center-for-threat-informed-defense / attack-flow

Attack Flow helps executives, SOC managers, and defenders easily understand how attackers compose ATT&CK techniques into attacks by developing a representation of attack flows, modeling attack flows for a small corpus of incidents, and creating visualization tools to display attack flows.
https://ctid.io/attack-flow
Apache License 2.0

Maastricht University Ransomware Attack Flow #116

Closed jonibim closed 6 months ago

jonibim commented 7 months ago

My first attempt at making an attack flow describing the Maastricht University ransomware attack that happened in 2019. The article used for building the attack flow (in Dutch): https://www.maastrichtuniversity.nl/nl/file/foxitrapportreactieuniversiteitmaastrichtnl10-02pdf

Please let me know if I missed anything or did something wrong.

codecov[bot] commented 7 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Comparison is base (826971f) 99.64% compared to head (6c9f1c3) 99.64%.

:exclamation: Current head 6c9f1c3 differs from pull request most recent head c0d7dea. Consider uploading reports for the commit c0d7dea to get more accurate results.

Additional details and impacted files

```diff
@@           Coverage Diff           @@
##             main     #116   +/-   ##
=======================================
  Coverage   99.64%   99.64%
=======================================
  Files           9        9
  Lines         837      837
=======================================
  Hits          834      834
  Misses          3        3
```


mehaase commented 7 months ago

Thank you for submitting this new flow. This is an excellent application of the Attack Flow concepts combined with good writing and clear organization. I'm excited to get this merged into our corpus.

I have a few suggestions that I will leave here, but these are not mandatory. If you have the time and interest to make these adjustments, that's great, otherwise just let me know that you are done and I will merge this into our corpus.

There is a URL object in STIX that you could use here. The infrastructure object is fine, but if you use URL objects it will be easier to extract the URL IOCs.

[screenshot: Maastricht University Ransomware]

The direction of the arrow between action and asset indicates if the asset's state is changed or consumed. This example has the asset pointing to the action, which means the action depends on the state of the asset. I think you intended to communicate that the action changes the asset's state (i.e. the new state is "compromised"), so the arrow should point from action to asset.

[screenshot: Maastricht University Ransomware (1)]

This condition and action appear to be reversed. If the condition "user opens excel attachment" is true, then that would lead to the "User Execution: Malicious File" action.

[screenshot: Maastricht University Ransomware (2)]
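The three review points above (a STIX `url` object for the IOC, the action-to-asset arrow direction, and condition-before-action ordering) expressed as Attack Flow STIX 2.1 objects, with a small direction check. This is an added example, not code from the attack-flow project or this PR; property names follow the Attack Flow 2.x spec as understood here, and all ids, the URL and the asset name are constructed placeholders.

```python
"""Added example: build the condition -> action -> asset chain from the review
and check that each reference points at the object type the spec expects.
Ids and values are constructed placeholders, not data from the real incident."""
import uuid
from typing import Dict, List


def sid(stix_type: str) -> str:
    """Constructed STIX id for the given object type."""
    return f"{stix_type}--{uuid.uuid4()}"


def build_flow() -> List[Dict]:
    """Return the corrected fragment: condition -> action -> asset, plus a url SCO."""
    asset = {"type": "attack-asset", "spec_version": "2.1", "id": sid("attack-asset"),
             "name": "Employee workstation (placeholder)",
             "description": "State after the action: compromised"}
    url = {"type": "url", "spec_version": "2.1", "id": sid("url"),
           "value": "http://example.invalid/attachment.xls"}  # constructed IOC
    action = {"type": "attack-action", "spec_version": "2.1", "id": sid("attack-action"),
              "name": "User Execution: Malicious File", "technique_id": "T1204.002",
              "asset_refs": [asset["id"]],  # action -> asset: the action changes the asset's state
              "effect_refs": []}
    condition = {"type": "attack-condition", "spec_version": "2.1",
                 "id": sid("attack-condition"),
                 "description": "User opens Excel attachment",
                 "on_true_refs": [action["id"]]}  # condition -> action, not the reverse
    return [condition, action, asset, url]


# (object type, property) -> object types that property may reference
EXPECTED = {("attack-condition", "on_true_refs"): {"attack-action", "attack-operator"},
            ("attack-condition", "on_false_refs"): {"attack-action", "attack-operator"},
            ("attack-action", "asset_refs"): {"attack-asset"}}


def check_directions(objects: List[Dict]) -> List[str]:
    """Return one finding per reference that points at a wrong or missing object type."""
    by_id = {o["id"]: o for o in objects}
    findings = []
    for obj in objects:
        for (otype, prop), allowed in EXPECTED.items():
            if obj["type"] != otype:
                continue
            for ref in obj.get(prop, []):
                target = by_id.get(ref, {}).get("type", "missing")
                if target not in allowed:
                    findings.append(f"{otype}.{prop} -> {target} (expected {sorted(allowed)})")
    return findings


def extract_urls(objects: List[Dict]) -> List[str]:
    """URL IOCs are trivial to pull out once they are url SCOs rather than infrastructure."""
    return sorted(o["value"] for o in objects if o["type"] == "url")
```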

jonibim commented 7 months ago

@mehaase Thank you for your feedback. I implemented your feedback and also made some (small) improvements to the attack flow :)

The full details of the changes I made are in the description of my last commit.

sonarcloud[bot] commented 7 months ago

Kudos, SonarCloud Quality Gate passed!

- Bugs: A (0 Bugs)
- Vulnerabilities: A (0 Vulnerabilities)
- Security Hotspots: A (0 Security Hotspots)
- Code Smells: A (0 Code Smells)
- No Coverage information
- No Duplication information

mehaase commented 6 months ago

Thank you @jonibim and my apologies for not seeing this earlier. I have just merged it in.