mitre / caldera

Automated Adversary Emulation Platform
https://caldera.mitre.org
Apache License 2.0

API.PHP error #96

Closed pprpst closed 5 years ago

pprpst commented 5 years ago

Hi MITRE colleagues ... thanks for all good work.

I just installed Caldera first time. In Settings in "ATT&CK Integration" I see this :

> _Last updated: 1/1/1970, 1:00:00 AM_
> _Contains 10 Tactics, 127 Techniques and 51 Groups_

Does not seem right. I hope there are more definitions available, and are more recently updated :-) When I try to update I get this in console :

```
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): attack.mitre.org
DEBUG:urllib3.connectionpool:https://attack.mitre.org:443 "GET /api.php?action=ask&format=json&query=%5B%5BCategory%3ATactic%5D%5D HTTP/1.1" 404 2201
Traceback (most recent call last):
  File "/root/caldera/caldera/app/api.py", line 122, in entrypoint
    resp = await decorated(req, token, req.match_info)
  File "/root/caldera/caldera/app/api.py", line 84, in decorated
    results = await f(req, **kwargs)
  File "/root/caldera/caldera/app/api.py", line 627, in load_attack
    attack.refresh_attack()
  File "/root/caldera/caldera/app/attack.py", line 12, in refresh_attack
    tactic_results = grab_site("{}/{}".format(attack_url, 'api.php'), params=params, stream=False, mode='attack').json()
  File "/usr/local/lib/python3.6/dist-packages/requests/models.py", line 897, in json
    return complexjson.loads(self.text, **kwargs)
  File "/usr/lib/python3/dist-packages/simplejson/__init__.py", line 518, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python3/dist-packages/simplejson/decoder.py", line 370, in decode
    obj, end = self.raw_decode(s)
  File "/usr/lib/python3/dist-packages/simplejson/decoder.py", line 400, in raw_decode
    return self.scan_once(s, idx=_w(s, idx).end())
simplejson.errors.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
```
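The traceback above is the symptom of calling `.json()` on a reply that was an HTTP 404 HTML page: the real cause (the endpoint no longer exists) only surfaces as a bare `Expecting value: line 1 column 1`. As an added example that is not part of this issue or of CALDERA's own code, the helper below checks the status code and `Content-Type` before decoding so the error names the actual failure. The names `FakeResponse`, `UpstreamApiError`, `parse_json_response` and `describe_failure`, and the sample response bodies, are constructed for this example.

```python
"""Added example (not CALDERA code): defensively parse an HTTP JSON API reply.

Decoding the body before checking the HTTP status hides the root cause of a
failure. This helper checks status and Content-Type first and raises an error
that says what actually went wrong. All names and sample responses here are
constructed for the example.
"""
import json
from dataclasses import dataclass


@dataclass
class FakeResponse:
    """Minimal stand-in for a requests.Response so the example runs offline."""
    status_code: int
    headers: dict
    text: str


class UpstreamApiError(RuntimeError):
    """Raised when the upstream API did not return usable JSON."""


def parse_json_response(resp):
    """Return the decoded JSON body, or raise UpstreamApiError with a reason.

    Checks, in order: HTTP status is 2xx, Content-Type advertises JSON, body
    decodes. A 404 HTML page like the one in the issue fails the first check
    with a message that says so, instead of a bare JSONDecodeError.
    """
    if not 200 <= resp.status_code < 300:
        raise UpstreamApiError(
            f"upstream returned HTTP {resp.status_code}; "
            f"first bytes: {resp.text[:60]!r}")
    ctype = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype not in ("application/json", "text/json"):
        raise UpstreamApiError(f"expected JSON but got Content-Type {ctype!r}")
    try:
        return json.loads(resp.text)
    except json.JSONDecodeError as exc:
        raise UpstreamApiError(f"body is not valid JSON: {exc}") from exc


def describe_failure(resp):
    """Return a one-line reason string, or None if the response is usable."""
    try:
        parse_json_response(resp)
        return None
    except UpstreamApiError as exc:
        return str(exc)


# Constructed sample responses: roughly what the 404 in the issue looked like,
# and a well-formed JSON reply for comparison.
NOT_FOUND = FakeResponse(404, {"Content-Type": "text/html"},
                         "<!DOCTYPE html><html><head><title>404 Not Found</title>...")
OK = FakeResponse(200, {"Content-Type": "application/json; charset=utf-8"},
                  '{"query": {"results": {"Tactic/Persistence": {}}}}')

if __name__ == "__main__":
    # Names the HTTP 404 instead of reporting a JSON decode error.
    print(describe_failure(NOT_FOUND))
    print(parse_json_response(OK)["query"]["results"])
```

Logging the status code and the first bytes of the body is what turns "Expecting value" into "the upstream endpoint returned 404", which is the information needed to tell a dead API apart from a malformed reply.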

pprpst commented 5 years ago

I already tried the solution from issue #85. Changing the URL to "attack-old.mitre.org" did not work.

cl-mitre commented 5 years ago

It appears that attack-old.mitre.org is currently down, and although I am trying to track down what exactly happened to it, I don't have any information about when/if it will be coming back up, due to the heavy changes to ATT&CK between the initial release of this project and now. That being said, the message you saw has less of an impact than you might initially think - it simply states how large the internal ATT&CK database is. As this functionality is only used when cross-referencing and sorting the steps (the actual actions within CALDERA), an outdated collection should not actually impact you directly in any manner when running CALDERA.

I can say that the next open-source update to CALDERA addresses this problem on both the default state and update fronts, though I sadly do not currently have a predicted release date for that update.

pprpst commented 5 years ago

@cl-mitre Thanks for your answer. It clears some things up. But it also raises another question. From this "Contains 10 Tactics, 127 Techniques and 51 Groups" I would expect that the "View Adversaries" page would contain 51 adversaries. There are only 4 (Alice, Bob, Charlie and Lazarus Group). I would also expect to see 127 Tactics listed on the "View Steps" page; there are only 29 steps listed there.

So the question ... is my database of steps, adversaries and tactics up to date?

cl-mitre commented 5 years ago

The tricky thing here is that it is and it isn't. The steps you have are the complete set of released CALDERA steps, but the adversaries and tactics lists you have are out of date since newer versions of ATT&CK have been released since the initial release of CALDERA, but these updates do not actually give CALDERA anything new to work with by default. The list below should illustrate the difference between steps/CALDERA adversaries and ATT&CK groups/tactics, as they refer to different aspects of CALDERA.

Hopefully that clears things up a little bit.

pprpst commented 5 years ago

Well, this explains things. But it also makes it a bit disappointing. I would expect an automation tool released by MITRE to be better aligned to the ATT&CK framework and to use the same terminology and definitions. For example, if I want to test Technique T1121 (Regsvcs and Regasm to proxy execution), this would already be defined in Caldera, which is not the case ...

Interestingly, tests for most techniques are available and well aligned to ATT&CK, for example: https://github.com/redcanaryco/atomic-red-team. Is there a way to port RedCanary atomic tests to Caldera as steps? Automatically .. not manually :-)

pprpst commented 5 years ago

I guess no :-)

cl-mitre commented 5 years ago

Not at the moment, no, given that the current version of RedCanary came out after the release of the version of CALDERA available here (and their initial release came out barely a month before our public release). Our internal build for the next public release currently contains a framework that should make this very doable, however.

pprpst commented 5 years ago

Looking forward to the new version then :-). Any idea on the ETA?

privateducky commented 5 years ago

@pprpst The new open-source upgrade has been completed. Let me know how it fares for you!