This repository was created for the FIRST Threat-Informed Defense workshop.
The workshop will start with the process of taking in new threat intel reports and identifying MITRE ATT&CK techniques. From there we will integrate the new techniques into the ATT&CK Workbench to allow us to centralize our ATT&CK-connected threat intel. We will model the intel to help us understand the full sequence of events described in the intel and develop and test approaches to mitigation.
This session will be hands on. Attendees should bring laptops that they can install and run Docker containers on.
This session will leverage publicly available research developed by the Center for Threat-Informed Defense:
- Attack Flow - https://ctid.mitre-engenuity.org/our-work/attack-flow/
- ATT&CK Workbench - https://ctid.mitre-engenuity.org/our-work/attack-workbench/
- Intro: A short overview of the Center for Threat-Informed Defense, our R&D program, and how to get involved.
- Identifying ATT&CK Techniques in CTI reports: We will read through a CTI report and see how we can turn prose into TTPs.
- Extending & Customizing ATT&CK: ATT&CK Workbench is a publicly available tool that allows you to extend ATT&CK by importing your own adversaries, techniques, or red team activities. We will identify each of them from the CTI report and add them into Workbench.
  - ATT&CK Navigator: import the extended ATT&CK matrix from Workbench, import the NIST 800-53 controls, and look at gaps.
  - Custom ATT&CK Website: show your extended information in the traditional ATT&CK view. The website allows for more detail.
- Building Attack Flows with ATT&CK: Attack Flow creates a common language to describe and visualize a series of adversary attacks. Building off the CTI that was added to Workbench, we will build an Attack Flow to visualize the attack.
- Using Security Controls to Identify Gaps: Now that we have identified an adversary and visualized the attack, we will show how to mitigate that attack with security controls, and then validate those controls with red team activities.
A Chrome extension for working with ATT&CK: https://chrome.google.com/webstore/detail/attck-powered-suit/gfhomppaadldngjnmbefmmiokgefjddd?hl=en&authuser=0
The hands-on mapping exercise will use this report: https://www.ic3.gov/Media/News/2021/210521.pdf
Parts of our workshop will require setup and installation of the ATT&CK Workbench, a local copy of the ATT&CK Navigator, and a local copy of the ATT&CK website.
Please follow these steps carefully to ensure a successful install.
- A git client: we recommend GitHub Desktop for simplicity, but any git client will work.
- Node.js: you can download NodeJS here.
- Docker Desktop for Windows or Docker Desktop for Mac.
- Python: download Python here.
- Angular CLI: `npm install -g @angular/cli`
- pip:
  - Mac: `python -m ensurepip --upgrade`
  - Windows: `py -m ensurepip --upgrade`
All repos should be under the same parent folder.

The ATT&CK Workbench consists of three Git repositories:

- attack-workbench-frontend
  - Through GitHub Desktop: https://github.com/center-for-threat-informed-defense/attack-workbench-frontend.git
  - Through git CLI: `git clone https://github.com/center-for-threat-informed-defense/attack-workbench-frontend.git`
- attack-workbench-rest-api
  - Through GitHub Desktop: https://github.com/center-for-threat-informed-defense/attack-workbench-rest-api.git
  - Through git CLI: `git clone https://github.com/center-for-threat-informed-defense/attack-workbench-rest-api.git`
- attack-workbench-collection-manager
  - Through GitHub Desktop: https://github.com/center-for-threat-informed-defense/attack-workbench-collection-manager.git
  - Through git CLI: `git clone https://github.com/center-for-threat-informed-defense/attack-workbench-collection-manager.git`

To eliminate timeouts, replace ./attack-workbench-frontend/nginx/nginx.conf with this updated .conf file.

To make the Workbench database persistent, replace ./attack-workbench-frontend/docker-compose.yml with this updated file.

ATT&CK Navigator:

- Through GitHub Desktop: https://github.com/mitre-attack/attack-navigator.git
- Through git CLI: `git clone https://github.com/mitre-attack/attack-navigator.git`

To point Navigator at your Workbench, replace ./attack-navigator/nav-app/src/assets/config.json with this updated file.

ATT&CK Website:

- Through GitHub Desktop: https://github.com/mitre-attack/attack-website.git
- Through git CLI: `git clone https://github.com/mitre-attack/attack-website.git`

To point the Website at your local instance of Workbench and Navigator, replace ./attack-website/modules/site_config.py with this updated file.
YOU MUST START THE DOCKER DAEMON BEFORE RUNNING DOCKER COMPOSE. You can do this by starting Docker Desktop.

- Navigate to the ./attack-workbench-frontend directory (containing the docker-compose.yml file).
- Run the command:

  ```
  docker-compose up
  ```

  This command will build all of the necessary Docker images and run the corresponding Docker containers.

With docker-compose running you can access the ATT&CK Workbench application by visiting the URL localhost in your browser. To shut down Workbench, open a new terminal in ./attack-workbench-frontend and run:

```
docker-compose down
```
- Navigate to ./attack-navigator/nav-app
- Run `npm install`
- Run `ng serve` within ./attack-navigator/nav-app
- Browse to localhost:4200 in your browser
- Navigate to ./attack-website
- Create a virtual environment:
  - macOS and Linux: `python3 -m venv env`
  - Windows: `py -m venv env`
- Activate the virtual environment:
  - macOS and Linux: `source env/bin/activate`
  - Windows: `env/Scripts/activate.bat`
- Install the required packages: `pip3 install -r requirements.txt`
- Update local ATT&CK data: `python3 update-attack.py`

  Note: update-attack.py has many optional command line arguments which affect the behavior of the build. Run `python3 update-attack.py -h` for a list of arguments and an explanation of their functionality.
- Serve the html to localhost:8000:

  ```
  cd output
  python3 -m pelican.server
  ```
Refreshing website content: to refresh the website based on modified ATT&CK Workbench data, run the following commands from your ATT&CK Website directory:

- Stop the pelican server by pressing ctrl-c in the terminal window for the running website.
- Update your web pages:

  ```
  cd ..
  python3 update-attack.py
  ```

- Serve the html to localhost:8000:

  ```
  cd output
  python3 -m pelican.server
  ```
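The setup steps above, gathered into one script as an added example (not part of the workshop repository or any of the tools it uses): it checks that the prerequisite tools are on PATH, verifies the Docker daemon is running before anything calls docker-compose, and clones the five repositories under a single parent folder. The tool names checked and the `setup` argument are this example's own choices.

```shell
#!/bin/sh
# Added helper (not part of the workshop repository): check prerequisites,
# confirm the Docker daemon is up, and clone all five repos under one parent.
set -eu
# Clone URLs taken from the README above.
WORKSHOP_REPOS="
https://github.com/center-for-threat-informed-defense/attack-workbench-frontend.git
https://github.com/center-for-threat-informed-defense/attack-workbench-rest-api.git
https://github.com/center-for-threat-informed-defense/attack-workbench-collection-manager.git
https://github.com/mitre-attack/attack-navigator.git
https://github.com/mitre-attack/attack-website.git
"

# Directory name git creates for a clone URL: last path segment without .git
repo_dir_from_url() {
  name=${1##*/}
  printf '%s\n' "${name%.git}"
}

# Print the README prerequisites that are not on PATH; non-zero if any missing.
missing_tools() {
  missing=""
  for tool in git node npm ng docker docker-compose python3; do
    command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
  done
  printf '%s\n' "${missing# }"
  [ -z "$missing" ]
}

# The README warns the daemon must run before docker-compose; "docker info"
# fails fast instead of leaving you waiting on a build timeout.
docker_daemon_running() {
  docker info >/dev/null 2>&1
}

# Clone every repo not already present under the parent folder.
clone_all() {
  parent=$1
  mkdir -p "$parent"
  for url in $WORKSHOP_REPOS; do
    dir="$parent/$(repo_dir_from_url "$url")"
    if [ -d "$dir/.git" ]; then echo "already cloned: $dir"
    else git clone "$url" "$dir"; fi
  done
}

# Usage: sh setup.sh setup [parent-folder]  (defaults to the current directory)
if [ "${1:-}" = "setup" ]; then
  missing_tools || { echo "install the tools listed above, then re-run"; exit 1; }
  docker_daemon_running || { echo "start Docker Desktop first"; exit 1; }
  clone_all "${2:-$PWD}"
fi
```

Run it once from the folder you want as the common parent; re-running is safe because repositories that already exist are skipped.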
ATT&CK Navigator Layer from NIST 800-53 Mappings - nist800_53_r5 overview