Merge pull request #87 from rabobank-cdc/dev-campaigns

Campaigns

Author: rubinatorz

Dockerfile

@@ -1,6 +1,6 @@
 FROM python:3.10-slim-bullseye
 
-LABEL version="1.7.0"
+LABEL version="1.8.0"
 
 # copy DeTT&CT and install the requirements
 COPY . /opt/DeTTECT

README.md

@@ -2,7 +2,7 @@
 <img src="https://github.com/rabobank-cdc/DeTTECT/wiki/images/logo.png#gh-light-mode-only" alt="DeTT&CT" width=30% height=30%>
 
 #### Detect Tactics, Techniques & Combat Threats
-Latest version: [1.7.0](https://github.com/rabobank-cdc/DeTTECT/wiki/Changelog#version-170)
+Latest version: [1.8.0](https://github.com/rabobank-cdc/DeTTECT/wiki/Changelog#version-170)
 
 To get started with DeTT&CT, check out one of these resources:
 - This [page](https://github.com/rabobank-cdc/DeTTECT/wiki/Getting-started) on the Wiki.

constants.py

@@ -4,19 +4,22 @@
 
 APP_NAME = 'DeTT&CT'
 APP_DESC = 'Detect Tactics, Techniques & Combat Threats'
-VERSION = '1.7.0'
+VERSION = '1.8.0'
 
-EXPIRE_TIME = 60 * 60 * 24
+EXPIRE_TIME = 60 * 60 * 24 * 7
 
 # MITRE ATT&CK data types for custom schema and STIX
 DATA_TYPE_CUSTOM_TECH_BY_GROUP = 'mitre_techniques_used_by_group'
 DATA_TYPE_CUSTOM_TECH_BY_SOFTWARE = 'mitre_techniques_used_by_software'
+DATA_TYPE_CUSTOM_TECH_IN_CAMPAIGN = 'mitre_techniques_used_in_campaign'
 DATA_TYPE_CUSTOM_SOFTWARE_BY_GROUP = 'mitre_software_used_by_group'
+DATA_TYPE_CUSTOM_SOFTWARE_IN_CAMPAIGN = 'mitre_software_used_in_campaign'
 DATA_TYPE_STIX_ALL_TECH = 'mitre_all_techniques'
 DATA_TYPE_STIX_ALL_TECH_ENTERPRISE = 'mitre_all_techniques_enterprise'
 DATA_TYPE_STIX_ALL_TECH_ICS = 'mitre_all_techniques_ics'
 DATA_TYPE_STIX_ALL_TECH_MOBILE = 'mitre_all_techniques_mobile'
 DATA_TYPE_STIX_ALL_GROUPS = 'mitre_all_groups'
+DATA_TYPE_STIX_ALL_CAMPAIGNS = 'mitre_all_campaigns'
 DATA_TYPE_STIX_ALL_SOFTWARE = 'mitre_all_software'
 DATA_TYPE_STIX_ALL_RELATIONSHIPS = 'mitre_all_relationships'
 DATA_TYPE_STIX_ALL_ENTERPRISE_MITIGATIONS = 'mitre_all_mitigations_enterprise'
@@ -83,6 +86,7 @@
 
 # Overlay types as used within the group functionality
 OVERLAY_TYPE_GROUP = 'group'
+OVERLAY_TYPE_CAMPAIGN = 'campaign'
 OVERLAY_TYPE_VISIBILITY = 'visibility'
 OVERLAY_TYPE_DETECTION = 'detection'
 

dettect.py

@@ -161,29 +161,43 @@ def _init_menu():
                                          description='Create threat actor group heat maps, compare group(s) and '
                                          'compare group(s) with visibility and detection coverage.',
                                          help='threat actor group mapping')
-    parser_group.add_argument('-g', '--groups', help='specify the ATT&CK Groups to include. Group can be its ID, '
-                                                     'name or alias (default is all groups). Multiple Groups can be '
-                                                     'provided with extra \'-g/--group\' arguments. Another option is '
-                                                     'to provide a YAML file with a custom group(s)',
+    parser_group.add_argument('-g', '--groups', help='specify the ATT&CK Groups to include. A group can be its ID, name or alias. '
+                                                     'If no group is specified, all groups are used (except when a -c/--campaign '
+                                                     'is specified). The -g/--groups and -c/--campaign options complement each other. '
+                                                     'Multiple Groups can be provided with extra -g/--group arguments. Another '
+                                                     'option is to provide a YAML file with a custom group(s)',
+                              default=None, action='append')
+    parser_group.add_argument('-c', '--campaigns', help='specify the ATT&CK Campaigns to include. A campaign can be its ID or name. '
+                                                     'If no campaign is specified, all campaigns are used (except when a -g/--group '
+                                                     'is specified). The -c/--campaign and -g/--groups options complement each other. '
+                                                     'Multiple Campaigns can be provided with extra -c/--campaign arguments.',
                               default=None, action='append')
     parser_group.add_argument('-d', '--domain', help='specify the ATT&CK domain (default = enterprise). This argument '
                                                      'is ignored if a domain is specified in the Group YAML file.',
                               required=False, choices=['enterprise', 'ics', 'mobile'])
-    parser_group.add_argument('-o', '--overlay', help='specify what to overlay on the group(s) (provided using the '
-                                                      'arguments \-g/--groups\): group(s), visibility or detection. '
-                                                      'When overlaying a GROUP: the group can be its ATT&CK ID, '
-                                                      'name or alias. Multiple Groups can be provided with extra '
-                                                      '\'-o/--overlay\' arguments. Another option is to provide a '
+    parser_group.add_argument('-o', '--overlay', help='specify what to overlay: group(s), campaign(s), visibility or detection. '
+                                                      'Default overlay type is Groups, to change it use -t/--overlay-type. '
+                                                      'When overlaying a Group: it can be its ATT&CK ID, name or alias. '
+                                                      'When overlaying a Campaign: it can be its ID or name. '
+                                                      'Multiple Groups or Campaigns can be provided with extra '
+                                                      '-o/--overlay arguments. Another option is to provide a '
                                                       'YAML file with a custom group(s). When overlaying VISIBILITY '
-                                                      'or DETECTION provide a YAML with the technique administration.)',
+                                                      'or DETECTION provide a YAML with the technique administration. ',
                                                       action='append')
     parser_group.add_argument('-t', '--overlay-type', help='specify the type of overlay (default = group)',
-                              choices=['group', 'visibility', 'detection'], default='group')
-    parser_group.add_argument('--software-group', help='add techniques to the heat map by checking which software is '
-                                                       'used by group(s), and hence which techniques the software '
-                                                       'supports (does not influence the scores). If overlay group(s) '
-                                                       'are provided, only software related to those group(s) are '
-                                                       'included', action='store_true', default=False)
+                              choices=['group', 'campaign', 'visibility', 'detection'], default='group')
+
+    software_parse_group = parser_group.add_mutually_exclusive_group()
+    software_parse_group.add_argument('--software', help='add techniques to the heat map by checking which software is used by '
+                                                 'groups/campaigns, and hence which techniques the software '
+                                                 'supports (does not influence the scores). If overlay groups/campaigns '
+                                                 'are provided, only software related to those groups/campaigns are '
+                                                 'included. Cannot be used together with --include-software',
+                                      action='store_true', default=False)
+    software_parse_group.add_argument('--include-software', help='include techniques that software supports in the scores for '
+                                                         'groups/campaigns in scope. Cannot be used together with --software',
+                                      action='store_true', default=False)
+
     parser_group.add_argument('-p', '--platform', action='append', help='specify the platform (default = all). Multiple platforms '
                               'can be provided with extra \'-p/--platform\' arguments. The available platforms '
                               ' can be listed from the generic mode: \'ge --list-platforms\'')
@@ -300,8 +314,8 @@ def _menu(menu_parser):
     # TODO add Group EQL search capabilities
     elif args.subparser in ['group', 'g']:
         layer_settings = _parse_layer_settings(args.layer_settings)
-        generate_group_heat_map(args.groups, args.overlay, args.overlay_type, args.platform,
-                                args.software_group, args.search_visibility, args.search_detection, args.health,
+        generate_group_heat_map(args.groups, args.campaigns, args.overlay, args.overlay_type, args.platform,
+                                args.software, args.include_software, args.search_visibility, args.search_detection, args.health,
                                 args.output_filename, args.layer_name, args.domain, layer_settings,
                                 include_all_score_objs=args.all_scores)
 

generic.py

@@ -94,13 +94,30 @@ def _convert_stix_groups_to_dict(stix_attack_data):
     :return: list with dictionaries containing all groups from the input stix_attack_data
     """
     attack_data = []
-    for stix_tech in stix_attack_data:
-        tech = json.loads(stix_tech.serialize(), object_hook=_date_hook)
+    for stix_group in stix_attack_data:
+        group = json.loads(stix_group.serialize(), object_hook=_date_hook)
 
         # Add group_id as key, because it's hard to get from STIX:
-        tech['group_id'] = get_attack_id(stix_tech)
+        group['group_id'] = get_attack_id(stix_group)
 
-        attack_data.append(tech)
+        attack_data.append(group)
+
+    return attack_data
+
+def _convert_stix_campaigns_to_dict(stix_attack_data):
+    """
+    Convert the STIX list with Campaign to a dictionary for easier use in python and also include the campaign_id.
+    :param stix_attack_data: the MITRE ATT&CK STIX dataset with campaigns
+    :return: list with dictionaries containing all campaigns from the input stix_attack_data
+    """
+    attack_data = []
+    for stix_campaign in stix_attack_data:
+        campaign = json.loads(stix_campaign.serialize(), object_hook=_date_hook)
+
+        # Add campaign_id as key, because it's hard to get from STIX:
+        campaign['campaign_id'] = get_attack_id(stix_campaign)
+
+        attack_data.append(campaign)
 
     return attack_data
 
@@ -191,6 +208,43 @@ def load_attack_data(data_type):
                         })
 
         attack_data = all_group_use
+    elif data_type == DATA_TYPE_CUSTOM_TECH_IN_CAMPAIGN:
+        # First we need to know which technique references (STIX Object type 'attack-pattern') we have for all
+        # campaigns. This results in a dict: {campaign_id: Cxxxx, technique_ref/attack-pattern_ref: ...}
+        campaigns = load_attack_data(DATA_TYPE_STIX_ALL_CAMPAIGNS)
+        relationships = load_attack_data(DATA_TYPE_STIX_ALL_RELATIONSHIPS)
+        all_campaigns_relationships = []
+        for c in campaigns:
+            for r in relationships:
+                if c['id'] == r['source_ref'] and r['relationship_type'] == 'uses' and \
+                        r['target_ref'].startswith('attack-pattern--'):
+                    # more information on the campaign can be added. Only the minimal required data is added.
+                    all_campaigns_relationships.append(
+                        {
+                            'campaign_id': get_attack_id(c),
+                            'name': c['name'],
+                            'technique_ref': r['target_ref'],
+                            'x_mitre_domains': c['x_mitre_domains'] if 'x_mitre_domains' in c.keys() else ['enterprise-attack']
+                        })
+
+        # Now we start resolving this part of the dict created above: 'technique_ref/attack-pattern_ref'.
+        # and we add some more data to the final result.
+        all_campaigns_use = []
+        techniques = load_attack_data(DATA_TYPE_STIX_ALL_TECH)
+        for cr in all_campaigns_relationships:
+            for t in techniques:
+                if t['id'] == cr['technique_ref']:
+                    all_campaigns_use.append(
+                        {
+                            'campaign_id': cr['campaign_id'],
+                            'name': cr['name'],
+                            'technique_id': get_attack_id(t),
+                            'x_mitre_platforms': t.get('x_mitre_platforms', None),
+                            'x_mitre_domains': cr['x_mitre_domains'],
+                            'matrix': t['external_references'][0]['source_name']
+                        })
+
+        attack_data = all_campaigns_use
 
     elif data_type == DATA_TYPE_STIX_ALL_TECH:
         stix_attack_data = mitre.get_techniques()
@@ -216,6 +270,10 @@ def load_attack_data(data_type):
         # Combine groups from all matrices together:
         attack_data = _convert_stix_groups_to_dict(groups_enterprise + groups_ics + groups_mobile)
 
+    elif data_type == DATA_TYPE_STIX_ALL_CAMPAIGNS:
+        campaigns = mitre.get_campaigns()
+        attack_data = _convert_stix_campaigns_to_dict(campaigns)
+
     elif data_type == DATA_TYPE_STIX_ALL_SOFTWARE:
         attack_data = mitre.get_software()
     elif data_type == DATA_TYPE_CUSTOM_TECH_BY_SOFTWARE:
@@ -283,6 +341,42 @@ def load_attack_data(data_type):
                         })
         attack_data = all_group_use
 
+    elif data_type == DATA_TYPE_CUSTOM_SOFTWARE_IN_CAMPAIGN:
+        # First we need to know which software references (STIX Object type 'malware' or 'tool') we have for all
+        # campaigns. This results in a dict: {campaign_id: Cxxxx, software_ref/malware-tool_ref: ...}
+        campaigns = load_attack_data(DATA_TYPE_STIX_ALL_CAMPAIGNS)
+        relationships = load_attack_data(DATA_TYPE_STIX_ALL_RELATIONSHIPS)
+        all_campaigns_relationships = []
+        for campaign in campaigns:
+            for r in relationships:
+                if campaign['id'] == r['source_ref'] and r['relationship_type'] == 'uses' and \
+                        (r['target_ref'].startswith('tool--') or r['target_ref'].startswith('malware--')):
+                    all_campaigns_relationships.append(
+                        {
+                            'campaign_id': get_attack_id(campaign),
+                            'name': campaign['name'],
+                            'software_ref': r['target_ref'],
+                            'x_mitre_domains': campaign['x_mitre_domains']
+                        })
+
+        # Now we start resolving this part of the dict created above: 'software_ref/malware-tool_ref'.
+        # and we add some more data to the final result.
+        all_campaign_use = []
+        software = load_attack_data(DATA_TYPE_STIX_ALL_SOFTWARE)
+        for campaign in all_campaigns_relationships:
+            for s in software:
+                if s['id'] == campaign['software_ref']:
+                    all_campaign_use.append(
+                        {
+                            'campaign_id': campaign['campaign_id'],
+                            'name': campaign['name'],
+                            'software_id': get_attack_id(s),
+                            'x_mitre_platforms': s.get('x_mitre_platforms', None),
+                            'x_mitre_domains': campaign['x_mitre_domains'],
+                            'matrix': s['external_references'][0]['source_name']
+                        })
+        attack_data = all_campaign_use
+
     elif data_type == DATA_TYPE_STIX_ALL_ENTERPRISE_MITIGATIONS:
         attack_data = mitre.get_enterprise_mitigations()
         attack_data = mitre.remove_revoked_deprecated(attack_data)
@@ -983,3 +1077,19 @@ def check_platform(arg_platforms, filename=None, domain=None):
 
         return False
     return True
+
+
+def merge_group_dict(dict1, dict2):
+    """
+    Merge the techniques from dict2 with the techniques in dict1.
+    :param dict1 The first dictionary
+    :param dict2 The other dictionary
+    """
+    for group_name, values in dict2.items():
+        if group_name not in dict1.keys():
+                dict1[group_name] = values
+        else:
+            for technique in values['techniques']:
+                if technique not in dict1[group_name]['techniques']:
+                    dict1[group_name]['techniques'].add(technique)
+                    dict1[group_name]['weight'][technique] = 1