In [None]:
import requests
import json
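# Download the Enterprise ATT&CK STIX bundle published in the mitre/cti repository.
# NOTE(review): the URL follows the moving `master` branch, so the counts and
# scores printed by later cells depend on when the notebook was run. Pin the
# path to a release tag or commit to make the analysis reproducible.
url = "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json"
# requests applies no timeout by default; bound the wait so a stalled
# connection cannot hang the notebook indefinitely.
response = requests.get(url, timeout=30)
# Stop on an HTTP error status instead of trying to parse an error page as JSON.
response.raise_for_status()
data = response.json()
print(type(data))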


<class 'dict'>


In [None]:
# Show the top-level fields of the downloaded bundle.
bundle_fields = data.keys()
print(bundle_fields)


dict_keys(['type', 'id', 'objects', 'spec_version'])


In [None]:
# Keep only the bundle objects whose STIX type is "attack-pattern".
# NOTE(review): nothing here filters on `revoked` or `x_mitre_deprecated`, so
# retired entries are counted as well -- a likely reason some technique names
# appear twice in the ranked output; confirm against the dataset.
techniques = [
    entry for entry in data["objects"] if entry.get("type") == "attack-pattern"
]
print("Total attack techniques:", len(techniques))


Total attack techniques: 835


In [None]:
# List the fields available on the first technique object.
sample_fields = techniques[0].keys()
print(sample_fields)


dict_keys(['type', 'id', 'created', 'created_by_ref', 'external_references', 'object_marking_refs', 'modified', 'name', 'description', 'kill_chain_phases', 'x_mitre_attack_spec_version', 'x_mitre_deprecated', 'x_mitre_detection', 'x_mitre_domains', 'x_mitre_is_subtechnique', 'x_mitre_modified_by_ref', 'x_mitre_platforms', 'x_mitre_version'])


In [None]:
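def threat_score(tech):
    """Return a keyword-based triage score for one technique object.

    The score starts at 5 and gains a fixed weight for each keyword found as a
    case-insensitive substring: one set of keywords is checked against the
    technique's ``name``, another against its ``description``. With every
    keyword present the result is 24.

    Only ``name`` and ``description`` are read. The value is a text-matching
    heuristic for ordering a list, not a measured severity: a keyword adds the
    same weight whatever the surrounding sentence says about it.

    Args:
        tech: Mapping for one technique. A missing, ``None`` or non-string
            ``name`` / ``description`` is treated as empty text, so one
            malformed record cannot abort a scoring run over fetched data.

    Returns:
        The integer score (5 when no keyword matches).
    """
    def _lowered(value):
        # Fetched JSON may carry null or unexpected types in these fields.
        return value.lower() if isinstance(value, str) else ""

    name_weights = (
        ("credential", 3),
        ("execution", 2),
        ("privilege", 3),
        ("persistence", 2),
        ("lateral", 2),
    )
    description_weights = (
        ("administrator", 2),
        ("remote", 2),
        ("bypass", 2),
        ("stealth", 1),
    )

    name = _lowered(tech.get("name"))
    description = _lowered(tech.get("description"))

    score = 5   # Base score
    score += sum(weight for keyword, weight in name_weights if keyword in name)
    score += sum(
        weight for keyword, weight in description_weights if keyword in description
    )
    return score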


In [None]:
# Score a single technique as a quick sanity check of threat_score.
print("Example Technique:")
first_technique = techniques[0]
print("Name:", first_technique.get("name"))
print("Score:", threat_score(first_technique))


Example Technique:
Name: Extra Window Memory Injection
Score: 9


In [None]:
# Pair each technique's display name with its heuristic score, in dataset order.
scored_techniques = [
    (entry.get("name", "Unknown Technique"), threat_score(entry))
    for entry in techniques
]
print("Total Scored Techniques:", len(scored_techniques))


Total Scored Techniques: 835


In [None]:
# Preview the first five (name, score) pairs.
preview = scored_techniques[:5]
print(preview)


[('Extra Window Memory Injection', 9), ('Scheduled Task', 9), ('Socket Filters', 5), ('Indicator Removal from Tools', 5), ('Archive via Utility', 7)]


In [None]:
# Sort in place, highest score first; the sort is stable, so techniques with
# equal scores keep their existing relative order.
scored_techniques.sort(key=lambda pair: pair[1], reverse=True)
print("Top 10 Highest-Risk Techniques:\n")
for ranked in scored_techniques[:10]:
    technique_name, technique_score = ranked
    print(f"{technique_name} — Score: {technique_score}")


Top 10 Highest-Risk Techniques:

Additional Cloud Credentials — Score: 12
Bypass User Account Control — Score: 11
Distributed Component Object Model — Score: 11
Component Object Model and Distributed COM — Score: 11
Valid Accounts — Score: 11
SID-History Injection — Score: 11
Pass the Hash — Score: 11
Access Token Manipulation — Score: 11
Credentials from Web Browsers — Score: 10
Credentials from Web Browsers — Score: 10


In [None]:
print("Critical Threats (Score >= 8.9):\n")
# threat_score only ever adds whole numbers to its base, so the 8.9 cutoff
# selects the same rows as a cutoff of 9.
critical = [pair for pair in scored_techniques if pair[1] >= 8.9]
for technique_name, technique_score in critical:
    print(f"{technique_name} — Score: {technique_score}")


Critical Threats (Score >= 8.9):

Extra Window Memory Injection — Score: 9
Scheduled Task — Score: 9
Boot or Logon Initialization Scripts — Score: 9
PubPrn — Score: 9
Steal Web Session Cookie — Score: 9
Bypass User Account Control — Score: 11
SID-History Injection — Score: 9
Application Access Token — Score: 9
Spearphishing Link — Score: 9
Application Deployment Software — Score: 9
Indirect Command Execution — Score: 9
Additional Local or Domain Groups — Score: 9
Application Shimming — Score: 9
Credentials from Web Browsers — Score: 10
System Binary Proxy Execution — Score: 9
DLL Search Order Hijacking — Score: 9
CMSTP — Score: 9
SMB/Windows Admin Shares — Score: 9
Extra Window Memory Injection — Score: 9
Disable or Modify System Firewall — Score: 9
Browser Session Hijacking — Score: 9
Hybrid Identity — Score: 9
Rogue Domain Controller — Score: 9
Modify Registry — Score: 9
Credentials from Web Browsers — Score: 10
Default Accounts — Score: 9
At (Linux) — Score: 9
Distributed Component 

### Explanation

This threat scoring system helps cybersecurity analysts prioritize the most dangerous attack techniques from a large dataset.  
Each technique is assigned a risk score based on keywords in its name and description, such as credential access, privilege escalation, and stealth behavior.  
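Higher scores are intended to flag techniques that are more impactful and harder to detect. Because the score comes only from keyword matches in the name and description, it is a rough triage heuristic rather than a measured severity.  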
This allows security teams to focus their investigation on critical threats first instead of analyzing all techniques manually.
