Hello everyone,
I'd like to share with the community a thing we did internally to use the MSV Library with the MITRE ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/).
This work was done in collaboration with my colleagues from the CSIRT team.
We had two objectives:
The approach we developed is very simple and it's the following:
We created two python scripts:
The other steps are to be done manually on the Navigator.
Refer to these links to understand how to do it:
https://attack.mitre.org/docs/training-cti/Comparing%20Layers%20in%20Navigator.pdf
https://www.youtube.com/watch?v=78RIsFqo9pM
Here is an example.
We'd like to know which actions from the MSV Library are related to the MITRE Engenuity Insider Threat TTP Knowledge Base (https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/insider-threat...).
Running the first script, we got the layer for the MSV Library (with the score set to 2):
python3 MSV2Matrix.py --directorip <your ip> --user <your user> --password <your password> --score 2 --outfile <your filename>
Import this layer to the Navigator.
Select Color Setup and set Low Value to 1 and High Value to 3.
From Matrix configuration remove "show aggregate scores" and select "show IDs". You will get something like this:
Hovering over colored techniques you will see a pop-up with VIDs related to that technique.
From the Navigator, click the "+" to add a new tab and do the same, loading the JSON layer from Engenuity (https://github.com/center-for-threat-informed-defense/insider-threat-ttp-kb/raw/main/docs/extra/gree...).
Select Color Setup and set colors in the same way you did for the first layer.
The last thing to do is to combine the two layers. Create a new layer and set the Score Expression to "a+b".
The important thing here is to set the Metadata field to get data from the MSV Library layer.
Again select Color Setup and set colors in the same way you did for the first layer.
In this new layer you will see the overlapping techniques colored with the color set for score 3. These are the techniques that the MSV Library layer and the Engenuity layer have in common. For each of these techniques you have at least one action in the MSV Library.
You can now export the layer as a json file and run the second script:
python3 Layer2VIDList.py --json <your exported json file> --score 3
You will obtain a text file with the list of VIDs related to techniques in common between the two layers.
If you are interested in these python scripts send me a DM.
Disclaimer: I'm not a developer, I know only the basics of Python, so my code could be very basic and could contain errors. No warranties on the code quality.
Feel free to modify it as you want, but please share it again with the community.
For any questions, suggestions or criticism, please leave a comment.
Enjoy, Paolo
PS: I hope to see soon something similar integrated in the Director.
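
The combine-and-extract step described above (score expression "a+b", then listing the VIDs of techniques that score 3), as an added example that is not the author's MSV2Matrix.py or Layer2VIDList.py. It assumes the VIDs sit in each technique's metadata as entries named "VID", that the second layer scores its techniques 1, and that unscored techniques count as 0; the sample layers and VID values are constructed.

```python
# Constructed sample layers in ATT&CK Navigator layer format (not real MSV or Engenuity data).
# Assumption: VIDs are stored as {"name": "VID", "value": ...} metadata entries;
# the original scripts may store them differently (for example in "comment").
MSV_LAYER = {"name": "MSV Library", "domain": "enterprise-attack", "techniques": [
    {"techniqueID": "T1078", "score": 2, "metadata": [
        {"name": "VID", "value": "VID-SAMPLE-1"}, {"name": "VID", "value": "VID-SAMPLE-2"}]},
    {"techniqueID": "T1059", "score": 2, "metadata": [{"name": "VID", "value": "VID-SAMPLE-3"}]},
    {"techniqueID": "T1567", "score": 2, "metadata": [{"name": "VID", "value": "VID-SAMPLE-2"}]},
]}
OTHER_LAYER = {"name": "Other layer", "domain": "enterprise-attack", "techniques": [
    {"techniqueID": "T1078", "score": 1}, {"techniqueID": "T1567", "score": 1},
    {"techniqueID": "T1005", "score": 1},
]}

def scores(layer):
    """Map techniqueID -> score; a technique listed under several tactics keeps its highest."""
    out = {}
    for t in layer.get("techniques", []):
        s = t.get("score")
        if isinstance(s, (int, float)):
            out[t["techniqueID"]] = max(s, out.get(t["techniqueID"], s))
    return out

def combine(a_layer, b_layer):
    """Emulate the score expression "a+b", taking metadata from layer a only."""
    a, b = scores(a_layer), scores(b_layer)
    meta = {}
    for t in a_layer.get("techniques", []):
        meta.setdefault(t["techniqueID"], []).extend(t.get("metadata", []))
    # Assumption: a technique without a score in one layer contributes 0 to the sum.
    return {"name": "a+b", "techniques": [
        {"techniqueID": tid, "score": a.get(tid, 0) + b.get(tid, 0),
         "metadata": meta.get(tid, [])} for tid in sorted(set(a) | set(b))]}

def vids_for_score(layer, score):
    """Return sorted, de-duplicated VIDs of techniques whose score equals `score`."""
    vids = set()
    for t in layer.get("techniques", []):
        if t.get("score") == score:
            # Divider entries and other metadata names are skipped.
            vids.update(m["value"] for m in t.get("metadata", [])
                        if m.get("name") == "VID" and "value" in m)
    return sorted(vids)

if __name__ == "__main__":
    print("\n".join(vids_for_score(combine(MSV_LAYER, OTHER_LAYER), 3)))
```

To run it on a layer exported from the Navigator, load the file with json.load and pass the resulting dict to vids_for_score.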