ATTACK
The ATTACK object provides a simple interface for loading and interacting with the ATT&CK framework.
Initialization
We provide two methods of loading the ATTACK object, either from a local repository through load(), or by downloading the ATTACK object from a remote repository using download().
The recommended way of initializing an ATTACK object is through load() as this assures that your project works with a consistent version of the MITRE ATT&CK framework and avoids repeated downloading of the CTI sources.
Example
# Import ATT&CK
from py_attack import ATTACK
# Load from local repository - recommended
attack = ATTACK.load(
path = "path/to/local/cti/{domain}-attack/{domain}-attack.json",
domains = ['enterprise', 'ics', 'mobile', 'pre'],
)
# Download from online source
attack = ATTACK.download(
url = "https://raw.githubusercontent.com/mitre/cti/master/{domain}-attack/{domain}-attack.json",
domains = ['enterprise', 'ics', 'mobile', 'pre'],
)
Domains
You can get, set and delete MITRE ATTACKDomain s according to its DomainTypes (see types).
Example
# Import ATT&CK
from py_attack import ATTACK, ATTACKDomain
# Load from local repository - recommended
attack = ATTACK.load(
path = "path/to/local/cti/{domain}-attack/{domain}-attack.json",
domains = ['enterprise', 'ics', 'mobile', 'pre'],
)
# Get enterprise domain
enterprise = attack['enterprise']
# Delete enterprise domain
del attack['enterprise']
# Set enterprise domain
attack['enterprise'] = ATTACKDomain.load(
path = "path/to/local/cti/{domain}-attack/{domain}-attack.json",
domain = 'enterprise',
)
# Iterate over all domains
for domain in attack:
...
# Show number of domains
print(len(attack))
Iterators
Similar to ATTACKDomain, ATTACK provides iterators to iterate over all concepts for each ATTACKDomain of the ATTACK object.
The ATTACK object supports iterators for the following concepts: matrices, tactics, techniques, sub_techniques, groups, software, procedures, relationships and mitigations,.
All of these are easily accessible via the following iterator properties:
Example
# Import ATT&CK
from py_attack import ATTACK
# Load from local repository - recommended
attack = ATTACK.load(
path = "path/to/local/cti/{domain}-attack/{domain}-attack.json",
domains = ['enterprise', 'ics', 'mobile', 'pre'],
)
# Iterate over different concepts
for concept in attack.concepts:
...
for matrices in attack.matrices:
...
for tactics in attack.tactics:
...
for techniques in attack.techniques:
...
for sub_techniques in attack.sub_techniques:
...
for groups in attack.groups:
...
for software in attack.software:
...
for procedures in attack.procedures:
...
for relationships in attack.relationships:
...
for mitigations in attack.mitigations:
...
Graph
All concepts within the ATTACK have defined relations between them.
E.g., each domain specifies groups that use techniques to achieve tactics using specific software.
These concepts and relations can therefore be modeled in a graph provided by the graph property.
Because all these concepts are related, we provide a method to find concepts that are (in)directly related to a given concept:
Example
# Import ATT&CK
from py_attack import ATTACK
# Load from local repository - recommended
attack = ATTACK.load(
path = "path/to/local/cti/{domain}-attack/{domain}-attack.json",
domains = ['enterprise', 'ics', 'mobile', 'pre'],
)
# Get domain graph
graph = attack.graph
# Get concepts related to given ID T1087
related = attack.related_concepts('T1087')