# Add other AMITT standards to AMITTsite

This code explores the places online that have AMITT standards embedded in them, so that we can:

* a) grab the ids, features etc. for each object, so we can push AMITTsite objects to repos using these standards;
* b) know where, and in what format, to send AMITT object updates.

In [2]:
import json
import pandas as pd
import requests
import glob

## Explore AMITT STIX SEP

Explores the AMITT SEP for STIX. The bundle is STIX 2.0 (`spec_version` 2.0 below), and its `attack-pattern` objects should be the red team techniques.

Takes objects from the GitHub repository https://github.com/cogsec-collaborative/cti-sep-repository - this should be cloned into directory github_cogseccollab_amitt_cti

(yes, we could have used requests to grab the files directly from the repo, as we do for the MISP galaxy below, but later).

In [3]:
datadir = '../../github_cogseccollab_amitt_cti'

glob.glob('{}/amitt/*/*.json'.format(datadir))

['../../github_cogseccollab_amitt_cti/amitt/identity/identity--fcf30df9-73fd-4d75-92c7-f871a09303e0.json',
 '../../github_cogseccollab_amitt_cti/amitt/identity/identity--b09ba394-f1de-4555-a5e0-aa19adba1a28.json',
 '../../github_cogseccollab_amitt_cti/amitt/identity/identity--3d10cc2d-7f32-486e-af1c-3a88ffcf991e.json',
 '../../github_cogseccollab_amitt_cti/amitt/identity/identity--bd96e085-c94e-4f59-a448-0599210cc7af.json',
 '../../github_cogseccollab_amitt_cti/amitt/identity/identity--e6d25a9e-a205-4b57-bed4-e953a46d431f.json',
 '../../github_cogseccollab_amitt_cti/amitt/identity/identity--b8df621b-b001-4fc8-bd97-03eeacaf4ecf.json',
 '../../github_cogseccollab_amitt_cti/amitt/identity/identity--f051cd1c-84dc-45d5-abae-0507c5d91abd.json',
 '../../github_cogseccollab_amitt_cti/amitt/identity/identity--5d624c7f-4356-4092-aeee-e4e5cd2ac164.json',
 '../../github_cogseccollab_amitt_cti/amitt/identity/identity--0c14232e-3d34-4a61-a266-824da667560b.json',
 '../../github_cogseccollab_amitt_cti

In [4]:
# Get contents of the bundle file that lists all the AMITT objects
# (use a context manager so the file handle is closed after loading)
with open(datadir + '/amitt/amitt-attack.json') as f:
    data = json.load(f)
data

{'type': 'bundle',
 'id': 'bundle--d700c722-48c5-4cdb-a3ac-cc8c0d95c0fe',
 'spec_version': '2.0',
 'objects': [{'type': 'x-amitt-tactic',
   'id': 'x-amitt-tactic--a906aa36-c586-4994-97d3-e1566b559522',
   'created_by_ref': 'identity--dcb70c08-a4b0-4d2d-8141-b28ca5f0a43a',
   'created': '2019-12-08T02:27:58.307Z',
   'modified': '2019-12-08T02:27:58.307Z',
   'name': 'Strategic Planning',
   'description': 'Defining the desired end state that is the set of required conditions that defines achievement of all objectives.',
   'external_references': [{'source_name': 'amitt-attack',
     'url': 'https://github.com/misinfosecproject/amitt_framework/blob/master/tactics/TA01.md',
     'external_id': 'TA01'}],
   'object_marking_refs': ['marking-definition--c32b1522-2b13-4159-8a40-56fd4151016d'],
   'x_amitt_shortname': 'strategic-planning'},
  {'type': 'x-amitt-tactic',
   'id': 'x-amitt-tactic--29de5849-2be8-49e2-aefe-2655f7fcb411',
   'created_by_ref': 'identity--dcb70c08-a4b0-4d2d-8141-b28

In [5]:
# Pull the json for all the objects in the bundle into one dictionary keyed by STIX id,
# and print a one-line summary of every non-relationship object
objects = {}
for obj in data['objects']:
    summary = obj['type']
    objects[obj['id']] = obj
    if 'name' in obj:
        summary = '{}: '.format(obj['name']) + summary
    if 'external_references' in obj:
        # not every external reference carries an external_id, so don't KeyError on it
        summary = '{} '.format(obj['external_references'][0].get('external_id', '')) + summary
    if obj['type'] != 'relationship':
        print(summary)

# unfinished - look at the standards for relationships between objects
# (relationships are skipped for now; after this loop, obj holds the last object in the bundle)
for obj in data['objects']:
    if obj['type'] == 'relationship':
        continue

TA01 Strategic Planning: x-amitt-tactic
TA02 Objective Planning: x-amitt-tactic
TA03 Develop People: x-amitt-tactic
TA04 Develop Networks: x-amitt-tactic
TA05 Microtargeting: x-amitt-tactic
TA06 Develop Content: x-amitt-tactic
TA07 Channel Selection: x-amitt-tactic
TA08 Pump Priming: x-amitt-tactic
TA09 Exposure: x-amitt-tactic
TA10 Go Physical: x-amitt-tactic
TA11 Persistence: x-amitt-tactic
TA12 Measure Effectiveness: x-amitt-tactic
T0001 5Ds (dismiss, distort, distract, dismay, divide): attack-pattern
T0002 Facilitate State Propaganda: attack-pattern
T0003 Leverage Existing Narratives: attack-pattern
T0004 Competing Narratives: attack-pattern
T0005 Center of Gravity Analysis: attack-pattern
T0006 Create Master Narratives: attack-pattern
T0007 Create fake Social Media Profiles / Pages / Groups: attack-pattern
T0008 Create fake or imposter news sites: attack-pattern
T0009 Create fake experts: attack-pattern
T0010 Cultivate ignorant agents: attack-pattern
T0011 Hijack legitimate accoun

In [8]:
# Print out the last object in the bundle: a relationship whose source_ref is an
# x-opencti-incident, a type that is not one of the AMITT SEP objects
obj

{'type': 'relationship',
 'id': 'relationship--9b50a885-6609-4408-9598-3042dea855a2',
 'created': '2019-12-08T02:27:58.419Z',
 'modified': '2019-12-08T02:27:58.419Z',
 'relationship_type': 'attributed-to',
 'source_ref': 'x-opencti-incident--eea22c6e-c3f1-4258-915e-3c1fcfc87678',
 'target_ref': 'identity--200339dd-63e4-4cf3-ba0c-82257564bbc5'}
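The object printed above is a `relationship` whose `source_ref` points at an `x-opencti-incident`, a type that is not one of the AMITT custom objects, so a consumer of this bundle cannot assume that every reference resolves to something it knows. Before pushing AMITTsite objects into a repo in this format, or importing from it, it is worth checking identifier syntax, agreement between `type` and the id prefix, dangling references, and the tactic-to-technique linkage. The following is an added worked example, not code from the cti-sep-repository; it runs on a constructed mini-bundle in the shape of `amitt-attack.json`, and it assumes the ATT&CK-style layout in which an `attack-pattern` carries `kill_chain_phases` whose `phase_name` equals a tactic's `x_amitt_shortname` (the tactic's shortname is visible in the output above, the technique side is not, so treat that linkage as an assumption):

```python
import json
import re

# Constructed sample in the shape of amitt-attack.json (not the real bundle). It deliberately
# contains one relationship whose source is not in the bundle and one object whose id prefix
# disagrees with its type, so the checks below have something to report.
SAMPLE_BUNDLE = json.loads('''
{
  "type": "bundle",
  "id": "bundle--00000000-0000-4000-8000-000000000001",
  "spec_version": "2.0",
  "objects": [
    {"type": "x-amitt-tactic",
     "id": "x-amitt-tactic--00000000-0000-4000-8000-0000000000a1",
     "name": "Strategic Planning",
     "external_references": [{"source_name": "amitt-attack", "external_id": "TA01"}],
     "x_amitt_shortname": "strategic-planning"},
    {"type": "attack-pattern",
     "id": "attack-pattern--00000000-0000-4000-8000-0000000000b1",
     "name": "5Ds (dismiss, distort, distract, dismay, divide)",
     "external_references": [{"source_name": "amitt-attack", "external_id": "T0001"}],
     "kill_chain_phases": [{"kill_chain_name": "amitt-attack", "phase_name": "strategic-planning"}]},
    {"type": "identity",
     "id": "identity--00000000-0000-4000-8000-0000000000c1",
     "name": "Example actor"},
    {"type": "relationship",
     "id": "relationship--00000000-0000-4000-8000-0000000000d1",
     "relationship_type": "uses",
     "source_ref": "identity--00000000-0000-4000-8000-0000000000c1",
     "target_ref": "attack-pattern--00000000-0000-4000-8000-0000000000b1"},
    {"type": "relationship",
     "id": "relationship--00000000-0000-4000-8000-0000000000d2",
     "relationship_type": "attributed-to",
     "source_ref": "x-opencti-incident--00000000-0000-4000-8000-0000000000e1",
     "target_ref": "identity--00000000-0000-4000-8000-0000000000c1"},
    {"type": "malware",
     "id": "tool--00000000-0000-4000-8000-0000000000f1",
     "name": "id prefix disagrees with type"}
  ]
}
''')

# STIX 2.0 identifier: <object type>--<UUIDv4>; group 1 captures the type part
STIX_ID = re.compile(
    r'^([a-z0-9][a-z0-9-]+[a-z0-9])--'
    r'[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$')


def amitt_id(obj):
    """AMITT id (TA01, T0001, ...) from the amitt-attack external reference, or None."""
    for ref in obj.get('external_references', []):
        if ref.get('source_name') == 'amitt-attack' and 'external_id' in ref:
            return ref['external_id']
    return None


def audit_bundle(bundle):
    """Index a STIX 2.0 bundle and report what an importer must know before trusting it."""
    by_id = {obj['id']: obj for obj in bundle['objects']}
    report = {'id_errors': [], 'dangling_refs': [], 'custom_types': set(), 'techniques_by_tactic': {}}

    for obj in bundle['objects']:
        m = STIX_ID.match(obj['id'])
        if m is None:
            report['id_errors'].append((obj['id'], 'malformed identifier'))
        elif m.group(1) != obj['type']:
            report['id_errors'].append((obj['id'], 'id prefix does not match type {!r}'.format(obj['type'])))
        if obj['type'].startswith('x-'):
            report['custom_types'].add(obj['type'])      # needs a custom-object definition downstream

    # Every relationship end must resolve inside the bundle, or the consumer has to fetch it elsewhere
    for obj in bundle['objects']:
        if obj['type'] == 'relationship':
            for key in ('source_ref', 'target_ref'):
                if obj[key] not in by_id:
                    report['dangling_refs'].append((obj['id'], key, obj[key]))

    # Tactic <-> technique linkage, ATT&CK-style: attack-pattern.kill_chain_phases[].phase_name
    # is matched against x-amitt-tactic.x_amitt_shortname (assumed layout, see lead-in)
    tactic_by_shortname = {obj['x_amitt_shortname']: amitt_id(obj)
                           for obj in bundle['objects'] if obj['type'] == 'x-amitt-tactic'}
    for obj in bundle['objects']:
        if obj['type'] != 'attack-pattern':
            continue
        for phase in obj.get('kill_chain_phases', []):
            tactic = tactic_by_shortname.get(phase.get('phase_name'))
            if tactic is None:
                report['id_errors'].append((obj['id'], 'unknown phase_name {!r}'.format(phase.get('phase_name'))))
            else:
                report['techniques_by_tactic'].setdefault(tactic, []).append(amitt_id(obj))
    return report


if __name__ == '__main__':
    print(json.dumps(audit_bundle(SAMPLE_BUNDLE), indent=1, default=sorted))
```

To run it on the real data, call `audit_bundle(data)` with the `data` loaded above; `custom_types` lists every `x-` type that a receiving repo will need a definition for, and anything in `dangling_refs` (such as the `x-opencti-incident` above) has to be fetched from elsewhere or dropped before import.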

## Explore AMITT MISP galaxy objects

Explore the AMITT MISP galaxy (this should contain AMITT techniques). 

The repo this investigates is the AMITT cluster in https://github.com/MISP/misp-galaxy/ 

In [9]:
url = 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/misinfosec-amitt-misinformation-pattern.json'
r = requests.get(url, allow_redirects=True)
mispjson = r.json()
print('{}'.format(mispjson['values']))

[{'description': 'Nimmo\'s "4Ds of propaganda": dismiss, distort, distract, dismay (MisinfosecWG added divide in 2019). Misinformation promotes an agenda by advancing narratives supportive of that agenda. This is most effective when the advanced narrative pre-dates the revelation of the specific misinformation content. But this is often not possible.', 'meta': {'external_id': 'T0001', 'kill_chain': ['misinformation-tactics:Strategic Planning'], 'refs': ['https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0001.md']}, 'uuid': '16556f68-fe4f-43c8-a8a4-6fc205d80251', 'value': '5Ds (dismiss, distort, distract, dismay, divide)'}, {'description': 'Organize citizens around pro-state messaging. Paid or volunteer groups coordinated to push state propaganda (examples include 2016 Diba Facebook Expedition, coordinated to overcome China’s Great Firewall to flood the Facebook pages of Taiwanese politicians and news agencies with a pro-PRC message).', 'meta': {'external_id':

In [10]:
for v in mispjson['values']:
    print('{}: {}'.format(v['meta']['external_id'], v['value']))

T0001: 5Ds (dismiss, distort, distract, dismay, divide)
T0002: Facilitate State Propaganda
T0003: Leverage Existing Narratives
T0004: Competing Narratives
T0005: Center of Gravity Analysis
T0006: Create Master Narratives
T0007: Create fake Social Media Profiles / Pages / Groups
T0008: Create fake or imposter news sites
T0009: Create fake experts
T0010: Cultivate useful idiots
T0011: Hijack legitimate account
T0012: Use concealment
T0013: Create fake websites
T0014: Create funding campaigns
T0015: Create hashtag
T0016: Clickbait
T0017: Promote online funding
T0018: Paid targeted ads
T0019: Generate information pollution
T0020: Trial content
T0021: Memes
T0022: Conspiracy narratives
T0023: Distort facts
T0024: Create fake videos and images
T0025: Leak altered documents
T0026: Create fake research
T0027: Adapt existing narratives
T0028: Create competing narratives
T0029: Manipulate online polls
T0030: Backstop personas
T0031: YouTube
T0032: Reddit
T0033: Instagram
T0034: LinkedIn
T0035: P
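Comparing this list with the STIX output above shows that the two encodings already disagree on at least one name: T0010 is "Cultivate ignorant agents" in the STIX bundle and "Cultivate useful idiots" in the MISP galaxy. Anything that pushes AMITT updates to both places needs a crosswalk keyed on the AMITT `external_id` that also records the identifier each platform uses (the STIX `id`, the galaxy `uuid`), the tactic the galaxy assigns, and the entries that exist on only one side. The following is an added example, not code from either repo; it runs on constructed samples (the T0999/T0998 ids and the fourth STIX object are made up to exercise the one-sided and unkeyed cases):

```python
# Constructed samples mirroring the two sources read above (not the real repo or galaxy contents).
# T0010 is named differently on purpose; T0999/T0998 exist on one side only; one STIX object has no AMITT id.
STIX_TECHNIQUES = [
    {'type': 'attack-pattern', 'id': 'attack-pattern--00000000-0000-4000-8000-000000000003',
     'name': 'Leverage Existing Narratives',
     'external_references': [{'source_name': 'amitt-attack', 'external_id': 'T0003'}]},
    {'type': 'attack-pattern', 'id': 'attack-pattern--00000000-0000-4000-8000-000000000010',
     'name': 'Cultivate ignorant agents',
     'external_references': [{'source_name': 'amitt-attack', 'external_id': 'T0010'}]},
    {'type': 'attack-pattern', 'id': 'attack-pattern--00000000-0000-4000-8000-000000000999',
     'name': 'Only in the STIX bundle (constructed)',
     'external_references': [{'source_name': 'amitt-attack', 'external_id': 'T0999'}]},
    {'type': 'attack-pattern', 'id': 'attack-pattern--00000000-0000-4000-8000-0000000000aa',
     'name': 'No AMITT id at all (constructed)'},
]
GALAXY_VALUES = [
    {'uuid': '10000000-0000-4000-8000-000000000003', 'value': 'Leverage Existing Narratives',
     'meta': {'external_id': 'T0003', 'kill_chain': ['misinformation-tactics:Strategic Planning']}},
    {'uuid': '10000000-0000-4000-8000-000000000010', 'value': 'Cultivate useful idiots',
     'meta': {'external_id': 'T0010', 'kill_chain': ['misinformation-tactics:Develop People']}},
    {'uuid': '10000000-0000-4000-8000-000000000998', 'value': 'Only in the galaxy (constructed)',
     'meta': {'external_id': 'T0998', 'kill_chain': []}},
]


def crosswalk(stix_objects, galaxy_values):
    """Align STIX attack-patterns with MISP galaxy clusters on AMITT external_id and report disagreements."""
    stix, unkeyed = {}, []
    for obj in stix_objects:
        if obj.get('type') != 'attack-pattern':
            continue
        ext = next((r['external_id'] for r in obj.get('external_references', [])
                    if r.get('source_name') == 'amitt-attack' and 'external_id' in r), None)
        if ext is None:
            unkeyed.append(obj['id'])        # cannot be matched to anything; fix upstream
        else:
            stix[ext] = obj
    misp = {v['meta']['external_id']: v for v in galaxy_values if 'external_id' in v.get('meta', {})}

    report = {
        'ids': {},                       # external_id -> identifiers to use on each platform
        'name_mismatch': {},             # same AMITT id, different human-readable name
        'only_in_stix': sorted(set(stix) - set(misp)),
        'only_in_misp': sorted(set(misp) - set(stix)),
        'stix_without_external_id': unkeyed,
    }
    for ext in sorted(set(stix) & set(misp)):
        s, m = stix[ext], misp[ext]
        # galaxy kill_chain entries look like 'misinformation-tactics:Strategic Planning'
        tactics = [kc.split(':', 1)[1] for kc in m['meta'].get('kill_chain', []) if ':' in kc]
        report['ids'][ext] = {'stix_id': s['id'], 'misp_uuid': m['uuid'], 'misp_tactics': tactics}
        if s['name'].strip().casefold() != m['value'].strip().casefold():
            report['name_mismatch'][ext] = (s['name'], m['value'])
    return report


if __name__ == '__main__':
    result = crosswalk(STIX_TECHNIQUES, GALAXY_VALUES)
    for ext, (stix_name, misp_name) in result['name_mismatch'].items():
        print('{}: STIX says {!r}, MISP galaxy says {!r}'.format(ext, stix_name, misp_name))
    print('only in STIX:', result['only_in_stix'], ' only in MISP:', result['only_in_misp'])
```

On the real data this is `crosswalk(data['objects'], mispjson['values'])`. Names are compared case-insensitively after stripping whitespace, so only substantive renames are reported; the `ids` map is what an update job needs to address the same technique on both platforms.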

## Explore general MISP Objects

This code looks at the new objects CogSecCollab added to MISP last year, and grabs their ids and features so we can push data up to a MISP instance via the MISP API.  

Assumes you've cloned the repo https://github.com/MISP/misp-objects.git into folder github_misp_misp-objects

Objects of potential interest are: 
* **Disinfo objects**: narrative
* **Social media objects**: blog, facebook-account, facebook-group, facebook-page, facebook-post, instant-message, instant-message-group, meme-image, microblog, parler-account, parler-comment, parler-post, reddit-account, reddit-comment, reddit-post, reddit-subreddit, short-message-service, social-media-group, telegram-account, twitter-account, twitter-list, twitter-post, user-account, youtube-channel, youtube-comment, youtube-playlist, youtube-video
* **Documents**: forged-document, image, leaked-document, publication
* **General objects**: geolocation, impersonation, news-agency, news-media, organization, person, translation, url, whois

In [13]:
mispdir = '../../github_misp_misp-objects'

# Load every object template (objects/<name>/definition.json), keyed by template name
objectjsons = {}
mispjsonfiles = glob.glob(mispdir + '/objects/*/definition.json')

for mispfile in mispjsonfiles:
    with open(mispfile) as json_file:
        filejson = json.load(json_file)
        objectjsons[filejson['name']] = filejson

print('\n'.join(sorted(objectjsons)))

ail-leak
ais-info
android-app
android-permission
annotation
anonymisation
asn
attack-pattern
authentication-failure-report
authenticode-signerinfo
av-signature
bank-account
bgp-hijack
bgp-ranking
blog
boleto
btc-transaction
btc-wallet
cap-alert
cap-info
cap-resource
coin-address
command
command-line
cookie
cortex
cortex-taxonomy
course-of-action
covid19-csse-daily-report
covid19-dxy-live-city
covid19-dxy-live-province
cowrie
cpe-asset
credential
credit-card
crypto-material
cytomic-orion-file
cytomic-orion-machine
dark-pattern-item
ddos
device
diameter-attack
dkim
dns-record
domain-crawled
domain-ip
elf
elf-section
email
employee
exploit-poc
facebook-account
facebook-group
facebook-page
facebook-post
facial-composite
fail2ban
favicon
file
forensic-case
forensic-evidence
forged-document
ftm-Airplane
ftm-Assessment
ftm-Asset
ftm-Associate
ftm-Audio
ftm-BankAccount
ftm-Call
ftm-Company
ftm-Contract
ftm-ContractAward
ftm-CourtCase
ftm-CourtCaseParty
ftm-Debt
ftm-Directorship
ftm-Document
ft

In [1]:
# Look at a specific object format
# (run the cell that builds objectjsons first; the NameError below came from running this cell out of order)
objectid = 'narrative'

print('Keys: {}\n'.format(objectjsons[objectid].keys()))
print('Attributes: {}\n'.format(objectjsons[objectid]['attributes'].keys()))
objectjsons[objectid]

NameError: name 'objectjsons' is not defined
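Once a template's `attributes`, its `required` / `requiredOneOf` lists and the `misp-attribute` type of each attribute are known, pushing data to a MISP instance means emitting an Object whose attributes each name an `object_relation` from that template. Validating against the template locally catches bad pushes (unknown relations, missing required fields, values outside a `values_list`, multiple values where the template allows one) before they reach the API. The following is an added example, not code from misp-objects or PyMISP; the template below is a constructed, simplified stand-in for `objects/narrative/definition.json` (different attributes and a made-up uuid), and the payload field names (`template_uuid`, `template_version`, `Attribute`, `object_relation`) are my reading of the MISP Object JSON, to be checked against your instance's API before use:

```python
# Constructed, simplified stand-in for objects/narrative/definition.json. The real template has
# different attributes and a different uuid; in the notebook, pass objectjsons['narrative'] instead.
NARRATIVE_TEMPLATE = {
    'name': 'narrative',
    'uuid': '20000000-0000-4000-8000-000000000001',
    'version': 1,
    'meta-category': 'misc',
    'description': 'A narrative pushed by a disinformation campaign (constructed sample).',
    'required': ['name'],
    'attributes': {
        'name': {'description': 'Short name of the narrative', 'misp-attribute': 'text', 'ui-priority': 1},
        'description': {'description': 'Longer description', 'misp-attribute': 'text', 'ui-priority': 0},
        'aliases': {'description': 'Other names seen in the wild', 'misp-attribute': 'text',
                    'ui-priority': 0, 'multiple': True},
        'status': {'description': 'Lifecycle state', 'misp-attribute': 'text', 'ui-priority': 0,
                   'values_list': ['active', 'dormant', 'debunked']},
        'amitt-technique': {'description': 'AMITT technique id used to push the narrative',
                            'misp-attribute': 'text', 'ui-priority': 0, 'multiple': True},
    },
}


def validate_values(definition, values):
    """Check {object_relation: value or [values]} against a MISP object template; return a list of problems."""
    attrs = definition['attributes']
    problems = []
    for relation in sorted(set(values) - set(attrs)):
        problems.append('relation {!r} is not in template {!r}'.format(relation, definition['name']))
    for relation in definition.get('required', []):
        if relation not in values:
            problems.append('required relation {!r} is missing'.format(relation))
    one_of = definition.get('requiredOneOf', [])
    if one_of and not any(relation in values for relation in one_of):
        problems.append('need at least one of {}'.format(one_of))
    for relation, value in values.items():
        spec = attrs.get(relation)
        if spec is None:
            continue                       # already reported above
        items = value if isinstance(value, list) else [value]
        if len(items) > 1 and not spec.get('multiple', False):
            problems.append('relation {!r} does not allow multiple values'.format(relation))
        allowed = spec.get('values_list')
        if allowed is not None:
            for item in items:
                if item not in allowed:
                    problems.append('{!r}={!r} is not in values_list {}'.format(relation, item, allowed))
    return problems


def build_misp_object(definition, values):
    """Build the Object payload for the MISP REST API (field names are assumptions, see lead-in)."""
    problems = validate_values(definition, values)
    if problems:
        raise ValueError('; '.join(problems))
    attribute_list = []
    for relation, value in values.items():
        spec = definition['attributes'][relation]
        for item in (value if isinstance(value, list) else [value]):
            attribute_list.append({
                'object_relation': relation,
                'type': spec['misp-attribute'],
                'value': str(item),
                'disable_correlation': spec.get('disable_correlation', False),
            })
    return {
        'name': definition['name'],
        'meta-category': definition['meta-category'],
        'description': definition['description'],
        'template_uuid': definition['uuid'],
        'template_version': str(definition['version']),
        'Attribute': attribute_list,
    }


if __name__ == '__main__':
    import json
    payload = build_misp_object(NARRATIVE_TEMPLATE, {
        'name': 'Example narrative', 'aliases': ['alias one', 'alias two'],
        'status': 'active', 'amitt-technique': ['T0003', 'T0010']})
    print(json.dumps({'Object': payload}, indent=1))
    print(validate_values(NARRATIVE_TEMPLATE, {'status': 'bogus', 'description': ['a', 'b'], 'nope': 1}))
```

In the notebook, pass `objectjsons['narrative']` (or any other template from the list above) in place of `NARRATIVE_TEMPLATE`, after re-running the cell that builds `objectjsons`, since the NameError above is the result of running cells out of order. The `{'Object': payload}` wrapper is what gets sent to the instance; keep the validation step in front of it so template drift in misp-objects shows up here rather than as a rejected API call.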

## Check standard STIX format also

The STIX 2 JSON schemas are in https://github.com/oasis-open/cti-stix2-json-schemas