Hello and welcome to Thread, the open-source project that is changing cyber threat intelligence (CTI) mapping! We are thrilled that you have dropped by to learn more about what Thread has to offer and how you can get involved in this exciting community.
Behind Thread is a passionate team of cybersecurity enthusiasts who believe in the power of collaborative, open-source solutions. Our aim is to empower individuals, security professionals, and organisations with streamlined threat intelligence processes, making the digital world a safer place for all.
Whether you are here to explore Thread as a user, potential contributor, or simply out of curiosity, we extend a warm welcome. Your interest and involvement mean a lot to us, and we cannot wait to embark on this cybersecurity journey together. So, let us dive in and discover how Thread can revolutionise the way we approach CTI!
Thread is an open-source initiative dedicated to enhancing cyber threat intelligence (CTI) mapping by automating the process of linking cybersecurity reports and articles to MITRE ATT&CK®. Our mission is to empower security professionals, organisations, and analysts by providing efficient, empowering, and community-driven CTI capabilities.
Thread is a tool for analysts to map finished reports and articles about cyber attacks to MITRE ATT&CK®.
Thread was originally forked from TRAM when it was in its beta phase, and we wanted to build upon it. Therefore, further changes to the original TRAM repo may not be incorporated into Thread as the codebases have largely diverged.
Thread is not just another cybersecurity tool; it redefines how we approach CTI mapping. We have distilled the essence of Thread's unique value proposition into an experience that is efficient, empowering, and community-driven.
Efficiency Unleashed: Bid farewell to tedious, manual processes of mapping reports to MITRE ATT&CK tactics, techniques, and procedures (TTPs) that consume hours of your valuable time. Thread's intelligent algorithms work tirelessly to automate the mapping of TTPs. What used to be a painstaking endeavour now takes mere minutes. With Thread, you will liberate yourself from data wrangling and reclaim your focus for strategic insights.
Empowerment in Your Hands: Thread is all about putting the power of threat intelligence back where it belongs – in your hands. Take control of your security posture by refining and verifying threat data. Our platform ensures that your decisions are based on data that you know is relevant to you. Say goodbye to relying on outdated or inaccurate information; with Thread, you are in control.
Community Collaboration: Thread is being built into an open-source community committed to advancing the field of CTI. By choosing Thread, you become part of a network of cybersecurity experts who share your passion for creating a safer digital world. Together, we forge a path towards a future where CTI is agile, collaborative, and precise.
If you want to use Thread right now, feel free to use the web version at https://app.arachne.digital/thread.
We recommend using a virtual environment for installing Python package dependencies.
Please note: if your environment has multiple Python interpreters (e.g. python
is for Python 2.x/3.x and python3
is for Python 3.y, please adjust some of the commands below accordingly. For example, pip
may be python3 -m pip install ...
and python main.py
may be python3 main.py
).
Start by cloning this repository.
git clone https://github.com/arachne-threat-intel/thread.git
Install our submodule dependencies. Steps are listed here.
Before installing the required Python packages, consider which database you would like to use.
From the root of this project, install the Python package requirements.**
pip install -r requirements.txt
If not using SQLite (default database options): Revisit the database docs (stated earlier) to set up the database before running Thread for the first time.
Then start the application.
python main.py
Once the server has started, point your browser to localhost:9999, and you can then enter a URL on the home page. It currently takes several minutes to analyse a report, so please do not leave the page while it processes.
Configuration defaults can be changed here.
You are also welcome to check our test-suite via:
python -m unittest discover tests/
In the same directory, you may also run our lint tests. You need to install Ruff (via pip install ruff
; more info here). You can then do the following command:
ruff check .
We use ruff
to format our code. You can do this by running the following command:
ruff format
** For package maintenance, you may find the command below useful. Please be warned this has risks such as code-breakages from an upgraded package version where this command upgraded multiple packages at once causing debugging to be difficult.
pip install --upgrade -r requirements.txt
On Thread's homepage, enter a web page URL (sorry no PDFs yet) to process it and begin a report based on it. It takes a few minutes to analyse a URL, this is dependent on the amount of text found from the URL. You are advised to periodically check if your submission is still in the queue.
If you see an error in the queue, this means the website did not like us trying to fetch its contents, or something on the site could not be parsed. We will periodically check for these errors and work on improvements to the submission process.
When the URL has been processed and its report is ready, a new card will appear (in the Needs Review column). Each card will have two buttons:
You will also have the option to delete reports that 1. are not in the queue or 2. those in the queue that have an error.
You can use Thread via https://app.arachne.digital/thread.
If you use Thread via our Arachne website, your reports will be visible to others and accessible by the Arachne team. To reduce its visibility, you can flag reports as private on report-submission (please note, these reports will still be accessible by the Arachne team); you will need to sign up for an account on the Arachne website and remain logged-in during report-submission.
Alternatively, you can clone this repo, set it up, and use it locally to ensure all your reports stay only on your machine.
Thread's prediction model will try its best to find ATT&CK techniques in the report, but since our current data set is very limited, our models are not 100% accurate, so the tool requires you to review and refine the technique prediction.
When you click on a sentence in the report, you can do the following:
As more data is fed to the tool and is reviewed, any rebuilt models are expected to become more accurate with these predictions.
If you have made changes you are not happy with and cannot undo them easily (e.g., deleted a sentence), you can rollback a report via the homepage (found in the In Review column).
Once you have reviewed the entire report, Thread’s results can be exported as a PDF by clicking the Export PDF button on the top centre of the page. This will create a PDF containing a raw text version of the report, and a table with the ATT&CK technique and its corresponding sentence. This can be done for all reports out of the queue but those not in the Completed column will be considered draft reports.
Thread is a project that brings together a diverse and passionate community of cybersecurity experts to start to revolutionise the world of CTI. At its core, Thread aims to simplify and speed up CTI mapping, a crucial component of effective cybersecurity. By collaborating with this vibrant community, we are on a mission to empower not only cybersecurity professionals but also organisations and analysts across the globe. Our primary goal is to provide them with the tools they need to map TTPs swiftly and accurately to the MITRE ATT&CK framework.
This initiative does not stop at mere efficiency; it is about fundamentally enhancing threat detection and fortifying your security posture. We recognise that time-consuming manual mapping has long been a significant hurdle in the world of cybersecurity. By harnessing the collective expertise of our community, we are determined to tackle this issue head-on. Our commitment to working open is a testament to our belief in the power of collaboration and giving back to the open-source community.
Arachne Digital's ethos revolves around supporting the projects we utilise. We have pledged to contribute in various ways, from sharing a portion of our profits to dedicating developer resources for bug fixes and maintenance. Moreover, when we encounter abandoned projects, we will attempt to step in, fork, and maintain these repositories. Our mission is clear: to ensure the longevity of valuable open-source resources and foster a thriving ecosystem of collaborative cybersecurity research. Thread is more than just a tool; it is a catalyst for change in the world of cybersecurity, and we invite everyone, regardless of their background, to join us on this exciting journey of discovery and innovation. Together, we can strengthen our collective defence against the ever-evolving landscape of cyber threats.
Creating and maintaining Thread, your go-to platform for CTI mapping, requires a diverse set of resources. Some of these resources are provided by Arachne Digital, the for profit company that maintains Thread. However, the collective is strong through diversity, which is why Arachne Digital is opening Thread up to the community. From design and development to community building and infrastructure, here is what powers Thread:
The Thread community has adopted the Contributor Covenant. Before contributing, please read the code of conduct. By contributing to the Thread community, you agree to the code of conduct.
We welcome your help as part of the Thread community!
Read our contribution guidelines for further information.
To get access to our Arachne Digital Slack channel, email contact[at]arachne[dot]digital with a bit about who you are and how you want to get involved.
You can contact us by emailing us at contact[at]arachne[dot]digital.
If you have found any security issues with Thread, we ask that you please contact us directly (so we can work on it without it being discovered and exploited). We will be transparent about any security issues in our documentation.
If you have found any other bugs with Thread, please feel free to contact us or raise an issue here in our GitHub repo.
If you have any questions or comments about Thread, please feel free to contact us via the email address above.
We have mentioned MITRE ATT&CK, TTPs and CTI mapping a great deal, but why are these things even relevant to cybersecurity? What does CTI mapping yield?
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a comprehensive knowledge base used globally in the cybersecurity community. It provides a structured framework to understand the TTPs employed by cyber threat actors (CTAs).
TTPs are the building blocks of threat intelligence. Here is what you need to know about them:
TTPs are like the DNA of cyber threats. By identifying and understanding them, you gain insight into the methods employed by threat actors. This knowledge is invaluable for enhancing your security posture.
To give you a primer in these concepts, or if videos are just more your thing, check out Putting MITRE ATT&CK™ into Action with What You Have, Where You Are, an amazing presentation by Katie Nickels.
We extend our sincere appreciation to the dedicated individuals whose contributions have made Thread a thriving open-source community and a valuable resource for the cybersecurity community!
Copyright 2024 Arachne Digital
Licensed under the Apache License, Version 2.0.
Please see our NOTICE and LICENSE files for further information.