If you are reading this blog post via a 3rd party source it is very likely that many parts of it will not render correctly (usually, the interactive graphs). Please view the post on dogesec.com for the full interactive viewing experience.
tl;dr
Here’s an easy way to search and filter data in various CTI frameworks including; MITRE ATT&CK, MITRE CWE, MITRE CAPEC, MITRE ATLAS, DISARM, and more!
Overview
The MITRE ATT&CK team recently announced they were upgrading their TAXII 2.0 server to TAXII 2.1.
TAXII is great for downloading the entire knowledgebase, but not suited to search and filtering.
Typically we have tended to default to grabbing the ATT&CK STIX object, like those for Enterprise here, uploading them to ArangoDB, and then querying them as needed.
I walked through examples of this in the post. PSA: MITRE ATT&CK is More Than Tactics and Techniques.
This allows for powerful queries to search and filter the data, but is not particularly user friendly to those who don’t understand the Arango query language.
We wanted something in the middle that could act as a source of data for all our products, as well as something others in the community could use for their needs too.
The result; CTI Butler, a web API that exposes a variety of CTI frameworks.
In this post I’ll explain how you can get started in minutes with CTI Butler.
Before I continue
We offer a fully hosted web version of CTI Butler which includes many additional features over those in the backend engine. You can find out more about the web version here.
Install and download data
I won’t explain the install steps here, all of that is covered in the CTI Butler GitHub repository.
Once running, you can explore the API using the interactive Swagger interface at: http://127.0.0.1:8006/api/schema/swagger-ui/#/
The first step, post-install, is to add the data for the frameworks you want to use.
You can do this using the POST endpoint for each endpoint.
For example to add version 15.1 of MITRE ATT\&CK Enterprise;
curl -X 'POST' \
'http://127.0.0.1:8006/api/v1/attack-enterprise/' \
-H 'accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"version": "15_1",
"ignore_embedded_relationships": true
}'
The ignore_embedded_relationships
allows you to tell CTI Butler not to create new relationships for embedded STIX references, e.g. created_by_ref
. Most users of CTI Butler will want to set this to true
.
If you want to skip this process and install all available versions of the datasets, you can run this script we’ve built;
python3 utilities/import_all_data.py \
--ignore_embedded_relationships True
At the time of writing CTI Butler supports the following frameworks;
- MITRE ATT&CK Enterprise
- MITRE ATT&CK ICS
- MITRE ATT&CK Mobile
- MITRE CAPEC
- MITRE CWE
- MITRE ATLAS
- Locations
- TLP
- DISARM
For the following examples I’ll use MITRE ATT&CK Enterprise to demonstrate the features of CTI Butler.
Managing multiple versions of frameworks
You can see all the versions of the framework have been ingested, and which is the latest.
curl -X 'GET' \
'http://127.0.0.1:8006/api/v1/attack-enterprise/versions/' \
-H 'accept: application/json'
{
"latest": "15.1",
"versions": [
"15.1",
"15.0",
"14.1",
"14.0",
"13.1",
"13.0",
"12.1",
"12.0",
"11.3",
"11.2",
"11.1",
"11.0",
"10.1",
"10.0",
"9.0",
"8.2",
"8.1",
"8.0",
"7.2",
"7.1",
"7.0",
"6.3",
"6.2",
"6.1",
"6.0",
"5.2",
"5.1",
"5.0",
"4.0",
"3.0",
"2.0",
"1.0"
]
}
The latest
version will be the version that is returned by all other endpoints unless a specific version in the list is specified.
Searching and filtering objects
The objects endpoints allow for rich filtering of the datasets.
For example, here I filter the ATT&CK Enterprise objects to only include those with exploit
in the name, and are STIX attack-pattern
objects (ATT&CK Techniques and Sub-techniques);
curl -X 'GET' \
'http://127.0.0.1:8006/api/v1/attack-enterprise/objects/?name=exploit&type=attack-pattern' \
-H 'accept: application/json'
{
"page_size": 50,
"page_number": 1,
"page_results_count": 9,
"total_results_count": 9,
"objects": [
{
"created": "2020-02-20T15:37:27.052Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition.\n\nAdversaries may exploit known or zero-day vulnerabilities to crash applications and/or systems, which may also lead to dependent applications and/or systems to be in a DoS condition. Crashed or restarted applications or systems may also have other effects such as [Data Destruction](https://attack.mitre.org/techniques/T1485), [Firmware Corruption](https://attack.mitre.org/techniques/T1495), [Service Stop](https://attack.mitre.org/techniques/T1489) etc. which may further cause a DoS condition and deny availability to critical information, applications and/or systems. ",
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1499.004",
"url": "https://attack.mitre.org/techniques/T1499/004"
},
{
"source_name": "Sucuri BIND9 August 2015",
"url": "https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html",
"description": "Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit in the Wild. Retrieved April 26, 2019."
}
],
"id": "attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "impact"
}
],
"modified": "2022-05-11T14:00:00.188Z",
"name": "Application or System Exploitation",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"type": "attack-pattern",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_data_sources": [
"Application Log: Application Log Content",
"Sensor Health: Host Status",
"Network Traffic: Network Traffic Content",
"Network Traffic: Network Traffic Flow"
],
"x_mitre_detection": "Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack. Externally monitor the availability of services that may be targeted by an Endpoint DoS.",
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_impact_type": [
"Availability"
],
"x_mitre_is_subtechnique": true,
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Windows",
"Azure AD",
"Office 365",
"SaaS",
"IaaS",
"Linux",
"macOS",
"Google Workspace"
],
"x_mitre_version": "1.2"
},
CTI Butler stores all data as STIX 2.1 objects making it very simple to sync it with other security tooling. In fact, a number of security tools already integrate with CTI Butler to power their enrichments to these knowledge-bases.
Tracking changes to objects
One of the areas where CTI Butler really shines is being to compare versions.
If I take the sub-techniques T1499.004
(Application or System Exploitation
) shown above, I can see all versions of it that exist in the database;
curl -X 'GET' \
'http://127.0.0.1:8006/api/v1/attack-enterprise/objects/T1499.004/versions/' \
-H 'accept: application/json'
[
{
"modified": "2022-05-11T14:00:00.188Z",
"versions": [
"15.1",
"15.0",
"14.1",
"14.0",
"13.1",
"13.0",
"12.1",
"12.0",
"11.3",
"11.2",
"11.1"
]
},
{
"modified": "2022-03-25T18:11:13.604Z",
"versions": [
"11.0"
]
},
{
"modified": "2021-03-29T16:09:41.559Z",
"versions": [
"10.1",
"10.0",
"9.0"
]
},
{
"modified": "2020-03-29T02:07:27.508Z",
"versions": [
"8.2",
"8.1",
"8.0",
"7.2",
"7.1",
"7.0"
]
}
]
The response tells me T1499.004
was introduced in ATT&CK 7.0, and has changed four times since being introduced.
Examining relationships between framework objects
CTI Butler is built on a graph database making it possible to easily traverse connections between objects.
This request returns all relationships T1499.004
is found in;
curl -X 'GET' \
'http://127.0.0.1:8006/api/v1/attack-enterprise/objects/T1499.004/relationships/' \
-H 'accept: application/json'
{
"page_size": 50,
"page_number": 1,
"page_results_count": 8,
"total_results_count": 8,
"relationships": [
{
"created": "2022-03-30T14:26:51.834Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Monitor for third-party application logging, messaging, and/or other artifacts that may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack. Externally monitor the availability of services that may be targeted by an Endpoint DoS.",
"external_references": [
{
"source_name": "Sucuri BIND9 August 2015",
"description": "Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit in the Wild. Retrieved April 26, 2019.",
"url": "https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html"
}
],
"id": "relationship--499da978-fa64-469e-901a-0d5db2b8b2f3",
"modified": "2022-03-30T14:26:51.834Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"relationship_type": "detects",
"source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
"spec_version": "2.1",
"target_ref": "attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0",
"type": "relationship",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
Here we can see the Data Component, Application Log Content (x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa
), is linked to T1499.004, Application or System Exploitation (among other things).
Examining relationships between frameworks
One of the biggest challenges with all these frameworks is that they are often treated in silo’s.
For example, ATT&CK techniques can be linked to CAPEC techniques.
CTI Butler provides the ability to join frameworks so they can be traversed like this. It does this with the help of another of our tools Arango CTI Processor.
You can trigger Arango CTI Processor using the CTI Butler API like so;
curl -X 'POST' \
'http://127.0.0.1:8006/api/v1/arango-cti-processor/capec-attack/' \
-H 'accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"ignore_embedded_relationships": true
}'
Where capec-attack
is the Arango CTI Processor mode I want to trigger relationships for.
curl -X 'GET' \
'http://127.0.0.1:8006/api/v1/attack-enterprise/objects/T1499.004/relationships/' \
-H 'accept: application/json'
Now if I run the same request as before, I can see 9 results are returned (1 more than previously);
{
"page_size": 50,
"page_number": 1,
"page_results_count": 9,
"total_results_count": 9,
"relationships": [
{
"created": "2014-06-23T00:00:00.000Z",
"created_by_ref": "identity--2e51a631-99d8-52a5-95a6-8314d3f4fbf3",
"description": "CAPEC-25 uses technique T1499.004",
"id": "relationship--5c3a67e5-c0c4-5676-a6db-2ebc324d1905",
"modified": "2022-09-29T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"marking-definition--2e51a631-99d8-52a5-95a6-8314d3f4fbf3"
],
"relationship_type": "technique",
"source_ref": "attack-pattern--36a2f844-0c20-41d7-9a10-66f1e4c43db8",
"target_ref": "attack-pattern--2bee5ffb-7a7a-4119-b1f2-158151b19ac0",
"type": "relationship"
},
Here we can see CAPEC-25 uses the ATT&CK sub-technique T1499.004.
For reference, here’s CAPEC-25;
curl -X 'GET' \
'http://127.0.0.1:8006/api/v1/capec/objects/CAPEC-25/' \
-H 'accept: application/json'
{
"page_size": 50,
"page_number": 1,
"page_results_count": 1,
"total_results_count": 1,
"objects": [
{
"created": "2014-06-23T00:00:00.000Z",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"description": "The adversary triggers and exploits a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock conditions can be difficult to detect.",
"external_references": [
{
"external_id": "CAPEC-25",
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/25.html"
},
{
"external_id": "CWE-412",
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/412.html"
},
{
"external_id": "CWE-567",
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/567.html"
},
{
"external_id": "CWE-662",
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/662.html"
},
{
"external_id": "CWE-667",
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/667.html"
},
{
"external_id": "CWE-833",
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/833.html"
},
{
"external_id": "CWE-1322",
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/1322.html"
},
{
"description": "Endpoint Denial of Service: Application or System Exploitation",
"external_id": "T1499.004",
"source_name": "ATTACK",
"url": "https://attack.mitre.org/wiki/Technique/T1499/004"
},
{
"description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
"external_id": "REF-1",
"source_name": "reference_from_CAPEC"
},
{
"description": "Wikipedia, The Wikimedia Foundation, Inc",
"external_id": "REF-101",
"source_name": "reference_from_CAPEC",
"url": "http://en.wikipedia.org/wiki/Deadlock"
},
{
"description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)",
"external_id": "REF-609",
"source_name": "reference_from_CAPEC",
"url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.html"
}
],
"id": "attack-pattern--36a2f844-0c20-41d7-9a10-66f1e4c43db8",
"modified": "2022-09-29T00:00:00.000Z",
"name": "Forced Deadlock",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"spec_version": "2.1",
"type": "attack-pattern",
"x_capec_abstraction": "Meta",
"x_capec_consequences": {
"Availability": [
"Resource Consumption (A successful forced deadlock attack compromises the availability of the system by exhausting its available resources.)"
]
},
"x_capec_domains": [
"Software"
],
"x_capec_example_instances": [
"An example of a deadlock which may occur in database products is the following. Client applications using the database may require exclusive access to a table, and in order to gain exclusive access they ask for a lock. If one client application holds a lock on a table and attempts to obtain the lock on a second table that is already held by a second client application, this may lead to deadlock if the second application then attempts to obtain the lock that is held by the first application (Source: Wikipedia, http://en.wikipedia.org/wiki/Deadlock)"
],
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p>The adversary initiates an exploratory phase to get familiar with the system.</p></li><li> <p>The adversary triggers a first action (such as holding a resource) and initiates a second action which will wait for the first one to finish.</p></li><li> <p>If the target program has a deadlock condition, the program waits indefinitely resulting in a denial of service.</p></li></ol></div>",
"x_capec_likelihood_of_attack": "Low",
"x_capec_prerequisites": [
"The target host has a deadlock condition. There are four conditions for a deadlock to occur, known as the Coffman conditions. [REF-101]",
"The target host exposes an API to the user."
],
"x_capec_skills_required": {
"Medium": "This type of attack may be sophisticated and require knowledge about the system's resources and APIs."
},
"x_capec_status": "Stable",
"x_capec_typical_severity": "High",
"x_capec_version": "3.9"
}
]
}
CTI Butler
One API. Much CTI. CTI Butler is the API used by the world's leading cyber-security companies.
Discuss this post
Head on over to the DOGESEC community to discuss this post.
Never miss an update
Sign up to receive new articles in your inbox as they published.