npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
Overview
Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attribution indicators using the Diamond Model and ACH (Analysis of Competing Hypotheses), analyzing infrastructure overlaps, TTP consistency, malware code similarities, operational timing patterns, and language artifacts to build confidence-weighted attribution assessments.
When to Use
- When investigating security incidents that require analyzing campaign attribution evidence
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Python 3.9+ with
attackcti,stix2,networkxlibraries - Access to threat intelligence platforms (MISP, OpenCTI)
- Understanding of Diamond Model of Intrusion Analysis
- Familiarity with MITRE ATT&CK threat group profiles
- Knowledge of malware analysis and infrastructure tracking techniques
Key Concepts
Attribution Evidence Categories
- Infrastructure Overlap: Shared C2 servers, domains, IP ranges, hosting providers
- TTP Consistency: Matching ATT&CK techniques and sub-techniques across campaigns
- Malware Code Similarity: Shared code bases, compilers, PDB paths, encryption routines
- Operational Patterns: Timing (working hours, time zones), targeting patterns, operational tempo
- Language Artifacts: Embedded strings, variable names, error messages in specific languages
- Victimology: Target sector, geography, and organizational profile consistency
Confidence Levels
- High Confidence: Multiple independent evidence categories converge on same actor
- Moderate Confidence: Several evidence categories match, some ambiguity remains
- Low Confidence: Limited evidence, possible false flags or shared tooling
Analysis of Competing Hypotheses (ACH)
Structured analytical method that evaluates evidence against multiple competing hypotheses. Each piece of evidence is scored as consistent, inconsistent, or neutral with respect to each hypothesis. The hypothesis with the least inconsistent evidence is favored.
Workflow
Step 1: Collect Attribution Evidence
from stix2 import MemoryStore, Filter
from collections import defaultdict
class AttributionAnalyzer:
def __init__(self):
self.evidence = []
self.hypotheses = {}
def add_evidence(self, category, description, value, confidence):
self.evidence.append({
"category": category,
"description": description,
"value": value,
"confidence": confidence,
"timestamp": None,
})
def add_hypothesis(self, actor_name, actor_id=""):
self.hypotheses[actor_name] = {
"actor_id": actor_id,
"consistent_evidence": [],
"inconsistent_evidence": [],
"neutral_evidence": [],
"score": 0,
}
def evaluate_evidence(self, evidence_idx, actor_name, assessment):
"""Assess evidence against a hypothesis: consistent/inconsistent/neutral."""
if assessment == "consistent":
self.hypotheses[actor_name]["consistent_evidence"].append(evidence_idx)
self.hypotheses[actor_name]["score"] += self.evidence[evidence_idx]["confidence"]
elif assessment == "inconsistent":
self.hypotheses[actor_name]["inconsistent_evidence"].append(evidence_idx)
self.hypotheses[actor_name]["score"] -= self.evidence[evidence_idx]["confidence"] * 2
else:
self.hypotheses[actor_name]["neutral_evidence"].append(evidence_idx)
def rank_hypotheses(self):
"""Rank hypotheses by attribution score."""
ranked = sorted(
self.hypotheses.items(),
key=lambda x: x[1]["score"],
reverse=True,
)
return [
{
"actor": name,
"score": data["score"],
"consistent": len(data["consistent_evidence"]),
"inconsistent": len(data["inconsistent_evidence"]),
"confidence": self._score_to_confidence(data["score"]),
}
for name, data in ranked
]
def _score_to_confidence(self, score):
if score >= 80:
return "HIGH"
elif score >= 40:
return "MODERATE"
else:
return "LOW"Step 2: Infrastructure Overlap Analysis
def analyze_infrastructure_overlap(campaign_a_infra, campaign_b_infra):
"""Compare infrastructure between two campaigns for attribution."""
overlap = {
"shared_ips": set(campaign_a_infra.get("ips", [])).intersection(
campaign_b_infra.get("ips", [])
),
"shared_domains": set(campaign_a_infra.get("domains", [])).intersection(
campaign_b_infra.get("domains", [])
),
"shared_asns": set(campaign_a_infra.get("asns", [])).intersection(
campaign_b_infra.get("asns", [])
),
"shared_registrars": set(campaign_a_infra.get("registrars", [])).intersection(
campaign_b_infra.get("registrars", [])
),
}
overlap_score = 0
if overlap["shared_ips"]:
overlap_score += 30
if overlap["shared_domains"]:
overlap_score += 25
if overlap["shared_asns"]:
overlap_score += 15
if overlap["shared_registrars"]:
overlap_score += 10
return {
"overlap": {k: list(v) for k, v in overlap.items()},
"overlap_score": overlap_score,
"assessment": "STRONG" if overlap_score >= 40 else "MODERATE" if overlap_score >= 20 else "WEAK",
}Step 3: TTP Comparison Across Campaigns
from attackcti import attack_client
def compare_campaign_ttps(campaign_techniques, known_actor_techniques):
"""Compare campaign TTPs against known threat actor profiles."""
campaign_set = set(campaign_techniques)
actor_set = set(known_actor_techniques)
common = campaign_set.intersection(actor_set)
unique_campaign = campaign_set - actor_set
unique_actor = actor_set - campaign_set
jaccard = len(common) / len(campaign_set.union(actor_set)) if campaign_set.union(actor_set) else 0
return {
"common_techniques": sorted(common),
"common_count": len(common),
"unique_to_campaign": sorted(unique_campaign),
"unique_to_actor": sorted(unique_actor),
"jaccard_similarity": round(jaccard, 3),
"overlap_percentage": round(len(common) / len(campaign_set) * 100, 1) if campaign_set else 0,
}Step 4: Generate Attribution Report
def generate_attribution_report(analyzer):
"""Generate structured attribution assessment report."""
rankings = analyzer.rank_hypotheses()
report = {
"assessment_date": "2026-02-23",
"total_evidence_items": len(analyzer.evidence),
"hypotheses_evaluated": len(analyzer.hypotheses),
"rankings": rankings,
"primary_attribution": rankings[0] if rankings else None,
"evidence_summary": [
{
"index": i,
"category": e["category"],
"description": e["description"],
"confidence": e["confidence"],
}
for i, e in enumerate(analyzer.evidence)
],
}
return reportValidation Criteria
- Evidence collection covers all six attribution categories
- ACH matrix properly evaluates evidence against competing hypotheses
- Infrastructure overlap analysis identifies shared indicators
- TTP comparison uses ATT&CK technique IDs for precision
- Attribution confidence levels are properly justified
- Report includes alternative hypotheses and false flag considerations
References
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md3.1 KB
API Reference: Campaign Attribution Evidence Analysis
Diamond Model of Intrusion Analysis
Four Core Features
| Feature | Description | Attribution Value |
|---|---|---|
| Adversary | Threat actor identity | Direct attribution |
| Capability | Malware, exploits, tools | Indirect - shared tooling |
| Infrastructure | C2, domains, IPs | Strong - operational overlap |
| Victim | Targets, sectors, regions | Contextual - targeting pattern |
Pivot Analysis
Adversary ←→ Capability ←→ Infrastructure ←→ Victim
↕ ↕ ↕ ↕
(HUMINT) (Malware DB) (WHOIS/DNS) (Victimology)Analysis of Competing Hypotheses (ACH)
Matrix Format
Evidence \ Hypothesis | APT28 | APT29 | Lazarus | Unknown
-----------------------------------------------------------------
Infrastructure overlap | ++ | - | - | N
TTP consistency | ++ | ++ | - | N
Malware similarity | + | - | - | N
Timing (UTC+3) | ++ | ++ | - | N
Language (Russian) | ++ | ++ | - | NScoring
| Symbol | Meaning | Weight |
|---|---|---|
++ |
Strongly consistent | +2 |
+ |
Consistent | +1 |
N |
Neutral | 0 |
- |
Inconsistent | -1 |
-- |
Strongly inconsistent | -2 |
MITRE ATT&CK Group Queries
Python (mitreattack-python)
from mitreattack.stix20 import MitreAttackData
attack = MitreAttackData("enterprise-attack.json")
group = attack.get_group_by_alias("APT29")
techniques = attack.get_techniques_used_by_group(group.id)STIX2 Relationship Query
from stix2 import Filter
relationships = src.query([
Filter("type", "=", "relationship"),
Filter("source_ref", "=", group_id),
Filter("relationship_type", "=", "uses"),
])Infrastructure Overlap Tools
PassiveTotal / RiskIQ
# WHOIS history
curl -u user:key "https://api.passivetotal.org/v2/whois?query=domain.com"
# Passive DNS
curl -u user:key "https://api.passivetotal.org/v2/dns/passive?query=1.2.3.4"VirusTotal Relations
curl -H "x-apikey: KEY" \
"https://www.virustotal.com/api/v3/domains/example.com/communicating_files"Confidence Assessment Framework
| Level | Score Range | Criteria |
|---|---|---|
| HIGH | 0.8-1.0 | Multiple independent evidence types converge |
| MEDIUM | 0.5-0.8 | Significant evidence with some gaps |
| LOW | 0.2-0.5 | Limited evidence, alternative hypotheses remain |
| NEGLIGIBLE | 0.0-0.2 | Insufficient evidence for attribution |
STIX Attribution Objects
Campaign Object
{
"type": "campaign",
"name": "Operation DarkShadow",
"first_seen": "2024-01-15T00:00:00Z",
"last_seen": "2024-03-20T00:00:00Z",
"objective": "Espionage targeting defense sector"
}Attribution Relationship
{
"type": "relationship",
"relationship_type": "attributed-to",
"source_ref": "campaign--abc123",
"target_ref": "intrusion-set--def456",
"confidence": 75
}standards.md1.1 KB
Standards and Frameworks Reference
Applicable Standards
- STIX 2.1: Structured Threat Information eXpression for CTI data representation
- TAXII 2.1: Transport protocol for sharing CTI over HTTPS
- MITRE ATT&CK: Adversary tactics, techniques, and procedures taxonomy
- Diamond Model: Intrusion analysis framework (Adversary, Capability, Infrastructure, Victim)
- Traffic Light Protocol (TLP): Information sharing classification (CLEAR, GREEN, AMBER, RED)
MITRE ATT&CK Relevance
- Technique mapping for threat actor behavior classification
- Data sources for detection capability assessment
- Mitigation strategies linked to specific techniques
Industry Frameworks
- NIST Cybersecurity Framework (CSF) 2.0 - Identify function
- ISO 27001:2022 - A.5.7 Threat Intelligence
- FIRST Standards - TLP, CSIRT, vulnerability coordination
References
workflows.md1.4 KB
Campaign Attribution Analysis Workflows
Workflow 1: Collection and Analysis
[Intelligence Sources] --> [Data Collection] --> [Analysis] --> [Reporting]
| | | |
v v v v
OSINT/HUMINT/SIGINT Normalize/Enrich Assess/Correlate DisseminateSteps:
- Planning: Define intelligence requirements and collection priorities
- Collection: Gather data from relevant sources
- Processing: Normalize data formats and filter noise
- Analysis: Apply analytical frameworks and correlate findings
- Production: Generate intelligence products and reports
- Dissemination: Share with stakeholders via appropriate channels
- Feedback: Collect consumer feedback to refine future collection
Workflow 2: Continuous Monitoring
[Watchlist] --> [Automated Monitoring] --> [Change Detection] --> [Alert/Update]Steps:
- Define Watchlist: Identify indicators, actors, and topics to monitor
- Configure Monitoring: Set up automated collection from relevant sources
- Change Detection: Identify new or changed intelligence
- Assessment: Evaluate significance of changes
- Alerting: Notify stakeholders of significant intelligence updates
- Archive: Store intelligence for historical analysis and trending
Scripts 2
agent.py9.9 KB
#!/usr/bin/env python3
"""Campaign attribution analysis agent using Diamond Model and ACH methodology.
Evaluates attribution evidence including infrastructure overlaps, TTP consistency,
malware code similarity, timing patterns, and language artifacts.
"""
import json
import re
from collections import defaultdict
from datetime import datetime
DIAMOND_DIMENSIONS = {
"adversary": "Threat actor identity, group attribution",
"capability": "Malware, exploits, tools used",
"infrastructure": "C2 servers, domains, IP addresses",
"victim": "Targeted sectors, regions, organizations",
}
EVIDENCE_WEIGHTS = {
"infrastructure_overlap": 0.25,
"ttp_consistency": 0.30,
"malware_code_similarity": 0.25,
"timing_pattern": 0.10,
"language_artifact": 0.10,
}
CONFIDENCE_LEVELS = {
(0.8, 1.0): "HIGH - Strong attribution confidence",
(0.5, 0.8): "MEDIUM - Moderate attribution, further analysis recommended",
(0.2, 0.5): "LOW - Weak attribution, insufficient evidence",
(0.0, 0.2): "NEGLIGIBLE - No meaningful attribution possible",
}
def diamond_model_analysis(adversary=None, capability=None, infrastructure=None, victim=None):
"""Structure evidence using the Diamond Model of Intrusion Analysis."""
model = {
"adversary": {
"identified": adversary is not None,
"details": adversary or "Unknown",
},
"capability": {
"tools": capability.get("tools", []) if capability else [],
"exploits": capability.get("exploits", []) if capability else [],
"malware": capability.get("malware", []) if capability else [],
},
"infrastructure": {
"c2_servers": infrastructure.get("c2", []) if infrastructure else [],
"domains": infrastructure.get("domains", []) if infrastructure else [],
"ip_addresses": infrastructure.get("ips", []) if infrastructure else [],
},
"victim": {
"sectors": victim.get("sectors", []) if victim else [],
"regions": victim.get("regions", []) if victim else [],
},
"pivot_opportunities": [],
}
if infrastructure and infrastructure.get("c2"):
model["pivot_opportunities"].append("Pivot from C2 infrastructure to related campaigns")
if capability and capability.get("malware"):
model["pivot_opportunities"].append("Pivot from malware samples to shared infrastructure")
return model
def evaluate_infrastructure_overlap(campaign_infra, known_actor_infra):
"""Score infrastructure overlap between campaign and known actor."""
campaign_set = set(campaign_infra)
known_set = set(known_actor_infra)
if not campaign_set or not known_set:
return 0.0, []
overlap = campaign_set & known_set
score = len(overlap) / max(len(campaign_set), len(known_set))
return round(score, 4), sorted(overlap)
def evaluate_ttp_consistency(campaign_ttps, actor_ttps):
"""Score TTP consistency using MITRE ATT&CK technique overlap."""
campaign_set = set(campaign_ttps)
actor_set = set(actor_ttps)
if not campaign_set or not actor_set:
return 0.0, []
overlap = campaign_set & actor_set
jaccard = len(overlap) / len(campaign_set | actor_set)
return round(jaccard, 4), sorted(overlap)
def evaluate_malware_similarity(sample_features, known_features):
"""Score malware code similarity based on feature comparison."""
if not sample_features or not known_features:
return 0.0
matches = 0
total = max(len(sample_features), len(known_features))
for feature in sample_features:
if feature in known_features:
matches += 1
return round(matches / total, 4) if total > 0 else 0.0
def evaluate_timing_pattern(campaign_timestamps, actor_timezone_offset=None):
"""Analyze operational timing to infer timezone/working hours."""
if not campaign_timestamps:
return {"score": 0.0, "working_hours": None, "timezone_guess": None}
hours = []
for ts in campaign_timestamps:
try:
if isinstance(ts, str):
dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
else:
dt = ts
adjusted = dt.hour + (actor_timezone_offset or 0)
hours.append(adjusted % 24)
except (ValueError, TypeError):
continue
if not hours:
return {"score": 0.0}
work_hours = sum(1 for h in hours if 8 <= h <= 18)
work_ratio = work_hours / len(hours)
avg_hour = sum(hours) / len(hours)
return {
"score": round(work_ratio, 4),
"average_hour_utc": round(avg_hour, 1),
"work_hour_ratio": round(work_ratio, 4),
"sample_size": len(hours),
}
def evaluate_language_artifacts(strings_list):
"""Detect language artifacts in malware strings or documents."""
language_indicators = {
"Russian": [r"[а-яА-Я]{3,}", r"codepage.*1251", r"locale.*ru"],
"Chinese": [r"[\u4e00-\u9fff]{2,}", r"codepage.*936", r"GB2312"],
"Korean": [r"[\uac00-\ud7af]{2,}", r"codepage.*949", r"EUC-KR"],
"Farsi": [r"[\u0600-\u06ff]{3,}", r"codepage.*1256"],
"English": [r"\b(the|and|for|with)\b"],
}
detections = defaultdict(int)
for s in strings_list:
for lang, patterns in language_indicators.items():
for pattern in patterns:
if re.search(pattern, s, re.IGNORECASE):
detections[lang] += 1
total = sum(detections.values()) or 1
scored = {lang: round(count / total, 4) for lang, count in detections.items()}
return scored
def ach_analysis(hypotheses, evidence_items):
"""Analysis of Competing Hypotheses (ACH) for attribution."""
matrix = {}
for hyp in hypotheses:
hyp_name = hyp["name"]
matrix[hyp_name] = {"consistent": 0, "inconsistent": 0, "neutral": 0, "score": 0}
for evidence in evidence_items:
ev_name = evidence["name"]
consistency = evidence.get("hypotheses", {}).get(hyp_name, "neutral")
if consistency == "consistent":
matrix[hyp_name]["consistent"] += evidence.get("weight", 1)
elif consistency == "inconsistent":
matrix[hyp_name]["inconsistent"] += evidence.get("weight", 1)
else:
matrix[hyp_name]["neutral"] += evidence.get("weight", 1)
c = matrix[hyp_name]["consistent"]
i = matrix[hyp_name]["inconsistent"]
matrix[hyp_name]["score"] = round((c - i) / (c + i + 0.01), 4)
return matrix
def compute_attribution_score(scores):
"""Compute weighted attribution confidence score."""
total = 0.0
for evidence_type, weight in EVIDENCE_WEIGHTS.items():
score = scores.get(evidence_type, 0.0)
total += score * weight
confidence = "UNKNOWN"
for (low, high), label in CONFIDENCE_LEVELS.items():
if low <= total < high:
confidence = label
break
return round(total, 4), confidence
def generate_attribution_report(campaign_name, candidate_actor, evidence):
"""Generate structured attribution assessment report."""
scores = {}
details = {}
infra_score, infra_overlap = evaluate_infrastructure_overlap(
evidence.get("campaign_infra", []), evidence.get("actor_infra", []))
scores["infrastructure_overlap"] = infra_score
details["infrastructure_overlap"] = infra_overlap
ttp_score, ttp_overlap = evaluate_ttp_consistency(
evidence.get("campaign_ttps", []), evidence.get("actor_ttps", []))
scores["ttp_consistency"] = ttp_score
details["ttp_consistency"] = ttp_overlap
malware_score = evaluate_malware_similarity(
evidence.get("sample_features", []), evidence.get("known_features", []))
scores["malware_code_similarity"] = malware_score
timing = evaluate_timing_pattern(
evidence.get("timestamps", []), evidence.get("tz_offset"))
scores["timing_pattern"] = timing.get("score", 0.0)
details["timing"] = timing
lang = evaluate_language_artifacts(evidence.get("strings", []))
scores["language_artifact"] = max(lang.values()) if lang else 0.0
details["language_artifacts"] = lang
total_score, confidence = compute_attribution_score(scores)
return {
"campaign": campaign_name,
"candidate_actor": candidate_actor,
"attribution_score": total_score,
"confidence_level": confidence,
"evidence_scores": scores,
"evidence_details": details,
}
if __name__ == "__main__":
print("=" * 60)
print("Campaign Attribution Evidence Analysis Agent")
print("Diamond Model, ACH, TTP/infrastructure/malware scoring")
print("=" * 60)
demo_evidence = {
"campaign_infra": ["185.220.101.1", "evil-domain.com", "c2.attacker.net"],
"actor_infra": ["185.220.101.1", "c2.attacker.net", "other-domain.org"],
"campaign_ttps": ["T1566.001", "T1059.001", "T1053.005", "T1071.001", "T1041"],
"actor_ttps": ["T1566.001", "T1059.001", "T1053.005", "T1071.001", "T1021.001", "T1003.001"],
"sample_features": ["xor_0x55", "mutex_Global\\QWE", "ua_Mozilla5", "rc4_key"],
"known_features": ["xor_0x55", "mutex_Global\\QWE", "ua_Mozilla5", "aes_cbc"],
"timestamps": ["2024-03-15T06:30:00Z", "2024-03-15T07:15:00Z",
"2024-03-16T08:00:00Z", "2024-03-16T09:45:00Z"],
"tz_offset": 3,
"strings": ["Привет мир", "connect to server", "upload file"],
}
report = generate_attribution_report("Operation DarkShadow", "APT29", demo_evidence)
print(f"\n[*] Campaign: {report['campaign']}")
print(f"[*] Candidate: {report['candidate_actor']}")
print(f"[*] Attribution Score: {report['attribution_score']}")
print(f"[*] Confidence: {report['confidence_level']}")
print("\n--- Evidence Scores ---")
for ev, score in report["evidence_scores"].items():
weight = EVIDENCE_WEIGHTS.get(ev, 0)
print(f" {ev:30s} score={score:.4f} weight={weight}")
print(f"\n[*] Full report:\n{json.dumps(report, indent=2, default=str)}")
process.py5.9 KB
#!/usr/bin/env python3
"""
Campaign Attribution Evidence Analysis Script
Implements structured attribution analysis:
- Analysis of Competing Hypotheses (ACH) matrix
- Infrastructure overlap scoring
- TTP similarity comparison using ATT&CK
- Evidence weighting and confidence assessment
Requirements:
pip install attackcti stix2 requests
Usage:
python process.py --evidence evidence.json --hypotheses actors.json --output report.json
python process.py --compare-ttps --campaign campaign_techs.json --actor APT29
"""
import argparse
import json
import sys
from collections import defaultdict
class AttributionEngine:
"""Structured attribution analysis using ACH methodology."""
def __init__(self):
self.evidence = []
self.hypotheses = {}
def load_evidence(self, filepath):
with open(filepath) as f:
self.evidence = json.load(f)
def add_evidence(self, category, description, value, confidence):
self.evidence.append({
"id": len(self.evidence),
"category": category,
"description": description,
"value": value,
"confidence": confidence,
})
def add_hypothesis(self, actor_name, supporting_info=""):
self.hypotheses[actor_name] = {
"info": supporting_info,
"assessments": {},
"score": 0,
}
def evaluate(self, evidence_id, actor_name, assessment):
"""Evaluate evidence against hypothesis: C=consistent, I=inconsistent, N=neutral."""
weight = self.evidence[evidence_id]["confidence"]
self.hypotheses[actor_name]["assessments"][evidence_id] = assessment
if assessment == "C":
self.hypotheses[actor_name]["score"] += weight
elif assessment == "I":
self.hypotheses[actor_name]["score"] -= weight * 2
def generate_ach_matrix(self):
matrix = {"evidence": [], "hypotheses": {}}
for e in self.evidence:
matrix["evidence"].append({
"id": e["id"],
"category": e["category"],
"description": e["description"],
})
for actor, data in self.hypotheses.items():
matrix["hypotheses"][actor] = {
"assessments": data["assessments"],
"score": data["score"],
"consistent": sum(1 for a in data["assessments"].values() if a == "C"),
"inconsistent": sum(1 for a in data["assessments"].values() if a == "I"),
"neutral": sum(1 for a in data["assessments"].values() if a == "N"),
}
return matrix
def rank(self):
ranked = sorted(
self.hypotheses.items(), key=lambda x: x[1]["score"], reverse=True
)
results = []
for name, data in ranked:
incon = sum(1 for a in data["assessments"].values() if a == "I")
confidence = "HIGH" if data["score"] >= 80 and incon == 0 else \
"MODERATE" if data["score"] >= 40 else "LOW"
results.append({
"actor": name,
"score": data["score"],
"confidence": confidence,
"inconsistent_count": incon,
})
return results
def compare_ttp_similarity(campaign_techs, actor_techs):
campaign_set = set(campaign_techs)
actor_set = set(actor_techs)
common = campaign_set & actor_set
jaccard = len(common) / len(campaign_set | actor_set) if (campaign_set | actor_set) else 0
return {
"common": sorted(common),
"jaccard_similarity": round(jaccard, 3),
"campaign_coverage": round(len(common) / len(campaign_set) * 100, 1) if campaign_set else 0,
}
def main():
parser = argparse.ArgumentParser(description="Campaign Attribution Analysis")
parser.add_argument("--evidence", help="Evidence JSON file")
parser.add_argument("--hypotheses", help="Hypotheses JSON file")
parser.add_argument("--compare-ttps", action="store_true")
parser.add_argument("--campaign", help="Campaign techniques JSON")
parser.add_argument("--actor", help="Actor name for ATT&CK lookup")
parser.add_argument("--output", default="attribution_report.json")
args = parser.parse_args()
engine = AttributionEngine()
if args.evidence and args.hypotheses:
engine.load_evidence(args.evidence)
with open(args.hypotheses) as f:
hyps = json.load(f)
for h in hyps:
engine.add_hypothesis(h["name"], h.get("info", ""))
for eid, assessment in h.get("evaluations", {}).items():
engine.evaluate(int(eid), h["name"], assessment)
matrix = engine.generate_ach_matrix()
rankings = engine.rank()
report = {"ach_matrix": matrix, "rankings": rankings}
print(json.dumps(report, indent=2))
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
elif args.compare_ttps and args.campaign:
with open(args.campaign) as f:
campaign_techs = json.load(f)
if args.actor:
try:
from attackcti import attack_client
lift = attack_client()
groups = lift.get_groups()
group = next(
(g for g in groups if args.actor.lower() in g.get("name", "").lower()),
None,
)
if group:
gid = group["external_references"][0]["external_id"]
techs = lift.get_techniques_used_by_group(gid)
actor_techs = [
t["external_references"][0]["external_id"]
for t in techs if t.get("external_references")
]
result = compare_ttp_similarity(campaign_techs, actor_techs)
print(json.dumps(result, indent=2))
except ImportError:
print("[-] attackcti not installed")
if __name__ == "__main__":
main()