# Working with ATT&CK


## Background

pyattck can be used to query the ATT&CK TAXII server and interact with ATT&CK programmatically. In this workbook, we show some basic usage of it, how to generate a coverage spreadsheet, and then how to generate a layer file for Navigator.

* ATT&CK on Github
    * https://github.com/mitre/cti
    * https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json 

* pyattck
    * https://pyattck.readthedocs.io/en/latest/
    * https://swimlane.com/blog/swimlane-pyattack-works-with-mitre-att-ck-framework/

<hr>

## Part 1 - General usage

In [None]:
from pyattck import Attck

# Load the ATT&CK dataset. Per the links above, pyattck presumably fetches the
# enterprise-attack JSON over the network on first use (and may cache it);
# nothing here pins the source or version, so in a restricted or offline
# environment check the pyattck docs for where it reads from — TODO confirm.
attack = Attck()

In [None]:
# List every tactic name in the loaded dataset, one per line.
tactic_names = [entry.name for entry in attack.tactics]
for name in tactic_names:
    print(name)

## Exploring Tactics

In [None]:
# Pick the first tactic as a worked example; raises IndexError if no tactics loaded.
example_tactic = attack.tactics[0]

In [None]:
# Bare expression: the notebook displays the tactic's name.
example_tactic.name

In [None]:
# print() rather than a bare expression so embedded newlines render.
print(example_tactic.description)

In [None]:
# Show id and name of every technique attached to the example tactic.
listed = [(entry.id, entry.name) for entry in example_tactic.techniques]
for technique_id, technique_name in listed:
    print(technique_id, technique_name)

## Exploring Techniques

In [None]:
# Arbitrary sixth technique as a worked example; IndexError if fewer are loaded.
example_technique = attack.techniques[5]

In [None]:
# Bare expression: displays the technique's name.
example_technique.name

In [None]:
# Bare expression: displays the technique's ATT&CK id (the Txxxx value).
example_technique.id

In [None]:
# Bare expression: displays the raw description (newlines shown escaped).
example_technique.description

In [None]:
# Bare expression: presumably the link to the technique's ATT&CK page — TODO confirm.
example_technique.wiki

In [None]:
# Names of the groups the dataset attributes this technique to.
attributed_groups = [group.name for group in example_technique.actors]
for group_name in attributed_groups:
    print(group_name)

In [None]:
# Bare expression: the technique's detection text as carried in the dataset.
example_technique.detection

In [None]:
# Dump detection text for every technique, with the name in bold
# via ANSI escapes (only renders in terminals/notebooks that honour them).
for entry in attack.techniques:
    bold_name = '\033[1m' + entry.name
    reset_then_newline = '\033[0m' + '\n'
    print(bold_name, reset_then_newline, entry.detection, '\n')

## Exploring Actors

In [None]:
# Print each group's description, separated by a blank line.
for group in attack.actors:
    summary = group.description
    print(summary, '\n')

In [None]:
# For every group, list the techniques the dataset attributes to it.
for group in attack.actors:
    print(group.name)
    used = [(entry.id, entry.name) for entry in group.techniques]
    for technique_id, technique_name in used:
        print('-', technique_id, technique_name)

In [None]:
# Profile of a single group: its techniques, tools and malware as recorded
# in the dataset. The name match is exact and case-sensitive.
for group in attack.actors:
    if group.name != 'APT28':
        continue
    print('Techniques\n====')
    for entry in group.techniques:
        print('-', entry.id, entry.name)
    print('Tools\n=====')
    for tool_entry in group.tools:
        # Collapse multi-line descriptions onto one line for readability.
        flattened = tool_entry.description.replace('\n', ' ')
        print(tool_entry.name, '-', flattened)
    print('\nMalware\n=====')
    for sample in group.malwares:
        print(sample.name, '-', sample.description)

<hr>

# Part 2 - Generate Coverage Spreadsheet

## Group Techniques by Data Source

In [None]:
from collections import defaultdict

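def group_techniques_by_data_source(attack, actor_name=None):
    """Map each ATT&CK data source to the ids of the techniques that cite it.

    Args:
        attack: A loaded ``pyattck.Attck`` object (anything exposing
            ``.techniques``, where each technique has ``.id``, ``.actors``
            and ``.data_source``).
        actor_name: Optional group name, e.g. ``'APT1'``. When truthy, only
            techniques attributed to an actor whose ``.name`` equals it
            exactly are counted; when ``None``/empty every technique counts.

    Returns:
        A ``defaultdict(list)`` keyed by data-source name whose values are
        technique ids in encounter order. Because it is a defaultdict,
        looking up a key that is absent inserts an empty list instead of
        raising ``KeyError`` — convert with ``dict(...)`` if that matters.
    """
    data_sources = defaultdict(list)
    for technique in attack.techniques:
        # Short-circuit on the first matching actor instead of building the
        # whole list of actor names for every technique.
        if actor_name and not any(actor.name == actor_name for actor in technique.actors):
            continue
        # data_source may be None/empty for techniques with no listed source.
        for data_source in technique.data_source or ():
            data_sources[data_source].append(technique.id)
    return data_sources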

In [None]:
# Coverage map over all techniques (no actor filter).
data_source_map = group_techniques_by_data_source(attack)

In [None]:
# All data-source names that at least one technique cites.
data_source_map.keys()

In [None]:
# Technique ids citing this data source. NOTE: the map is a defaultdict, so a
# misspelled key returns [] and is silently inserted — it would then appear
# as an empty row in the spreadsheet below.
data_source_map['Authentication logs']

In [None]:
# Same map restricted to techniques attributed to APT1 (exact name match).
apt1_data_source_map = group_techniques_by_data_source(attack, actor_name='APT1')
apt1_data_source_map.keys()

In [None]:
# defaultdict lookup: an absent key yields [] and inserts it rather than raising.
apt1_data_source_map['Authentication logs']

## Generate the spreadsheet

In [None]:
import pandas as pd

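def create_data_source_spreadsheet(data_source_map, fp='Data Source Coverage Spreadsheet.xlsx'):
    """Write a data-source coverage worksheet to an ``.xlsx`` file.

    One row per data source with the number of techniques that cite it, plus
    two blank columns ('Data Source Available?', 'Comments') for the analyst
    to fill in. Rows are sorted by data-source name.

    Args:
        data_source_map: Mapping of data-source name -> list of technique ids,
            e.g. the result of ``group_techniques_by_data_source``.
        fp: Output path handed straight to ``DataFrame.to_excel`` (relative
            paths resolve against the current working directory; an Excel
            writer engine must be installed).

    Returns:
        None. Prints the path that was written.
    """
    # Compute the count while building the rows instead of via
    # ``Series.str.len()`` on a column of lists: this keeps the frame's
    # columns fixed, so an empty map still produces a valid (header-only)
    # sheet instead of failing on a missing ``Techniques`` column.
    rows = [
        {
            'Data Source': data_source,
            'Num of Techniques': len(techniques),
            'Data Source Available?': '',
            'Comments': '',
        }
        for data_source, techniques in data_source_map.items()
    ]
    columns = ['Data Source', 'Num of Techniques', 'Data Source Available?', 'Comments']
    frame = pd.DataFrame(rows, columns=columns).set_index('Data Source').sort_index()
    frame.to_excel(fp)

    print(f'Wrote data source coverage spreadsheet to {fp}')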

In [None]:
# Writes the default filename into the current working directory.
create_data_source_spreadsheet(data_source_map)

In [None]:
# Second workbook for the APT1-only map, again relative to the working directory.
create_data_source_spreadsheet(apt1_data_source_map, fp='APT1 Data Source Coverage Spreadsheet.xlsx')