Mapping and enumerating MITRE ATT&CK TTPs helps us to proactively secure and harden our internal network. Even with the considerable evolution of cyber security, manually mapping the TTPs of recently discovered attacks remains too laborious.
Features of MITRE Mapping
List of common advantages of MITRE Mapping
- To understand threat actor behaviours and rely on TTPs rather than IoCs (Indicators of Compromise).
- Indicators of Attack (IoA) help security operations to clarify threats and map them to the appropriate ATT&CK technique.
- Used for post-compromise detection; helps to identify, detect, monitor, and respond to real-time cyber attacks.
- Red teams can simulate adversary TTPs, and security operations can try to detect such behaviour with correlation rules and threat hunting.
List of tools for MITRE Mapping
- ATT&CK NAVIGATOR
MITRE ATT&CK Navigator is an open-source, web-based tool typically used to visualize defensive coverage and for red/blue team planning. By default it presents three ATT&CK matrices to map against [Enterprise, Mobile, ICS].
The Navigator lets you manually map MITRE ATT&CK TTPs and visualize them before an engagement is executed.
TRAM → Threat Report ATT&CK Mapper is an open-source automated MITRE ATT&CK mapper developed by the MITRE ATT&CK team. It parses the text of a given resource and generates an illustrated output, which can be used for a threat-hunting report or to harden the network based on the mapped behaviour.
GIT REPO → https://github.com/mitre-attack/tram
Features & Advantages
- Open-source tool
- Easy to configure & deploy
- Easy export in multiple formats [PDF, JSON]
Requirements
- Python 3 (3.7+)
- Google Chrome is the only supported/tested browser
Installation & Deployment
- git clone https://github.com/mitre-attack/tram.git
- pip3 install -r requirements.txt
If TRAM reports that the NLTK tokenizer data is missing, download and configure the Punkt tokenizer as instructed below.
- mkdir /root/nltk_data
- cd /root/nltk_data
- mkdir tokenizers
- cd tokenizers
- wget -O punkt.zip "https://github.com/nltk/nltk_data/blob/gh-pages/packages/tokenizers/punkt.zip?raw=true"
- unzip punkt.zip
- cd tram (the directory created by git clone above; use its full path if you are still inside /root/nltk_data)
- cd service/
- rm data_svc.py
- Visit https://github.com/mitre-attack/tram/tree/7d357fd5a6c0435ada9c60e58d17ce887b7b4689
- nano data_svc.py [paste and replace the code with the data_svc.py from the above-mentioned commit]
By default, TRAM listens on port 9999.
Generating an ATT&CK Map
The following steps are required to generate the MITRE map:
- Search for a good resource (a threat report).
- Copy the URL of the resource to be mapped against MITRE ATT&CK.
- Paste it into the TRAM dashboard and assign a relevant title.
After processing, TRAM automatically extracts the required information from the given resource and lists the TTPs found in it.
The result can then be downloaded in two formats, PDF and JSON; the JSON format can be viewed in ATT&CK Navigator through the "upload existing layer" option.
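As an added example (not code from this article or from the TRAM project), the script below turns technique hits of the kind a report mapper extracts into a layer JSON file that the Navigator's upload-existing-layer option accepts. The sample hits are constructed, and the numbers in `versions` are assumptions to adjust to the Navigator instance in use.

```python
"""Build an ATT&CK Navigator layer from technique hits extracted from a report."""
import json
import re
from collections import Counter

# ATT&CK technique IDs look like T1059 or T1059.001 (sub-technique).
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Constructed sample: (technique id, sentence that triggered the mapping).
SAMPLE_HITS = [
    ("T1566.001", "The phishing email carried a malicious Word attachment."),
    ("T1059.001", "A PowerShell script was launched from the macro."),
    ("T1059.001", "PowerShell was later used to download the second stage."),
    ("T1021.001", "Operators moved laterally over RDP."),
    ("BAD-ID", "This line should be rejected by validation."),
]

def build_layer(hits, name="Report TTP map", domain="enterprise-attack"):
    """Return a Navigator layer dict; score = number of sentences per technique."""
    counts = Counter()
    comments = {}
    for tid, sentence in hits:
        if not TECHNIQUE_ID.match(tid):
            continue  # skip anything that is not a well-formed ATT&CK ID
        counts[tid] += 1
        comments.setdefault(tid, []).append(sentence)
    max_score = max(counts.values(), default=1)
    techniques = [
        {
            "techniqueID": tid,
            "score": score,
            "comment": " | ".join(comments[tid]),  # keeps the evidence sentences
            "enabled": True,
        }
        for tid, score in sorted(counts.items())
    ]
    return {
        "name": name,
        # Assumed version triple: match it to your Navigator / ATT&CK release.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": domain,
        "description": "Techniques mapped from a single threat report",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": max_score},
    }

if __name__ == "__main__":
    # Write a file for Navigator: Open Existing Layer > Upload from local.
    with open("report_layer.json", "w") as fh:
        json.dump(build_layer(SAMPLE_HITS), fh, indent=2)
```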
MITRE mapping is considered especially important for defence: it helps us understand attack patterns and implement proactive defence, and ATT&CK Navigator and TRAM play a vital role in that.