Ascent’s DevOps team designs custom software and automation flows, incorporating cyber threat intelligence (CTI) into products and hardened client environments. This post gives code-level instructions for retrieving raw MITRE ATT&CK data and building it into your tech stack.
We have already discussed the resources and the reasons why we build MITRE ATT&CK into our software and tools. Now let’s look at how.
The snippets below show how to pull in the data and tools MITRE publishes, and give a sense of how far they can be customised from there.
Example 1: Connect to a TAXII Server to get technique data
MITRE runs a public TAXII server that developers can connect to and pull data from. Enumerating the collections it exposes shows one per ATT&CK matrix (Enterprise, Mobile, ICS). Querying the Enterprise collection for attack-pattern objects, the STIX type ATT&CK uses for techniques, returns the technique details.
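The block below is an added example, not code from the original post, that walks the TAXII path end to end: enumerate the server's collections, select the Enterprise one, pull every attack-pattern object, and index the live techniques. It assumes MITRE's TAXII 2.1 endpoint at https://attack-taxii.mitre.org/api/v21/ (the older TAXII 2.0 server at cti-taxii.mitre.org has been retired), the stix2 and taxii2-client packages, and the collection titles shown in the comments. The collection list and STIX objects in the block are constructed stand-ins for server responses so that the selection and indexing logic runs offline.

```python
"""Added example (not Ascent's code): enumerate MITRE's TAXII collections and
index Enterprise techniques. Network access is confined to fetch_techniques();
the selection and indexing logic runs on constructed data."""
import sys
from collections import namedtuple

# Assumption: MITRE's TAXII 2.1 endpoint at the time of writing. Confirm the
# URL on attack.mitre.org/resources before wiring it into a build.
TAXII_SERVER = "https://attack-taxii.mitre.org/api/v21/"

# Constructed stand-ins for server responses. Collection objects from
# taxii2client expose .id and .title; STIX objects are plain dicts here
# (stix2 objects also support .get(), so the functions work on either).
Collection = namedtuple("Collection", "id title")
SAMPLE_COLLECTIONS = [
    Collection("x-mitre-collection--ent", "Enterprise ATT&CK"),
    Collection("x-mitre-collection--mob", "Mobile ATT&CK"),
    Collection("x-mitre-collection--ics", "ICS ATT&CK"),
]
SAMPLE_OBJECTS = [
    {"type": "attack-pattern", "id": "attack-pattern--sample-1",
     "name": "Command and Scripting Interpreter",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}]},
    {"type": "attack-pattern", "id": "attack-pattern--sample-2", "name": "PowerShell",
     "revoked": True,  # ATT&CK keeps revoked objects in the collection
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1086"}]},
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--sample-3", "name": "Execution",
     "external_references": [{"source_name": "mitre-attack", "external_id": "TA0002"}]},
]


def pick_collection(collections, domain):
    """Return the single collection whose title starts with `domain`.
    Titles on MITRE's server are 'Enterprise ATT&CK', 'Mobile ATT&CK', 'ICS ATT&CK'."""
    matches = [c for c in collections if c.title.lower().startswith(domain.lower())]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one '{domain}' collection, found {len(matches)}")
    return matches[0]


def attack_id(obj):
    """ATT&CK external ID (T1059, TA0002, ...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def index_techniques(objects):
    """Map ATT&CK ID -> technique name for live techniques only. Revoked and
    deprecated objects ship alongside current ones and must not leak into a
    coverage matrix."""
    index = {}
    for obj in objects:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = attack_id(obj)
        if tid:
            index[tid] = obj["name"]
    return index


def fetch_techniques(domain="Enterprise"):
    """Live path: list the server's collections, select one, and pull every
    attack-pattern object through stix2's paginating TAXII data source."""
    from stix2 import Filter, TAXIICollectionSource  # pip install stix2 taxii2-client
    from taxii2client.v21 import Server

    api_root = Server(TAXII_SERVER).api_roots[0]
    for coll in api_root.collections:
        print(f"{coll.id}  {coll.title}")
    collection = pick_collection(api_root.collections, domain)
    # allow_custom: ATT&CK objects carry x_mitre_* properties stix2 does not define.
    source = TAXIICollectionSource(collection, allow_custom=True)
    return source.query([Filter("type", "=", "attack-pattern")])


if __name__ == "__main__":
    objects = fetch_techniques() if "--live" in sys.argv else SAMPLE_OBJECTS
    for tid, name in sorted(index_techniques(objects).items()):
        print(tid, name)
```

Run with --live to query the server. Whatever you pull this way is only as reproducible as the release the server is currently serving, so record the ATT&CK version you indexed; for a build that must be repeatable, pull the release-tagged bundle from GitHub instead and use the TAXII server to detect newer releases.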
Example 2: Get STIX data about a technique
MITRE also publishes the same data as STIX bundles in JSON in a GitHub repo (mitre/cti). Notice that we retrieve a specific technique by its STIX object ID. A technique keeps the same STIX ID across ATT&CK releases, and within a given release the object behind that ID does not change, so pinning a release and an ID gives a reproducible lookup. What does change between releases is the object’s content and status: check the revoked and x_mitre_deprecated flags, and follow the revoked-by relationship to the replacement, before treating a stored ID as current.
Example 3: Get the data in Excel
Sometimes a spreadsheet is the fastest way to get the information you need. We can grab ATT&CK data and write it to a file for later consumption.
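The block below is an added example, not code from the original post, that covers both the lookup by STIX ID (Example 2) and the spreadsheet export (Example 3). It assumes the mitre/cti repository layout (enterprise-attack/enterprise-attack.json) and a release tag named ATT&CK-v14.1; the bundle embedded in the block is constructed, with placeholder UUIDs, so the code runs offline. It writes CSV with the standard library, which Excel opens directly; swap in openpyxl, or use the attackToExcel module of mitreattack-python, if you need a native .xlsx.

```python
"""Added example (not Ascent's code): resolve one technique by STIX ID in an
ATT&CK bundle and flatten live techniques to spreadsheet rows."""
import csv
import json
import urllib.request

# Real repo path; pinning a release tag makes the lookup reproducible.
# Assumption: tags follow the repo's ATT&CK-vX.Y naming (check the tag list).
BUNDLE_URL = ("https://raw.githubusercontent.com/mitre/cti/"
              "ATT%26CK-v14.1/enterprise-attack/enterprise-attack.json")

# Constructed miniature bundle: the technique numbers are real (T1086 PowerShell
# was revoked in favour of T1059.001) but the UUIDs are placeholders, not MITRE's.
T1059 = "attack-pattern--00000000-0000-4000-8000-000000000001"
T1059_001 = "attack-pattern--00000000-0000-4000-8000-000000000002"
T1086 = "attack-pattern--00000000-0000-4000-8000-000000000003"
EXEC = [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-0000000000ff", "objects": [
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--00000000-0000-4000-8000-0000000000a1",
     "name": "Execution", "x_mitre_shortname": "execution"},
    {"type": "attack-pattern", "id": T1059, "name": "Command and Scripting Interpreter",
     "modified": "2023-04-14T00:00:00.000Z", "x_mitre_version": "2.4", "kill_chain_phases": EXEC,
     "x_mitre_platforms": ["Linux", "Windows", "macOS"], "x_mitre_is_subtechnique": False,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}]},
    {"type": "attack-pattern", "id": T1059_001, "name": "PowerShell",
     "modified": "2023-04-14T00:00:00.000Z", "x_mitre_version": "1.4", "kill_chain_phases": EXEC,
     "x_mitre_platforms": ["Windows"], "x_mitre_is_subtechnique": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
    {"type": "attack-pattern", "id": T1086, "name": "PowerShell", "revoked": True,
     "modified": "2020-03-30T00:00:00.000Z", "x_mitre_version": "1.2",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1086"}]},
    {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-0000000000b1",
     "relationship_type": "revoked-by", "source_ref": T1086, "target_ref": T1059_001},
]}
FIELDS = ["attack_id", "name", "tactics", "platforms", "is_subtechnique", "version", "modified"]

def load_bundle(source):
    """Read a STIX bundle from an http(s) URL or a local path (e.g. a clone of mitre/cti)."""
    if source.startswith(("http://", "https://")):
        with urllib.request.urlopen(source, timeout=60) as resp:
            return json.load(resp)
    with open(source, encoding="utf-8") as fh:
        return json.load(fh)

def attack_id(obj):
    """ATT&CK external ID (T1059, TA0002, ...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def indexes(bundle):
    """(STIX id -> object, tactic shortname -> tactic name); build once per bundle."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    tactics = {o["x_mitre_shortname"]: o["name"] for o in by_id.values() if o["type"] == "x-mitre-tactic"}
    return by_id, tactics

def get_technique(bundle, stix_id, idx=None):
    """Summarise the attack-pattern with this STIX ID. ValueError for a non-technique ID,
    KeyError if the bundle lacks it; a revoked technique reports its replacement."""
    if not stix_id.startswith("attack-pattern--"):
        raise ValueError(f"not a technique ID: {stix_id}")
    by_id, tactics = idx or indexes(bundle)
    obj = by_id[stix_id]  # IDs are stable, but an object can be dropped from a later release
    phases = [p for p in obj.get("kill_chain_phases", []) if p["kill_chain_name"] == "mitre-attack"]
    revoked_by = [r["target_ref"] for r in by_id.values() if r["type"] == "relationship"
                  and r["relationship_type"] == "revoked-by" and r["source_ref"] == stix_id]
    return {
        "stix_id": stix_id, "attack_id": attack_id(obj), "name": obj["name"],
        "tactics": [tactics.get(p["phase_name"], p["phase_name"]) for p in phases],
        "platforms": obj.get("x_mitre_platforms", []),
        "is_subtechnique": bool(obj.get("x_mitre_is_subtechnique")),
        "version": obj.get("x_mitre_version"), "modified": obj.get("modified"),
        "revoked": bool(obj.get("revoked")),
        "revoked_by": attack_id(by_id[revoked_by[0]]) if revoked_by else None,
    }

def technique_rows(bundle):
    """One row per live technique (revoked/deprecated skipped); list fields joined for a flat sheet."""
    idx = indexes(bundle)
    rows = []
    for obj in bundle["objects"]:
        if obj["type"] != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        s = get_technique(bundle, obj["id"], idx)
        rows.append({k: "; ".join(s[k]) if isinstance(s[k], list) else s[k] for k in FIELDS})
    return sorted(rows, key=lambda r: r["attack_id"])

def write_csv(rows, path):
    """Write rows as CSV (Excel opens it directly); returns the row count."""
    with open(path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(rows)
    return len(rows)

if __name__ == "__main__":
    print(json.dumps(get_technique(SAMPLE_BUNDLE, T1086), indent=2))  # shows revoked_by
    print(write_csv(technique_rows(SAMPLE_BUNDLE), "attack-techniques.csv"), "rows written")
```

For real data, replace SAMPLE_BUNDLE with load_bundle(BUNDLE_URL) or a path into a clone of the repo. Keep the KeyError rather than silently returning nothing: an ID that resolved in the release you pinned and no longer resolves in a newer one is exactly the signal a product built on stored IDs needs to surface.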
Example 4: Build an ATT&CK Navigator Layer
Using the mitreattack-python package we can build custom Navigator layers from data programmatically. These generated layers can be loaded into ATT&CK Navigator for custom views of defensive coverage, threat capabilities, or even a combination of the two.
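The block below is an added example, not code from the original post or from the mitreattack-python project; it builds the Navigator layer JSON directly with the standard library so the schema is visible, overlaying an actor's reported techniques on the detection rules we have per technique so that uncovered techniques stand out in red. The actor technique set and rule counts are constructed inputs, and the schema version numbers are an assumption to be updated to match your Navigator build.

```python
"""Added example (not Ascent's code): build an ATT&CK Navigator layer that
combines adversary technique usage with our detection coverage."""
import json
import re

# Constructed inputs. In practice a CTI feed supplies the actor's techniques and
# a detection-rule repository (e.g. rule tags) supplies rule counts per technique.
ACTOR_TECHNIQUES = {"T1059.001", "T1566.001", "T1003.001", "T1021.001"}
DETECTION_RULES = {"T1059.001": 3, "T1566.001": 1, "T1047": 2}

# Assumption: schema versions current when this was written. Navigator warns when
# the layer's ATT&CK version differs from the one it has loaded.
LAYER_VERSIONS = {"attack": "14", "navigator": "4.9.1", "layer": "4.5"}
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def technique_entry(technique_id, score, comment="", color="", metadata=None):
    """One Navigator technique entry. Navigator silently ignores IDs it cannot
    match, so reject malformed ones here instead of shipping an empty heat map."""
    if not TECHNIQUE_ID.match(technique_id):
        raise ValueError(f"malformed ATT&CK technique ID: {technique_id!r}")
    return {"techniqueID": technique_id, "score": score, "comment": comment,
            "color": color, "enabled": True, "metadata": metadata or []}


def combined_layer(name, actor_techniques, detection_rules, domain="enterprise-attack"):
    """Score every technique by detection-rule count (drives the gradient) and
    force actor techniques with no rule to red so gaps show regardless of scale."""
    entries = []
    for tid in sorted(set(actor_techniques) | set(detection_rules)):
        rules = detection_rules.get(tid, 0)
        used = tid in actor_techniques
        if used and rules == 0:
            status, color = "gap", "#ff0000"
        elif used:
            status, color = "covered", ""
        else:
            status, color = "detection-only", ""
        entries.append(technique_entry(
            tid, score=rules, color=color, comment=f"{status}: {rules} detection rule(s)",
            metadata=[{"name": "status", "value": status}]))
    max_score = max((e["score"] for e in entries), default=1) or 1
    return {
        "name": name,
        "versions": LAYER_VERSIONS,
        "domain": domain,
        "description": "Detection rule count per technique; red = used by actor, no rule",
        "techniques": entries,
        "gradient": {"colors": ["#ffe766", "#8ec843"], "minValue": 0, "maxValue": max_score},
        "legendItems": [{"label": "Actor technique with no detection", "color": "#ff0000"}],
        "hideDisabled": False,
    }


def gaps(layer):
    """Technique IDs flagged as gaps in a layer built by combined_layer()."""
    return sorted(e["techniqueID"] for e in layer["techniques"]
                  if any(m["value"] == "gap" for m in e["metadata"]))


def write_layer(layer, path):
    """Serialise the layer for Navigator's 'Open Existing Layer'; returns the path."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(layer, fh, indent=2)
    return path


if __name__ == "__main__":
    layer = combined_layer("Actor techniques vs detection coverage", ACTOR_TECHNIQUES, DETECTION_RULES)
    print("gaps:", gaps(layer))
    print("wrote", write_layer(layer, "coverage-layer.json"))
```

The metadata field keeps the status machine-readable, so the same layer can drive a report as well as the heat map. If you prefer the library's validation, the navlayers module of mitreattack-python can ingest this dict (Layer().from_dict(...)) and write it back out.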
Interested in guided DevOps?
We believe DevOps is a critical element of resilient cybersecurity infrastructure. Want to learn more, but without all the code? Ascent offers a free MITRE ATT&CK Master Class where Brad Palm, Director for Software, covers the business use case for incorporating ATT&CK into your risk discussions.
Ascent is a world-class cybersecurity organization driven to save the world from cybercrime. We interpret and incorporate ATT&CK data into our risk-based, intel-driven, threat-informed strategy. Interested in this approach for your organization? Reach out to MITRE@meetascent.com to request a Master Class or to explore partnership with our DevOps team.