Over the last year or so, MITRE's ATT&CK framework has gained significant traction among incident responders and threat hunters alike. If you've been living under a rock, MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a "curated knowledge base and model for cyber adversary behavior."

Breach and Attack Simulation (BAS)

If you're not familiar with BAS, check out a primer on it here. Although BAS is a new category of cybersecurity tools, the ATT&CK framework has validated its need. As with the vendor bake-offs mentioned above, MITRE ATT&CK can help your organization determine which BAS tool to implement.
Python module to interact with the MITRE attack framework
The MITRE Attack API Python module provides an easy way to access data from the MITRE ATT&CK framework. With this module, you can manipulate the data provided by the MITRE API. The `AttackAPI` object has the following methods:
| Method | Method Details |
|---|---|
| `get_all_techniques()` | Returns a list of dictionaries, each representing a technique and its important attributes |
| `get_all_groups()` | Returns a list of dictionaries, each representing a group and its important attributes |
| `get_all_software()` | Returns a list of dictionaries, each representing a software/tool and its important attributes |
| `get_all_subobjects()` | Returns a list of dictionaries, each representing a technique subobject and its important attributes |
| `get_matrix()` | Returns a list of dictionaries, each containing a single tactic-to-technique mapping |
| `get_attribution()` | Returns a list of dictionaries, each representing a group with details on the software and techniques used by that group |
| `get_all()` | Returns a list of dictionaries with much of the information above in a flat format, including all of the attribution data as well as the technique data |
**Note:** You can see all of the above methods in use in the 'Examples' section.
If you have pip installed, run `pip install mitreapi`.

Otherwise:

- Clone this repo
- Run `python setup.py install` in the root of the cloned repo directory
- Integrate with your code through `from mitreapi import AttackAPI`
- The easiest way to use this package is with the pandas module, so if you don't have that, run `pip install pandas`
- Below is a trivial example of integration; look at the examples section for more information
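As an added illustration (not the project's own example), the following shows the kind of defender-side work the `get_matrix()` and `get_attribution()` results lend themselves to: indexing techniques to tactics, summarising which tactics a group's known techniques cover, and listing the techniques of a group that your own detections do not yet cover. The sample lists are constructed to match the README's description of those two methods, and the dictionary key names used are assumptions, since the page does not spell them out; plain Python is used instead of pandas so it runs with no extra packages.

```python
from collections import defaultdict

# Constructed sample data shaped like the lists of dicts the README says
# AttackAPI.get_matrix() and AttackAPI.get_attribution() return. The key names
# ("tactic", "technique", "group", "software", "techniques") are assumptions;
# confirm them against the real module's output before relying on them.
SAMPLE_MATRIX = [
    {"tactic": "Initial Access", "technique": "Spearphishing Attachment"},
    {"tactic": "Execution", "technique": "PowerShell"},
    {"tactic": "Execution", "technique": "Scripting"},
    {"tactic": "Persistence", "technique": "Registry Run Keys"},
    {"tactic": "Credential Access", "technique": "Credential Dumping"},
    {"tactic": "Lateral Movement", "technique": "Remote Desktop Protocol"},
]
SAMPLE_ATTRIBUTION = [
    {"group": "EXAMPLE-GROUP-A", "software": ["EXAMPLE-TOOL"],
     "techniques": ["Spearphishing Attachment", "PowerShell", "Credential Dumping"]},
    {"group": "EXAMPLE-GROUP-B", "software": [],
     "techniques": ["Registry Run Keys", "Remote Desktop Protocol", "Scripting"]},
]

def technique_to_tactics(matrix):
    """Index each technique to the set of tactics it is listed under.
    A technique may appear under more than one tactic, hence a set."""
    index = defaultdict(set)
    for row in matrix:
        index[row["technique"]].add(row["tactic"])
    return index

def group_tactics(attribution, matrix):
    """Map each group to the sorted tactics its known techniques cover."""
    index = technique_to_tactics(matrix)
    return {g["group"]: sorted({t for tech in g["techniques"] for t in index.get(tech, ())})
            for g in attribution}

def detection_gaps(group_name, attribution, detected_techniques):
    """Return the group's techniques that none of your analytics cover,
    the list a threat hunter would use to prioritise new detections."""
    for g in attribution:
        if g["group"] == group_name:
            return sorted(set(g["techniques"]) - set(detected_techniques))
    raise KeyError(f"unknown group: {group_name}")

if __name__ == "__main__":
    print(group_tactics(SAMPLE_ATTRIBUTION, SAMPLE_MATRIX))
    print(detection_gaps("EXAMPLE-GROUP-A", SAMPLE_ATTRIBUTION, {"PowerShell"}))
```

With the module installed, the two sample lists can be replaced by the output of `get_matrix()` and `get_attribution()` on an `AttackAPI` instance once the key names have been confirmed.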