• Stars
    star
    167
  • Rank 226,635 (Top 5 %)
  • Language
    CSS
  • License
    MIT License
  • Created almost 7 years ago
  • Updated 5 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

ATOM/Playbook Viewer

What started out as the “Adversary Playbook” has now evolved into the ability to visualize threats without having attribution to a specific adversary or threat group. The idea is still rather straightforward: just as we create offensive and defensive playbooks for sports, our adversaries also have offensive playbooks that they execute to compromise organizations. They may not write them down, but they exist. Through observation and data sharing, defenders can create their own version of the Adversary's playbook, and then use that playbook to better defend their network with defensive playbooks.

The "Adversary Playbook" is now renamed to Actionable Threat Objects and Mitigations or ATOMs. The goal is to organize the tools, techniques, and procedures that an adversary uses into a structured format, which can be shared with others, and built upon. To achieve this goal, we didn’t want to develop a proprietary structure that would be exclusive to Palo Alto Networks. Instead, we identified two frameworks that would enable us to not only structure our data, but also enable us to share it with others.

To learn more about the change to ATOMs, visit our blog page here: https://unit42.paloaltonetworks.com/actionable-threat-objects-and-mitigations/

Framework Description
STIX 2.0 Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI).
ATT&CK MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.

STIX 2.0 is the latest iteration of the STIX format. It has been re-designed to simplify the creation of documents and uses JSON rather than XML. STIX 2.0 provides a list of objects to represent types of information typically generated for cyber threat intelligence (CTI). For instance, STIX includes objects for intrusion sets, malware, and indicators, among others. STIX standardizes the information and attributes stored within objects based on the object type, as well as the relationships available between the various object types. The standardized objects and their relationships between each other allows this intelligence to be sharable and easily consumable without having to write complicated parsing tools.

MITRE’s ATT&CK framework provide names, descriptions, and links to examples of the high-level tactics adversaries’ use during an operation, as well as the techniques the adversary uses to achieve them. For example, the ATT&CK framework has a tactic called ‘Launch’ that refers to an adversary attempting to penetrate a network. One technique associated with this tactic is called “Spear phishing messages with malicious attachments”, which describes how the adversary would launch an attack on the network. This provides common definitions and understandings of how a specific goal is accomplished by attackers.

To meld these frameworks together, we looked at how Mitre mapped their ATT&CK data to STIX 2.0 and then chose appropriate objects for additional Playbook components.

STIX 2.0 Object Playbook Component
Intrusion Set Adversary
Report Playbook
Report Play
Campaign Campaign
Kill-Chain-Phase ATT&CK Tactic
Attack-Pattern ATT&CK Technique
Indicator Indicator
Malware Adversary Malware
Tool Adversary Tool

If you want to try this tool out, view it here: https://pan-unit42.github.io/playbook_viewer/

For example, Evasive Serpens, also known as Oilrig, is evasive-serpens.json, and the direct link is: https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens

Playbook Structure

The structure of an ATOM is described in detail here.