{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# Exploring ICS ATT&CK" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Query ATT&CK" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Import TAXII Libraries\n", "ATT&CK users can use the Server class to instantiate a server object pointing to the framework’s public TAXII server URL https://cti-taxii.mitre.org/taxii/" ] }, { "cell_type": "code", "execution_count": 1, "metadata": {}, "outputs": [], "source": [ "from taxii2client.v20 import Server\n", "\n", "import logging\n", "logging.getLogger('taxii2client').setLevel(logging.CRITICAL)" ] }, { "cell_type": "code", "execution_count": 2, "metadata": {}, "outputs": [], "source": [ "server = Server(\"https://cti-taxii.mitre.org/taxii/\")" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Available API Roots can be referenced from the server object. API Roots are logical groupings of TAXII Channels and Collections and can be thought of as instances of the TAXII API available at different URLs, where each API Root is the “root” URL of that particular instance of the TAXII API:" ] }, { "cell_type": "code", "execution_count": 3, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[]" ] }, "execution_count": 3, "metadata": {}, "output_type": "execute_result" } ], "source": [ "server.api_roots" ] }, { "cell_type": "code", "execution_count": 4, "metadata": {}, "outputs": [], "source": [ "api_root = server.api_roots[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Explore ATT&CK TAXII Collections\n", "The **collections** attribute can then be used to list the collections under the API Root and to get more information about each one via its available properties:" ] }, { "cell_type": "code", "execution_count": 5, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[,\n", " ,\n", " ,\n", " ]" ] }, "execution_count": 5, "metadata": {}, "output_type": "execute_result" } ], "source": [ "api_root.collections" ] }, {
"cell_type": "code", "execution_count": 6, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Enterprise ATT&CK -> This data collection holds STIX objects from Enterprise ATT&CK\n", "PRE-ATT&CK -> This data collection holds STIX objects from PRE-ATT&CK\n", "Mobile ATT&CK -> This data collection holds STIX objects from Mobile ATT&CK\n", "ICS ATT&CK -> This data collection holds STIX objects from ICS ATT&CK\n" ] } ], "source": [ "for collection in api_root.collections:\n", " print(collection.title, \"->\", collection.description)" ] }, { "cell_type": "code", "execution_count": 7, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "'ICS ATT&CK'" ] }, "execution_count": 7, "metadata": {}, "output_type": "execute_result" } ], "source": [ "api_root.collections[3].title" ] }, { "cell_type": "code", "execution_count": 8, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "'02c3ef24-9cd4-48f3-a99f-b74ce24f1d34'" ] }, "execution_count": 8, "metadata": {}, "output_type": "execute_result" } ], "source": [ "api_root.collections[3].id" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Set ICS ATT&CK TAXII Collection ID Variable" ] }, { "cell_type": "code", "execution_count": 9, "metadata": {}, "outputs": [], "source": [ "ICS_ATTACK = \"02c3ef24-9cd4-48f3-a99f-b74ce24f1d34\"" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Initialize TAXII Collection Sources\n", "According to [STIX2 docs](https://stix2.readthedocs.io/en/latest/index.html), the [TAXIICollectionSource API](https://stix2.readthedocs.io/en/latest/api/datastore/stix2.datastore.taxii.html#stix2.datastore.taxii.TAXIICollectionSource) provides an interface for searching/retrieving STIX objects from a local/remote TAXII Collection endpoint. 
In our case, we are pointing to the ATT&CK TAXII Collection instances (https://cti-taxii.mitre.org/stix/collections/)" ] }, { "cell_type": "code", "execution_count": 10, "metadata": {}, "outputs": [], "source": [ "from stix2 import TAXIICollectionSource, Filter\n", "from taxii2client.v20 import Collection" ] }, { "cell_type": "code", "execution_count": 11, "metadata": {}, "outputs": [], "source": [ "ATTACK_STIX_COLLECTIONS = \"https://cti-taxii.mitre.org/stix/collections/\"\n", "ICS_COLLECTION = Collection(ATTACK_STIX_COLLECTIONS + ICS_ATTACK + \"/\")\n", "TC_ICS_SOURCE = TAXIICollectionSource(ICS_COLLECTION)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Retrieve all ICS Techniques\n", "Now that we can query the ICS ATT&CK TAXIICollection, we can use its query method with a Filter to retrieve STIX objects of type \"attack-pattern\", which correspond to ATT&CK \"Techniques\":" ] }, { "cell_type": "code", "execution_count": 12, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "AttackPattern(type='attack-pattern', id='attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-10-14T15:25:32.143Z', modified='2021-10-14T15:25:32.143Z', name='Transient Cyber Asset', description='Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: NERC June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required.\\n\\nAdversaries may take advantage of transient assets in different ways. 
For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices.\\n\\nTransient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems.\\n\\nIn the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system. (Citation: Maroochy - MITRE - 200808)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-ics-attack', phase_name='initial-access-ics')], revoked=False, external_references=[ExternalReference(source_name='mitre-ics-attack', url='https://collaborate.mitre.org/attackics/index.php/Technique/T0864', external_id='T0864'), ExternalReference(source_name='NERC June 2021', description=' North American Electric Reliability Corporation. (2021, June 28). Glossary of Terms Used in NERC Reliability Standards. Retrieved October 11, 2021.', url='https://www.nerc.com/files/glossary_of_terms.pdf'), ExternalReference(source_name='Maroochy - MITRE - 200808', description='Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study– Maroochy Water Services, Australia. Retrieved March 27, 2018.', url='https://www.mitre.org/sites/default/files/pdf/08%201145.pdf'), ExternalReference(source_name='NIST Apr 2013', description='National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. 
Retrieved September 17, 2020.', url='https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'), ExternalReference(source_name='NAFT Dec 2019', description='North America Transmission Forum. (2019, December). NATF Transient Cyber Asset Guidance. Retrieved September 25, 2020.', url='https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf'), ExternalReference(source_name='Emerson Exchange', description='Emerson Exchange. (n.d.). Increase Security with TPM, Secure Boot, and Trusted Boot. Retrieved September 25, 2020.', url='https://emersonexchange365.com/products/control-safety-systems/f/plc-pac-systems-industrial-computing-forum/8383/increase-security-with-tpm-secure-boot-and-trusted-boot'), ExternalReference(source_name='National Security Agency Feb 2016', description='National Security Agency. (2016, February). Position Zero: Integrity Checking Windows-Based ICS/SCADA Systems. Retrieved September 25, 2020.', url='https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/industrial-control-systems/position-zero-integrity-checking-windows-based-ics-scada-systems.cfm')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_data_sources=['Network Traffic: Network Flows', 'Network Traffic: Network Connections', 'Assets: Asset Inventory'], x_mitre_platforms=['Engineering Workstation'])" ] }, "execution_count": 12, "metadata": {}, "output_type": "execute_result" } ], "source": [ "ICS_TECHNIQUES = TC_ICS_SOURCE.query(Filter(\"type\", \"=\", \"attack-pattern\"))\n", "ICS_TECHNIQUES[0]" ] }, { "cell_type": "code", "execution_count": 13, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "T0864 -- Transient Cyber Asset\n", "T0888 -- Remote System Information Discovery\n", "T0834 -- Native API\n", "T0890 -- Exploitation for Privilege Escalation\n", "T0889 -- Modify Program\n", "T0821 -- Modify Controller Tasking\n", "T0886 -- 
Remote Services\n", "T0837 -- Loss of Protection\n", "T0878 -- Alarm Suppression\n", "T0806 -- Brute Force I/O\n", "T0885 -- Commonly Used Port\n", "T0810 -- Data Historian Compromise\n", "T0815 -- Denial of View\n", "T0818 -- Engineering Workstation Compromise\n", "T0866 -- Exploitation of Remote Services\n", "T0824 -- I/O Module Discovery\n", "T0826 -- Loss of Availability\n", "T0829 -- Loss of View\n", "T0849 -- Masquerading\n", "T0836 -- Modify Parameter\n", "T0840 -- Network Connection Enumeration\n", "T0844 -- Program Organization Units\n", "T0850 -- Role Identification\n", "T0851 -- Rootkit\n", "T0865 -- Spearphishing Attachment\n", "T0882 -- Theft of Operational Information\n", "T0860 -- Wireless Compromise\n", "T0802 -- Automated Collection\n", "T0875 -- Change Program State\n", "T0884 -- Connection Proxy\n", "T0811 -- Data from Information Repositories\n", "T0868 -- Detect Operating Mode\n", "T0871 -- Execution through API\n", "T0822 -- External Remote Services\n", "T0872 -- Indicator Removal on Host\n", "T0827 -- Loss of Control\n", "T0830 -- Man in the Middle\n", "T0841 -- Network Service Scanning\n", "T0845 -- Program Upload\n", "T0846 -- Remote System Discovery\n", "T0852 -- Screen Capture\n", "T0856 -- Spoof Reporting Message\n", "T0855 -- Unauthorized Command Message\n", "T0887 -- Wireless Sniffing\n", "T0800 -- Activate Firmware Update Mode\n", "T0805 -- Block Serial COM\n", "T0809 -- Data Destruction\n", "T0814 -- Denial of Service\n", "T0817 -- Drive-by Compromise\n", "T0877 -- I/O Image\n", "T0867 -- Lateral Tool Transfer\n", "T0880 -- Loss of Safety\n", "T0832 -- Manipulation of View\n", "T0833 -- Modify Control Logic\n", "T0843 -- Program Download\n", "T0848 -- Rogue Master\n", "T0881 -- Service Stop\n", "T0857 -- System Firmware\n", "T0859 -- Valid Accounts\n", "T0803 -- Block Command Message\n", "T0858 -- Change Operating Mode\n", "T0808 -- Control Device Identification\n", "T0812 -- Default Credentials\n", "T0870 -- Detect Program State\n", 
"T0819 -- Exploit Public-Facing Application\n", "T0823 -- Graphical User Interface\n", "T0883 -- Internet Accessible Device\n", "T0828 -- Loss of Productivity and Revenue\n", "T0835 -- Manipulate I/O Image\n", "T0838 -- Modify Alarm Settings\n", "T0839 -- Module Firmware\n", "T0842 -- Network Sniffing\n", "T0873 -- Project File Infection\n", "T0853 -- Scripting\n", "T0869 -- Standard Application Layer Protocol\n", "T0804 -- Block Reporting Message\n", "T0807 -- Command-Line Interface\n", "T0879 -- Damage to Property\n", "T0813 -- Denial of Control\n", "T0816 -- Device Restart/Shutdown\n", "T0820 -- Exploitation for Evasion\n", "T0874 -- Hooking\n", "T0825 -- Location Identification\n", "T0831 -- Manipulation of Control\n", "T0801 -- Monitor Process State\n", "T0861 -- Point & Tag Identification\n", "T0847 -- Replication Through Removable Media\n", "T0854 -- Serial Connection Enumeration\n", "T0862 -- Supply Chain Compromise\n", "T0863 -- User Execution\n" ] } ], "source": [ "for TECHNIQUE in ICS_TECHNIQUES:\n", " print(TECHNIQUE['external_references'][0]['external_id'], \"--\", TECHNIQUE['name'])" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## ICS ATT&CK Available since attackcti 0.3.4.3\n", "Reference: https://pypi.org/project/attackcti/" ] }, { "cell_type": "code", "execution_count": 14, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Techniques Count: 78\n" ] } ], "source": [ "from attackcti import attack_client\n", "lift = attack_client()\n", "\n", "ICS_TECHNIQUES = lift.get_ics_techniques()\n", "print(\"Techniques Count:\",len(ICS_TECHNIQUES))" ] }, { "cell_type": "code", "execution_count": 15, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "AttackPattern(type='attack-pattern', id='attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-10-14T15:25:32.143Z', modified='2021-10-14T15:25:32.143Z', name='Transient Cyber 
Asset', description='Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: NERC June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required.\\n\\nAdversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices.\\n\\nTransient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems.\\n\\nIn the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system. (Citation: Maroochy - MITRE - 200808)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-ics-attack', phase_name='initial-access-ics')], revoked=False, external_references=[ExternalReference(source_name='mitre-ics-attack', url='https://collaborate.mitre.org/attackics/index.php/Technique/T0864', external_id='T0864'), ExternalReference(source_name='NERC June 2021', description=' North American Electric Reliability Corporation. (2021, June 28). Glossary of Terms Used in NERC Reliability Standards. 
Retrieved October 11, 2021.', url='https://www.nerc.com/files/glossary_of_terms.pdf'), ExternalReference(source_name='Maroochy - MITRE - 200808', description='Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study– Maroochy Water Services, Australia. Retrieved March 27, 2018.', url='https://www.mitre.org/sites/default/files/pdf/08%201145.pdf'), ExternalReference(source_name='NIST Apr 2013', description='National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved September 17, 2020.', url='https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf'), ExternalReference(source_name='NAFT Dec 2019', description='North America Transmission Forum. (2019, December). NATF Transient Cyber Asset Guidance. Retrieved September 25, 2020.', url='https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf'), ExternalReference(source_name='Emerson Exchange', description='Emerson Exchange. (n.d.). Increase Security with TPM, Secure Boot, and Trusted Boot. Retrieved September 25, 2020.', url='https://emersonexchange365.com/products/control-safety-systems/f/plc-pac-systems-industrial-computing-forum/8383/increase-security-with-tpm-secure-boot-and-trusted-boot'), ExternalReference(source_name='National Security Agency Feb 2016', description='National Security Agency. (2016, February). Position Zero: Integrity Checking Windows-Based ICS/SCADA Systems. 
Retrieved September 25, 2020.', url='https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/industrial-control-systems/position-zero-integrity-checking-windows-based-ics-scada-systems.cfm')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_data_sources=['Network Traffic: Network Flows', 'Network Traffic: Network Connections', 'Assets: Asset Inventory'], x_mitre_platforms=['Engineering Workstation'])" ] }, "execution_count": 15, "metadata": {}, "output_type": "execute_result" } ], "source": [ "ICS_TECHNIQUES[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get All Data Sources Mapped to ICS ATT&CK Techniques" ] }, { "cell_type": "code", "execution_count": 16, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['Network Traffic: Network Flows',\n", " 'Network Traffic: Network Connections',\n", " 'Assets: Asset Inventory',\n", " 'Network Traffic: Network Traffic Content',\n", " 'Application Log: Application Log Content',\n", " 'Process: OS API Execution',\n", " 'File: File Modification',\n", " 'Asset: Software/Firmware',\n", " 'Command: Command Execution',\n", " 'Logon Session: Logon Session Creation',\n", " 'Network Share: Network Share Access',\n", " 'Network Traffic: Network Connection Creation',\n", " 'Network Traffic: Network Traffic Flow',\n", " 'Process: Process Creation',\n", " 'Operational Databases: Process History/Live Data',\n", " 'Operational Databases: Process/Event Alarm',\n", " 'File: File Metadata',\n", " 'Scheduled Job: Scheduled Job Metadata',\n", " 'Scheduled Job: Scheduled Job Modification',\n", " 'Service: Service Creation',\n", " 'Service: Service Metadata',\n", " 'Operational Databases: Device Alarm',\n", " 'Asset: Device Configuration/Parameters',\n", " 'Drive: Drive Modification',\n", " 'Firmware: Firmware Modification',\n", " 'Module: Module Load',\n", " 'File: File Access',\n", " 'Script: Script Execution',\n", " 'Logon Session: Logon Session 
Metadata',\n", " 'File: File Deletion',\n", " 'User Account: User Account Authentication',\n", " 'Windows Registry: Windows Registry Key Deletion',\n", " 'Windows Registry: Windows Registry Key Modification',\n", " 'Process: Process Termination',\n", " 'File: File Creation',\n", " 'Drive: Drive Creation']" ] }, "execution_count": 16, "metadata": {}, "output_type": "execute_result" } ], "source": [ "ICS_DATA_SOURCES = []\n", "for TECHNIQUE in ICS_TECHNIQUES:\n", " if 'x_mitre_data_sources' in TECHNIQUE.keys():\n", " for DS in TECHNIQUE['x_mitre_data_sources']:\n", " if DS not in ICS_DATA_SOURCES:\n", " ICS_DATA_SOURCES.append(DS)\n", "ICS_DATA_SOURCES" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get All Groups from ICS ATT&CK" ] }, { "cell_type": "code", "execution_count": 17, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "TEMP.Veles\n", "Dragonfly 2.0\n", "HEXANE\n", "APT33\n", "OilRig\n", "Dragonfly\n", "Sandworm Team\n", "Lazarus Group\n", "ALLANITE\n" ] } ], "source": [ "ICS_GROUPS = lift.get_ics_groups()\n", "for GROUP in ICS_GROUPS:\n", " print(GROUP['name'])" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Get All Malware from ICS ATT&CK" ] }, { "cell_type": "code", "execution_count": 18, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Conficker\n", "EKANS\n", "Bad Rabbit\n", "KillDisk\n", "Industroyer\n", "Stuxnet\n", "REvil\n", "Ryuk\n", "LockerGoga\n", "Triton\n", "VPNFilter\n", "PLC-Blaster\n", "NotPetya\n", "WannaCry\n", "Flame\n", "Backdoor.Oldrea\n", "ACAD/Medre.A\n", "BlackEnergy\n", "Duqu\n" ] } ], "source": [ "ICS_MALWARE = lift.get_ics_malware()\n", "for MALWARE in ICS_MALWARE:\n", " print(MALWARE['name'])" ] } ], "metadata": { "kernelspec": { "display_name": "Python 3", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", 
"name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.9.5" } }, "nbformat": 4, "nbformat_minor": 4 }