn start generate-campaign apt --mitre --count 100

Advanced MITRE Features

# Generate attack chains
yarn start generate-alerts --count 40 --mitre --attack-chains

# Generate with sub-techniques
yarn start generate-alerts --count 25 --mitre --sub-techniques

# Generate detection rules with MITRE mapping
yarn start generate-rules --count 20 --mitre --comprehensive

Framework Coverage

Supported Tactics

The system covers all 14 MITRE ATT&CK tactics:

Tactic ID Name Description Techniques Covered
TA0001 Initial Access Entry vectors into networks 9 techniques
TA0002 Execution Code execution techniques 12 techniques
TA0003 Persistence Maintaining foothold 19 techniques
TA0004 Privilege Escalation Higher-level permissions 13 techniques
TA0005 Defense Evasion Avoiding detection 42 techniques
TA0006 Credential Access Stealing credentials 15 techniques
TA0007 Discovery Environment reconnaissance 29 techniques
TA0008 Lateral Movement Moving through networks 9 techniques
TA0009 Collection Data gathering 17 techniques
TA0010 Command and Control Remote communication 16 techniques
TA0011 Exfiltration Data theft 9 techniques
TA0040 Impact Destructive actions 13 techniques
TA0042 Resource Development Infrastructure setup 7 techniques
TA0043 Reconnaissance Target information gathering 10 techniques

Technique Implementation

Each technique includes:

  • Realistic Implementation: Accurate simulation of technique characteristics
  • Sub-Technique Support: Detailed sub-technique variants
  • Context Awareness: Appropriate technique usage in different scenarios
  • Detection Signatures: Corresponding detection patterns

Technique Implementation

Example Technique Mappings

T1566.001 - Spearphishing Attachment

{
  "threat": [{
    "framework": "MITRE ATT&CK",
    "tactic": {
      "id": "TA0001",
      "name": "Initial Access",
      "reference": "https://attack.mitre.org/tactics/TA0001/"
    },
    "technique": [{
      "id": "T1566.001",
      "name": "Spearphishing Attachment",
      "reference": "https://attack.mitre.org/techniques/T1566/001/",
      "subtechnique": {
        "name": "Malicious Document",
        "description": "Document with embedded macros"
      }
    }]
  }],
  "event": {
    "category": "file",
    "type": "creation",
    "action": "email_attachment_opened"
  },
  "file": {
    "name": "invoice.docx",
    "extension": "docx",
    "size": 2048576
  },
  "email": {
    "subject": "Urgent: Invoice Payment Required",
    "sender": "finance@malicious-domain.com"
  }
}

T1059.001 - PowerShell

{
  "threat": [{
    "framework": "MITRE ATT&CK",
    "tactic": {
      "id": "TA0002",
      "name": "Execution",
      "reference": "https://attack.mitre.org/tactics/TA0002/"
    },
    "technique": [{
      "id": "T1059.001",
      "name": "PowerShell",
      "reference": "https://attack.mitre.org/techniques/T1059/001/"
    }]
  }],
  "process": {
    "name": "powershell.exe",
    "command_line": "powershell.exe -ExecutionPolicy Bypass -EncodedCommand <base64>",
    "parent": {
      "name": "winword.exe"
    }
  },
  "event": {
    "category": "process",
    "type": "start",
    "action": "process_creation"
  }
}

T1055 - Process Injection

{
  "threat": [{
    "framework": "MITRE ATT&CK",
    "tactic": {
      "id": "TA0005",
      "name": "Defense Evasion",
      "reference": "https://attack.mitre.org/tactics/TA0005/"
    },
    "technique": [{
      "id": "T1055",
      "name": "Process Injection",
      "reference": "https://attack.mitre.org/techniques/T1055/"
    }]
  }],
  "process": {
    "name": "svchost.exe",
    "pid": 1234,
    "injection": {
      "target": "explorer.exe",
      "method": "DLL Injection"
    }
  },
  "event": {
    "category": "process",
    "type": "change",
    "action": "memory_modification"
  }
}

Attack Chain Generation

Sequential Attack Progressions

Generate realistic attack chains following MITRE progression patterns:

# Generate complete attack chain
yarn start generate-alerts --count 50 --mitre --attack-chains --progression realistic

Example Attack Chain:

  1. Initial Access (T1566.001) → Spearphishing Attachment
  2. Execution (T1059.001) → PowerShell execution
  3. Persistence (T1053.005) → Scheduled Task creation
  4. Defense Evasion (T1055) → Process Injection
  5. Discovery (T1082) → System Information Discovery
  6. Lateral Movement (T1021.001) → Remote Desktop Protocol
  7. Collection (T1005) → Data from Local System
  8. Exfiltration (T1041) → Exfiltration Over C2 Channel

Campaign-Specific Chains

Different attack campaigns use characteristic technique patterns:

APT Campaign Chain

yarn start generate-campaign apt --mitre --attack-chains
  • Focus: Stealth, persistence, long-term access
  • Techniques: T1566.001 → T1059.001 → T1547.001 → T1070.004 → T1083

Ransomware Campaign Chain

yarn start generate-campaign ransomware --mitre --attack-chains
  • Focus: Speed, impact, data encryption
  • Techniques: T1566.002 → T1059.003 → T1486 → T1490 → T1491

Insider Threat Chain

yarn start generate-campaign insider --mitre --attack-chains
  • Focus: Privilege abuse, data collection
  • Techniques: T1078 → T1087.001 → T1083 → T1005 → T1041

Detection Mapping

Technique-to-Detection Mapping

Link MITRE techniques to specific detection approaches:

{
  "detection_mapping": {
    "technique_id": "T1059.001",
    "detection_methods": [
      {
        "method": "Process Monitoring",
        "query": "process.name:powershell.exe AND process.command_line:*-EncodedCommand*",
        "confidence": "High"
      },
      {
        "method": "Command Line Analysis",
        "query": "process.command_line:*-ExecutionPolicy* AND process.command_line:*Bypass*",
        "confidence": "Medium"
      },
      {
        "method": "Parent Process Context",
        "query": "process.parent.name:(winword.exe OR excel.exe) AND process.name:powershell.exe",
        "confidence": "High"
      }
    ]
  }
}

Detection Rule Integration

Generate detection rules mapped to MITRE techniques:

# Generate MITRE-mapped detection rules
yarn start generate-rules --count 30 --mitre --detection-mapping

# Rules include technique references and detection logic

Campaign Integration

Threat Actor Attribution

Associate techniques with known threat actors:

{
  "threat_actor": {
    "name": "APT29",
    "aliases": ["Cozy Bear", "The Dukes"],
    "preferred_techniques": [
      "T1566.001", "T1059.001", "T1055",
      "T1021.001", "T1041"
    ],
    "signature_techniques": [
      "T1547.001", "T1070.004"
    ]
  }
}

Campaign Simulation

Simulate complete threat actor campaigns:

# APT29-style campaign
yarn start generate-campaign apt --mitre --threat-actor apt29 --count 150

# Lazarus Group simulation
yarn start generate-campaign apt --mitre --threat-actor lazarus --count 200

Analytics and Reporting

MITRE Coverage Analysis

Analyze technique coverage across generated data:

# Generate coverage report
yarn start analyze-mitre-coverage --space production

# Export coverage metrics
yarn start export-mitre-metrics --format json --comprehensive

Technique Frequency Analysis

Track technique usage patterns:

{
  "technique_frequency": {
    "T1059.001": {
      "count": 47,
      "percentage": 15.2,
      "campaigns": ["apt", "ransomware"],
      "detection_rate": 0.68
    },
    "T1566.001": {
      "count": 32,
      "percentage": 10.3,
      "campaigns": ["apt", "phishing"],
      "detection_rate": 0.82
    }
  }
}

Detection Gap Analysis

Identify techniques without detection coverage:

# Analyze detection gaps
yarn start analyze-detection-gaps --mitre --comprehensive

# Generate gap remediation recommendations
yarn start recommend-detection-rules --mitre --gap-analysis

Use Cases

1. SOC Training and Education

Create comprehensive MITRE-based training scenarios:

# Progressive MITRE training
yarn start generate-alerts --count 60 --mitre --training-mode --difficulty progressive

# Specific tactic focus
yarn start generate-alerts --count 40 --mitre --tactics defense-evasion --training

2. Detection Rule Development

Develop and test detection rules against MITRE techniques:

# Rule development dataset
yarn start generate-alerts --count 100 --mitre --rule-development --comprehensive

# Technique-specific testing
yarn start generate-alerts --count 50 --mitre --techniques T1059.001,T1055,T1082

3. Purple Team Exercises

Conduct purple team exercises with MITRE framework alignment:

# Purple team simulation
yarn start generate-campaign apt --mitre --purple-team --realistic --count 200

# Red team technique simulation
yarn start generate-alerts --count 75 --mitre --red-team-tactics --stealth

4. Compliance and Assessment

Generate data for compliance and security assessments:

# Compliance assessment data
yarn start generate-alerts --count 80 --mitre --compliance-assessment --frameworks NIST,ISO27001

# Security control validation
yarn start generate-alerts --count 60 --mitre --control-validation --comprehensive

Best Practices

Technique Selection

  1. Realistic Combinations: Use techniques that naturally flow together
  2. Campaign Alignment: Match techniques to appropriate threat actor profiles
  3. Environment Context: Consider organizational environment and attack surface
  4. Detection Capability: Balance between detectable and stealthy techniques
  5. Current Threats: Focus on techniques currently observed in the wild

Attack Chain Design

  1. Logical Progression: Ensure techniques follow realistic attack progression
  2. Time Distribution: Spread techniques across realistic timeframes
  3. Persistence Integration: Include persistence mechanisms throughout chains
  4. Evasion Techniques: Integrate defense evasion at appropriate stages
  5. Impact Alignment: Ensure techniques align with campaign objectives

Detection Strategy

  1. Layered Detection: Implement multiple detection methods per technique
  2. Behavioral Analysis: Include behavioral indicators alongside technical indicators
  3. Context Awareness: Consider technique context in detection logic
  4. False Positive Management: Account for legitimate technique usage
  5. Continuous Improvement: Regularly update detection based on new intelligence

Troubleshooting

Common Issues

Missing MITRE Mappings

Issue: Generated alerts lack MITRE technique mappings Solutions:

  • Always use --mitre flag when generating alerts
  • Verify MITRE data files are properly loaded
  • Check that technique selection is working correctly
  • Validate JSON structure of MITRE mappings

Unrealistic Technique Combinations

Issue: Generated techniques don't represent realistic attack patterns Solutions:

  • Use --attack-chains for logical technique progressions
  • Specify appropriate campaign types for technique selection
  • Review threat actor technique preferences
  • Implement technique validation logic

Detection Coverage Gaps

Issue: Generated techniques don't align with detection capabilities Solutions:

  • Analyze current detection rule coverage
  • Generate techniques that complement existing detection
  • Focus on techniques with proven detection methods
  • Implement detection gap analysis workflows

Debug and Analysis

# Debug MITRE technique selection
yarn start generate-alerts --count 10 --mitre --debug-techniques

# Analyze technique distribution
yarn start analyze-mitre-distribution --comprehensive

# Validate attack chains
yarn start validate-attack-chains --mitre --logical-analysis

Advanced Features

Custom Technique Profiles

Define organization-specific technique profiles:

{
  "custom_technique_profiles": {
    "organization_apt": {
      "preferred_initial_access": ["T1566.001", "T1190"],
      "common_persistence": ["T1053.005", "T1547.001"],
      "signature_evasion": ["T1055", "T1070.004"],
      "exfiltration_methods": ["T1041", "T1567.002"]
    }
  }
}

Technique Evolution Tracking

Track how techniques evolve over time:

# Historical technique analysis
yarn start analyze-technique-evolution --mitre --timeframe 12months

# Emerging technique detection
yarn start detect-emerging-techniques --mitre --threat-landscape

Integration with Threat Intelligence

Integrate MITRE techniques with threat intelligence:

# TI-enhanced MITRE generation
yarn start generate-alerts --count 50 --mitre --threat-intelligence --current

# Attribution-based technique selection
yarn start generate-campaign apt --mitre --attribution-guided --threat-actor apt29

Ready to implement comprehensive MITRE ATT&CK coverage? Start with yarn start generate-alerts --count 50 --mitre --attack-chains for realistic technique simulation and detection testing!