
Customizing Your Security Stack: Coding with MITRE ATT&CK

11.29.22 | By Brian Greunke

Ascent’s DevOps team designs custom software and automation flows, incorporating cyber threat intelligence (CTI) into products and hardened client environments. This blog outlines highly technical instructions for retrieving and implementing raw MITRE ATT&CK data into your tech stack.

We’ve discussed resources + reasons WHY we build MITRE ATT&CK into our software and tools. Now, let’s discuss HOW we can do that.

The code snippets below outline how to incorporate the data and tools provided by MITRE and demonstrate a breadth of the potential opportunities for further customization.

Example 1: Connect to a TAXII Server to get technique data

MITRE provides a TAXII server to which developers can connect and retrieve information. If we enumerate all the Collections in the response, we will see they align to the ATT&CK Matrices (Enterprise, Mobile, ICS). We can query into the Enterprise collection to gather technique details.


Example 2: Get STIX data about a technique

MITRE also provides STIX dumps in JSON format in a GitHub repo. You will notice we are using a STIX object ID to retrieve details about a specific technique. Because the data is deterministic for a given ATT&CK version, this specific ID will always return the same technique details.


Example 3: Get the data in Excel

Sometimes a spreadsheet is the fastest way to get the information you need. We can grab ATT&CK data and write it to a file for later consumption.


Example 4: Build an ATT&CK Navigator Layer

Using the mitreattack-python package we can build custom Navigator layers from data programmatically. These generated layers can be loaded into ATT&CK Navigator for custom views of defensive coverage, threat capabilities, or even a combination of the two.
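The lookups described in Examples 2 and 4, as an added offline example that is not code from the original post, from MITRE, or from the mitreattack-python package: it parses a constructed miniature of the STIX JSON dump, looks a technique up by its STIX object id (skipping revoked and deprecated objects, which the dumps keep for stability), and hand-builds a minimal Navigator layer dict instead of using the package's layer API. The bundle contents, ids and TXXXX/TYYYY numbers are constructed placeholders, and the layer-format version string is an assumption.

```python
import json

# Constructed miniature of MITRE's enterprise-attack.json STIX bundle (not real
# ATT&CK data): the ids and the TXXXX/TYYYY numbers are placeholders.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "attack-pattern", "name": "Example Technique",
     "id": "attack-pattern--11111111-1111-4111-8111-111111111111",
     "kill_chain_phases": [
         {"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "external_references": [
         {"source_name": "mitre-attack", "external_id": "TXXXX"}]},
    {"type": "attack-pattern", "name": "Old Technique", "revoked": True,
     "id": "attack-pattern--22222222-2222-4222-8222-222222222222",
     "external_references": [
         {"source_name": "mitre-attack", "external_id": "TYYYY"}]},
]})

def load_techniques(bundle_json):
    """Index live attack-pattern objects by STIX id. Revoked and deprecated
    objects are kept in the dump for stability, so filter them here."""
    return {o["id"]: o for o in json.loads(bundle_json)["objects"]
            if o["type"] == "attack-pattern"
            and not o.get("revoked") and not o.get("x_mitre_deprecated")}

def attack_id(technique):
    """Return the ATT&CK T-number from the mitre-attack external reference."""
    for ref in technique.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    raise KeyError("no mitre-attack reference on " + technique["id"])

def build_layer(techniques, stix_ids, name="coverage"):
    """Hand-build a minimal Navigator layer dict for the given STIX ids
    (one entry per tactic the technique appears under)."""
    entries = []
    for sid in stix_ids:
        t = techniques[sid]
        for phase in t.get("kill_chain_phases", []):
            if phase["kill_chain_name"] == "mitre-attack":
                entries.append({"techniqueID": attack_id(t),
                                "tactic": phase["phase_name"],
                                "score": 1, "comment": t["name"]})
    # Layer-format version string is assumed; check it against the
    # Navigator release you load the file into.
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.4"}, "techniques": entries}
```

Pointing `load_techniques` at the real enterprise-attack.json and `json.dump`-ing the returned layer to a file gives something the Navigator's "Open Existing Layer" can load.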


Interested in guided DevOps?

We believe DevOps is a critical element to resilient cybersecurity infrastructure. Want to learn more, but without all the code? Ascent offers a free MITRE ATT&CK Master Class where Brad Palm, Director for Software, covers the business use case for incorporating ATT&CK into your risk discussions.

Ascent is a world class cybersecurity organization driven to save the world from cybercrime. We interpret and incorporate ATT&CK data into our risk based, intel-driven, threat-informed strategy. Interested in this approach for your organization? Reach out to request a MasterClass or to explore partnership with our DevOps team.
