SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

Import json from attack-flow builder #201

Closed ovcrash closed 3 months ago

ovcrash commented 1 year ago

Describe the bug

This is not a bug, but more of a question. Is it possible to import JSON from the attack-flow-builder directly into VECTR?

https://center-for-threat-informed-defense.github.io/attack-flow/overview/

The JSON format exported from the attack-flow-builder seems not far off, to be compatible with VECTR.

Anyone got this working? Thanks

SRAPSpencer commented 1 year ago

You currently can't import this directly. The ability to do so will come down to whether attack flow output has sufficient information to create a meaningful campaign. For example, ATT&CK Navigator layers currently do not. If you wanted to try to get the JSON imported, you've got a few options.

You could use the API. There's a similar example using other source content at https://github.com/antman1p/RecodedFuture-to-ATTCK and documentation on the API at https://docs.vectr.io/graphql/

If you wanted to try to transform the JSON into a format VECTR accepts:

YAML
- Index Schema Version 1 (ISV1) (https://github.com/SecurityRiskAdvisors/indexes)
- Atomic Red Index (https://github.com/redcanaryco/atomic-red-team). Note: The large Index.yaml collection is the only supported import file.

JSON
- Vectr Import / Export data
- MITRE Enterprise ATT&CK CTI (https://github.com/mitre/cti)

thebleucheese commented 3 months ago

Unfortunately, the Attack-flow data formats don't contain enough actionable procedure-level information (or, to put it in CTI parlance, aren't enriched enough) to be able to run as Test Cases. In general, STIX2 is a great format for communicating CTI, but it requires additional information that's rarely included. Even MITRE's enterprise-attack CTI data is a few steps away from being actionable. We commonly see CTI professionals taking MITRE's ATT&CK data and enriching it with detailed threat reports when they need to make actionable tests for simulation by Purple Teams or other internal testing groups.

Marking this as complete because unfortunately, there's not much we can do with importing attack-flow. However, in the future there's always an option for us to export attack-flow or use it for data viz like the escalation path.