Closed himynamesdave closed 3 months ago
@fqrious on Slack you said
"Similarly, when a record is removed from a source object (e.g. ATT&CK reference removed from a CAPEC object), the object removed between updates is marked as _is_latest=false, but no new object is recreated for it (because it no longer exists in the latest version of the source object)"
This affects multiple projects, for example ATS is supposed to only return objects where _is_latest==true on manifest/objects, and if this is implemented, old SROs will just be missing from the manifest (unless version is set to all in query)
This is not quite right...
stix2arango logic is fairly simplistic. If the md5 of the object changes, add the new one (as _is_latest=true), and mark _is_latest=false for all old versions.
arango_taxii_server is slightly different...
Here it is only concerned with creating relationships (SROs) between objects being changed (by stix2arango imports)
Let me use an example (test 1.3 https://github.com/muchdogesec/arango_cti_processor/blob/adding-tests/tests/README.md#test-13-perform-another-update-to-change-capec-attack-pattern---attck-attack-pattern-relationship-capec-attack)
1.2

```json
"external_references": [
    {
        "external_id": "CAPEC-158",
        "source_name": "capec",
        "url": "https://capec.mitre.org/data/definitions/158.html"
    },
    {
        "external_id": "CWE-311",
        "source_name": "cwe",
        "url": "http://cwe.mitre.org/data/definitions/311.html"
    },
    {
        "description": "Network Sniffing",
        "external_id": "T1040",
        "source_name": "ATTACK",
        "url": "https://attack.mitre.org/wiki/Technique/T1040"
    },
    {
        "description": "Multi-Factor Authentication Interception",
        "external_id": "T1111",
        "source_name": "ATTACK",
        "url": "https://attack.mitre.org/wiki/Technique/T1111"
    },
    {
        "description": "Acquire Access",
        "external_id": "T1650",
        "source_name": "ATTACK",
        "url": "https://attack.mitre.org/wiki/Technique/T1650"
    },
    {
        "description": "Hijack Execution Flow: ServicesFile Permissions Weakness",
        "external_id": "T1574.010",
        "source_name": "ATTACK",
        "url": "https://attack.mitre.org/wiki/Technique/T1574/010"
    }
],
"id": "attack-pattern--897a5506-45bb-4f6f-96e7-55f4c0b9021a",
"modified": "2024-01-01T00:00:00.000Z",
```
1.3

```json
"external_references": [
    {
        "external_id": "CAPEC-158",
        "source_name": "capec",
        "url": "https://capec.mitre.org/data/definitions/158.html"
    },
    {
        "external_id": "CWE-311",
        "source_name": "cwe",
        "url": "http://cwe.mitre.org/data/definitions/311.html"
    },
    {
        "description": "Network Sniffing",
        "external_id": "T1040",
        "source_name": "ATTACK",
        "url": "https://attack.mitre.org/wiki/Technique/T1040"
    },
    {
        "description": "Multi-Factor Authentication Interception",
        "external_id": "T1111",
        "source_name": "ATTACK",
        "url": "https://attack.mitre.org/wiki/Technique/T1111"
    }
],
"id": "attack-pattern--897a5506-45bb-4f6f-96e7-55f4c0b9021a",
"modified": "2024-01-15T00:00:00.000Z",
"name": "UPDATE OBJECT 3RD TIME",
```
2 of the ATT&CK references inside the CAPEC object (attack-pattern--897a5506-45bb-4f6f-96e7-55f4c0b9021a) are removed between 1.2 and 1.3, with 2 remaining, T1040 and T1111 (total 4 ATT&CK links). T1650 and T1574.010 are removed (total 2 ATT&CK links). This is now the same as the original stix-capec-v3.9.json object.
stix2arango handles the logic of updating and ageing out these objects based on the md5 hashes changing for the id. This is the logic ATS uses and it works fine.
Now, in 1.2 arango_cti_processor created 6 SROs to link the capec objects to attack. In 1.2, you will also see arango_cti_processor set doc._is_latest == false for all relationship objects from previous tests.
This logic works fine when objects are added.
e.g. in 1.0 4 objects created, in 1.1 5 objects created (4 marked as old from 1.0), in 1.2 6 objects created (5 marked as old from 1.1)
However, when objects are removed from the
To solve this, the behaviour of ACTIP could be to check for changes to the id of an object (which would cause an s2a change) and then check if the relevant data for the mode (e.g. for capec-attack, a change in ATT&CK refs) has changed. If a change like this is detected, mark all relationships ACTIP created from this source object (in the correct mode) as is_latest=false and then recreate the new relationship objects.
See test 1.3.
https://github.com/muchdogesec/arango_cti_processor/tree/adding-tests/tests#test-13-perform-another-update-to-change-capec-attack-pattern---attck-attack-pattern-relationship-capec-attack
In this test we have
In the previous test it was
Thus test 2 should return 15 results: the oldest version (1.0) of CAPEC158 had 4 ATT&CK references, old version 1.1 had 5 ATT&CK references, old version 1.2 had 6 (2 of these still remain, each with 4 lines).
Then the new object should have 4 refs
Test 3 should return 4 results because the new object has both T1040 (1 coa, 1 attack pattern) and T1111 (1 coa, 1 attack pattern).
Update behaviour for SROs created by this script described here: https://github.com/muchdogesec/arango_cti_processor/blob/adding-tests/docs/README.md#updating-sros-on-subsequent-runs
Can be tested using: https://github.com/muchdogesec/arango_cti_processor/blob/main/tests/tests.md#test-14-perform-another-update-to-change-capec-attack-pattern---attck-attack-pattern-relationship-capec-attack
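Added example (my own code, not arango_cti_processor's or stix2arango's) of the update behaviour proposed in this thread for the capec-attack mode: it diffs the ATT&CK references between two versions of the CAPEC object, ages out every relationship the mode previously created from that source object, and recreates them from the current references. The 1.2 and 1.3 fixtures are reconstructed from the references quoted above; the ATT&CK id lookup, the relationship id scheme and the `_mode` field are assumptions.

```python
import hashlib
import json
import uuid

MODE = "capec-attack"
NS = uuid.UUID("00000000-0000-0000-0000-0000000000c7")  # constructed namespace, not the project's
CAPEC_ID = "attack-pattern--897a5506-45bb-4f6f-96e7-55f4c0b9021a"

def object_md5(obj):  # a changed md5 for the same id is what stix2arango treats as a new version
    return hashlib.md5(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def attack_refs(obj):  # the ATT&CK external_ids on a CAPEC object: what the capec-attack mode depends on
    return {r["external_id"] for r in obj.get("external_references", []) if r.get("source_name") == "ATTACK"}

def lookup_attack_id(external_id):  # assumed stand-in for resolving a T-ID to the ATT&CK attack-pattern id
    return f"attack-pattern--{uuid.uuid5(NS, external_id)}"

def update_capec_attack(relationships, old_obj, new_obj):
    """Apply the proposed behaviour to an in-memory SRO list; returns the SROs created."""
    if object_md5(old_obj) == object_md5(new_obj):
        return []  # no stix2arango change for this id
    if attack_refs(old_obj) == attack_refs(new_obj):
        return []  # changed, but not the data this mode uses (e.g. only the name)
    for rel in relationships:  # age out everything this mode previously created from the source
        if rel["_mode"] == MODE and rel["source_ref"] == new_obj["id"]:
            rel["_is_latest"] = False
    created = []
    for ext_id in sorted(attack_refs(new_obj)):  # recreate from the current references
        target = lookup_attack_id(ext_id)
        created.append({"type": "relationship", "relationship_type": "technique",
                        "id": f"relationship--{uuid.uuid5(NS, new_obj['id'] + target)}",
                        "source_ref": new_obj["id"], "target_ref": target,
                        "modified": new_obj["modified"], "_mode": MODE, "_is_latest": True})
    relationships.extend(created)
    return created

def capec_version(modified, attack_ids, **extra):  # constructed fixture shaped like the 1.2 / 1.3 objects
    refs = [{"external_id": "CAPEC-158", "source_name": "capec"}]
    refs += [{"external_id": t, "source_name": "ATTACK"} for t in attack_ids]
    return {"type": "attack-pattern", "id": CAPEC_ID, "modified": modified, "external_references": refs, **extra}

V12 = capec_version("2024-01-01T00:00:00.000Z", ["T1040", "T1111", "T1650", "T1574.010"])
V13 = capec_version("2024-01-15T00:00:00.000Z", ["T1040", "T1111"], name="UPDATE OBJECT 3RD TIME")

def run_example():  # seed from 1.2 (nothing to age out yet), then apply the 1.3 update
    store = []
    update_capec_attack(store, capec_version("2023-12-01T00:00:00.000Z", []), V12)
    update_capec_attack(store, V12, V13)
    return store
```

After the 1.3 update the store holds 6 relationship versions, of which only the T1040 and T1111 ones are `_is_latest`; a version bump that does not touch the ATT&CK refs (a renamed object) leaves the relationships alone.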