center-for-threat-informed-defense / attack-flow

Attack Flow helps executives, SOC managers, and defenders easily understand how attackers compose ATT&CK techniques into attacks by developing a representation of attack flows, modeling attack flows for a small corpus of incidents, and creating visualization tools to display attack flows.
https://ctid.io/attack-flow
Apache License 2.0

Adding attack flow for The DFIR Report's BumbleBee Round 2 #53

Closed anvilogic-KLo closed 1 year ago

sonarcloud[bot] commented 1 year ago

Kudos, SonarCloud Quality Gate passed!

Bug: A (0 Bugs)
Vulnerability: A (0 Vulnerabilities)
Security Hotspot: A (0 Security Hotspots)
Code Smell: A (0 Code Smells)

No Coverage information
No Duplication information

codecov[bot] commented 1 year ago

Codecov Report

Base: 99.75% // Head: 99.75% // No change to project coverage.

Coverage data is based on head (afb390f) compared to base (a3800be). Patch has no changes to coverable lines.

Additional details and impacted files:

```diff
@@           Coverage Diff           @@
##             main      #53   +/-   ##
=======================================
  Coverage   99.75%   99.75%
=======================================
  Files           8        8
  Lines         825      825
=======================================
  Hits          823      823
  Misses          2        2
```

Help us with your feedback. Take ten seconds to tell us [how you rate us](https://about.codecov.io/nps?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=center-for-threat-informed-defense). Have a feature suggestion? [Share it here.](https://app.codecov.io/gh/feedback/?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=center-for-threat-informed-defense)

View full report at Codecov.
Do you have feedback about the report comment? Let us know in this issue.

mehaase commented 1 year ago

Thank you for the PR! A couple items of feedback:

  1. The technique_ref is for the STIX ID of the ATT&CK technique (or any other STIX attack-pattern). The text you have in there typically goes in the name field. We will improve this aspect in the next release.
  2. I'm making a note to myself that the relative time offsets are important to your flow, and that we do not have proper representation in our file format.
  3. The actions should point to assets, not the other way around. We'll add something in the Builder to make this clearer.
  4. You can also add multiple actions to a single asset, which is helpful for showing when the attacker pivots.
  5. Not sure if you're aware, but you can also include the commands executed by attaching a process object to an action. I included one example of this for the first action.

I'm uploading a copy with some of these changes applied. Please take a look.

DFIR - BumbleBee Round 2.afb.txt
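The structural points in the review (technique_ref holds a STIX attack-pattern id rather than free text, actions point at assets and not the reverse, several actions may share one asset, and a command is attached by referencing a process object) can be checked mechanically. The following is an added example of mine, not code from the attack-flow project or the Builder: it builds a small flow of constructed objects and runs a validator over it. The property names (technique_ref, technique_id, asset_refs, effect_refs, command_ref) and the extension-definition id follow my reading of the Attack Flow v2 STIX extension and should be treated as assumptions; the object ids and command line are constructed placeholders.

```python
import re
import uuid

# STIX 2.1 identifier shape: "<type>--<uuid>".
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
# Attack Flow v2 extension-definition id (assumption: quoted from memory of the spec).
AF_EXT = "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4"


def sid(kind, label):
    """Deterministic STIX id for a constructed sample object (uuid5 over a fixed namespace)."""
    return f"{kind}--{uuid.uuid5(uuid.NAMESPACE_URL, 'flow-example.invalid/' + label)}"


def af_object(kind, label, **props):
    """Build one Attack Flow SDO carrying the extension marker plus the given properties."""
    obj = {"type": kind, "id": sid(kind, label), "spec_version": "2.1",
           "extensions": {AF_EXT: {"extension_type": "new-sdo"}}}
    obj.update(props)
    return obj


def build_flow(technique_ref_is_text=False):
    """Return the flow's objects. With technique_ref_is_text=True the first action
    reproduces the mistake from the review: free text in technique_ref."""
    # ATT&CK techniques are referenced by the STIX id of their attack-pattern object;
    # the ids below are constructed stand-ins, real ones come from the ATT&CK STIX bundle.
    phishing_ref = sid("attack-pattern", "T1566")
    cred_dump_ref = sid("attack-pattern", "T1003")
    # The executed command is attached as a STIX process SCO (constructed placeholder command line).
    proc = {"type": "process", "id": sid("process", "proc-1"), "spec_version": "2.1",
            "command_line": "placeholder.exe /example"}
    workstation = af_object("attack-asset", "ws-1", name="User workstation")
    first = af_object("attack-action", "act-1",
                      name="Phishing", technique_id="T1566",
                      technique_ref="Initial Access - Phishing" if technique_ref_is_text else phishing_ref,
                      command_ref=proc["id"],
                      asset_refs=[workstation["id"]])  # action -> asset, never the reverse
    # A second action on the same asset: the pivot case from point 4.
    second = af_object("attack-action", "act-2",
                       name="OS Credential Dumping", technique_id="T1003",
                       technique_ref=cred_dump_ref,
                       asset_refs=[workstation["id"]])
    first["effect_refs"] = [second["id"]]  # sequencing edge between the two actions
    return [proc, workstation, first, second]


def validate_flow(objects):
    """Check the review's structural points; return a list of problems (empty means clean)."""
    by_id = {o["id"]: o for o in objects}
    problems = []
    for o in objects:
        if o["type"] == "attack-action":
            ref = o.get("technique_ref")
            if ref is not None and not (STIX_ID_RE.match(ref) and ref.startswith("attack-pattern--")):
                problems.append(f"{o['name']}: technique_ref must be a STIX attack-pattern id, "
                                f"got {ref!r}; free text belongs in 'name'")
            for aref in o.get("asset_refs", []):
                if by_id.get(aref, {}).get("type") != "attack-asset":
                    problems.append(f"{o['name']}: asset_refs entry {aref} is not an attack-asset in this flow")
            cmd = o.get("command_ref")
            if cmd is not None and by_id.get(cmd, {}).get("type") != "process":
                problems.append(f"{o['name']}: command_ref {cmd} is not a process object")
        elif o["type"] == "attack-asset":
            for key in ("action_refs", "effect_refs"):
                if key in o:
                    problems.append(f"{o['name']}: assets do not point at actions; "
                                    f"list the asset in the action's asset_refs instead")
    return problems


def actions_per_asset(objects):
    """Map each asset name to the actions touching it; more than one per asset shows a pivot."""
    by_id = {o["id"]: o for o in objects}
    out = {}
    for o in objects:
        if o["type"] == "attack-action":
            for aref in o.get("asset_refs", []):
                out.setdefault(by_id[aref]["name"], []).append(o["name"])
    return out


if __name__ == "__main__":
    for label, flow in (("as submitted", build_flow(True)), ("corrected", build_flow())):
        print(label, validate_flow(flow) or "OK")
    print(actions_per_asset(build_flow()))
```

Running it reports the free-text technique_ref on the submitted variant and a clean result on the corrected one, and shows both actions hanging off the single workstation asset. The validator deliberately checks only the shape of technique_ref rather than resolving it, since flows normally reference ATT&CK objects that live in a separate bundle.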

anvilogic-KLo commented 1 year ago

Good evening Mark and CTID team,

Thank you for the feedback and the workshop session for Attack flow, definitely an insightful conversation. I'll note these changes for the next iterations. To give some insight, the attached afb file is our modifications to the builder to accommodate fields we use at Anvilogic.

Thank you again for the time today!

Respectfully, Kevin

On Dec 7, 2022, at 1:57 PM, Mark E. Haase wrote: [quoted text identical to the comment above; attachment DFIR - BumbleBee Round 2.afb.txt: https://github.com/center-for-threat-informed-defense/attack-flow/files/10179153/DFIR.-.BumbleBee.Round.2.afb.txt]

mehaase commented 1 year ago

Closing this PR and finishing this flow in #75.