ATTACKdatamap - A Datasource Assessment On An Event Level To Show Potential Coverage Or The MITRE ATT&CK Framework


A datasource assessment on an event level to show potential coverage of the "MITRE ATT&CK" framework.
This tool is developed by me and has no affiliation with "MITRE" nor with its great "ATT&CK" team, it is developed with the intention to ease the mapping of data sources to assess one's potential coverate.
More details in a blogpost here

Start
This tool requires module ImportExcel, Install it like this PS C:\> Install-Module ImportExcel
Import the module with Import-Module .\ATTACKdatamap.psd1

Request-ATTACKjson
Generates a JSON file to be imported into the ATT&CK Navigator. The mitre_data_assessment.xlsx file contains all Techniques, which can be updated via Invoke-ATTACK-UpdateExcel.
Each technique contains DataSources, which are individually scored by me with a weight. The DataSourceEventTypes need to be scored per environment.
This script multiplies the respective DataSource scores and adds them to a total technique score. The generation date is added to the description.
EXAMPLE
PS C:\> Request-ATTACKjson -Excelfile .\mitre_data_assessment.xlsx -Template .\template.json -Output 2019-03-23-ATTACKcoverage.json
This is all gathered into a JSON file which can be opened here; MITRE ATT&CK Navigator/enterprise/

Invoke-ATTACK-UpdateExcel
This generates all MITRE ATT&CK relevant fields into a table and creates or updates the REF-DataSources worksheet in an Excel sheet
EXAMPLE
PS C:\> Invoke-ATTACK-UpdateExcel -AttackPath .\enterprise-attack.json -Excelfile .\mitre_data_assessment.xlsx
The -AttackPath and -Excelfile parameters are optional

Get-ATTACKdata
This downloads the MITRE ATT&CK Enterprise JSON file
EXAMPLE
PS C:\> Get-ATTACKdata -AttackPath ./enterprise-attack.json
The -AttackPath parameter is optional


Disqus Comments