10 best MITRE ATT&CK sources in one click with Pandas
MITRE ATT&CK is a knowledge base of adversary tactics and techniques, and a common vocabulary across the cyber security world. Which data source gives us the best cost-benefit ratio? It depends. Every organization is different: we run different operating systems, network devices, and applications, and we also face a different set of adversaries😁. This article uses the pandas Python library to build a simple notebook.
Link to repo at the bottom 👇
MITRE ATT&CK? Why do I care?
Budgets are rarely unlimited, and neither are human resources, hardware, network bandwidth, or the capacity of our SIEM. We need to choose wisely which data sources to collect. As it happens, MITRE already defines data sources and their components. Need to convince management that you should collect more events from Windows/Sysmon? This article can help you find arguments for that :-)
Why pandas?
Because it is a popular library for data transformation and analysis. Admittedly, I prefer Spark/PySpark… but I don’t want to use a sledgehammer to crack a nut. This article is an encouragement to use analytical tools other than “the protein interface” (a human) and a left mouse button.
Source
MITRE is not only a website; there are also analytical tools and repositories on GitHub. We will use the technique-to-data-component mapping (link).
Input data
Every organization is different. Let’s assume our result will be computed from two inputs: platforms and techniques. Platforms are the systems we use. A summary of the most important techniques should be provided by your CTI team. The techniques in the example below are chosen at random.
my_platforms = ['Windows', 'Linux', 'Network']  # or None
my_techniques = ['T1204', 'T1053', 'T1543', 'T1134', 'T1112', 'T1110', 'T1003', 'T1135', 'T1046']  # or None
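The ranking these two inputs feed into, as an added example that is not the article’s notebook code: it runs on constructed rows shaped like the technique-to-data-component mapping (technique id, platform, data source, data component) using only the standard library, so it works offline without pandas or the download. A data source scores one point per distinct parent technique it can observe on our platforms (sub-techniques such as T1053.005 count for T1053), and a second helper reports which of our techniques the chosen sources would still leave unobserved.

```python
from collections import defaultdict

# Constructed sample rows shaped like the ATT&CK technique -> data component
# mapping: (technique_id, platform, data_source, data_component). Not real data.
SAMPLE_MAPPING = [
    ("T1204.002", "Windows", "Process", "Process Creation"),
    ("T1204.002", "Windows", "File", "File Creation"),
    ("T1053.005", "Windows", "Scheduled Job", "Scheduled Job Creation"),
    ("T1053.005", "Windows", "Process", "Process Creation"),
    ("T1053.003", "Linux", "File", "File Modification"),
    ("T1053.003", "Linux", "Process", "Process Creation"),
    ("T1110.001", "Windows", "User Account", "User Account Authentication"),
    ("T1110.001", "Linux", "User Account", "User Account Authentication"),
    ("T1046", "Network", "Network Traffic", "Network Traffic Flow"),
    ("T1046", "Linux", "Command", "Command Execution"),
    ("T1566.001", "macOS", "Application Log", "Application Log Content"),
]


def parent_technique(technique_id):
    """'T1053.005' -> 'T1053'; a parent id is returned unchanged."""
    return technique_id.split(".")[0]


def select_rows(mapping, platforms=None, techniques=None):
    """Keep rows for our platforms and our parent techniques; None means all."""
    return [r for r in mapping
            if (platforms is None or r[1] in platforms)
            and (techniques is None or parent_technique(r[0]) in techniques)]


def rank_data_sources(mapping, platforms=None, techniques=None, top_n=10):
    """(data_source, n_techniques) pairs, best first: one point per distinct
    parent technique the source can observe on the selected platforms."""
    covered = defaultdict(set)
    for tech, _plat, source, _comp in select_rows(mapping, platforms, techniques):
        covered[source].add(parent_technique(tech))
    ranked = sorted(covered.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(src, len(techs)) for src, techs in ranked[:top_n]]


def uncovered_techniques(mapping, chosen, platforms=None, techniques=None):
    """Techniques on our list that none of the chosen sources would observe."""
    rows = select_rows(mapping, platforms, techniques)
    wanted = set(techniques) if techniques is not None else {parent_technique(r[0]) for r in rows}
    seen = {parent_technique(r[0]) for r in rows if r[2] in chosen}
    return sorted(wanted - seen)
```

Passing None for either input reproduces the "or None" behaviour of the inputs above: every platform or every technique in the mapping is considered.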
Downloading and loading data into pandas
import pandas as pd
import yaml
import requests
url =…