{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# Exploring ICS ATT&CK" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Query ATT&CK" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Import TAXII Libraries\n", "ATT&CK users can use the initial Server class to instantiate a server object pointing to the framework’s public TAXII server URL https://cti-taxii.mitre.org/taxii/" ] }, { "cell_type": "code", "execution_count": 1, "metadata": {}, "outputs": [], "source": [ "from taxii2client.v20 import Server" ] }, { "cell_type": "code", "execution_count": 2, "metadata": {}, "outputs": [], "source": [ "server = Server(\"https://cti-taxii.mitre.org/taxii/\")" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Available API Roots can be referenced from the server object. API Roots are logical groupings of TAXII Channels and Collections and can be thought of as instances of the TAXII API available at different URLs, where each API Root is the “root” URL of that particular instance of the TAXII API:" ] }, { "cell_type": "code", "execution_count": 3, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[]" ] }, "execution_count": 3, "metadata": {}, "output_type": "execute_result" } ], "source": [ "server.api_roots" ] }, { "cell_type": "code", "execution_count": 4, "metadata": {}, "outputs": [], "source": [ "api_root = server.api_roots[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Explore ATT&CK TAXII Collections\n", "The **collections** attribute can then be used and get more information about them via their respective available properties:" ] }, { "cell_type": "code", "execution_count": 5, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[,\n", " ,\n", " ,\n", " ]" ] }, "execution_count": 5, "metadata": {}, "output_type": "execute_result" } ], "source": [ "api_root.collections" ] }, { "cell_type": "code", "execution_count": 6, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Enterprise ATT&CK -> This data collection holds STIX objects from Enterprise ATT&CK\n", "PRE-ATT&CK -> This data collection holds STIX objects from PRE-ATT&CK\n", "Mobile ATT&CK -> This data collection holds STIX objects from Mobile ATT&CK\n", "ICS ATT&CK -> This data collection holds STIX objects from ICS ATT&CK\n" ] } ], "source": [ "for collection in api_root.collections:\n", " print(collection.title, \"->\", collection.description)" ] }, { "cell_type": "code", "execution_count": 7, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "'ICS ATT&CK'" ] }, "execution_count": 7, "metadata": {}, "output_type": "execute_result" } ], "source": [ "api_root.collections[3].title" ] }, { "cell_type": "code", "execution_count": 8, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "'02c3ef24-9cd4-48f3-a99f-b74ce24f1d34'" ] }, "execution_count": 8, "metadata": {}, "output_type": "execute_result" } ], "source": [ "api_root.collections[3].id" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Set ICS ATT&CK TAXII Collection ID Variable" ] }, { "cell_type": "code", "execution_count": 9, "metadata": {}, "outputs": [], "source": [ "ICS_ATTACK = \"02c3ef24-9cd4-48f3-a99f-b74ce24f1d34\"" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Initialize TAXII Collection Sources\n", "According to [STIX2 docs](https://stix2.readthedocs.io/en/latest/index.html), the [TAXIICollectionSource API](https://stix2.readthedocs.io/en/latest/api/datastore/stix2.datastore.taxii.html#stix2.datastore.taxii.TAXIICollectionSource) provides an interface for searching/retrieving STIX objects from a local/remote TAXII Collection endpoint. In our case, we are pointing to our ATT&CK TAXII Collection instances (https://cti-taxii.mitre.org/stix/collections/)" ] }, { "cell_type": "code", "execution_count": 10, "metadata": {}, "outputs": [], "source": [ "from stix2 import TAXIICollectionSource, Filter\n", "from taxii2client.v20 import Collection" ] }, { "cell_type": "code", "execution_count": 11, "metadata": {}, "outputs": [], "source": [ "ATTACK_STIX_COLLECTIONS = \"https://cti-taxii.mitre.org/stix/collections/\"\n", "ICS_COLLECTION = Collection(ATTACK_STIX_COLLECTIONS + ICS_ATTACK + \"/\")\n", "TC_ICS_SOURCE = TAXIICollectionSource(ICS_COLLECTION)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Retrieve all ICS Techniques\n", "Now that we can query the ICS ATT&CK TAXIICollection. We can use the query method and a set of filter to retrieve STIX objects of type \"attack-pattern\" -> \"Techniques\"" ] }, { "cell_type": "code", "execution_count": 12, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "{\n", " \"type\": \"attack-pattern\",\n", " \"id\": \"attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc\",\n", " \"created_by_ref\": \"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5\",\n", " \"created\": \"2020-05-21T17:43:26.506Z\",\n", " \"modified\": \"2020-05-21T17:43:26.506Z\",\n", " \"name\": \"Alarm Suppression\",\n", " \"description\": \"Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole. \\n\\nIn the Maroochy Attack, the adversary suppressed alarm reporting to the central computer. (Citation: Maroochy - MITRE - 200808)\\n\\nA Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. (Citation: References - Secura - 2019) The method of suppression may greatly depend on the type of alarm in question:\\n\\n* An alarm raised by a protocol message\\n* An alarm signaled with I/O\\n* An alarm bit set in a flag (and read)\\n\\nIn ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: References - Secura - 2019) Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.\",\n", " \"kill_chain_phases\": [\n", " {\n", " \"kill_chain_name\": \"mitre-ics-attack\",\n", " \"phase_name\": \"inhibit-response-function\"\n", " }\n", " ],\n", " \"external_references\": [\n", " {\n", " \"source_name\": \"mitre-ics-attack\",\n", " \"url\": \"https://collaborate.mitre.org/attackics/index.php/Technique/T878\",\n", " \"external_id\": \"T0878\"\n", " },\n", " {\n", " \"source_name\": \"Maroochy - MITRE - 200808\",\n", " \"description\": \"Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study\\u2013 Maroochy Water Services, Australia. Retrieved March 27, 2018.\",\n", " \"url\": \"https://www.mitre.org/sites/default/files/pdf/08%201145.pdf\"\n", " },\n", " {\n", " \"source_name\": \"References - Secura - 2019\",\n", " \"description\": \"Jos Wetzels, Marina Krotofil. (2019). A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices. Retrieved November 1, 2019.\",\n", " \"url\": \"https://troopers.de/downloads/troopers19/TROOPERS19%20NGI%20IoT%20diet%20poisoned%20fruit.pdf\"\n", " }\n", " ],\n", " \"object_marking_refs\": [\n", " \"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168\"\n", " ],\n", " \"x_mitre_contributors\": [\n", " \"Marina Krotofil\",\n", " \"Jos Wetzels - Midnight Blue\"\n", " ],\n", " \"x_mitre_data_sources\": [\n", " \"Alarm history\",\n", " \"Alarm thresholds\",\n", " \"Network protocol analysis\",\n", " \"Packet capture\"\n", " ],\n", " \"x_mitre_platforms\": [\n", " \"Field Controller/RTU/PLC/IED\",\n", " \"Safety Instrumented System/Protection Relay\"\n", " ]\n", "}\n" ] } ], "source": [ "ICS_TECHNIQUES = TC_ICS_SOURCE.query(Filter(\"type\", \"=\", \"attack-pattern\"))\n", "print(ICS_TECHNIQUES[0])" ] }, { "cell_type": "code", "execution_count": 13, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "T0878 -- Alarm Suppression\n", "T0806 -- Brute Force I/O\n", "T0808 -- Control Device Identification\n", "T0812 -- Default Credentials\n", "T0870 -- Detect Program State\n", "T0819 -- Exploit Public-Facing Application\n", "T0874 -- Hooking\n", "T0825 -- Location Identification\n", "T0829 -- Loss of View\n", "T0849 -- Masquerading\n", "T0801 -- Monitor Process State\n", "T0843 -- Program Download\n", "T0846 -- Remote System Discovery\n", "T0852 -- Screen Capture\n", "T0856 -- Spoof Reporting Message\n", "T0855 -- Unauthorized Command Message\n", "T0803 -- Block Command Message\n", "T0807 -- Command-Line Interface\n", "T0809 -- Data Destruction\n", "T0814 -- Denial of Service\n", "T0817 -- Drive-by Compromise\n", "T0866 -- Exploitation of Remote Services\n", "T0824 -- I/O Module Discovery\n", "T0827 -- Loss of Control\n", "T0835 -- Manipulate I/O Image\n", "T0833 -- Modify Control Logic\n", "T0841 -- Network Service Scanning\n", "T0845 -- Program Upload\n", "T0848 -- Rogue Master Device\n", "T0854 -- Serial Connection Enumeration\n", "T0862 -- Supply Chain Compromise\n", "T0858 -- Utilize/Change Operating Mode\n", "T0804 -- Block Reporting Message\n", "T0885 -- Commonly Used Port\n", "T0810 -- Data Historian Compromise\n", "T0815 -- Denial of View\n", "T0818 -- Engineering Workstation Compromise\n", "T0822 -- External Remote Services\n", "T0872 -- Indicator Removal on Host\n", "T0828 -- Loss of Productivity and Revenue\n", "T0831 -- Manipulation of Control\n", "T0836 -- Modify Parameter\n", "T0842 -- Network Sniffing\n", "T0873 -- Project File Infection\n", "T0850 -- Role Identification\n", "T0881 -- Service Stop\n", "T0857 -- System Firmware\n", "T0859 -- Valid Accounts\n", "T0802 -- Automated Collection\n", "T0875 -- Change Program State\n", "T0879 -- Damage to Property\n", "T0813 -- Denial of Control\n", "T0816 -- Device Restart/Shutdown\n", "T0820 -- Exploitation for Evasion\n", "T0877 -- I/O Image\n", "T0826 -- Loss of Availability\n", "T0830 -- Man in the Middle\n", "T0838 -- Modify Alarm Settings\n", "T0840 -- Network Connection Enumeration\n", "T0844 -- Program Organization Units\n", "T0847 -- Replication Through Removable Media\n", "T0853 -- Scripting\n", "T0869 -- Standard Application Layer Protocol\n", "T0863 -- User Execution\n", "T0800 -- Activate Firmware Update Mode\n", "T0805 -- Block Serial COM\n", "T0884 -- Connection Proxy\n", "T0811 -- Data from Information Repositories\n", "T0868 -- Detect Operating Mode\n", "T0871 -- Execution through API\n", "T0823 -- Graphical User Interface\n", "T0883 -- Internet Accessible Device\n", "T0880 -- Loss of Safety\n", "T0832 -- Manipulation of View\n", "T0839 -- Module Firmware\n", "T0861 -- Point & Tag Identification\n", "T0867 -- Remote File Copy\n", "T0851 -- Rootkit\n", "T0865 -- Spearphishing Attachment\n", "T0882 -- Theft of Operational Information\n", "T0860 -- Wireless Compromise\n" ] } ], "source": [ "for TECHNIQUE in ICS_TECHNIQUES:\n", " print(TECHNIQUE['external_references'][0]['external_id'], \"--\", TECHNIQUE['name'])" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## ICS ATT&CK Available in attackcti 0.3.4.3\n", "Reference: https://pypi.org/project/attackcti/" ] }, { "cell_type": "code", "execution_count": 14, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Techniques Count: 81\n" ] } ], "source": [ "from attackcti import attack_client\n", "lift = attack_client()\n", "\n", "ICS_TECHNIQUES = lift.get_ics_techniques()\n", "print(\"Techniques Count:\",len(ICS_TECHNIQUES))" ] }, { "cell_type": "code", "execution_count": 15, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "{\n", " \"type\": \"attack-pattern\",\n", " \"id\": \"attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc\",\n", " \"created_by_ref\": \"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5\",\n", " \"created\": \"2020-05-21T17:43:26.506Z\",\n", " \"modified\": \"2020-05-21T17:43:26.506Z\",\n", " \"name\": \"Alarm Suppression\",\n", " \"description\": \"Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole. \\n\\nIn the Maroochy Attack, the adversary suppressed alarm reporting to the central computer. (Citation: Maroochy - MITRE - 200808)\\n\\nA Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. (Citation: References - Secura - 2019) The method of suppression may greatly depend on the type of alarm in question:\\n\\n* An alarm raised by a protocol message\\n* An alarm signaled with I/O\\n* An alarm bit set in a flag (and read)\\n\\nIn ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: References - Secura - 2019) Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.\",\n", " \"kill_chain_phases\": [\n", " {\n", " \"kill_chain_name\": \"mitre-ics-attack\",\n", " \"phase_name\": \"inhibit-response-function\"\n", " }\n", " ],\n", " \"external_references\": [\n", " {\n", " \"source_name\": \"mitre-ics-attack\",\n", " \"url\": \"https://collaborate.mitre.org/attackics/index.php/Technique/T878\",\n", " \"external_id\": \"T0878\"\n", " },\n", " {\n", " \"source_name\": \"Maroochy - MITRE - 200808\",\n", " \"description\": \"Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study\\u2013 Maroochy Water Services, Australia. Retrieved March 27, 2018.\",\n", " \"url\": \"https://www.mitre.org/sites/default/files/pdf/08%201145.pdf\"\n", " },\n", " {\n", " \"source_name\": \"References - Secura - 2019\",\n", " \"description\": \"Jos Wetzels, Marina Krotofil. (2019). A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices. Retrieved November 1, 2019.\",\n", " \"url\": \"https://troopers.de/downloads/troopers19/TROOPERS19%20NGI%20IoT%20diet%20poisoned%20fruit.pdf\"\n", " }\n", " ],\n", " \"object_marking_refs\": [\n", " \"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168\"\n", " ],\n", " \"x_mitre_contributors\": [\n", " \"Marina Krotofil\",\n", " \"Jos Wetzels - Midnight Blue\"\n", " ],\n", " \"x_mitre_data_sources\": [\n", " \"Alarm history\",\n", " \"Alarm thresholds\",\n", " \"Network protocol analysis\",\n", " \"Packet capture\"\n", " ],\n", " \"x_mitre_platforms\": [\n", " \"Field Controller/RTU/PLC/IED\",\n", " \"Safety Instrumented System/Protection Relay\"\n", " ]\n", "}\n" ] } ], "source": [ "print(ICS_TECHNIQUES[0])" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get All Data Sources Mapped to ICS ATT&CK Techniques" ] }, { "cell_type": "code", "execution_count": 16, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['Alarm history',\n", " 'Alarm thresholds',\n", " 'Network protocol analysis',\n", " 'Packet capture',\n", " 'Sequential event recorder',\n", " 'Data historian',\n", " 'Netflow/Enclave netflow',\n", " 'Authentication logs',\n", " 'Windows event logs',\n", " 'Web logs',\n", " 'Web application firewall logs',\n", " 'Application logs',\n", " 'File monitoring',\n", " 'Windows registry',\n", " 'API monitoring',\n", " 'File Monitoring',\n", " 'Process monitoring',\n", " 'Binary file metadata',\n", " 'Controller program',\n", " 'Network device logs',\n", " 'Host network interfaces',\n", " 'Process use of network',\n", " 'Process command-line parameters',\n", " 'Alarm History',\n", " 'Sequential Event Recorder',\n", " 'process use of network',\n", " 'Web proxy',\n", " 'SSl/TLS inspection',\n", " 'Network intrusion detection system',\n", " 'Windows error reporting',\n", " 'Asset management',\n", " 'Detonation chamber',\n", " 'Digital signatures',\n", " 'Windows Registry',\n", " 'Data loss prevention',\n", " 'Malware reverse engineering',\n", " 'Controller parameters',\n", " 'Anti-virus',\n", " 'Third-party application logs',\n", " 'Email gateway',\n", " 'Mail server']" ] }, "execution_count": 16, "metadata": {}, "output_type": "execute_result" } ], "source": [ "ICS_DATA_SOURCES = []\n", "for TECHNIQUE in ICS_TECHNIQUES:\n", " if 'x_mitre_data_sources' in TECHNIQUE.keys():\n", " for DS in TECHNIQUE['x_mitre_data_sources']:\n", " if DS not in ICS_DATA_SOURCES:\n", " ICS_DATA_SOURCES.append(DS)\n", "ICS_DATA_SOURCES" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get All Groups from ICS ATT&CK" ] }, { "cell_type": "code", "execution_count": 17, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "TEMP.Veles\n", "Dragonfly 2.0\n", "HEXANE\n", "Leafminer\n", "APT33\n", "OilRig\n", "Dragonfly\n", "Sandworm Team\n", "Lazarus Group\n", "ALLANITE\n" ] } ], "source": [ "ICS_GROUPS = lift.get_ics_groups()\n", "for GROUP in ICS_GROUPS:\n", " print(GROUP['name'])" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get All Malware from ICS ATT&CK" ] }, { "cell_type": "code", "execution_count": 18, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Ryuk\n", "LockerGoga\n", "Stuxnet\n", "VPNFilter\n", "NotPetya\n", "Triton\n", "PLC-Blaster\n", "WannaCry\n", "Flame\n", "Industroyer\n", "Killdisk\n", "Backdoor.Oldrea\n", "BlackEnergy 3\n", "ACAD/Medre.A\n", "Conficker\n", "Bad Rabbit\n", "Duqu\n" ] } ], "source": [ "ICS_MALWARE = lift.get_ics_malware()\n", "for MALWARE in ICS_MALWARE:\n", " print(MALWARE['name'])" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [] } ], "metadata": { "kernelspec": { "display_name": "Python 3", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.8.5" } }, "nbformat": 4, "nbformat_minor": 4 }