{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Get Techniques from Data Sources"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Import Library"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 6,
   "metadata": {},
   "outputs": [],
   "source": [
    "from attackcti import attack_client"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Initialize Client"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 2,
   "metadata": {},
   "outputs": [],
   "source": [
    "lift = attack_client()"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Retrieve Techniques "
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 3,
   "metadata": {},
   "outputs": [],
   "source": [
    "techniques = lift.get_techniques_by_datasources(\n",
    "    \"Network intrusion detection system\",\n",
    "    \"Network protocol analysis\",\n",
    "    \"Netflow/Enclave netflow\",\n",
    "    \"Packet capture\",\n",
    "    \"DNS records\"\n",
    ")"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 4,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "54"
      ]
     },
     "execution_count": 4,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "len(techniques)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 5,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "{\n",
      "    \"type\": \"attack-pattern\",\n",
      "    \"id\": \"attack-pattern--c675646d-e204-4aa8-978d-e3d6d65885c4\",\n",
      "    \"created_by_ref\": \"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5\",\n",
      "    \"created\": \"2019-04-18T11:00:55.862Z\",\n",
      "    \"modified\": \"2019-06-20T13:58:02.153Z\",\n",
      "    \"name\": \"Endpoint Denial of Service\",\n",
      "    \"description\": \"Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)\\n\\nAn Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\\n\\nTo perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.\\n\\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\\n\\nBotnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)\\n\\nIn cases where traffic manipulation is used, there may be points in the the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.(Citation: ArsTechnica Great Firewall of China)\\n\\nFor attacks attempting to saturate the providing network, see the Network Denial of Service Technique [Network Denial of Service](https://attack.mitre.org/techniques/T1498).\\n\\n### OS Exhaustion Flood\\nSince operating systems (OSs) are responsible for managing the finite resources on a system, they can be a target for DoS. These attacks do not need to exhaust the actual resources on a system since they can simply exhaust the limits that an OS self-imposes to prevent the entire system from being overwhelmed by excessive demands on its capacity. Different ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan 2018)\\n\\n#### SYN Flood\\nWith SYN floods excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood)\\n\\n#### ACK Flood\\nACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.(Citation: Corero SYN-ACKflood)\\n\\n### Service Exhaustion Flood\\nDifferent network services provided by systems are targeted in different ways to conduct a DoS. Adversaries often target DNS and web servers, but other services have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.\\n\\n#### Simple HTTP Flood\\nA large number of HTTP requests can be issued to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood)\\n\\n#### SSL Renegotiation Attack\\nSSL Renegotiation Attacks take advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012)\\n\\n### Application Exhaustion Flood\\nWeb applications that sit on top of web server stacks can be targeted for DoS. Specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust resources and deny access to the application or the server itself.(Citation: Arbor AnnualDoSreport Jan 2018)\\n\\n### Application or System Exploitation\\nSoftware vulnerabilities exist that when exploited can cause an application or system to crash and deny availability to users.(Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent DoS condition.\",\n",
      "    \"kill_chain_phases\": [\n",
      "        {\n",
      "            \"kill_chain_name\": \"mitre-attack\",\n",
      "            \"phase_name\": \"impact\"\n",
      "        }\n",
      "    ],\n",
      "    \"external_references\": [\n",
      "        {\n",
      "            \"source_name\": \"mitre-attack\",\n",
      "            \"url\": \"https://attack.mitre.org/techniques/T1499\",\n",
      "            \"external_id\": \"T1499\"\n",
      "        },\n",
      "        {\n",
      "            \"source_name\": \"capec\",\n",
      "            \"url\": \"https://capec.mitre.org/data/definitions/227.html\",\n",
      "            \"external_id\": \"CAPEC-227\"\n",
      "        },\n",
      "        {\n",
      "            \"source_name\": \"capec\",\n",
      "            \"url\": \"https://capec.mitre.org/data/definitions/131.html\",\n",
      "            \"external_id\": \"CAPEC-131\"\n",
      "        },\n",
      "        {\n",
      "            \"source_name\": \"capec\",\n",
      "            \"url\": \"https://capec.mitre.org/data/definitions/130.html\",\n",
      "            \"external_id\": \"CAPEC-130\"\n",
      "        },\n",
      "        {\n",
      "            \"source_name\": \"capec\",\n",
      "            \"url\": \"https://capec.mitre.org/data/definitions/125.html\",\n",
      "            \"external_id\": \"CAPEC-125\"\n",
      "        },\n",
      "        {\n",
      "            \"source_name\": \"FireEye OpPoisonedHandover February 2016\",\n",
      "            \"description\": \"Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong\\u2019s Pro-Democracy Movement. Retrieved April 18, 2019.\",\n",
      "            \"url\": \"https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html\"\n",
      "        },\n",
      "        {\n",
      "            \"source_name\": \"FSISAC FraudNetDoS September 2012\",\n",
      "            \"description\": \"FS-ISAC. (2012, September 17). Fraud Alert \\u2013 Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud. Retrieved April 18, 2019.\",\n",
      "            \"url\": \"https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf\"\n",
      "        },\n",
      "        {\n",
      "            \"source_name\": \"Symantec DDoS October 2014\",\n",
      "            \"description\": \"Wueest, C.. (2014, October 21). The continued rise of DDoS attacks. Retrieved April 24, 2019.\",\n",
      "            \"url\": \"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf\"\n",
      "        },\n",
      "        {\n",
      "            \"source_name\": \"USNYAG IranianBotnet March 2016\",\n",
      "            \"description\": \"Preet Bharara, US Attorney. (2016, March 24). Retrieved April 23, 2019.\",\n",
      "            \"url\": \"https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged\"\n",
      "        },\n",
      "        {\n",
      "            \"source_name\": \"ArsTechnica Great Firewall of China\",\n",
      "            \"description\": \"Goodin, D.. (2015, March 31). Massive denial-of-service attack on GitHub tied to Chinese government. Retrieved April 19, 2019.\",\n",
      "            \"url\": \"https://arstechnica.com/information-technology/2015/03/massive-denial-of-service-attack-on-github-tied-to-chinese-government/\"\n",
      "        },\n",
      "        {\n",
      "            \"source_name\": \"Arbor AnnualDoSreport Jan 2018\",\n",
      "            \"description\": \"Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019.\",\n",
      "            \"url\": \"https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf\"\n",
      "        },\n",
      "        {\n",
      "            \"source_name\": \"Cloudflare SynFlood\",\n",
      "            \"description\": \"Cloudflare. (n.d.). What is a SYN flood attack?. Retrieved April 22, 2019.\",\n",
      "            \"url\": \"https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/\"\n",
      "        },\n",
      "        {\n",
      "            \"source_name\": \"Corero SYN-ACKflood\",\n",
      "            \"description\": \"Corero. (n.d.). What is a SYN-ACK Flood Attack?. Retrieved April 22, 2019.\",\n",
      "            \"url\": \"https://www.corero.com/resources/ddos-attack-types/syn-flood-ack.html\"\n",
      "        },\n",
      "        {\n",
      "            \"source_name\": \"Cloudflare HTTPflood\",\n",
      "            \"description\": \"Cloudflare. (n.d.). What is an HTTP flood DDoS attack?. Retrieved April 22, 2019.\",\n",
      "            \"url\": \"https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/\"\n",
      "        },\n",
      "        {\n",
      "            \"source_name\": \"Arbor SSLDoS April 2012\",\n",
      "            \"description\": \"ASERT Team, Netscout Arbor. (2012, April 24). DDoS Attacks on SSL: Something Old, Something New. Retrieved April 22, 2019.\",\n",
      "            \"url\": \"https://www.netscout.com/blog/asert/ddos-attacks-ssl-something-old-something-new\"\n",
      "        },\n",
      "        {\n",
      "            \"source_name\": \"Sucuri BIND9 August 2015\",\n",
      "            \"description\": \"Cid, D.. (2015, August 2). BIND9 \\u2013 Denial of Service Exploit in the Wild. Retrieved April 26, 2019.\",\n",
      "            \"url\": \"https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html\"\n",
      "        },\n",
      "        {\n",
      "            \"source_name\": \"Cisco DoSdetectNetflow\",\n",
      "            \"description\": \"Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.\",\n",
      "            \"url\": \"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf\"\n",
      "        }\n",
      "    ],\n",
      "    \"object_marking_refs\": [\n",
      "        \"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168\"\n",
      "    ],\n",
      "    \"x_mitre_data_sources\": [\n",
      "        \"SSL/TLS inspection\",\n",
      "        \"Web logs\",\n",
      "        \"Web application firewall logs\",\n",
      "        \"Network intrusion detection system\",\n",
      "        \"Network protocol analysis\",\n",
      "        \"Network device logs\",\n",
      "        \"Netflow/Enclave netflow\"\n",
      "    ],\n",
      "    \"x_mitre_detection\": \"Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\\n\\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.\\n\\nExternally monitor the availability of services that may be targeted by an Endpoint DoS.\",\n",
      "    \"x_mitre_impact_type\": [\n",
      "        \"Availability\"\n",
      "    ],\n",
      "    \"x_mitre_platforms\": [\n",
      "        \"Linux\",\n",
      "        \"macOS\",\n",
      "        \"Windows\"\n",
      "    ],\n",
      "    \"x_mitre_version\": \"1.0\"\n",
      "}\n"
     ]
    }
   ],
   "source": [
    "print(techniques[0])"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": []
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "Python 3",
   "language": "python",
   "name": "python3"
  },
  "language_info": {
   "codemirror_mode": {
    "name": "ipython",
    "version": 3
   },
   "file_extension": ".py",
   "mimetype": "text/x-python",
   "name": "python",
   "nbconvert_exporter": "python",
   "pygments_lexer": "ipython3",
   "version": "3.7.3"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}