Customizing Your Security Stack: Coding with MITRE ATT&CK

11.29.22 | By Brian Greunke

Ascent’s DevOps team designs custom software and automation flows, incorporating cyber threat intelligence (CTI) into products and hardened client environments. This blog outlines highly technical instructions for retrieving and implementing raw MITRE ATT&CK data into your tech stack.

We’ve discussed resources + reasons WHY we build MITRE ATT&CK into our software and tools. Now, let’s discuss HOW we can do that.

The code snippets below outline how to incorporate the data and tools provided by MITRE and demonstrate a breadth of the potential opportunities for further customization.

Example 1: Connect to a TAXII Server to get technique data

MITRE provides a TAXII server to which developers can connect and retrieve information. If we enumerate all the Collections in the response, we will see they align with the ATT&CK matrices (Enterprise, Mobile, ICS). We can query the Enterprise collection to gather technique details.


Example 2: Get STIX data about a technique

MITRE also provides STIX dumps in JSON format in a GitHub repo. You will notice we are using a STIX object ID to retrieve details about a specific technique. Because each versioned dump is deterministic, the same object ID always returns the same technique details within that version.


Example 3: Get the data in Excel

Sometimes a spreadsheet is the fastest way to get the information you need. We can grab ATT&CK data and write it to a file for later consumption.


Example 4: Build an ATT&CK Navigator Layer

Using the mitreattack-python package we can build custom Navigator layers from data programmatically. These generated layers can be loaded into ATT&CK Navigator for custom views of defensive coverage, threat capabilities, or even a combination of the two.
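The following is an added example (not code from the original post or from MITRE) that ties Examples 2 and 4 together without any network access or third-party package: it parses a constructed STIX bundle in the shape of MITRE's enterprise-attack JSON dump, skips revoked and deprecated attack-patterns, and emits a Navigator layer. The bundle contents, the placeholder IDs and the layer format version numbers are assumptions.

```python
import json

# Constructed sample in the shape of MITRE's enterprise-attack STIX JSON dump (added example,
# not MITRE data); the object IDs and T-numbers are placeholders, not real ATT&CK identifiers.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--placeholder",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--placeholder-1", "name": "Technique A",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T0001"}]},
        {"type": "attack-pattern", "id": "attack-pattern--placeholder-2", "name": "Technique B",
         "revoked": True,  # kept in the dump for history; no longer part of the matrix
         "external_references": [{"source_name": "mitre-attack", "external_id": "T0002"}]},
        {"type": "attack-pattern", "id": "attack-pattern--placeholder-3", "name": "Technique C",
         "x_mitre_deprecated": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T0003"}]},
        {"type": "intrusion-set", "id": "intrusion-set--placeholder", "name": "Not a technique"},
    ],
}

def attack_id(obj):
    """Return the ATT&CK ID (e.g. T1059) from a STIX object's external references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"]
    return None

def techniques_by_id(bundle):
    """Map ATT&CK ID -> live attack-pattern object, skipping revoked and deprecated entries."""
    result = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue  # a layer that colours revoked/deprecated IDs would show coverage for dead techniques
        tid = attack_id(obj)
        if tid:
            result[tid] = obj
    return result

def build_layer(name, bundle, coverage):
    """Build a Navigator layer dict; coverage maps ATT&CK ID -> score 0-100 (e.g. detection coverage)."""
    known = techniques_by_id(bundle)
    layer = {"name": name, "domain": "enterprise-attack",
             "versions": {"layer": "4.4", "navigator": "4.8.0"},  # assumed layer-format versions
             "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100},
             "techniques": []}
    for tid, score in sorted(coverage.items()):
        if tid in known:  # unknown, revoked or deprecated IDs are dropped rather than mis-coloured
            layer["techniques"].append({"techniqueID": tid, "score": score, "comment": known[tid]["name"]})
    return layer

def layer_json(layer):
    """Serialise the layer for upload to ATT&CK Navigator (save the string as a .json file)."""
    return json.dumps(layer, indent=2)
```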


Interested in guided DevOps?

We believe DevOps is a critical element to resilient cybersecurity infrastructure. Want to learn more, but without all the code? Ascent offers a free MITRE ATT&CK Master Class where Brad Palm, Director for Software, covers the business use case for incorporating ATT&CK into your risk discussions.

Ascent is a world-class cybersecurity organization driven to save the world from cybercrime. We interpret and incorporate ATT&CK data into our risk-based, intel-driven, threat-informed strategy. Interested in this approach for your organization? Reach out to request a MasterClass or to explore partnership with our DevOps team.
