### Basic MITRE ATT&CK Data Analysis

#### Step 1: Import Python Modules

In [2]:
import pandas as pd
import janitor as jn

#### Step 2: Define Settings
- Disabling pandas' display limits can be helpful for initial analysis, since whole frames are shown instead of being truncated.

In [3]:
# Lift pandas' default truncation so whole frames render during exploration.
for display_option in ('display.max_rows', 'display.max_columns'):
    pd.set_option(display_option, None)

#### Step 3: Download the MITRE Enterprise ATT&CK Data Set
- The data is downloaded as an Excel workbook and each sheet is converted into a separate pandas DataFrame.

In [4]:
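# Pinned to the Enterprise ATT&CK v10.1 release so the analysis is reproducible.
url_attack = 'https://attack.mitre.org/docs/enterprise-attack-v10.1/enterprise-attack-v10.1.xlsx'

# Read the workbook once instead of re-downloading it for every sheet: with a
# list of sheet names pandas returns a dict keyed by sheet name.
# NOTE(review): the download is over HTTPS but the workbook is not integrity-
# checked here; for anything beyond exploration, fetch once, verify, and read
# from a local copy (DATA_DIR-style path) instead of the live URL.
attack_sheet_names = [
    'datasources',
    'tactics',
    'techniques',
    'relationships',
    'mitigations',
    'software',
    'groups',
]
attack_workbook = pd.read_excel(url_attack, sheet_name=attack_sheet_names)

df_datasources = attack_workbook['datasources']
df_tactics = attack_workbook['tactics']
df_techniques = attack_workbook['techniques']
df_relationships = attack_workbook['relationships']
df_mitigations = attack_workbook['mitigations']
df_software = attack_workbook['software']
df_groups = attack_workbook['groups']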

#### Step 4: Clean Up Column Names

In [5]:
# Raw column labels as they appear in the workbook (mixed case, spaces, hyphens).
df_techniques.keys()

Index(['ID', 'name', 'description', 'url', 'created', 'last modified',
       'version', 'tactics', 'detection', 'platforms', 'data sources',
       'is sub-technique', 'sub-technique of', 'contributors',
       'system requirements', 'permissions required', 'effective permissions',
       'defenses bypassed', 'impact type', 'supports remote'],
      dtype='object')

In [6]:
# Normalise every frame's column labels (lower-case, snake_case) using the
# DataFrame method that pyjanitor registers on import.
df_datasources = df_datasources.clean_names()
df_tactics = df_tactics.clean_names()
df_techniques = df_techniques.clean_names()
df_relationships = df_relationships.clean_names()
df_mitigations = df_mitigations.clean_names()
df_software = df_software.clean_names()
df_groups = df_groups.clean_names()

In [7]:
# Column labels after cleaning: all lower-case snake_case, safe for attribute access.
df_techniques.keys()

Index(['id', 'name', 'description', 'url', 'created', 'last_modified',
       'version', 'tactics', 'detection', 'platforms', 'data_sources',
       'is_sub_technique', 'sub_technique_of', 'contributors',
       'system_requirements', 'permissions_required', 'effective_permissions',
       'defenses_bypassed', 'impact_type', 'supports_remote'],
      dtype='object')

In [None]:
# Mitigation (source) -> technique (target) mappings for the techniques of interest.
# NOTE(review): `list_of_techniques` is not defined anywhere visible in this
# notebook and this cell has no execution count, so it raises NameError on a
# fresh kernel until that list is built (presumably from the techniques frame).
mask_target_technique = df_relationships['target_id'].isin(list_of_techniques)
mask_mitigation_source = df_relationships["source_type"] == 'mitigation'
df_relationships.loc[mask_target_technique & mask_mitigation_source]

In [None]:
# First ten technique rows; positional slice, equivalent to head(10).
df_techniques.iloc[:10]

### References

https://attack.mitre.org/

https://attack.mitre.org/docs/enterprise-attack-v10.1/enterprise-attack-v10.1.xlsx

In [19]:
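# Column dtypes of the cleaned techniques frame (use .info() instead when
# non-null counts are also wanted). From the rendered output, `created` and
# `last_modified` are object rather than datetime and `supports_remote` is
# float64 rather than bool (presumably due to missing values), so convert
# those columns before filtering on them.
# NOTE(review): execution counts are not sequential around here (this cell is
# In [19], the next is In [8]); re-run top to bottom before sharing.
df_techniques.dtypes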

id                        object
name                      object
description               object
url                       object
created                   object
last_modified             object
version                  float64
tactics                   object
detection                 object
platforms                 object
data_sources              object
is_sub_technique            bool
sub_technique_of          object
contributors              object
system_requirements       object
permissions_required      object
effective_permissions     object
defenses_bypassed         object
impact_type               object
supports_remote          float64
dtype: object

In [8]:
# First ten relationship rows; positional slice, equivalent to head(10).
# The output shows an `Unnamed: 0` index column and empty `source_id` values
# for datacomponent rows — worth dropping/handling before joining on ids.
df_relationships.iloc[:10]

Unnamed: 0,source_id,source_name,source_type,mapping_type,target_id,target_name,target_type,mapping_description
0,,Active DNS,datacomponent,detects,T1583,Acquire Infrastructure,technique,
1,,Active DNS,datacomponent,detects,T1584,Compromise Infrastructure,technique,
2,,Active DNS,datacomponent,detects,T1584.002,DNS Server,technique,
3,,Active DNS,datacomponent,detects,T1583.001,Domains,technique,
4,,Active DNS,datacomponent,detects,T1584.001,Domains,technique,
5,,Active Directory Credential Request,datacomponent,detects,T1558.004,AS-REP Roasting,technique,
6,,Active Directory Credential Request,datacomponent,detects,T1558.001,Golden Ticket,technique,
7,,Active Directory Credential Request,datacomponent,detects,T1558.003,Kerberoasting,technique,
8,,Active Directory Credential Request,datacomponent,detects,T1550.002,Pass the Hash,technique,
9,,Active Directory Credential Request,datacomponent,detects,T1550.003,Pass the Ticket,technique,
