SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

MITRE Filter Not Properly Mapped in Heat Map #207

Open TaigaWalker opened 1 year ago

TaigaWalker commented 1 year ago

Describe the bug: When a user is accessing an assessment (the MITRE Enterprise Tactics kill chain, for example), clicks MITRE Filters in the Heat Map view and selects Windows as their platform, not all of the test cases are tied to Windows. There are some test cases that are Linux or macOS related, but fall under the Windows platform filter.

To Reproduce: Steps to reproduce the behavior:

  1. Go to 'Assessments'
  2. Click on 'Any Assessment'
  3. Change report type to 'Heat Map'
  4. On the right side of the page, click 'Mitre Filters' and select the Platform 'Windows'

Expected behavior: If Windows is the desired Platform filter, all unit tests should only be tied to Windows.


Additional context: N/A

carlvonderheid commented 1 year ago

Thanks for the details. This is actually not a bug. We are using the "Platforms" that are tied to the Mitre Technique ID to come up with that filter. In your case, you are using technique T1136 (https://attack.mitre.org/techniques/T1136/); the Platforms are: [screenshot]

TaigaWalker commented 1 year ago

Thanks for the follow-up! When you mention that you are using the "Platforms" tied to a specific MITRE Technique ID, could that lead to misrepresentation of the filter then? As an end user who uses Vectr daily, I assumed it was tied to command parameters tied to a specific Platform (OS, for example), rather than the technique having x amount of listed Platforms. Would you recommend that I leverage the tagging feature in Vectr? I guess I could manually tag each assessment based on its platform? If this is a good route, is there any mechanism to filter by Tag?

carlvonderheid commented 1 year ago

So everything under the "Mitre Filters" button is meant to show/hide columns and cells on the heatmap, not the TestCases that are associated with the techniques.

I re-opened this and will label it with a feature request and future release. I think what we should do is keep the Mitre Filters as they are, and instead add this to the "Report Filters" (which apply to all reporting screens, not just the heatmap), and you can just show applicable TestCases on the Heatmap that way. There are probably a few filters we will want to add instead of just "Red Team Automation Platform", but that one for sure.

TaigaWalker commented 1 year ago

I agree with the Mitre Filters being kept as they are and adding it to the Report Filters. When you mention "show applicable TestCases on the Heatmap", are you suggesting that in a future release with this feature request, there will be a filter available, let's call it "Platform", where I can filter on a specific OS, like Windows, and it will only show me all TestCases where the command operator is tied to Windows?

SRAPSpencer commented 1 year ago

I can't speak for Carl, but I believe this is what he meant. As to your previous question, you can filter by tags in reporting today. If you click the filter button in the top right, the filter section expands. Clicking Report Filters shows detailed options; going to the Tags tab, you can filter by Tags you have created.

TaigaWalker commented 1 year ago

Understood. Thanks for following up and confirming the above, Paul.

Kind Regards,

Taiga Walker, Information Security Analyst, Appian.com

On Thu, Jan 19, 2023 at 8:40 AM Paul Spencer wrote:

> I can't speak for Carl, but I believe this is what he meant. As to your previous question, you can filter by tags in reporting today. If you click the filter button in the top right, the filter section expands. Clicking Report Filters shows detailed options; going to the Tags tab, you can filter by Tags you have created. https://user-images.githubusercontent.com/57723275/213457086-16a4b4d4-025c-4164-8db8-b31765e4312e.png https://user-images.githubusercontent.com/57723275/213457303-2da2959c-1428-4cef-88a4-1774f6e46543.png
