npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
MITRE D3FEND
Overview
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor behavior to the ATT&CK framework, building technique coverage heatmaps using the ATT&CK Navigator, identifying detection gaps, and producing actionable intelligence reports that link observed IOCs to specific adversary techniques across the Enterprise, Mobile, and ICS matrices.
When to Use
- When investigating security incidents that require analyzing threat actor ttps with mitre attack
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Python 3.9+ with
mitreattack-python,attackcti,stix2libraries - MITRE ATT&CK Navigator (web-based or local deployment)
- Understanding of ATT&CK matrix structure: Tactics, Techniques, Sub-techniques
- Access to threat intelligence reports or MISP/OpenCTI for threat actor data
- Familiarity with STIX 2.1 Attack Pattern objects
Key Concepts
ATT&CK Matrix Structure
The ATT&CK Enterprise matrix organizes adversary behavior into 14 Tactics (the "why") containing Techniques (the "how") and Sub-techniques (specific implementations). Each technique has associated data sources, detections, mitigations, and real-world procedure examples from observed threat groups.
Threat Group Profiles
ATT&CK catalogs over 140 threat groups (e.g., APT28, APT29, Lazarus Group, FIN7) with documented technique usage. Each group profile includes aliases, targeted sectors, associated campaigns, software used, and technique mappings with procedure-level detail.
ATT&CK Navigator
The ATT&CK Navigator is a web-based tool for creating custom ATT&CK matrix visualizations. Analysts create layers (JSON files) that annotate techniques with scores, colors, comments, and metadata to visualize threat actor coverage, detection capabilities, or risk assessments.
Workflow
Step 1: Query ATT&CK Data Programmatically
from attackcti import attack_client
import json
# Initialize ATT&CK client (queries MITRE TAXII server)
lift = attack_client()
# Get all Enterprise techniques
enterprise_techniques = lift.get_enterprise_techniques()
print(f"Total Enterprise techniques: {len(enterprise_techniques)}")
# Get all threat groups
groups = lift.get_groups()
print(f"Total threat groups: {len(groups)}")
# Get specific group by name
apt29 = [g for g in groups if 'APT29' in g.get('name', '')]
if apt29:
group = apt29[0]
print(f"Group: {group['name']}")
print(f"Aliases: {group.get('aliases', [])}")
print(f"Description: {group.get('description', '')[:200]}")Step 2: Map Threat Actor to ATT&CK Techniques
from attackcti import attack_client
lift = attack_client()
# Get techniques used by APT29
apt29_techniques = lift.get_techniques_used_by_group("G0016") # APT29 group ID
technique_map = {}
for entry in apt29_techniques:
tech_id = entry.get("external_references", [{}])[0].get("external_id", "")
tech_name = entry.get("name", "")
description = entry.get("description", "")
tactic_refs = [
phase.get("phase_name", "")
for phase in entry.get("kill_chain_phases", [])
]
technique_map[tech_id] = {
"name": tech_name,
"tactics": tactic_refs,
"description": description[:300],
}
print(f"\nAPT29 uses {len(technique_map)} techniques:")
for tid, info in sorted(technique_map.items()):
print(f" {tid}: {info['name']} [{', '.join(info['tactics'])}]")Step 3: Generate ATT&CK Navigator Layer
import json
def create_navigator_layer(group_name, technique_map, description=""):
"""Generate ATT&CK Navigator layer JSON for a threat group."""
techniques_list = []
for tech_id, info in technique_map.items():
techniques_list.append({
"techniqueID": tech_id,
"tactic": info["tactics"][0] if info["tactics"] else "",
"color": "#ff6666", # Red for observed techniques
"comment": info["description"][:200],
"enabled": True,
"score": 100,
"metadata": [
{"name": "group", "value": group_name},
],
})
layer = {
"name": f"{group_name} TTP Coverage",
"versions": {
"attack": "16.1",
"navigator": "5.1.0",
"layer": "4.5",
},
"domain": "enterprise-attack",
"description": description or f"Techniques attributed to {group_name}",
"filters": {"platforms": ["Windows", "Linux", "macOS", "Cloud"]},
"sorting": 0,
"layout": {
"layout": "side",
"aggregateFunction": "average",
"showID": True,
"showName": True,
"showAggregateScores": False,
"countUnscored": False,
},
"hideDisabled": False,
"techniques": techniques_list,
"gradient": {
"colors": ["#ffffff", "#ff6666"],
"minValue": 0,
"maxValue": 100,
},
"legendItems": [
{"label": "Observed technique", "color": "#ff6666"},
{"label": "Not observed", "color": "#ffffff"},
],
"showTacticRowBackground": True,
"tacticRowBackground": "#dddddd",
"selectTechniquesAcrossTactics": True,
"selectSubtechniquesWithParent": False,
"selectVisibleTechniques": False,
}
return layer
# Generate and save layer
layer = create_navigator_layer("APT29", technique_map, "APT29 (Cozy Bear) TTP analysis")
with open("apt29_navigator_layer.json", "w") as f:
json.dump(layer, f, indent=2)
print("[+] Navigator layer saved to apt29_navigator_layer.json")Step 4: Identify Detection Gaps
from attackcti import attack_client
lift = attack_client()
# Get all techniques with data sources
all_techniques = lift.get_enterprise_techniques()
# Build data source coverage map
data_source_coverage = {}
for tech in all_techniques:
tech_id = tech.get("external_references", [{}])[0].get("external_id", "")
data_sources = tech.get("x_mitre_data_sources", [])
for ds in data_sources:
if ds not in data_source_coverage:
data_source_coverage[ds] = []
data_source_coverage[ds].append(tech_id)
# Compare threat actor techniques against available detections
detected_techniques = {"T1059", "T1071", "T1566"} # Example: techniques you can detect
actor_techniques = set(technique_map.keys())
covered = actor_techniques.intersection(detected_techniques)
gaps = actor_techniques - detected_techniques
print(f"\n=== Detection Gap Analysis for APT29 ===")
print(f"Actor techniques: {len(actor_techniques)}")
print(f"Detected: {len(covered)} ({len(covered)/len(actor_techniques)*100:.0f}%)")
print(f"Gaps: {len(gaps)} ({len(gaps)/len(actor_techniques)*100:.0f}%)")
print(f"\nUndetected techniques:")
for tech_id in sorted(gaps):
if tech_id in technique_map:
print(f" {tech_id}: {technique_map[tech_id]['name']}")Step 5: Cross-Group Technique Comparison
from attackcti import attack_client
lift = attack_client()
# Compare techniques across multiple groups
groups_to_compare = {
"G0016": "APT29",
"G0007": "APT28",
"G0032": "Lazarus Group",
}
group_techniques = {}
for gid, gname in groups_to_compare.items():
techs = lift.get_techniques_used_by_group(gid)
tech_ids = set()
for t in techs:
tid = t.get("external_references", [{}])[0].get("external_id", "")
if tid:
tech_ids.add(tid)
group_techniques[gname] = tech_ids
# Find common and unique techniques
all_groups = list(group_techniques.keys())
common_to_all = set.intersection(*group_techniques.values())
print(f"\nTechniques common to all {len(all_groups)} groups: {len(common_to_all)}")
for tid in sorted(common_to_all):
print(f" {tid}")
for gname, techs in group_techniques.items():
unique = techs - set.union(*[t for n, t in group_techniques.items() if n != gname])
print(f"\nUnique to {gname}: {len(unique)} techniques")Validation Criteria
- ATT&CK data successfully queried via TAXII server or local copy
- Threat actor mapped to specific techniques with procedure examples
- ATT&CK Navigator layer JSON is valid and renders correctly
- Detection gap analysis identifies unmonitored techniques
- Cross-group comparison reveals shared and unique TTPs
- Output is actionable for detection engineering prioritization
References
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md2.1 KB
API Reference: Threat Actor TTP Analysis with MITRE ATT&CK
ATT&CK STIX Data
Download
curl -o enterprise-attack.json https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.jsonSTIX Object Types
| Type | Description |
|---|---|
attack-pattern |
Techniques and sub-techniques |
intrusion-set |
Threat actor groups |
relationship |
Links (group "uses" technique) |
malware |
Malware families |
tool |
Legitimate tools abused |
mitreattack-python
Installation
pip install mitreattack-pythonQuery Techniques
from mitreattack.stix20 import MitreAttackData
attack = MitreAttackData("enterprise-attack.json")
# Get all techniques
techniques = attack.get_techniques()
# Get group techniques
group = attack.get_group_by_alias("APT29")
techs = attack.get_techniques_used_by_group(group.id)Get Technique Mitigations
mitigations = attack.get_mitigations_mitigating_technique(technique.id)
for m in mitigations:
print(m.name, m.description)ATT&CK Navigator Layer Format
Technique Entry
{
"techniqueID": "T1566.001",
"tactic": "initial-access",
"color": "#ff6666",
"score": 100,
"comment": "Spearphishing Attachment",
"enabled": true
}ATT&CK Tactic IDs
| Tactic | ID |
|---|---|
| Reconnaissance | TA0043 |
| Resource Development | TA0042 |
| Initial Access | TA0001 |
| Execution | TA0002 |
| Persistence | TA0003 |
| Privilege Escalation | TA0004 |
| Defense Evasion | TA0005 |
| Credential Access | TA0006 |
| Discovery | TA0007 |
| Lateral Movement | TA0008 |
| Collection | TA0009 |
| Command and Control | TA0011 |
| Exfiltration | TA0010 |
| Impact | TA0040 |
TAXII Server Access
from stix2 import TAXIICollectionSource, Filter
from taxii2client.v20 import Collection
collection = Collection(
"https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/"
)
src = TAXIICollectionSource(collection)
groups = src.query([Filter("type", "=", "intrusion-set")])standards.md3.2 KB
Standards and Frameworks Reference
MITRE ATT&CK Framework
Matrix Structure
- Enterprise ATT&CK: Windows, macOS, Linux, Cloud (AWS, Azure, GCP, SaaS, Office 365), Network, Containers
- Mobile ATT&CK: Android, iOS
- ICS ATT&CK: Industrial Control Systems
14 Enterprise Tactics (Kill Chain Order)
- Reconnaissance (TA0043): Gathering information for planning
- Resource Development (TA0042): Establishing resources for operations
- Initial Access (TA0001): Gaining initial foothold
- Execution (TA0002): Running adversary-controlled code
- Persistence (TA0003): Maintaining access across restarts
- Privilege Escalation (TA0004): Gaining higher-level permissions
- Defense Evasion (TA0005): Avoiding detection
- Credential Access (TA0006): Stealing credentials
- Discovery (TA0007): Understanding the environment
- Lateral Movement (TA0008): Moving through the environment
- Collection (TA0009): Gathering data of interest
- Command and Control (TA0011): Communicating with compromised systems
- Exfiltration (TA0010): Stealing data
- Impact (TA0040): Manipulating, interrupting, or destroying systems
Technique Naming Convention
- Technique: T[NNNN] (e.g., T1059 - Command and Scripting Interpreter)
- Sub-technique: T[NNNN].[NNN] (e.g., T1059.001 - PowerShell)
- Group: G[NNNN] (e.g., G0016 - APT29)
- Software: S[NNNN] (e.g., S0154 - Cobalt Strike)
- Mitigation: M[NNNN] (e.g., M1049 - Antivirus/Antimalware)
Data Sources
ATT&CK v16+ uses structured data sources:
- Process: Process Creation, Process Access, OS API Execution
- File: File Creation, File Modification, File Access
- Network Traffic: Network Connection Creation, Network Traffic Flow
- Command: Command Execution
- Module: Module Load
- Windows Registry: Windows Registry Key Modification
STIX 2.1 Representation
Attack Pattern (SDO)
Maps to ATT&CK techniques:
{
"type": "attack-pattern",
"id": "attack-pattern--uuid",
"name": "Spearphishing Attachment",
"external_references": [
{"source_name": "mitre-attack", "external_id": "T1566.001"}
],
"kill_chain_phases": [
{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}
]
}Intrusion Set (SDO)
Maps to ATT&CK groups:
{
"type": "intrusion-set",
"name": "APT29",
"aliases": ["Cozy Bear", "The Dukes", "NOBELIUM"],
"goals": ["espionage"],
"resource_level": "government"
}ATT&CK Navigator Layer Specification
Layer Version 4.5 Schema
name: Layer display namedomain: enterprise-attack, mobile-attack, ics-attacktechniques[]: Array of technique annotationstechniqueID: ATT&CK IDscore: Numeric score (0-100)color: Hex color overridecomment: Analyst notesenabled: Show/hide techniquemetadata[]: Key-value pairs for additional context
References
workflows.md4.7 KB
MITRE ATT&CK Analysis Workflows
Workflow 1: Threat Actor TTP Mapping
[Threat Report] --> [Extract Behaviors] --> [Map to ATT&CK] --> [Navigator Layer]
|
v
[Detection Priorities]Steps:
- Report Ingestion: Obtain threat intelligence report (vendor, OSINT, internal)
- Behavior Extraction: Identify adversary actions described in the report
- Technique Mapping: Map each behavior to ATT&CK technique IDs using the ATT&CK knowledge base
- Sub-technique Precision: Drill down to sub-techniques where procedure details allow
- Layer Creation: Generate ATT&CK Navigator layer with mapped techniques
- Priority Assessment: Rank techniques by detection feasibility and impact
Workflow 2: Detection Gap Analysis
[Current Detections] --> [Detection Layer] --> [Overlay with Threat Layer] --> [Gap Layer]
|
v
[Engineering Backlog]Steps:
- Detection Inventory: Catalog existing detection rules mapped to ATT&CK techniques
- Detection Layer: Create Navigator layer showing detected techniques (green)
- Threat Layer: Create layer showing adversary techniques (red)
- Overlay Analysis: Combine layers to identify uncovered threat techniques
- Gap Prioritization: Rank gaps by threat actor relevance and detection feasibility
- Engineering Plan: Create detection engineering backlog from prioritized gaps
Workflow 3: Cross-Actor Comparison
[Group A TTPs] --+
|--> [Intersection Analysis] --> [Common Techniques] --> [Priority Detections]
[Group B TTPs] --+ |
| v
[Group C TTPs] --+ [Unique Techniques per Group]Steps:
- Group Selection: Choose threat groups relevant to your industry/region
- TTP Extraction: Pull technique lists for each group from ATT&CK
- Common Analysis: Find techniques shared across all selected groups
- Unique Analysis: Identify techniques unique to specific groups
- Detection ROI: Prioritize detections for commonly used techniques (highest coverage ROI)
- Actor Attribution: Use unique techniques as potential attribution indicators
Workflow 4: Campaign-to-TTP Analysis
[Campaign IOCs] --> [Sandbox/Analysis] --> [Behavior Extraction] --> [TTP Mapping]
|
v
[Compare to Known Groups]
|
v
[Attribution Hypothesis]Steps:
- IOC Collection: Gather campaign IOCs (malware hashes, C2 domains, phishing emails)
- Dynamic Analysis: Execute samples in sandbox, capture behavioral artifacts
- Behavior Documentation: Document file operations, registry changes, network connections, process activity
- ATT&CK Mapping: Map observed behaviors to techniques and sub-techniques
- Group Comparison: Compare campaign TTPs against known group profiles
- Attribution Assessment: Assess likelihood of attribution based on TTP overlap
Workflow 5: Threat-Informed Defense
[ATT&CK Mappings] --> [Data Source Analysis] --> [Telemetry Assessment] --> [Control Mapping]
|
v
[Security Roadmap]Steps:
- Threat Profile: Identify relevant threat actors and their techniques
- Data Source Mapping: Determine which data sources can detect each technique
- Telemetry Audit: Assess which data sources are currently collected
- Control Assessment: Map existing security controls to technique mitigations
- Gap Identification: Find techniques with neither detection nor mitigation coverage
- Roadmap Creation: Build security improvement roadmap addressing highest-risk gaps
Scripts 2
agent.py5.1 KB
#!/usr/bin/env python3
"""Threat actor TTP analysis agent using MITRE ATT&CK framework.
Maps threat actor behaviors to ATT&CK techniques, performs coverage analysis,
and generates detection gap reports.
"""
import os
import sys
import json
from collections import Counter, defaultdict
try:
import requests
HAS_REQUESTS = True
except ImportError:
HAS_REQUESTS = False
ATTACK_ENTERPRISE_URL = "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json"
def load_attack_bundle(filepath=None):
if filepath and os.path.exists(filepath):
with open(filepath, "r", encoding="utf-8") as f:
return json.load(f)
if HAS_REQUESTS:
resp = requests.get(ATTACK_ENTERPRISE_URL, timeout=60)
resp.raise_for_status()
return resp.json()
return None
def get_techniques(bundle):
techniques = {}
for obj in bundle.get("objects", []):
if obj.get("type") == "attack-pattern" and not obj.get("revoked"):
ext_id = ""
for ref in obj.get("external_references", []):
if ref.get("source_name") == "mitre-attack":
ext_id = ref.get("external_id", "")
if ext_id:
tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])]
techniques[obj["id"]] = {
"id": ext_id, "name": obj.get("name", ""),
"tactics": tactics,
"platforms": obj.get("x_mitre_platforms", []),
"detection": obj.get("x_mitre_detection", "")[:200],
}
return techniques
def get_groups(bundle):
groups = {}
for obj in bundle.get("objects", []):
if obj.get("type") == "intrusion-set":
ext_id = ""
for ref in obj.get("external_references", []):
if ref.get("source_name") == "mitre-attack":
ext_id = ref.get("external_id", "")
groups[obj["id"]] = {
"id": ext_id, "name": obj.get("name", ""),
"aliases": obj.get("aliases", []),
"description": obj.get("description", "")[:300],
}
return groups
def map_group_techniques(bundle, group_id, techniques):
ttps = []
for obj in bundle.get("objects", []):
if (obj.get("type") == "relationship" and
obj.get("relationship_type") == "uses" and
obj.get("source_ref") == group_id):
target = obj.get("target_ref", "")
if target in techniques:
ttps.append(techniques[target])
return ttps
def tactic_coverage(ttps):
tactic_map = defaultdict(list)
for t in ttps:
for tactic in t["tactics"]:
tactic_map[tactic].append(t["id"])
return {k: {"count": len(v), "techniques": v} for k, v in tactic_map.items()}
def detection_gaps(ttps, existing_detections):
covered = set(existing_detections)
gaps = [t for t in ttps if t["id"] not in covered]
coverage = 1 - (len(gaps) / len(ttps)) if ttps else 0
return gaps, round(coverage * 100, 1)
def find_group(groups, query):
query_lower = query.lower()
for gid, g in groups.items():
if (g["name"].lower() == query_lower or
g["id"].lower() == query_lower or
query_lower in [a.lower() for a in g["aliases"]]):
return gid, g
return None, None
if __name__ == "__main__":
print("=" * 60)
print("Threat Actor TTP Analysis Agent (MITRE ATT&CK)")
print("TTP mapping, tactic coverage, detection gap analysis")
print("=" * 60)
group_query = sys.argv[1] if len(sys.argv) > 1 else None
bundle_path = sys.argv[2] if len(sys.argv) > 2 else None
bundle = load_attack_bundle(bundle_path)
if not bundle:
print("[!] Cannot load ATT&CK data")
print("[DEMO] Usage: python agent.py APT29 [enterprise-attack.json]")
sys.exit(1)
techniques = get_techniques(bundle)
groups = get_groups(bundle)
print(f"[*] Loaded {len(techniques)} techniques, {len(groups)} groups")
if not group_query:
print("\n--- Available Groups (sample) ---")
for gid, g in list(groups.items())[:15]:
print(f" {g['id']:8s} {g['name']}")
sys.exit(0)
gid, ginfo = find_group(groups, group_query)
if not ginfo:
print(f"[!] Group not found: {group_query}")
sys.exit(1)
print(f"\n[*] Group: {ginfo['name']} ({ginfo['id']})")
print(f" Aliases: {', '.join(ginfo['aliases'][:5])}")
ttps = map_group_techniques(bundle, gid, techniques)
print(f" Techniques: {len(ttps)}")
coverage = tactic_coverage(ttps)
print("\n--- Tactic Coverage ---")
for tactic, info in sorted(coverage.items(), key=lambda x: -x[1]["count"]):
bar = "#" * info["count"]
print(f" {tactic:35s} {info['count']:3d} {bar}")
sample_detections = [t["id"] for t in ttps[:len(ttps)//2]]
gaps, pct = detection_gaps(ttps, sample_detections)
print(f"\n--- Detection Gaps (demo: {pct}% coverage) ---")
for g in gaps[:10]:
print(f" [GAP] {g['id']:12s} {g['name']}")
process.py12.1 KB
#!/usr/bin/env python3
"""
MITRE ATT&CK Threat Actor TTP Analysis Script
Queries the MITRE ATT&CK STIX data to:
- Map threat actor groups to their known techniques
- Generate ATT&CK Navigator layers for visualization
- Perform detection gap analysis
- Compare TTPs across multiple threat groups
- Identify high-priority detection opportunities
Requirements:
pip install attackcti mitreattack-python stix2 requests
Usage:
python process.py --group APT29 --output apt29_layer.json
python process.py --compare APT28 APT29 "Lazarus Group"
python process.py --gap-analysis --detections detections.json --group APT29
"""
import argparse
import json
import sys
from collections import defaultdict
from typing import Optional
try:
from attackcti import attack_client
except ImportError:
print("ERROR: attackcti not installed. Run: pip install attackcti")
sys.exit(1)
class ATTACKAnalyzer:
"""Analyze threat actor TTPs using MITRE ATT&CK."""
def __init__(self):
print("[*] Initializing ATT&CK client (querying MITRE TAXII server)...")
self.lift = attack_client()
self.groups_cache = None
self.techniques_cache = None
def _get_groups(self):
if self.groups_cache is None:
self.groups_cache = self.lift.get_groups()
return self.groups_cache
def _get_techniques(self):
if self.techniques_cache is None:
self.techniques_cache = self.lift.get_enterprise_techniques()
return self.techniques_cache
def find_group(self, name: str) -> Optional[dict]:
"""Find a threat group by name or alias."""
groups = self._get_groups()
for group in groups:
if name.lower() == group.get("name", "").lower():
return group
aliases = group.get("aliases", [])
if any(name.lower() == a.lower() for a in aliases):
return group
return None
def get_group_techniques(self, group_name: str) -> dict:
"""Get all techniques used by a threat group."""
group = self.find_group(group_name)
if not group:
print(f"[-] Group '{group_name}' not found")
return {}
group_id = ""
for ref in group.get("external_references", []):
if ref.get("source_name") == "mitre-attack":
group_id = ref.get("external_id", "")
break
if not group_id:
print(f"[-] No ATT&CK ID found for {group_name}")
return {}
techniques = self.lift.get_techniques_used_by_group(group_id)
technique_map = {}
for tech in techniques:
tech_id = ""
for ref in tech.get("external_references", []):
if ref.get("source_name") == "mitre-attack":
tech_id = ref.get("external_id", "")
break
if not tech_id:
continue
tactics = [
phase.get("phase_name", "")
for phase in tech.get("kill_chain_phases", [])
]
technique_map[tech_id] = {
"name": tech.get("name", ""),
"tactics": tactics,
"description": tech.get("description", "")[:500],
"platforms": tech.get("x_mitre_platforms", []),
"data_sources": tech.get("x_mitre_data_sources", []),
}
print(f"[+] {group_name} ({group_id}): {len(technique_map)} techniques")
return technique_map
def create_navigator_layer(self, group_name: str, technique_map: dict,
color: str = "#ff6666") -> dict:
"""Generate ATT&CK Navigator layer JSON."""
techniques_list = []
for tech_id, info in technique_map.items():
for tactic in info["tactics"]:
techniques_list.append({
"techniqueID": tech_id,
"tactic": tactic,
"color": color,
"comment": info["name"],
"enabled": True,
"score": 100,
"metadata": [
{"name": "group", "value": group_name},
{"name": "platforms", "value": ", ".join(info["platforms"])},
],
})
layer = {
"name": f"{group_name} TTP Coverage",
"versions": {
"attack": "16.1",
"navigator": "5.1.0",
"layer": "4.5",
},
"domain": "enterprise-attack",
"description": f"Techniques attributed to {group_name}",
"filters": {
"platforms": [
"Linux", "macOS", "Windows", "Cloud",
"Azure AD", "Office 365", "SaaS", "Google Workspace",
]
},
"sorting": 0,
"layout": {
"layout": "side",
"aggregateFunction": "average",
"showID": True,
"showName": True,
"showAggregateScores": False,
"countUnscored": False,
},
"hideDisabled": False,
"techniques": techniques_list,
"gradient": {
"colors": ["#ffffff", color],
"minValue": 0,
"maxValue": 100,
},
"legendItems": [
{"label": f"Used by {group_name}", "color": color},
{"label": "Not observed", "color": "#ffffff"},
],
"showTacticRowBackground": True,
"tacticRowBackground": "#dddddd",
"selectTechniquesAcrossTactics": True,
"selectSubtechniquesWithParent": False,
"selectVisibleTechniques": False,
}
return layer
def compare_groups(self, group_names: list) -> dict:
"""Compare TTPs across multiple threat groups."""
group_techs = {}
for name in group_names:
techs = self.get_group_techniques(name)
group_techs[name] = set(techs.keys())
if len(group_techs) < 2:
print("[-] Need at least 2 groups for comparison")
return {}
all_techniques = set.union(*group_techs.values())
common_to_all = set.intersection(*group_techs.values())
comparison = {
"groups": group_names,
"total_unique_techniques": len(all_techniques),
"common_to_all": sorted(common_to_all),
"common_count": len(common_to_all),
"per_group": {},
}
for name, techs in group_techs.items():
others = set.union(*[t for n, t in group_techs.items() if n != name])
unique = techs - others
comparison["per_group"][name] = {
"total": len(techs),
"unique": sorted(unique),
"unique_count": len(unique),
"overlap_percentage": round(
len(techs.intersection(others)) / len(techs) * 100, 1
) if techs else 0,
}
# Technique frequency across groups
tech_freq = defaultdict(list)
for name, techs in group_techs.items():
for t in techs:
tech_freq[t].append(name)
comparison["technique_frequency"] = {
t: {"count": len(g), "groups": g}
for t, g in sorted(tech_freq.items(), key=lambda x: -len(x[1]))
}
return comparison
def gap_analysis(self, group_name: str,
detected_techniques: set) -> dict:
"""Analyze detection gaps for a specific threat group."""
actor_techs = self.get_group_techniques(group_name)
actor_tech_ids = set(actor_techs.keys())
covered = actor_tech_ids.intersection(detected_techniques)
gaps = actor_tech_ids - detected_techniques
gap_details = []
for tech_id in sorted(gaps):
info = actor_techs.get(tech_id, {})
gap_details.append({
"technique_id": tech_id,
"name": info.get("name", ""),
"tactics": info.get("tactics", []),
"data_sources": info.get("data_sources", []),
"platforms": info.get("platforms", []),
})
analysis = {
"group": group_name,
"total_actor_techniques": len(actor_tech_ids),
"detected": len(covered),
"gaps": len(gaps),
"coverage_percentage": round(
len(covered) / len(actor_tech_ids) * 100, 1
) if actor_tech_ids else 0,
"detected_techniques": sorted(covered),
"gap_details": gap_details,
"recommended_data_sources": self._recommend_data_sources(gap_details),
}
return analysis
def _recommend_data_sources(self, gaps: list) -> list:
"""Recommend data sources that would close the most gaps."""
ds_coverage = defaultdict(list)
for gap in gaps:
for ds in gap.get("data_sources", []):
ds_coverage[ds].append(gap["technique_id"])
recommendations = [
{"data_source": ds, "covers_techniques": techs, "count": len(techs)}
for ds, techs in sorted(ds_coverage.items(), key=lambda x: -len(x[1]))
]
return recommendations[:10]
def tactic_breakdown(self, group_name: str) -> dict:
"""Break down threat actor techniques by tactic."""
techs = self.get_group_techniques(group_name)
tactic_map = defaultdict(list)
for tech_id, info in techs.items():
for tactic in info["tactics"]:
tactic_map[tactic].append({
"id": tech_id,
"name": info["name"],
})
tactic_order = [
"reconnaissance", "resource-development", "initial-access",
"execution", "persistence", "privilege-escalation",
"defense-evasion", "credential-access", "discovery",
"lateral-movement", "collection", "command-and-control",
"exfiltration", "impact",
]
breakdown = {}
for tactic in tactic_order:
if tactic in tactic_map:
breakdown[tactic] = {
"count": len(tactic_map[tactic]),
"techniques": tactic_map[tactic],
}
return breakdown
def main():
parser = argparse.ArgumentParser(
description="MITRE ATT&CK Threat Actor TTP Analyzer"
)
parser.add_argument("--group", help="Threat group name (e.g., APT29)")
parser.add_argument("--compare", nargs="+", help="Compare multiple groups")
parser.add_argument(
"--gap-analysis", action="store_true", help="Perform detection gap analysis"
)
parser.add_argument(
"--detections",
help="JSON file with detected technique IDs",
)
parser.add_argument("--breakdown", action="store_true", help="Tactic breakdown")
parser.add_argument("--output", default="attack_layer.json", help="Output file")
args = parser.parse_args()
analyzer = ATTACKAnalyzer()
if args.compare:
comparison = analyzer.compare_groups(args.compare)
print(json.dumps(comparison, indent=2))
with open(args.output, "w") as f:
json.dump(comparison, f, indent=2)
elif args.group and args.gap_analysis:
detected = set()
if args.detections:
with open(args.detections) as f:
detected = set(json.load(f))
analysis = analyzer.gap_analysis(args.group, detected)
print(json.dumps(analysis, indent=2))
with open(args.output, "w") as f:
json.dump(analysis, f, indent=2)
elif args.group and args.breakdown:
breakdown = analyzer.tactic_breakdown(args.group)
print(json.dumps(breakdown, indent=2))
elif args.group:
tech_map = analyzer.get_group_techniques(args.group)
layer = analyzer.create_navigator_layer(args.group, tech_map)
with open(args.output, "w") as f:
json.dump(layer, f, indent=2)
print(f"[+] Navigator layer saved to {args.output}")
else:
parser.print_help()
if __name__ == "__main__":
main()