center-for-threat-informed-defense / attack-flow

Attack Flow helps executives, SOC managers, and defenders easily understand how attackers compose ATT&CK techniques into attacks by developing a representation of attack flows, modeling attack flows for a small corpus of incidents, and creating visualization tools to display attack flows.
https://ctid.io/attack-flow
Apache License 2.0
556 stars 86 forks

Attack-Defense trees modeling with Attack Flow #57

Open banzo opened 1 year ago

banzo commented 1 year ago

Hello, we are looking for a solution to build and model Attack Defense Trees.

We discovered Attack Flow at the EU MITRE ATT&CK® Community Workshop X. We are wondering if it would make sense to extend Attack Flow to include the Defense aspects.

xtheorycrafter commented 1 year ago

Seb, what do you mean by including defence aspects? Can you share an example?

banzo commented 1 year ago

Thank you for your response.

By defense aspects I mean mechanisms such as IDS, access control, etc. In MITRE ATT&CK, I guess it would be similar to the Mitigations.

Here is a sample ADT, where attack nodes are in red and defense nodes are in green (source).

[image: sample attack-defense tree; attack nodes in red, defense nodes in green]

mticmtic commented 1 year ago

We have had discussions about how to account for defensive actions, but haven't settled on anything yet. This area gets a bit tricky, however, because there are a large number of defensive actions that someone can take against one offensive action. This could quickly bloat the ontology. We will continue our discussions until we find an appropriate way to model defensive actions along with ATT&CK.

juancerezo commented 5 months ago

Hello everyone,

I hope this can help. Currently, I am working to improve cybersecurity processes using Attack Flow Builder; to do what @banzo describes, I am using STIX objects. To indicate how to perform searches and produce detections I suggest using Indicator, and for the actions in @banzo's diagram, Course of Action could be used.

STIX SDO Indicator spec: https://docs.oasis-open.org/cti/stix/v2.1/csprd01/stix-v2.1-csprd01.html#_Toc16070633
STIX SDO Course of Action spec: https://docs.oasis-open.org/cti/stix/v2.1/csprd01/stix-v2.1-csprd01.html#_Toc16070624

I think that could be the right approach.

Regards
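The approach suggested in the last comment, as an added example that is not code from the Attack Flow project or from any participant in this thread: the attack node is a standard STIX 2.1 attack-pattern carrying an ATT&CK reference, the defensive nodes are a course-of-action (mitigation) and an indicator (detection), and the green-to-red edges of an attack-defense tree become the spec's own `mitigates` and `indicates` relationships. Attack Flow's custom `attack-action` objects are deliberately not used here so the example runs with nothing but the standard library. T1110 and M1036 are real ATT&CK identifiers; every STIX object ID, timestamp and the indicator pattern are constructed for illustration, and the `ALLOWED` table is a deliberately narrow subset of the relationships the STIX spec permits.

```python
"""Attack and defense nodes as standard STIX 2.1 objects (added example)."""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed fixed timestamp so the objects are reproducible.
TS = datetime(2023, 1, 1, tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
# STIX identifier shape: <type>--<uuid>
ID_RE = re.compile(
    r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# Relationship triples accepted by this example (subset of the STIX 2.1 spec).
ALLOWED = {
    ("course-of-action", "mitigates", "attack-pattern"),
    ("indicator", "indicates", "attack-pattern"),
}


def _sdo(stix_type, **props):
    """Common SDO scaffolding: type, id, spec_version, created/modified."""
    obj = {"type": stix_type, "spec_version": "2.1",
           "id": f"{stix_type}--{uuid.uuid4()}", "created": TS, "modified": TS}
    obj.update(props)
    return obj


def make_relationship(rel_type, source_id, target_id):
    """Directed edge between two SDOs (e.g. course-of-action -> attack-pattern)."""
    return _sdo("relationship", relationship_type=rel_type,
                source_ref=source_id, target_ref=target_id)


def build_bundle():
    """One attack node with one mitigation and one detection attached (constructed)."""
    technique = _sdo("attack-pattern", name="Brute Force",
                     external_references=[{"source_name": "mitre-attack",
                                           "external_id": "T1110"}])
    mitigation = _sdo("course-of-action", name="Account Use Policies",
                      description="Lockout and password policies that limit guessing.",
                      external_references=[{"source_name": "mitre-attack",
                                            "external_id": "M1036"}])
    # Constructed detection: SSH traffic to a single host, labelled as an indicator.
    detection = _sdo("indicator", name="SSH guessing against jump host (constructed)",
                     indicator_types=["malicious-activity"], pattern_type="stix",
                     pattern="[network-traffic:dst_port = 22 AND "
                             "network-traffic:dst_ref.value = '10.0.0.5']",
                     valid_from=TS)
    objects = [technique, mitigation, detection,
               make_relationship("mitigates", mitigation["id"], technique["id"]),
               make_relationship("indicates", detection["id"], technique["id"])]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def validate_bundle(bundle):
    """Return problems found: malformed ids, dangling refs, disallowed edges."""
    errors, by_id = [], {}
    for obj in bundle["objects"]:
        if not ID_RE.match(obj.get("id", "")):
            errors.append(f"bad id: {obj.get('id')!r}")
            continue
        by_id[obj["id"]] = obj
    for obj in bundle["objects"]:
        if obj.get("type") != "relationship":
            continue
        src, tgt = by_id.get(obj.get("source_ref")), by_id.get(obj.get("target_ref"))
        if src is None or tgt is None:
            errors.append(f"dangling ref in {obj.get('id')}")
            continue
        triple = (src["type"], obj.get("relationship_type"), tgt["type"])
        if triple not in ALLOWED:
            errors.append(f"disallowed relationship: {triple}")
    return errors


def defense_view(bundle):
    """Group the defensive (green) nodes under each attack (red) node."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    view = {o["name"]: {"mitigations": [], "detections": []}
            for o in bundle["objects"] if o["type"] == "attack-pattern"}
    for o in bundle["objects"]:
        if o["type"] != "relationship":
            continue
        src, tgt = by_id[o["source_ref"]], by_id[o["target_ref"]]
        if tgt["type"] != "attack-pattern":
            continue
        if o["relationship_type"] == "mitigates" and src["type"] == "course-of-action":
            view[tgt["name"]]["mitigations"].append(src["name"])
        elif o["relationship_type"] == "indicates" and src["type"] == "indicator":
            view[tgt["name"]]["detections"].append(src["pattern"])
    return view


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle))
    print(json.dumps(defense_view(bundle), indent=2))
```

The validator is where this pays off in practice: without it, nothing stops someone from drawing a course-of-action that `indicates` a technique, or an edge whose target was deleted, and the rendered tree would silently lie. The `ALLOWED` table is also the natural place to decide how much of the spec's relationship vocabulary a given Attack Flow diagram should accept, which speaks to the ontology-bloat concern raised earlier in the thread.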