threat intelligence

Analyzing Threat Actor TTPs with MITRE ATT&CK

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor behavior to the ATT&CK framework, building technique coverage heatmaps using the ATT&CK Navigator, identifying detection gaps, and producing actionable intelligence reports that link observed IOCs to specific adversary techniques across the Enterprise, Mobile, and ICS matrices.

ctiiocmitre-attackstixthreat-actorsthreat-intelligencettp-analysis
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor behavior to the ATT&CK framework, building technique coverage heatmaps using the ATT&CK Navigator, identifying detection gaps, and producing actionable intelligence reports that link observed IOCs to specific adversary techniques across the Enterprise, Mobile, and ICS matrices.

When to Use

  • When investigating security incidents that require analyzing threat actor ttps with mitre attack
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Python 3.9+ with mitreattack-python, attackcti, stix2 libraries
  • MITRE ATT&CK Navigator (web-based or local deployment)
  • Understanding of ATT&CK matrix structure: Tactics, Techniques, Sub-techniques
  • Access to threat intelligence reports or MISP/OpenCTI for threat actor data
  • Familiarity with STIX 2.1 Attack Pattern objects

Key Concepts

ATT&CK Matrix Structure

The ATT&CK Enterprise matrix organizes adversary behavior into 14 Tactics (the "why") containing Techniques (the "how") and Sub-techniques (specific implementations). Each technique has associated data sources, detections, mitigations, and real-world procedure examples from observed threat groups.

Threat Group Profiles

ATT&CK catalogs over 140 threat groups (e.g., APT28, APT29, Lazarus Group, FIN7) with documented technique usage. Each group profile includes aliases, targeted sectors, associated campaigns, software used, and technique mappings with procedure-level detail.

ATT&CK Navigator

The ATT&CK Navigator is a web-based tool for creating custom ATT&CK matrix visualizations. Analysts create layers (JSON files) that annotate techniques with scores, colors, comments, and metadata to visualize threat actor coverage, detection capabilities, or risk assessments.

Workflow

Step 1: Query ATT&CK Data Programmatically

from attackcti import attack_client
import json
 
# Initialize ATT&CK client (queries MITRE TAXII server)
lift = attack_client()
 
# Get all Enterprise techniques
enterprise_techniques = lift.get_enterprise_techniques()
print(f"Total Enterprise techniques: {len(enterprise_techniques)}")
 
# Get all threat groups
groups = lift.get_groups()
print(f"Total threat groups: {len(groups)}")
 
# Get specific group by name
apt29 = [g for g in groups if 'APT29' in g.get('name', '')]
if apt29:
    group = apt29[0]
    print(f"Group: {group['name']}")
    print(f"Aliases: {group.get('aliases', [])}")
    print(f"Description: {group.get('description', '')[:200]}")

Step 2: Map Threat Actor to ATT&CK Techniques

from attackcti import attack_client
 
lift = attack_client()
 
# Get techniques used by APT29
apt29_techniques = lift.get_techniques_used_by_group("G0016")  # APT29 group ID
 
technique_map = {}
for entry in apt29_techniques:
    tech_id = entry.get("external_references", [{}])[0].get("external_id", "")
    tech_name = entry.get("name", "")
    description = entry.get("description", "")
    tactic_refs = [
        phase.get("phase_name", "")
        for phase in entry.get("kill_chain_phases", [])
    ]
 
    technique_map[tech_id] = {
        "name": tech_name,
        "tactics": tactic_refs,
        "description": description[:300],
    }
 
print(f"\nAPT29 uses {len(technique_map)} techniques:")
for tid, info in sorted(technique_map.items()):
    print(f"  {tid}: {info['name']} [{', '.join(info['tactics'])}]")

Step 3: Generate ATT&CK Navigator Layer

import json
 
def create_navigator_layer(group_name, technique_map, description=""):
    """Generate ATT&CK Navigator layer JSON for a threat group."""
    techniques_list = []
    for tech_id, info in technique_map.items():
        techniques_list.append({
            "techniqueID": tech_id,
            "tactic": info["tactics"][0] if info["tactics"] else "",
            "color": "#ff6666",  # Red for observed techniques
            "comment": info["description"][:200],
            "enabled": True,
            "score": 100,
            "metadata": [
                {"name": "group", "value": group_name},
            ],
        })
 
    layer = {
        "name": f"{group_name} TTP Coverage",
        "versions": {
            "attack": "16.1",
            "navigator": "5.1.0",
            "layer": "4.5",
        },
        "domain": "enterprise-attack",
        "description": description or f"Techniques attributed to {group_name}",
        "filters": {"platforms": ["Windows", "Linux", "macOS", "Cloud"]},
        "sorting": 0,
        "layout": {
            "layout": "side",
            "aggregateFunction": "average",
            "showID": True,
            "showName": True,
            "showAggregateScores": False,
            "countUnscored": False,
        },
        "hideDisabled": False,
        "techniques": techniques_list,
        "gradient": {
            "colors": ["#ffffff", "#ff6666"],
            "minValue": 0,
            "maxValue": 100,
        },
        "legendItems": [
            {"label": "Observed technique", "color": "#ff6666"},
            {"label": "Not observed", "color": "#ffffff"},
        ],
        "showTacticRowBackground": True,
        "tacticRowBackground": "#dddddd",
        "selectTechniquesAcrossTactics": True,
        "selectSubtechniquesWithParent": False,
        "selectVisibleTechniques": False,
    }
 
    return layer
 
 
# Generate and save layer
layer = create_navigator_layer("APT29", technique_map, "APT29 (Cozy Bear) TTP analysis")
with open("apt29_navigator_layer.json", "w") as f:
    json.dump(layer, f, indent=2)
print("[+] Navigator layer saved to apt29_navigator_layer.json")

Step 4: Identify Detection Gaps

from attackcti import attack_client
 
lift = attack_client()
 
# Get all techniques with data sources
all_techniques = lift.get_enterprise_techniques()
 
# Build data source coverage map
data_source_coverage = {}
for tech in all_techniques:
    tech_id = tech.get("external_references", [{}])[0].get("external_id", "")
    data_sources = tech.get("x_mitre_data_sources", [])
 
    for ds in data_sources:
        if ds not in data_source_coverage:
            data_source_coverage[ds] = []
        data_source_coverage[ds].append(tech_id)
 
# Compare threat actor techniques against available detections
detected_techniques = {"T1059", "T1071", "T1566"}  # Example: techniques you can detect
actor_techniques = set(technique_map.keys())
 
covered = actor_techniques.intersection(detected_techniques)
gaps = actor_techniques - detected_techniques
 
print(f"\n=== Detection Gap Analysis for APT29 ===")
print(f"Actor techniques: {len(actor_techniques)}")
print(f"Detected: {len(covered)} ({len(covered)/len(actor_techniques)*100:.0f}%)")
print(f"Gaps: {len(gaps)} ({len(gaps)/len(actor_techniques)*100:.0f}%)")
print(f"\nUndetected techniques:")
for tech_id in sorted(gaps):
    if tech_id in technique_map:
        print(f"  {tech_id}: {technique_map[tech_id]['name']}")

Step 5: Cross-Group Technique Comparison

from attackcti import attack_client
 
lift = attack_client()
 
# Compare techniques across multiple groups
groups_to_compare = {
    "G0016": "APT29",
    "G0007": "APT28",
    "G0032": "Lazarus Group",
}
 
group_techniques = {}
for gid, gname in groups_to_compare.items():
    techs = lift.get_techniques_used_by_group(gid)
    tech_ids = set()
    for t in techs:
        tid = t.get("external_references", [{}])[0].get("external_id", "")
        if tid:
            tech_ids.add(tid)
    group_techniques[gname] = tech_ids
 
# Find common and unique techniques
all_groups = list(group_techniques.keys())
common_to_all = set.intersection(*group_techniques.values())
print(f"\nTechniques common to all {len(all_groups)} groups: {len(common_to_all)}")
for tid in sorted(common_to_all):
    print(f"  {tid}")
 
for gname, techs in group_techniques.items():
    unique = techs - set.union(*[t for n, t in group_techniques.items() if n != gname])
    print(f"\nUnique to {gname}: {len(unique)} techniques")

Validation Criteria

  • ATT&CK data successfully queried via TAXII server or local copy
  • Threat actor mapped to specific techniques with procedure examples
  • ATT&CK Navigator layer JSON is valid and renders correctly
  • Detection gap analysis identifies unmonitored techniques
  • Cross-group comparison reveals shared and unique TTPs
  • Output is actionable for detection engineering prioritization

References

Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 3

api-reference.md2.1 KB

API Reference: Threat Actor TTP Analysis with MITRE ATT&CK

ATT&CK STIX Data

Download

curl -o enterprise-attack.json   https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json

STIX Object Types

Type Description
attack-pattern Techniques and sub-techniques
intrusion-set Threat actor groups
relationship Links (group "uses" technique)
malware Malware families
tool Legitimate tools abused

mitreattack-python

Installation

pip install mitreattack-python

Query Techniques

from mitreattack.stix20 import MitreAttackData
attack = MitreAttackData("enterprise-attack.json")
 
# Get all techniques
techniques = attack.get_techniques()
 
# Get group techniques
group = attack.get_group_by_alias("APT29")
techs = attack.get_techniques_used_by_group(group.id)

Get Technique Mitigations

mitigations = attack.get_mitigations_mitigating_technique(technique.id)
for m in mitigations:
    print(m.name, m.description)

ATT&CK Navigator Layer Format

Technique Entry

{
  "techniqueID": "T1566.001",
  "tactic": "initial-access",
  "color": "#ff6666",
  "score": 100,
  "comment": "Spearphishing Attachment",
  "enabled": true
}

ATT&CK Tactic IDs

Tactic ID
Reconnaissance TA0043
Resource Development TA0042
Initial Access TA0001
Execution TA0002
Persistence TA0003
Privilege Escalation TA0004
Defense Evasion TA0005
Credential Access TA0006
Discovery TA0007
Lateral Movement TA0008
Collection TA0009
Command and Control TA0011
Exfiltration TA0010
Impact TA0040

TAXII Server Access

from stix2 import TAXIICollectionSource, Filter
from taxii2client.v20 import Collection
 
collection = Collection(
    "https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/"
)
src = TAXIICollectionSource(collection)
groups = src.query([Filter("type", "=", "intrusion-set")])
standards.md3.2 KB

Standards and Frameworks Reference

MITRE ATT&CK Framework

Matrix Structure

  • Enterprise ATT&CK: Windows, macOS, Linux, Cloud (AWS, Azure, GCP, SaaS, Office 365), Network, Containers
  • Mobile ATT&CK: Android, iOS
  • ICS ATT&CK: Industrial Control Systems

14 Enterprise Tactics (Kill Chain Order)

  1. Reconnaissance (TA0043): Gathering information for planning
  2. Resource Development (TA0042): Establishing resources for operations
  3. Initial Access (TA0001): Gaining initial foothold
  4. Execution (TA0002): Running adversary-controlled code
  5. Persistence (TA0003): Maintaining access across restarts
  6. Privilege Escalation (TA0004): Gaining higher-level permissions
  7. Defense Evasion (TA0005): Avoiding detection
  8. Credential Access (TA0006): Stealing credentials
  9. Discovery (TA0007): Understanding the environment
  10. Lateral Movement (TA0008): Moving through the environment
  11. Collection (TA0009): Gathering data of interest
  12. Command and Control (TA0011): Communicating with compromised systems
  13. Exfiltration (TA0010): Stealing data
  14. Impact (TA0040): Manipulating, interrupting, or destroying systems

Technique Naming Convention

  • Technique: T[NNNN] (e.g., T1059 - Command and Scripting Interpreter)
  • Sub-technique: T[NNNN].[NNN] (e.g., T1059.001 - PowerShell)
  • Group: G[NNNN] (e.g., G0016 - APT29)
  • Software: S[NNNN] (e.g., S0154 - Cobalt Strike)
  • Mitigation: M[NNNN] (e.g., M1049 - Antivirus/Antimalware)

Data Sources

ATT&CK v16+ uses structured data sources:

  • Process: Process Creation, Process Access, OS API Execution
  • File: File Creation, File Modification, File Access
  • Network Traffic: Network Connection Creation, Network Traffic Flow
  • Command: Command Execution
  • Module: Module Load
  • Windows Registry: Windows Registry Key Modification

STIX 2.1 Representation

Attack Pattern (SDO)

Maps to ATT&CK techniques:

{
  "type": "attack-pattern",
  "id": "attack-pattern--uuid",
  "name": "Spearphishing Attachment",
  "external_references": [
    {"source_name": "mitre-attack", "external_id": "T1566.001"}
  ],
  "kill_chain_phases": [
    {"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}
  ]
}

Intrusion Set (SDO)

Maps to ATT&CK groups:

{
  "type": "intrusion-set",
  "name": "APT29",
  "aliases": ["Cozy Bear", "The Dukes", "NOBELIUM"],
  "goals": ["espionage"],
  "resource_level": "government"
}

ATT&CK Navigator Layer Specification

Layer Version 4.5 Schema

  • name: Layer display name
  • domain: enterprise-attack, mobile-attack, ics-attack
  • techniques[]: Array of technique annotations
    • techniqueID: ATT&CK ID
    • score: Numeric score (0-100)
    • color: Hex color override
    • comment: Analyst notes
    • enabled: Show/hide technique
    • metadata[]: Key-value pairs for additional context

References

workflows.md4.7 KB

MITRE ATT&CK Analysis Workflows

Workflow 1: Threat Actor TTP Mapping

[Threat Report] --> [Extract Behaviors] --> [Map to ATT&CK] --> [Navigator Layer]
                                                                       |
                                                                       v
                                                              [Detection Priorities]

Steps:

  1. Report Ingestion: Obtain threat intelligence report (vendor, OSINT, internal)
  2. Behavior Extraction: Identify adversary actions described in the report
  3. Technique Mapping: Map each behavior to ATT&CK technique IDs using the ATT&CK knowledge base
  4. Sub-technique Precision: Drill down to sub-techniques where procedure details allow
  5. Layer Creation: Generate ATT&CK Navigator layer with mapped techniques
  6. Priority Assessment: Rank techniques by detection feasibility and impact

Workflow 2: Detection Gap Analysis

[Current Detections] --> [Detection Layer] --> [Overlay with Threat Layer] --> [Gap Layer]
                                                                                    |
                                                                                    v
                                                                          [Engineering Backlog]

Steps:

  1. Detection Inventory: Catalog existing detection rules mapped to ATT&CK techniques
  2. Detection Layer: Create Navigator layer showing detected techniques (green)
  3. Threat Layer: Create layer showing adversary techniques (red)
  4. Overlay Analysis: Combine layers to identify uncovered threat techniques
  5. Gap Prioritization: Rank gaps by threat actor relevance and detection feasibility
  6. Engineering Plan: Create detection engineering backlog from prioritized gaps

Workflow 3: Cross-Actor Comparison

[Group A TTPs] --+
                 |--> [Intersection Analysis] --> [Common Techniques] --> [Priority Detections]
[Group B TTPs] --+                                                               |
                 |                                                               v
[Group C TTPs] --+                                                    [Unique Techniques per Group]

Steps:

  1. Group Selection: Choose threat groups relevant to your industry/region
  2. TTP Extraction: Pull technique lists for each group from ATT&CK
  3. Common Analysis: Find techniques shared across all selected groups
  4. Unique Analysis: Identify techniques unique to specific groups
  5. Detection ROI: Prioritize detections for commonly used techniques (highest coverage ROI)
  6. Actor Attribution: Use unique techniques as potential attribution indicators

Workflow 4: Campaign-to-TTP Analysis

[Campaign IOCs] --> [Sandbox/Analysis] --> [Behavior Extraction] --> [TTP Mapping]
                                                                          |
                                                                          v
                                                                 [Compare to Known Groups]
                                                                          |
                                                                          v
                                                                 [Attribution Hypothesis]

Steps:

  1. IOC Collection: Gather campaign IOCs (malware hashes, C2 domains, phishing emails)
  2. Dynamic Analysis: Execute samples in sandbox, capture behavioral artifacts
  3. Behavior Documentation: Document file operations, registry changes, network connections, process activity
  4. ATT&CK Mapping: Map observed behaviors to techniques and sub-techniques
  5. Group Comparison: Compare campaign TTPs against known group profiles
  6. Attribution Assessment: Assess likelihood of attribution based on TTP overlap

Workflow 5: Threat-Informed Defense

[ATT&CK Mappings] --> [Data Source Analysis] --> [Telemetry Assessment] --> [Control Mapping]
                                                                                   |
                                                                                   v
                                                                          [Security Roadmap]

Steps:

  1. Threat Profile: Identify relevant threat actors and their techniques
  2. Data Source Mapping: Determine which data sources can detect each technique
  3. Telemetry Audit: Assess which data sources are currently collected
  4. Control Assessment: Map existing security controls to technique mitigations
  5. Gap Identification: Find techniques with neither detection nor mitigation coverage
  6. Roadmap Creation: Build security improvement roadmap addressing highest-risk gaps

Scripts 2

agent.py5.1 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Threat actor TTP analysis agent using MITRE ATT&CK framework.

Maps threat actor behaviors to ATT&CK techniques, performs coverage analysis,
and generates detection gap reports.
"""

import os
import sys
import json
from collections import Counter, defaultdict

try:
    import requests
    HAS_REQUESTS = True
except ImportError:
    HAS_REQUESTS = False

ATTACK_ENTERPRISE_URL = "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json"


def load_attack_bundle(filepath=None):
    if filepath and os.path.exists(filepath):
        with open(filepath, "r", encoding="utf-8") as f:
            return json.load(f)
    if HAS_REQUESTS:
        resp = requests.get(ATTACK_ENTERPRISE_URL, timeout=60)
        resp.raise_for_status()
        return resp.json()
    return None


def get_techniques(bundle):
    techniques = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") == "attack-pattern" and not obj.get("revoked"):
            ext_id = ""
            for ref in obj.get("external_references", []):
                if ref.get("source_name") == "mitre-attack":
                    ext_id = ref.get("external_id", "")
            if ext_id:
                tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])]
                techniques[obj["id"]] = {
                    "id": ext_id, "name": obj.get("name", ""),
                    "tactics": tactics,
                    "platforms": obj.get("x_mitre_platforms", []),
                    "detection": obj.get("x_mitre_detection", "")[:200],
                }
    return techniques


def get_groups(bundle):
    groups = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") == "intrusion-set":
            ext_id = ""
            for ref in obj.get("external_references", []):
                if ref.get("source_name") == "mitre-attack":
                    ext_id = ref.get("external_id", "")
            groups[obj["id"]] = {
                "id": ext_id, "name": obj.get("name", ""),
                "aliases": obj.get("aliases", []),
                "description": obj.get("description", "")[:300],
            }
    return groups


def map_group_techniques(bundle, group_id, techniques):
    ttps = []
    for obj in bundle.get("objects", []):
        if (obj.get("type") == "relationship" and
                obj.get("relationship_type") == "uses" and
                obj.get("source_ref") == group_id):
            target = obj.get("target_ref", "")
            if target in techniques:
                ttps.append(techniques[target])
    return ttps


def tactic_coverage(ttps):
    tactic_map = defaultdict(list)
    for t in ttps:
        for tactic in t["tactics"]:
            tactic_map[tactic].append(t["id"])
    return {k: {"count": len(v), "techniques": v} for k, v in tactic_map.items()}


def detection_gaps(ttps, existing_detections):
    covered = set(existing_detections)
    gaps = [t for t in ttps if t["id"] not in covered]
    coverage = 1 - (len(gaps) / len(ttps)) if ttps else 0
    return gaps, round(coverage * 100, 1)


def find_group(groups, query):
    query_lower = query.lower()
    for gid, g in groups.items():
        if (g["name"].lower() == query_lower or
                g["id"].lower() == query_lower or
                query_lower in [a.lower() for a in g["aliases"]]):
            return gid, g
    return None, None


if __name__ == "__main__":
    print("=" * 60)
    print("Threat Actor TTP Analysis Agent (MITRE ATT&CK)")
    print("TTP mapping, tactic coverage, detection gap analysis")
    print("=" * 60)

    group_query = sys.argv[1] if len(sys.argv) > 1 else None
    bundle_path = sys.argv[2] if len(sys.argv) > 2 else None

    bundle = load_attack_bundle(bundle_path)
    if not bundle:
        print("[!] Cannot load ATT&CK data")
        print("[DEMO] Usage: python agent.py APT29 [enterprise-attack.json]")
        sys.exit(1)

    techniques = get_techniques(bundle)
    groups = get_groups(bundle)
    print(f"[*] Loaded {len(techniques)} techniques, {len(groups)} groups")

    if not group_query:
        print("\n--- Available Groups (sample) ---")
        for gid, g in list(groups.items())[:15]:
            print(f"  {g['id']:8s} {g['name']}")
        sys.exit(0)

    gid, ginfo = find_group(groups, group_query)
    if not ginfo:
        print(f"[!] Group not found: {group_query}")
        sys.exit(1)

    print(f"\n[*] Group: {ginfo['name']} ({ginfo['id']})")
    print(f"    Aliases: {', '.join(ginfo['aliases'][:5])}")

    ttps = map_group_techniques(bundle, gid, techniques)
    print(f"    Techniques: {len(ttps)}")

    coverage = tactic_coverage(ttps)
    print("\n--- Tactic Coverage ---")
    for tactic, info in sorted(coverage.items(), key=lambda x: -x[1]["count"]):
        bar = "#" * info["count"]
        print(f"  {tactic:35s} {info['count']:3d} {bar}")

    sample_detections = [t["id"] for t in ttps[:len(ttps)//2]]
    gaps, pct = detection_gaps(ttps, sample_detections)
    print(f"\n--- Detection Gaps (demo: {pct}% coverage) ---")
    for g in gaps[:10]:
        print(f"  [GAP] {g['id']:12s} {g['name']}")
process.py12.1 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
MITRE ATT&CK Threat Actor TTP Analysis Script

Queries the MITRE ATT&CK STIX data to:
- Map threat actor groups to their known techniques
- Generate ATT&CK Navigator layers for visualization
- Perform detection gap analysis
- Compare TTPs across multiple threat groups
- Identify high-priority detection opportunities

Requirements:
    pip install attackcti mitreattack-python stix2 requests

Usage:
    python process.py --group APT29 --output apt29_layer.json
    python process.py --compare APT28 APT29 "Lazarus Group"
    python process.py --gap-analysis --detections detections.json --group APT29
"""

import argparse
import json
import sys
from collections import defaultdict
from typing import Optional

try:
    from attackcti import attack_client
except ImportError:
    print("ERROR: attackcti not installed. Run: pip install attackcti")
    sys.exit(1)


class ATTACKAnalyzer:
    """Analyze threat actor TTPs using MITRE ATT&CK."""

    def __init__(self):
        print("[*] Initializing ATT&CK client (querying MITRE TAXII server)...")
        self.lift = attack_client()
        self.groups_cache = None
        self.techniques_cache = None

    def _get_groups(self):
        if self.groups_cache is None:
            self.groups_cache = self.lift.get_groups()
        return self.groups_cache

    def _get_techniques(self):
        if self.techniques_cache is None:
            self.techniques_cache = self.lift.get_enterprise_techniques()
        return self.techniques_cache

    def find_group(self, name: str) -> Optional[dict]:
        """Find a threat group by name or alias."""
        groups = self._get_groups()
        for group in groups:
            if name.lower() == group.get("name", "").lower():
                return group
            aliases = group.get("aliases", [])
            if any(name.lower() == a.lower() for a in aliases):
                return group
        return None

    def get_group_techniques(self, group_name: str) -> dict:
        """Get all techniques used by a threat group."""
        group = self.find_group(group_name)
        if not group:
            print(f"[-] Group '{group_name}' not found")
            return {}

        group_id = ""
        for ref in group.get("external_references", []):
            if ref.get("source_name") == "mitre-attack":
                group_id = ref.get("external_id", "")
                break

        if not group_id:
            print(f"[-] No ATT&CK ID found for {group_name}")
            return {}

        techniques = self.lift.get_techniques_used_by_group(group_id)
        technique_map = {}

        for tech in techniques:
            tech_id = ""
            for ref in tech.get("external_references", []):
                if ref.get("source_name") == "mitre-attack":
                    tech_id = ref.get("external_id", "")
                    break

            if not tech_id:
                continue

            tactics = [
                phase.get("phase_name", "")
                for phase in tech.get("kill_chain_phases", [])
            ]

            technique_map[tech_id] = {
                "name": tech.get("name", ""),
                "tactics": tactics,
                "description": tech.get("description", "")[:500],
                "platforms": tech.get("x_mitre_platforms", []),
                "data_sources": tech.get("x_mitre_data_sources", []),
            }

        print(f"[+] {group_name} ({group_id}): {len(technique_map)} techniques")
        return technique_map

    def create_navigator_layer(self, group_name: str, technique_map: dict,
                                color: str = "#ff6666") -> dict:
        """Generate ATT&CK Navigator layer JSON."""
        techniques_list = []
        for tech_id, info in technique_map.items():
            for tactic in info["tactics"]:
                techniques_list.append({
                    "techniqueID": tech_id,
                    "tactic": tactic,
                    "color": color,
                    "comment": info["name"],
                    "enabled": True,
                    "score": 100,
                    "metadata": [
                        {"name": "group", "value": group_name},
                        {"name": "platforms", "value": ", ".join(info["platforms"])},
                    ],
                })

        layer = {
            "name": f"{group_name} TTP Coverage",
            "versions": {
                "attack": "16.1",
                "navigator": "5.1.0",
                "layer": "4.5",
            },
            "domain": "enterprise-attack",
            "description": f"Techniques attributed to {group_name}",
            "filters": {
                "platforms": [
                    "Linux", "macOS", "Windows", "Cloud",
                    "Azure AD", "Office 365", "SaaS", "Google Workspace",
                ]
            },
            "sorting": 0,
            "layout": {
                "layout": "side",
                "aggregateFunction": "average",
                "showID": True,
                "showName": True,
                "showAggregateScores": False,
                "countUnscored": False,
            },
            "hideDisabled": False,
            "techniques": techniques_list,
            "gradient": {
                "colors": ["#ffffff", color],
                "minValue": 0,
                "maxValue": 100,
            },
            "legendItems": [
                {"label": f"Used by {group_name}", "color": color},
                {"label": "Not observed", "color": "#ffffff"},
            ],
            "showTacticRowBackground": True,
            "tacticRowBackground": "#dddddd",
            "selectTechniquesAcrossTactics": True,
            "selectSubtechniquesWithParent": False,
            "selectVisibleTechniques": False,
        }

        return layer

    def compare_groups(self, group_names: list) -> dict:
        """Compare TTPs across multiple threat groups."""
        group_techs = {}
        for name in group_names:
            techs = self.get_group_techniques(name)
            group_techs[name] = set(techs.keys())

        if len(group_techs) < 2:
            print("[-] Need at least 2 groups for comparison")
            return {}

        all_techniques = set.union(*group_techs.values())
        common_to_all = set.intersection(*group_techs.values())

        comparison = {
            "groups": group_names,
            "total_unique_techniques": len(all_techniques),
            "common_to_all": sorted(common_to_all),
            "common_count": len(common_to_all),
            "per_group": {},
        }

        for name, techs in group_techs.items():
            others = set.union(*[t for n, t in group_techs.items() if n != name])
            unique = techs - others

            comparison["per_group"][name] = {
                "total": len(techs),
                "unique": sorted(unique),
                "unique_count": len(unique),
                "overlap_percentage": round(
                    len(techs.intersection(others)) / len(techs) * 100, 1
                ) if techs else 0,
            }

        # Technique frequency across groups
        tech_freq = defaultdict(list)
        for name, techs in group_techs.items():
            for t in techs:
                tech_freq[t].append(name)

        comparison["technique_frequency"] = {
            t: {"count": len(g), "groups": g}
            for t, g in sorted(tech_freq.items(), key=lambda x: -len(x[1]))
        }

        return comparison

    def gap_analysis(self, group_name: str,
                     detected_techniques: set) -> dict:
        """Analyze detection gaps for a specific threat group."""
        actor_techs = self.get_group_techniques(group_name)
        actor_tech_ids = set(actor_techs.keys())

        covered = actor_tech_ids.intersection(detected_techniques)
        gaps = actor_tech_ids - detected_techniques

        gap_details = []
        for tech_id in sorted(gaps):
            info = actor_techs.get(tech_id, {})
            gap_details.append({
                "technique_id": tech_id,
                "name": info.get("name", ""),
                "tactics": info.get("tactics", []),
                "data_sources": info.get("data_sources", []),
                "platforms": info.get("platforms", []),
            })

        analysis = {
            "group": group_name,
            "total_actor_techniques": len(actor_tech_ids),
            "detected": len(covered),
            "gaps": len(gaps),
            "coverage_percentage": round(
                len(covered) / len(actor_tech_ids) * 100, 1
            ) if actor_tech_ids else 0,
            "detected_techniques": sorted(covered),
            "gap_details": gap_details,
            "recommended_data_sources": self._recommend_data_sources(gap_details),
        }

        return analysis

    def _recommend_data_sources(self, gaps: list) -> list:
        """Recommend data sources that would close the most gaps."""
        ds_coverage = defaultdict(list)
        for gap in gaps:
            for ds in gap.get("data_sources", []):
                ds_coverage[ds].append(gap["technique_id"])

        recommendations = [
            {"data_source": ds, "covers_techniques": techs, "count": len(techs)}
            for ds, techs in sorted(ds_coverage.items(), key=lambda x: -len(x[1]))
        ]

        return recommendations[:10]

    def tactic_breakdown(self, group_name: str) -> dict:
        """Break down threat actor techniques by tactic."""
        techs = self.get_group_techniques(group_name)
        tactic_map = defaultdict(list)

        for tech_id, info in techs.items():
            for tactic in info["tactics"]:
                tactic_map[tactic].append({
                    "id": tech_id,
                    "name": info["name"],
                })

        tactic_order = [
            "reconnaissance", "resource-development", "initial-access",
            "execution", "persistence", "privilege-escalation",
            "defense-evasion", "credential-access", "discovery",
            "lateral-movement", "collection", "command-and-control",
            "exfiltration", "impact",
        ]

        breakdown = {}
        for tactic in tactic_order:
            if tactic in tactic_map:
                breakdown[tactic] = {
                    "count": len(tactic_map[tactic]),
                    "techniques": tactic_map[tactic],
                }

        return breakdown


def main():
    parser = argparse.ArgumentParser(
        description="MITRE ATT&CK Threat Actor TTP Analyzer"
    )
    parser.add_argument("--group", help="Threat group name (e.g., APT29)")
    parser.add_argument("--compare", nargs="+", help="Compare multiple groups")
    parser.add_argument(
        "--gap-analysis", action="store_true", help="Perform detection gap analysis"
    )
    parser.add_argument(
        "--detections",
        help="JSON file with detected technique IDs",
    )
    parser.add_argument("--breakdown", action="store_true", help="Tactic breakdown")
    parser.add_argument("--output", default="attack_layer.json", help="Output file")

    args = parser.parse_args()
    analyzer = ATTACKAnalyzer()

    if args.compare:
        comparison = analyzer.compare_groups(args.compare)
        print(json.dumps(comparison, indent=2))
        with open(args.output, "w") as f:
            json.dump(comparison, f, indent=2)

    elif args.group and args.gap_analysis:
        detected = set()
        if args.detections:
            with open(args.detections) as f:
                detected = set(json.load(f))

        analysis = analyzer.gap_analysis(args.group, detected)
        print(json.dumps(analysis, indent=2))
        with open(args.output, "w") as f:
            json.dump(analysis, f, indent=2)

    elif args.group and args.breakdown:
        breakdown = analyzer.tactic_breakdown(args.group)
        print(json.dumps(breakdown, indent=2))

    elif args.group:
        tech_map = analyzer.get_group_techniques(args.group)
        layer = analyzer.create_navigator_layer(args.group, tech_map)
        with open(args.output, "w") as f:
            json.dump(layer, f, indent=2)
        print(f"[+] Navigator layer saved to {args.output}")

    else:
        parser.print_help()


if __name__ == "__main__":
    main()

Assets 1

template.mdtext/markdown · 2.2 KB
Keep exploring