# Threat actor profiling

## Preliminaries

Threat actors are the cyber criminals and Advanced Persistent Threats (APTs) that have an interest in attacking an organization to obtain something of value to them. Valuable assets often include data they can sell for profit or operations they can hold for ransom.

To put in place effective defenses against these adversaries, we first need to understand who they are and how they operate.

### Baseline questions

- Which groups are likely to attack organization X?
- How will they likely attack X?
- What mitigations or detections can X create to defend against them?

## Prerequisites
Load MITRE ATT&CK Enterprise using the ETL CLI of SATRAP as explained in the user manual (at `docs/manual/interfaces.md`).

## Preparation
Set up the DB parameters and import the toolkit of SATRAP.

In [None]:
from satrap.service.satrap_analysis import CTIanalysisToolbox
from satrap.commons.format_utils import format_dict, tabulate_groups, tabulate_stix_obj
from satrap.settings import TYPEDB_SERVER_ADDRESS, DB_NAME

satrap = CTIanalysisToolbox(TYPEDB_SERVER_ADDRESS, DB_NAME)

## Investigation

We start by searching for groups that have been associated with a specific sector or whose description contains relevant keywords. If no keywords are given, the function returns all the groups in ATT&CK.

In [None]:
# Modify the keywords as needed
groups = satrap.mitre_attack_groups(["manufacturing"])
print(f"{len(groups)} groups found")
print(tabulate_groups(groups))

In [None]:
# Collect the ATT&CK IDs of the matched groups and print each group's full STIX object
group_ids = [group.group_id for group in groups]
for group in group_ids:
    info = satrap.search_by_mitre_id(group)
    for data in info:
        print(tabulate_stix_obj(data))

Which techniques do these groups use?

In [None]:
tech = satrap.techniques_used_by_groups(group_ids)
print(f"{len(tech)} techniques used by groups {group_ids}")
display(tech)

Do they have techniques in common?

Learning this helps to prioritize the techniques that are most widespread among our groups of interest.

In [None]:
# Techniques that every one of the selected groups is known to use
intersect = satrap.get_techniques_used_by_all(group_ids)
print(f"{len(intersect)} techniques used by all of the groups {group_ids}")
print(format_dict(intersect))

In [None]:
# Same query with the optional second argument set to True (see the SATRAP API
# documentation for its meaning); the call is wrapped because it may raise
try:
    intersect = satrap.get_techniques_used_by_all(group_ids, True)
    print(f"{len(intersect)} techniques used by all of the groups {group_ids}")
    print(format_dict(intersect))
except Exception as err:
    print(err)
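The strict intersection above only keeps techniques shared by every group; to prioritize, it is also useful to rank techniques by how many of the groups of interest use them and to check that ranking against existing detections. The following is an added example, not part of the SATRAP notebook or its API: the group-to-technique mapping is constructed sample data (the IDs follow the ATT&CK format, but the relationships are invented), standing in for what `techniques_used_by_groups` would return.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample data (not real ATT&CK relationships): group ID -> techniques it uses.
# IDs follow ATT&CK's format (G#### for groups, T#### for techniques); the mapping is invented.
SAMPLE_GROUP_TECHNIQUES: Dict[str, Set[str]] = {
    "G0016": {"T1566", "T1059", "T1078", "T1027"},
    "G0032": {"T1566", "T1059", "T1105", "T1003"},
    "G0007": {"T1566", "T1059", "T1078", "T1021"},
}


def techniques_used_by_all(groups: Dict[str, Set[str]]) -> Set[str]:
    """Strict intersection: techniques that every group of interest uses."""
    if not groups:
        return set()
    return set.intersection(*groups.values())


def technique_prevalence(groups: Dict[str, Set[str]]) -> List[Tuple[str, int, float]]:
    """Rank techniques by the number of groups using them: (technique, count, share of groups)."""
    counts = Counter(t for techs in groups.values() for t in techs)
    total = len(groups)
    # Descending count, then technique ID, so the order is deterministic
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(t, n, n / total) for t, n in ranked]


def uncovered_priorities(groups: Dict[str, Set[str]], detected: Iterable[str],
                         min_share: float = 0.5) -> List[str]:
    """Prevalent techniques (share >= min_share) for which no detection exists yet."""
    have = set(detected)
    return [t for t, _, share in technique_prevalence(groups)
            if share >= min_share and t not in have]


if __name__ == "__main__":
    print("used by all:", sorted(techniques_used_by_all(SAMPLE_GROUP_TECHNIQUES)))
    for tech, n, share in technique_prevalence(SAMPLE_GROUP_TECHNIQUES):
        print(f"{tech}: {n} groups ({share:.0%})")
    # Suppose detections already exist for phishing (T1566); what prevalent techniques remain?
    print("gaps:", uncovered_priorities(SAMPLE_GROUP_TECHNIQUES, detected={"T1566"}))
```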