From 556853b9bd7fe5590db6c85afb5ff27e60888fb1 Mon Sep 17 00:00:00 2001 From: Allison Robbins Date: Wed, 10 Jul 2024 09:47:40 -0400 Subject: [PATCH] TAT-142 Add logo to site, 508 compliance, and misc formatting * feat(TAT-142): Update favicon * feat(TAT-142): add logo to homepage and footer, update default text on homepage * feat(TAT-142): 508 compliance: add alt text to images, add labels to elements * feat(TAT-142):more accessibility fixes, move css to scoped block * bugfix(TAT-142): add conditional to delete icons for static lists, set attack version as a store value * Edited some of the static text * Pre-release repo cleanup and update README * style(TAT-142): misc formatting to make site consistent across pages, improve 508 compliance and mobile view * feat(TAT-142): apply markdown to all text blocks, fix errors with parsing spreadsheet (from updating to latest ATT&CK) * style(TAT-142): set max width for footer --------- Co-authored-by: arobbins Co-authored-by: Mark E. Haase --- Calculator.md | 29 - Makefile | 20 + Methodology.md | 270 - README.md | 141 +- index.html | 11 +- public/favicon-dark.ico | Bin 0 -> 82726 bytes public/favicon-light.ico | Bin 0 -> 82726 bytes public/favicon.ico | Bin 4286 -> 0 bytes scripts/update_techniques.js | 11 +- ...ite.png => ctid-logo-horizontal-white.png} | Bin src/assets/logo-horizontal-white.svg | 11 + src/assets/logo-line-white.svg | 11 + src/assets/logo-vertical-white.svg | 11 + src/components/CalculatorFilters.vue | 6 +- src/components/DownloadListButton.vue | 2 +- src/components/NavigationFooter.vue | 84 +- src/components/NavigationMenu.vue | 6 +- src/components/SectionItem.vue | 20 +- src/components/TopTenDetails.vue | 50 +- src/components/TopTenSidebar.vue | 2 +- src/data/Techniques.json | 13150 +++++++++------- src/index.css | 29 +- src/stores/calculator.store.ts | 4 + src/views/CalculatorPage.vue | 4 +- src/views/HelpPage.vue | 77 +- src/views/HomePage.vue | 40 +- src/views/MethodologyPage.vue | 11 +- src/views/TopTen.vue | 3 +- 28 files changed, 7353 insertions(+), 6650 deletions(-) delete mode 100644 Calculator.md create mode 100644 Makefile delete mode 100644 Methodology.md create mode 100644 public/favicon-dark.ico create mode 100644 public/favicon-light.ico delete mode 100644 public/favicon.ico rename src/assets/{logo-horizontal-white.png => ctid-logo-horizontal-white.png} (100%) create mode 100644 src/assets/logo-horizontal-white.svg create mode 100644 src/assets/logo-line-white.svg create mode 100644 src/assets/logo-vertical-white.svg diff --git a/Calculator.md b/Calculator.md deleted file mode 100644 index 4cd0130..0000000 --- a/Calculator.md +++ /dev/null @@ -1,29 +0,0 @@ -

Understanding the Spreadsheet

- -The [Top ATT&CK Techniques backend spreadsheet](https://github.com/center-for-threat-informed-defense/top-attack-techniques/releases/tag/v1.0.0) is the backend for the Top ATT&CK Techniques calculator. This README will explain how can you modify this spreadsheet to have the Top 10 Calculator completely customized to your needs. You should only change cells that are highlighted in yellow. Other changes could break the functionality, so do so at your own risk. - -

TOP 10 TECHNIQUES

-B15:19 = You can change your monitoring coverage, which will update the Top Technique score and the Ransomware Top Technique score. The options are None, Low, Medium, High. - -

Methodology

-F:G = These columns are to adjust the Choke Point score for each technique. Column F is how many techniques happen immediately before that row's technique and column G is how many techniques happen immediately after that row's technique. -M:M = This is our Sightings data and is hardcoded. YOU WON'T BE ABLE TO CHANGE THESE VALUES YET. -N:Q, S, U = These columns are to adjust the Actionability score. Each column represents the number of analytics or controls for each technique. -AN = These columns allow you to update the Ransomware Top Technique score. AN is to mark how many ransomware groups have been seen using that row's technique. - -

Coverage Definitions

-This sheet describes our definitions for the different levels of network, process, file, hardware, and cloud coverage. This was borrowed from Cyb3rWard0g's work on "How Hot is your Hunt Team" - -

Techniques

-This sheet is from the ATT&CK page and includes all relavent data for each technique - -

Parameters

-This sheet has values that feed our components in the Methodology sheet. - -D2:D5 = changes the upper and lower bounds for Actionability. D6 changes the weighted ratio of detections to mitigations. 1 Mitigations = 2 Detections - -D8:D11 = changes the upper and lower bounds for Choke Point. D12 changes the weighted ratio of before to after techniques. 1 before = 1 after - -D14 = sets the date for which the prevalence methodology should use as ""today's date."" This should reflect the latest date that you have data for prevalence. - -D21:22 = sets the upper and lower bounds for the ransomware list. The upper bound is how many different groups are in the ransomware data set diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..70c5d59 --- /dev/null +++ b/Makefile @@ -0,0 +1,20 @@ +# +# See `make help` for a list of all available commands. +# + +.DEFAULT_GOAL := help +ROOTDIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST)))) + +.PHONY: help +help: ## Show Makefile help + @grep -hE '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | \ + awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' | \ + sort + +.PHONY: build +build: ## Build the application + npm run build + +.PHONY: serve +serve: ## Run the dev server + npm run dev diff --git a/Methodology.md b/Methodology.md deleted file mode 100644 index 5e18008..0000000 --- a/Methodology.md +++ /dev/null @@ -1,270 +0,0 @@ -# Top Attack Technique Methodology - -A top technique list should be actionable and driven by threat intelligence. Which drove the direction of our prioritized list and methodology to consist of algorithms, math, and analysis on the backend. The Centerโ€™s methodology is composed of three different components - **actionability**, **choke point**, and **prevalence**. Algorithms for each component were created to determine a techniqueโ€™s weight within a specific component, and then each component weight is combined to give an overall confidence score. - -![Screen Shot 2022-05-03 at 12 45 21 PM](https://user-images.githubusercontent.com/86126040/166500489-9a55d85a-f836-4279-aec6-bd93d8e96b8e.png) - -
- -## Table of Contents - - - [Prevalence](#prevalence) - - [Why do we want to include Prevalence](#why-do-we-want-to-include-prevalence) - - [Framing the Analysis](#framing-the-analysis) -- [Top Attack Technique Methodology](#top-attack-technique-methodology) - - [Table of Contents](#table-of-contents) - - [Prevalence](#prevalence) - - [Why do we want to include Prevalence](#why-do-we-want-to-include-prevalence) - - [Framing the Analysis](#framing-the-analysis) -- [Choke Point](#choke-point) - - [Why do we want to include Chokepoints](#why-do-we-want-to-include-chokepoints) - - [Executive Summary](#executive-summary) - - [Framing the Analysis](#framing-the-analysis-1) - - [Proposal for the choke point metric:](#proposal-for-the-choke-point-metric) - - [Utility functions](#utility-functions) - - [Attribute weighting](#attribute-weighting) - - [Plotting Chokepoint](#plotting-chokepoint) -- [Actionability](#actionability) - - [Why do we want to include Actionability](#why-do-we-want-to-include-actionability) - - [Finding Actionability:](#finding-actionability) - - [Framing the Analysis](#framing-the-analysis-2) - - [Defining Attribute Weighting](#defining-attribute-weighting) - - [How to Get Weights from Weighting Ratios (Optional Reading)](#how-to-get-weights-from-weighting-ratios-optional-reading) - - [What if we have more than two attributes? (Optional Reading)](#what-if-we-have-more-than-two-attributes-optional-reading) - -
- -## Prevalence - -Prevalence: the frequency of which an attacker uses a specific MITRE ATT&CK technique over a period of time. - -### Why do we want to include Prevalence - -This methodology allows us to see which techniques are actually being observed during cyber intrusions. With this knowledge, defenders can tailor their detection tools to look for those techniques that have the highest frequency and are the most current. - -The prevalence methodology is populated with data from the Sightings Ecosystem. Each Sighting represents one or more ATT&CK techniques used by an adversary on (or to target) victim infrastructure. For more information on Sightings, click here. - -There are a few limitations with our data that are important to understand. First, our data is limited to the data that was shared with us by our contributors. This data is not all-inclusive and is not representative of all attacks around the world. Second, our data is scoped from 1 April, 2019 to 31 July, 2021. Finally, our data is limited to how our contributors map data to ATT&CK. It is unclear if an increase in a certain technique means that it occurred more often or if it was detections simply improved. - -When looking at our data, it is important to remember that defending against our most observed techniques will not protect you from all adversary activity. It will only protect you from the adversary activity most observed by Sightings contributors. Despite these barriers, the Sightings data has given great insights into techniques that are frequently used by adversaries and its inclusion in our Top ATT&CK Techniques methodologies is helps insert real-world data into our analysis. - -## Framing the Analysis - -**Proposal for the prevalence metric:** - -For a technique that has attack times {t0, t1, โ€ฆ , tn}, we calculate the techniqueโ€™s un-normalized prevalence score as: ![Prev1](https://user-images.githubusercontent.com/86126040/166496655-165e31c0-2831-41d1-babb-6349935a6ffb.png) Where ๐‘ค is the time weighting function which assigns a weight (between zero and one) to an attack based on its proximity to the present time (๐‘ก๐‘›๐‘œ๐‘ค). It is defined by - -![Prev2](https://user-images.githubusercontent.com/86126040/166496797-6db935f9-f33a-40a2-bc14-c8606389dd56.png) -Here, ฮ”๐‘ก is the time between the attack and the present time. We have three parameters in the weighting function that can be adjusted: - -- ๐‘“๐‘ข๐‘™๐‘™ is the number of days into the past (relative to the present) for which we want attacks to be given full weighting. The weighting of attacks will start to decline if they occur more than ๐‘“๐‘ข๐‘™๐‘™ days into the past -- ๐‘‘๐‘’๐‘๐‘™๐‘–๐‘›๐‘’ is the number of days after ๐‘“๐‘ข๐‘™๐‘™ has been reached over which the weighting decreases to its minimum value. This controls the "steepness" of the falloff -- ๐‘ค๐‘š๐‘–๐‘› is the minimum weight an attack can have. Attacks that occurred more than ๐‘“๐‘ข๐‘™๐‘™+๐‘‘๐‘’๐‘™๐‘๐‘–๐‘›๐‘’ days into the past will have a weighting of ๐‘ค๐‘š๐‘–๐‘›. This controls the "strength" of the weighting -The combination of these three parameters control the strength and rate of weighting. For example, if we want weighting to gradually decrease to zero over a long period of time, then we may set ๐‘ค๐‘š๐‘–๐‘›:=0 and ๐‘‘๐‘’๐‘๐‘™๐‘–๐‘›๐‘’ to be large. - -The weighting function and its parameters may sound complicated in text, but it is best understood visually: -Prev3 -Some examples of the weighting function using various parameters are given below: -Prev4 - -Normalizing prevalence scores - -Since only a few techniques make up a large majority of all sightings, we need to be careful about accounting for these outliers when we put the prevalence scores on a zero-to-one scale. - -![Prev5](https://user-images.githubusercontent.com/86126040/166499610-e09418f5-6eab-48f5-9d9e-c6fbf1da1b1a.png) -This is a histogram of the distribution of prevalence scores across all techniques for which we have attack times. Note that there are a few techniques that have a prevalence score that is FAR greater than the scores for every other technique. If we normalize the scores using the min-max normalization described above, those few techniques would get a score somewhere around 0.8-1.0, while the vast majority of techniques would get a score close to zero. - -For now, we can take care of this by scaling according to a specified โ€œpercentile cutoff.โ€ For example, if we set the cutoff equal to 0.9, then techniques that have a score in the 90th percentile and above (i.e. in the top 10% of techniques) will receive a score equal to 1, while techniques that are below the 90th percentile will be scaled using the score of the 90th percentile as the โ€œmax.โ€œ - -Limitations - -There are several important considerations when reading the Sightings results. First and foremost, there was a limited number of contributors. This means our data does not provide a comprehensive view of the threat landscape. There are techniques not present in our dataset which may be relevant to organizations depending on their environment and relative risk. - -The data received was limited to the visibility of the companies who graciously contributed their data to the Sightings Ecosystem. Each contributor has different visibility because of demographics of their customer base, the location of their sensor technology (e.g., external to the network or on an email server), and their relative ability to detect specific activity. We hoped to overcome these limitations by recruiting a large number of contributors, but our limited number means there remains a visibility bias in our results. - -Our results are further limited by how our contributors map techniques to ATT&CK. Depending on when techniques are mapped in an incident investigation and how formalized the mapping process is, it is not unrealistic to think that several Sightings may have been mis-mapped. - -Aggregating data from multiple contributors also impacted our results. When we aggregated the data, we lost context on the adversaries and detections. We did not have deep insight into how the techniques are detected, which meant that we struggled to determine whether an increase in activity was caused -by increased adversary activity or by improved detections. - -# Choke Point - -Choke Point: a specific technique where many other techniques converge or diverge, and eliminating that specific technique would cause disruption to an adversary - -## Why do we want to include Chokepoints - -Analyzing chokepoints can assist defenders to pinpoint critical techniques needed to be successful in an attack. These techniques serve as the common denominator amongst in otherwise disparate attacks. For instance, T1047 (WMI) can serve as a choke point because there are a many other techniques that can be executed after an adversary executes WMI. Defending against malicious WMI usage can limit the potential attack path that an adversary might have used. - -## Executive Summary - -The MITRE team subjectively analyzed open-source threat reports and cyber incidents to identify techniques that had many techniques achieve multiple objectives, and common techniques that had many other techniques leading up to it and happening after it. We created one-to-many, many-to-one, and many-to-many mappings to help us find out choke points. MITRE ATT&CK Tactics were first used to narrow scope and help determine likelihood of chokepoint techniques. The team defined preceding and subsequent techniques for each chokepoint. Total count of preceding and subsequent techniques are assigned an attribute. The attribute is the confidence level, confidence level is the techniqueโ€™s probability to offer more avenues for a successful attack. - -Future Recommendations: In depth chokepoint analysis may require ML/AI components to visualize and predict all viable paths an attacker could take. An attack graph would display a representation of paths an adversary has successfully achieved a goal. At a high level, a type of representation would resemble a web where techniques branch out and co-occurrences can be identified. The attack graph can implement userโ€™s implemented controls to better define what pathways are more likely to be explored by an attacker - -Limitations: The method we used to find choke points is highly subjective. Our analysis was done by manually examining each technique, searching for references in CTI, and identifying before and after techniques. For some techniques, - -## Framing the Analysis - -To help limit the scope of techniques to review, the team first looked at MITRE ATT&CK Tactics that could potentially produce low Choke Point confidence levels. Tactics at the beginning and end of a cyber kill chain would not have many before and after techniques to produce high probability of an effective attack flow. Techniques under the Reconnaissance and Resource Development Tactics received a baseline of 0:1 to indicate at least one technique would take place after them. Techniques under the Impact Tactic received a baseline of 1:0 indicating at least one technique had taken place prior to them. Impact techniques are scoped as the adversaries cumulative objective so follow-on techniques were not considered. All other Tactics received a 1:1 baseline as at least one technique would occur before and after their facilitation. - -The MITRE team considered choke point to be the middle technique where many other techniques could go into and come out of in an attack flow proceeding. -![CP1](https://user-images.githubusercontent.com/86126040/166457990-f0629a02-0929-4872-acd4-bfe0a8ce84b6.png) -MITRE Technique T1055: Process Injection is a great example of many techniques calling Process Injection as the next technique in succession for the cyber attack then proceeding to any number of other techniques afterwards. -![CP2](https://user-images.githubusercontent.com/86126040/166458032-4f0ffff5-1ca1-4d26-b36a-e3cc54855942.png) -MITRE Technique T1491: Defacement is a great example of how only one technique could funnel into another and there wouldnโ€™t be a following technique after Defacement. - -By utilizing the same equation as Actionability, this allows us to understand and interpret the confidence level of choke point and to set parameters. This method is much clearer to see what the inputs are and how changing them will change the output. This method also does not make any assumptions about the structure of the connections between techniques beyond the data that was initially used. - -### Proposal for the choke point metric: - -The chokepoint formula for a technique is written as ![CP3](https://user-images.githubusercontent.com/86126040/166458124-ecd002b2-4904-4d97-8fc6-8b304b7d9b31.png) -Here ๐‘ฅ๐‘ and ๐‘ฅ๐‘Ž are the number of before and after techniques for the technique in question, while ๐‘ข๐‘ and ๐‘ข๐‘Ž are their โ€œutilityโ€œ functions. Finally, ๐‘ค๐‘ and ๐‘ค๐‘Ž are the weights for before and after techniques, which are define further below using relative weighting ratios. - -### Utility functions - - -For each potential chokepoint, we have two attributes: the number of before techniques it has, and the number of after techniques it has. In order to combine them, we define โ€œutilityโ€œ functions ๐‘ข๐‘ and ๐‘ข๐‘Ž for # before and # after, respectively. These functions define the "value" of different values have the form -![CP4](https://user-images.githubusercontent.com/86126040/166491936-8c850ff3-cf42-4f5c-bbfa-80d7f6394089.png) -Where ๐‘ฅ is the value of some attribute (ex: # of before techniques), and ๐‘ข๐‘๐‘๐‘’๐‘Ÿ and ๐‘™๐‘œ๐‘ค๐‘’๐‘Ÿ are the upper and lower "cutoffs" for that attribute. Values below the lower cutoff have zero utility, values above the upper cutoff have maximum utility. We set these to the smallest "useful" number of before or after techniques - -[note: the upper cutoff should be no larger than the largest value for its attribute, and the lower cutoff should be no lower than the smallest value for its attribute.] - -Examples of potential utility functions are illustrated below: -CP5 - -### Attribute weighting - - -We define the weights ๐‘ค๐‘ and ๐‘ค๐‘Ž by a "weighting ratio" which is set by asking how many after techniques is "worth" one before technique: -![CP6](https://user-images.githubusercontent.com/86126040/166492276-6c988b84-2942-4df4-83f7-b741dfbaab31.png) -If you want them to be weighted equally, set this equal to 1. If you want before techniques to be worth 1.2 after techniques, set this equal to 1.2. Below is how to go from this ratio to the actual weights ๐‘ค๐‘ and ๐‘ค๐‘Ž. - -First, we find the un-normalized weights ๐‘คโ€ฒ๐‘ and ๐‘คโ€ฒ๐‘Ž. Set -![CP7](https://user-images.githubusercontent.com/86126040/166492781-160192ce-7581-4954-9e65-7f30cf610e0b.png) -Then normalize so that they add up to 1 to get the actual weights: -![CP8](https://user-images.githubusercontent.com/86126040/166492859-552330fc-b246-42b5-9094-aee64c3d81d2.png) - Here is how the expression for ๐‘คโ€ฒ๐‘ and ๐‘คโ€ฒ๐‘Ž was derived: - The chokepoint formula is ![CP9](https://user-images.githubusercontent.com/86126040/166492908-f2c7f3f3-b882-4e41-9ddf-18b2ff49bbd4.png) -if ๐‘™๐‘œ๐‘ค๐‘’๐‘Ÿ๐‘ โ‰ค ๐‘ฅ๐‘ โ‰ค ๐‘ข๐‘๐‘๐‘’๐‘Ÿ๐‘ and ๐‘™๐‘œ๐‘ค๐‘’๐‘Ÿ๐‘Ž โ‰ค ๐‘ฅ๐‘Ž โ‰ค ๐‘ข๐‘๐‘๐‘’๐‘Ÿ๐‘Ž (i.e. they are both in the main "linear domain") then we can write this as ![CP10](https://user-images.githubusercontent.com/86126040/166492963-222ef713-8e1f-41a4-b650-eb381f7f1567.png) -In order to be weighted according to the ratio we specified, the weights ๐‘ค๐‘ and ๐‘ค๐‘Ž should be set so that the following relation is satisfied: -![CP11](https://user-images.githubusercontent.com/86126040/166493013-73844486-792b-4f39-bc0a-13d0967ee377.png) -the derivatives of ๐ถ are: -![CP12](https://user-images.githubusercontent.com/86126040/166493050-e72c298e-4273-4ac7-8540-340f9e779c89.png) -When we plug these into the above relation, we see that the relation to be satisfied becomes -![CP13](https://user-images.githubusercontent.com/86126040/166493079-33fb8d79-5d5a-42b7-a927-464b837b0b32.png) - So we can set ๐‘ค๐‘:=1 and use the above relations to find a value for ๐‘ค๐‘Ž. - -### Plotting Chokepoint - - -We can make a scatter plot of the number of before and after techniques among the potential chokepoints: -![CP14](https://user-images.githubusercontent.com/86126040/166493139-d278b9b7-f4d3-4386-91a6-43e7aab8681f.png) -And we can overlay this with a contour plot of the actual chokepoint function (patches of the same color have roughly the same chokepoint score) -![CP15](https://user-images.githubusercontent.com/86126040/166493191-62203dce-faab-4fef-bc07-cd006be6f77c.png) - and we can compare this with a plot of what the chokepoint function would look like had we not used utility functions to scale the number of before and after techniques - ![CP16](https://user-images.githubusercontent.com/86126040/166493218-213ab408-c63e-457f-aa95-5026dec08bd3.png) - -# Actionability - -Actionability: The opportunity for a defender to detect or mitigate against each ATT&CK technique based on publicly available analytics and security controls. - -## Why do we want to include Actionability - -Itโ€™s important to understand how a defender can take action to protect themselves against a specific technique. Depending on the amount of publicly available detections and mitigations per technique, this allows the defender the ability respond to an incident faster, or to prevent the incident all together. - -### Finding Actionability: - - -We broke down actionability into two categories: detections and mitigations. - -For detections, we reviewed several publicly available analytic resources and mapped each of them to ATT&CK. The repositories we used were MITREโ€™s Cyber Analytic Repository, Elastic, Sigma HQ's rules , and Splunk Detections. - -For mitigations, we reviewed security controls from two publicly available repositories and mapped each of them to ATT&CK. The repositories we used were CIS Critical Security Controls and NIST 800-53 Security Controls. - -We then made a total count of all detections and mitigations available for each ATT&CK technique. Techniques that have a greater amount of detections and mitigations are weighted more heavily than those with a lower amount. If a technique has a limited number of ways to detect or protect against it, we believe defending against those techniques will provide diminishing returns and more attention should be placed elsewhere. - -For instance, T1014 (rootkit) has zero detections or mitigations in the repositories that we referenced. Since rootkits are better identified by heuristics and forensics than analytics and security controls, a disproportionate amount of resources would need to be used to detect or prevent against them. Those resources could be better allocated defending against techniques that are more easily detected, but just as dangerous. - -There are a few limitations to this methodology. First, we did not search each repository to see if each analytic or control was still valid or if there were duplicates. Second, we did not differentiate for analytics that are similarly related. For instance, an analytic looking for Powershell executing an encoded command and one for Powershell executing Mimikatz would both count for T1053 (command and scripting interpreter). We tried to account for these limitations by setting upper bounds. After a certain point, the value of each additional analytic and control does not provide the same value to the defender. Because of this, any detections and controls over 100 and 55, respectively, do not change the weighted list. - -Finally, we recognize that for some, defending against rootkits, or other similarly stealthy techniques, is just as, if not more, important than other techniques. We tried to account for this by allowing users to choose which analytics and controls should be included in the weighted list. - -We then made a total count of all detections and mitigations available for each ATT&CK technique. Techniques that have a greater amount of detections and mitigations are weighted more heavily than those with a lower amount. If a technique has a limited number of ways to detect or protect against it, we believe defending against those techniques will provide diminishing returns and more attention should be placed elsewhere. - -![Acionability1](https://user-images.githubusercontent.com/86126040/166447108-ba373eb2-9ce9-4f27-b167-59888aee6514.png) -You can see there are quite a few outliers, especially for detections. Keep in mind that there are known to be duplicates, so there is likely some double counting. - -## Framing the Analysis - -This approach is based on techniques for "Multiple-criteria decision-making." - -Attribute Utilities - -Each technique has two attributes for determining actionability: the number of available detections, and the number of available mitigations. In order to combine them into a single score, we'll need to normalize using a "utility" function ๐‘ข for each of these attributes. This will map the value of an attribute to a number between 0 and 1 which indicates how much that value contributes to actionability. - -For simplicity and interoperability, We would recommend using a piecewise linear utility function, like this: ![Actionability2](https://user-images.githubusercontent.com/86126040/166447290-ff0c2a48-f1b5-4a5e-8248-b329a49b99bb.png) -Here, ๐‘ฅ is the value of some attribute (ex: # mitigations), ๐‘ข๐‘๐‘๐‘’๐‘Ÿ and ๐‘™๐‘œ๐‘ค๐‘’๐‘Ÿ are the upper and lower "cutoffs" for that attribute. Values below the lower cutoff have zero utility, values above the upper cutoff have maximum utility. - -For example, if 130 detection methods are not much more "valuable" than 100, then we may consider specifying an upper cutoff of 100 for detections. Conversely, if 10 detection methods isn't much more valuable than 0 methods then we might set the lower cutoff to be 10. Moreover, using cutoffs like this will prevent cases where a technique has a very large number of detections but absolutely no mitigations might still get a high actionability score. - -[notes: upper cutoff should be no larger than the largest value for its attribute, and lower cutoff should be no lower than the smallest value for its attribute] - -Bottom line: For each attribute (# detections and # mitigations), set the lower cutoff to the smallest value that "usefully" contributes to actionability (default to the lowest value), and set the upper cutoff to the largest value that "usefully" contributes to actionability (default to something close to the largest value). - -These cutoffs need to be specified for multiple reasons: - -- In order to combine mitigations and detections into a single function, they must both be on the same scale. If we were to scale them according to the smallest and largest values for each, then the scaling would be determined by the (likely double-counted) outliers -- Prevent a technique with no mitigations but many detections from receiving an inflated actionability score -- Prevent the weighting from changing when new data (potentially a very large outlier) gets added -For my example scores I'm using cutoffs of 0 and 100 for detections, and 0 and 55 for mitigations. - -Examples of potential utility functions are illustrated below: -Actionability3 - -### Defining Attribute Weighting - - -We then define weights for each of the attributes to rank their importance. Once we have the weights defined, the Actionability score is computed as: -![Actionability4](https://user-images.githubusercontent.com/86126040/166447417-33624986-5fc8-47a6-a45b-f80708ca1aaf.png) - so in our case with number of detections and number of mitigations as our attributes, it will be: - ![Actionability5](https://user-images.githubusercontent.com/86126040/166447456-5e00dbe3-4959-4aa5-a2b0-07348f564343.png) -Where ๐‘ฅ๐‘‘ and ๐‘ฅ๐‘š are the raw counts of detections and mitigations, ๐‘ค๐‘‘ and ๐‘ค๐‘š are their weights, and ๐‘ข๐‘‘ and ๐‘ข๐‘š are their utility functions. - -Since we are using utility functions, we need to be careful with how we define the weights. - -Bottom line: to make sure the weights have a "physical" meaning, we will define them using weighting ratios -![Actionability6](https://user-images.githubusercontent.com/86126040/166447498-3a6b7ea6-cf65-45b8-9be1-4ceba3f7b971.png) -If we want 1 mitigation to be worth 2 detections, then we'd set ![Actionability7](https://user-images.githubusercontent.com/86126040/166447525-6ca66218-df6a-446e-bcf6-143ccfa2ccf1.png) =2. This method can be extended to problems with more than two attributes. - -### How to Get Weights from Weighting Ratios (Optional Reading) - -The actionability formula is: -![Actionability8](https://user-images.githubusercontent.com/86126040/166456729-94cc416b-1982-4d8d-befd-684aff2cebc1.png) -(i.e. they are both in the main "linear domain") then we can write this as -![Actionability10](https://user-images.githubusercontent.com/86126040/166456940-a17e7965-e676-40ce-a981-953acc038bca.png) -If we want each mitigation to be worth two detections, then we should set the ๐‘ค๐‘š and ๐‘ค๐‘‘ so that the following relation is satisfied (if the ratio is changed, then you would change the 2 here to whatever the new ratio is): -![Actionability11](https://user-images.githubusercontent.com/86126040/166457059-bee04736-206b-4d7d-91fc-8c5758df7d14.png) -the derivatives of A are: -![Actionability12](https://user-images.githubusercontent.com/86126040/166457130-940ffd8d-480c-4a28-b59b-5ebf6faffbce.png) -When we plug these into the above relation, we see that the relation to be satisfied becomes -![Actionability13](https://user-images.githubusercontent.com/86126040/166457195-2d0b22fb-f2bc-4abb-be25-2a3fb8e42d0c.png) -So we can set ๐‘ค๐‘š:=1 and use the above relations to find a value for ๐‘ค๐‘‘. -![Actionability14](https://user-images.githubusercontent.com/86126040/166457258-7cb9e50e-bf1e-4ffd-a5d5-7d1af2bba3f0.png) -Then, to ensure actionability ranges from zero to one, we just need to normalize the weights so that they add up to one (i.e. we want ๐‘ค๐‘‘ + ๐‘ค๐‘š = 1.) We can do this by dividing each un-normalized weight by the sum of all weights: -![Actionability15](https://user-images.githubusercontent.com/86126040/166457353-9cc9459b-d28d-403d-92fe-1b79ce2f61ec.png) -where ๐‘คโ€ฒ๐‘š and ๐‘คโ€ฒ๐‘‘ are the values of ๐‘ค๐‘š and ๐‘ค๐‘‘ before normalizing. - -### What if we have more than two attributes? (Optional Reading) - - -For actionability we may want to incorporate some weighting for the number of ATT&CK datasources each technique has. Furthermore, this method might be used for one of the other scores, which may have more than two attributes. It is not too difficult to generalize this to work with three or more attributes. - -Suppose we have 5 attributes, named ๐‘Ž, ๐‘, ๐‘, ๐‘‘, and ๐‘’, and each attribute has an upper and lower cutoff. The steps to defining their weights are: -![d13f8e0a-5df5-4084-b4be-171b64f6246c](https://user-images.githubusercontent.com/86126040/166452540-e2e38716-4d6e-4744-a2a2-4d834e888785.png) -This is a contour plot of actionability scores -- patches of the same color have (roughly) the same value of actionability - -- Actionability ranges from zero to one. This will make things much easier when it comes time to combine the scores from actionability, chokepoint and so on. -- You can see that the highest score that a technique with no mitigations can have is about 0.45 -![Actionability16](https://user-images.githubusercontent.com/86126040/166452592-07ca9b02-0aab-4f4d-b466-ff85209f67f7.png) -Here's what actionability would look like if we didn't use utility functions to scale detections and mitigations. We can see that actionability is now unbounded, which will make things difficult to combine later on. Also, even if a technique has zero mitigations, it could still recieve a high actionability score if its detections is high enough. -![Actionability18](https://user-images.githubusercontent.com/86126040/166452611-7f60e40a-f29d-403a-878d-6c4872c7f546.png) diff --git a/README.md b/README.md index 5db091a..fbd30dd 100644 --- a/README.md +++ b/README.md @@ -1,133 +1,70 @@ # Top ATT&CK Techniques -Top ATT&CK Techniques provides defenders with a systematic approach to -prioritizing ATT&CK techniques. Our open methodology considers technique -prevalence, common attack choke points, and actionability to enable defenders to -focus on the ATT&CK techniques that are most relevant to their organization. +Top ATT&CK Techniques provides defenders with a systematic approach to prioritizing +MITRE ATT&CKยฎ techniques. Our methodology considers technique prevalence, common +attack choke points, and actionability to enable defenders to focus on the ATT&CK +techniques that are most relevant to their organization. **Table of Contents:** - [Getting Started](#getting-started) -- [Overview](#overview) -- [Limitations](#limitations) - [Getting Involved](#getting-involved) - [Questions and Feedback](#questions-and-feedback) -- [How Do I Contribute?](#how-do-i-contribute) - [Notice](#notice) ## Getting Started -To get started, try using the web-based calculator. If you want to go deeper, review the -methodology and consult the Excel calculator spreadsheet to see the underlying data and -computations. - -| Resource | Description | -| ------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------- | -| [Web Calculator](https://top-attack-techniques.mitre-engenuity.org/) | A web-based calculator for building customized priority lists of techniques tailored to your needs. | -| [Methodology](https://github.com/center-for-threat-informed-defense/top-attack-techniques/blob/main/Methodology.md) | An overview of the algorithms and analysis that went into creating the calculator. | -| [Excel Calculator](https://github.com/center-for-threat-informed-defense/top-attack-techniques/raw/main/Calculator.xlsx) | The Excel version of the Top ATT&CK Techniques calculator. | -| [Excel Calculator README](https://github.com/center-for-threat-informed-defense/top-attack-techniques/blob/main/Calculator.md) | Guidance for using the Top ATT&CK Techniques Excel calculator. | - -## Overview - -The Top ATT&CK Techniques Calculator makes it easy to build customized lists of -high-priority ATT&CK techniques lists. The prioritization is based on a -[methodology](./Methodology.md) that incorporate technique prevalence, choke point -analysis and actionability. - -image - -Users can create a top 10 technique list tailored to their -organization. The user inputs include filters for the operating system, security -controls, detection analytics, and modifiers for process and network monitoring -coverage. The calculator displays the top 10 techniques and provides the option -to export every technique in v14 of ATT&CK in JSON format. - -image - -Along with giving defenders a tool to help prioritize techniques, the project -wanted to put our methodology to practical use and produce a top 10 list that -was focused on a specific topic. A ransomware list was selected because -ransomware is wide-reaching, indiscriminate, and relevant. This list is the -Centerโ€™s assessment of which techniques a defender should prioritize to protect -themselves against a ransomware attack. - -To create this ransomware list, the projectโ€™s methodology was used and -supplemented by adding a separate component that is specific to the Centerโ€™s -ransomware analysis. To feed this component, CTI (Cyber Threat Intelligence) -reporting on 22 different ransomware families was reviewed and extracted -techniques that were used during ransomware attacks. The more times a technique -was seen across the 22 groups, the higher the weight. - -## Limitations - -ATT&CK was never created with the intent of assigning values to each technique. -It is a compendium of things adversaries have done and gives defenders a common -lexicon. Therefore, quantifying the data within ATT&CK is a bit precarious. This -project applied discrete values to abstract ideas and generated a weighted score -for every technique. - -The data used for this analysis was hardly perfect, which led to some flawed -inputs. Flawed inputs lead to flawed outputs, which means that this top 10 list -should not be seen as a declaration that you only need to defend against the top -10 techniques. This list should serve as a starting point for a more holistic -approach to systematically improving defensive capabilities. - -There are certainly gaps and errors with our approach, but in the Center, we are -always trying to advance the state of threat-informed defense. This is our first -attempt at creating a methodology to prioritize ATT&CK techniques and we plan to -make improvements. To do that, we need your feedback. Please share with us what -is working, what isnโ€™t working, and how we can make this more beneficial to you. +The website hosts all of the resources for this project. The website is linked below +along with some shortcuts to important pages on the website. + +| Resource | Description | +| ----------------------------------------------------------------------------------- | -------------------------------------------------------------------------- | +| [Web Site](https://top-attack-techniques.mitre-engenuity.org/) | The website hosts the calculator, methodology, and ransomware top 10 list. | +| [Ransomware Top 10](https://top-attack-techniques.mitre-engenuity.org/top-10-lists) | A curated top 10 list created by our expert ATT&CK analysts. | +| [Calculator](https://top-attack-techniques.mitre-engenuity.org/calculator) | An interactive calculator for producing your own, customized top 10 lists. | +| [Methodology](https://top-attack-techniques.mitre-engenuity.org/methodology) | An overview of the algorithms and analysis that power the calculator. | ## Getting Involved There are several ways that you can get involved with this project and help advance threat-informed defense: -- **Review the methodology, use the calculator, and tell us what you think.** - We welcome your review and feedback on the calculator and our methodology. -- **Help us prioritize improvements.** Let us know where we can improve. Your - input will help us prioritize improvements. -- **Share your use cases.** We are interested in hearing from you about your use - cases and ideas. Tell us how you leveage the Top ATT&CK Techniques resources - and share your ideas for improving upon this foundation. +- **Review the Ransomware Top 10 list.** + If ransomware is a threat that your organization is tracking and working to mitigate, consult our Ransomware Top 10 list align your effort with our analytical process. +- **Make your own top 10 list.** Use the calculator to create your own customized top 10 + list of ATT&CK techniques. +- **Spread the word.** If you find Top ATT&CK Techniques valuable, share your experience + with your industry peers. ## Questions and Feedback -Please submit issues for any technical questions/concerns or contact -ctid@mitre-engenuity.org directly for more general inquiries. - -Also see the guidance for contributors if are you interested in contributing or -simply reporting issues. - -## How Do I Contribute? +Please submit [issues on +GitHub](https://github.com/center-for-threat-informed-defense/top-attack-techniques/issues) +for any technical questions or requests. You may also contact +[ctid@mitre-engenuity.org](mailto:ctid@mitre-engenuity.org?subject=Question%20about%20top-attack-techniques) +directly for more general inquiries about the Center for Threat-Informed Defense. -We welcome your feedback and contributions to help advance our methodology. -Please see the guidance for contributors if are you interested in [contributing -or simply reporting issues.](/CONTRIBUTING.md) - -Please submit -[issues](https://github.com/center-for-threat-informed-defense/top-attack-technique/issues) -for any technical questions/concerns or contact ctid@mitre-engenuity.org -directly for more general inquiries. +We welcome your contributions to help advance Top ATT&CK Tehcniques in the form +of [pull +requests](https://github.com/center-for-threat-informed-defense/top-attack-techniques/pulls). +Please review the [contributor +notice](https://github.com/center-for-threat-informed-defense/top-attack-techniques/blob/main/CONTRIBUTING.md) +before making a pull request. ## Notice -Copyright 2022 MITRE Engenuity. Approved for public release. Document number -CT0047 +ยฉ 2022, 2024 MITRE Engenuity. Approved for public release. Document number(s) CT0047. -Licensed under the Apache License, Version 2.0 (the "License"); you may not use -this file except in compliance with the License. You may obtain a copy of the -License at +Licensed under the Apache License, Version 2.0 (the "License"); you may not use this +file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 -Unless required by applicable law or agreed to in writing, software distributed -under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -CONDITIONS OF ANY KIND, either express or implied. See the License for the -specific language governing permissions and limitations under the License. - -This project makes use of ATT&CKยฎ +Unless required by applicable law or agreed to in writing, software distributed under +the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the specific language governing +permissions and limitations under the License. -[ATT&CK Terms of Use](https://attack.mitre.org/resources/terms-of-use/) +This project makes use of ATT&CKยฎ: [ATT&CK Terms of +Use](https://attack.mitre.org/resources/terms-of-use/) diff --git a/index.html b/index.html index b9373f2..fece48d 100644 --- a/index.html +++ b/index.html @@ -2,7 +2,16 @@ - + + diff --git a/public/favicon-dark.ico b/public/favicon-dark.ico new file mode 100644 index 0000000000000000000000000000000000000000..3278f5f034ae65f4e6806f64aa96d0f827ce0918 GIT binary patch literal 82726 zcmeI5ONbmr7{_~)VB#Yr3K1V*)<-aSF((mGh=_s@5IkrS6ay-FP>Bj6in#HCCVKJU zNpPbGMn&;)5f7q>A_+b~5d{xX!IPpFO(L4{|IPMPCbQkU-Cf`A)^7b8{@c|xRn=er zzWP_s&d$yh#aOYTSi82+e!RGIMNwQ;6vg=X)bU=`zooiOo66%2MRDW0qL`SNI^MWy ztT=K>QEXHnHPr}H_1YC0Ho2|W>ur^8E_I9c*Gd--)!AcKze&2fEDzdm)A8SuZAYed zy)U)jS(dGCQ2)5f`$p;y>v+(=e5m)83WNTGI@>=X?H{gC`5$S%`ah&|ZISMm?klxJ z`=;l&KGX8Ax`Wd2R(Jh%{XbUc&r2EKm!wCe(XFokYBe0zN*&)b+F8ey{YNiI?F#Ac z$o_Yg{r}V6WZS*c=;@{%TN`PEWVyPjl$FnyrnO(_3Ja+=to4d+NQYD&Xwc8rnQ>{e zWb0LbvxSEZ0z(8e_m?%4`DZTLzMygUO0U-Fb=6NuYo*5|JFaW{njU*fI$5%Hd8W2@ zPFoXymuA~OQG?T^&t_|=$L&6MhV(&$wtuP3Zw=ZF&i`qHwswAtmGjRIYpL>I==pb= z&_6GIEqzfVo2NFP=VJb!qH#}@Y#o?Mwx-O*`R$xTt89Id^Dj96HtT=W^|wv_U(_6U zL$Z5SmEKgn-S^f>b8-GA_w+HHd$rW`{@3{W>z#4*5uMkbdvJdEFXa4Nr8)Spv_~?} zR>>Z-=c;z^IXZzOOE%V!%!|Xv!{uWhi##peGa#V3bj((aH+?a3xh8nEdLJ$CRqEg$ z$DGR!>~#vgWLj*O!s`_0>3|Ia5P$##TnK2XT`!&6LH4`6J;yjfI;TT_JLgG~jd5zn z{%5P7{Vn4c>E{;uRc-BgnmsSNLi$l^JH`R^xn8pPpOb9NHZj=wzLkEGx@_;Mlf{3X zbg07s_IDEdTb{-LN{9Z|#ctfh4}a!QdjsKL)*seSpZnL#rTzZZzNzf~XRq<6aR0hk zaoD|hOH195Li{mLM2SEC`5XK-i`s8)_h0z8hp!&+FQ5NJ&L8`ov&)tW{|6QPF6rqO zdPZ$;mF#!d=-+>1_{a1m{;Ag=Vi?Bsg+Kh6KdhfIb0DU#!}_z$##pGWjDNHC-$*}5 z-#3)C{Z6ub_dZJ(cY)k=co9>`?L%$8w4N#0SG_<0uX=z1Rwwb2tWV=5P$##AOHaf zKmY;|fB*y_009U<00Izz00bZa0SG_<0*ju2-d(stTA8SpDXzfS%F^;gV>O1xax`AM zhT{^A+2XSAheBovuZT_Uqz)`9scjet*#gTuOs7EkN^Ex;(tGuHWL2#}S@W0!n#s6+7@qa`6MmNL%Zj%=OyP?GY(Z+5# z0RDHIwD{i*CH`+{-{@xe-)++3e>ar)Kib$02f+VslNSHGp~U|U?Hk<;|GQ1v#p?e( zZUlS>I;`QgN@0#$Sz0vT{}lpHxFDVnNFOGs_Z8FSQlMvLiTnp5@dfd;|4&L;;UdX@ zK#^sE{AZc=aM9#Hpvba7{IzTr~L)D6%Y&|18rUE}HxY6j>I? zf0k(v7ft>HiYyD{Kg+a-izfd8MV1BfpJm#^MU(%4BFh5#&ob@dqRD?ik!6AWXPNeJ z(d0j%$g)8GvrK!qX!0LWWLY5pS*AT)H2DuGvMiAQEYlt?n*0Y8Sr*8DmT3S3Z>yP$3hw^b|2I_cJiZqt6Xba_jeJ!j>Mq*aZ_&HA_K_z$Tj9c}DC z*M4hDS+o3cmF;gUKceGid+WpWh16`{EVKO+(x*~u*`GT8x7t6Xv2K<|qz4^QCN8+z`kYGq`e z_Li4VRM*C|ocOEMo)g=TKUAG_q>nSy)p>4Yf$F`Rq3-Xh^Gk+$&GA3VP}jycTN(f4 ze*LfV@9X>^}cB{+a4`wq$wWM6#Tc$N2MPLra!Tf5`ZK z=if>G&y;`V`%e7-qUOL($<9^NX_w0FymywA$M{*!=_QRlN6K{m>*V#PN5-*dG_I}P z86W=roPV=42OpMpNEWlx$(|e4{GXjQ{~w#>>5q0VOM>aGl}XsSGAT*6pH8J+D>jC` z%QlC-OE;%?$TJXV5U90nVJPc|k%RhlVtUoyAFNHQLkHVNtJUmt3Vmc6?vN%wr?^N5 zY!H9|1R&r-Kmuq#rxb z&#L=kb@_UG|FTs2Uh1@u18P$lt8B9OAkRtGXD2q;cwb9DNbR31W;q^j*gvfHhr8&* z{!g;5VgIXLv^N_MO4tv7=1=D_O#G66$e)$O)Y)yFpJ=??Ua>fT=Yg=0GoPiQoEr zmR=C{)E559Eykc)=k9))Z~wb6%^E8w3#4X)k-5_i*L2?~Gp^w_cZBr!{IXPWDY+ zr)39h5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z1Rwwb2tWV=5P$## zAOHafL{DJ6lFZPx{xb`y^2k87eC&I9>-Pl=CxeBwRSd_oF(XMVM4 zHjh=3XJyk%Qu{r~ML0er-`_OF|CQt}+1vhGEk&^RsJ=sXyKI~EzrNRB_Ysd=t+E3} zWGw&hmtC>>|4!K)lm8dv|E}^&TKwaGr+iKPcQr55&NXTIpZM=?z7qf4aZ8(@Q_6{d z;-B@O+Z-VO`{pb1zb{Ynf4)44e_y`Dzb{YXKVP22zb{|n-3I^W{nW`|>6JeR&f9`SK+GefbjqzC4Nle0dW8 zzI=&)U!KH&zC4M4U%te@FHhn>U!KIjFJI!{mnZR`FVD32xBLIP{VnGyK2u+AWxD?V zQ?CDZ<2jB0>%Sv=o)~YCwn~o{O6BBk+4GX*Hm4l>ia!7E9)2Y39^O*gd;O+?ch)9@ zMbo}jiG4Q#{`Z;xQ{sQ}M(_eZ!2fQ!5C8kbQS)3Bef}?S*iV{9{1g94lKi_iz>%Ws`@7^mY_IDIC{*UOl-_}j@ z`)|?w{!{PX$-f8rev|ZG0ku!QzXt#3I|tZR7a`L3KUD{R<)oqb&*U6p;$;M&wo?-cabyC{1CK)W8hLgeZ)f)%K zhBw9m6DuJA0SG_<0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa z0SG_<0uYFnK#i>@0(Hm#W`EB(HU~I{M>wNCuj-RxVm@#z0!8CdcS?(YI2M7}c+{Q7 IpKb{J12glz1ONa4 literal 0 HcmV?d00001 diff --git a/public/favicon.ico b/public/favicon.ico deleted file mode 100644 index df36fcfb72584e00488330b560ebcf34a41c64c2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4286 zcmds*O-Phc6o&64GDVCEQHxsW(p4>LW*W<827=Unuo8sGpRux(DN@jWP-e29Wl%wj zY84_aq9}^Am9-cWTD5GGEo#+5Fi2wX_P*bo+xO!)p*7B;iKlbFd(U~_d(U?#hLj56 zPhFkj-|A6~Qk#@g^#D^U0XT1cu=c-vu1+SElX9NR;kzAUV(q0|dl0|%h|dI$%VICy zJnu2^L*Te9JrJMGh%-P79CL0}dq92RGU6gI{v2~|)p}sG5x0U*z<8U;Ij*hB9z?ei z@g6Xq-pDoPl=MANPiR7%172VA%r)kevtV-_5H*QJKFmd;8yA$98zCxBZYXTNZ#QFk2(TX0;Y2dt&WitL#$96|gJY=3xX zpCoi|YNzgO3R`f@IiEeSmKrPSf#h#Qd<$%Ej^RIeeYfsxhPMOG`S`Pz8q``=511zm zAm)MX5AV^5xIWPyEu7u>qYs?pn$I4nL9J!=K=SGlKLXpE<5x+2cDTXq?brj?n6sp= zphe9;_JHf40^9~}9i08r{XM$7HB!`{Ys~TK0kx<}ZQng`UPvH*11|q7&l9?@FQz;8 zx!=3<4seY*%=OlbCbcae?5^V_}*K>Uo6ZWV8mTyE^B=DKy7-sdLYkR5Z?paTgK-zyIkKjIcpyO z{+uIt&YSa_$QnN_@t~L014dyK(fOOo+W*MIxbA6Ndgr=Y!f#Tokqv}n<7-9qfHkc3 z=>a|HWqcX8fzQCT=dqVbogRq!-S>H%yA{1w#2Pn;=e>JiEj7Hl;zdt-2f+j2%DeVD zsW0Ab)ZK@0cIW%W7z}H{&~yGhn~D;aiP4=;m-HCo`BEI+Kd6 z={Xwx{TKxD#iCLfl2vQGDitKtN>z|-AdCN|$jTFDg0m3O`WLD4_s#$S diff --git a/scripts/update_techniques.js b/scripts/update_techniques.js index 04acb1f..8fec731 100644 --- a/scripts/update_techniques.js +++ b/scripts/update_techniques.js @@ -18,8 +18,9 @@ const DESTINATION_FILE = "src/data/Techniques.json"; tid: r.getCell(1).value, name: r.getCell(2).value, description: r.getCell(3).value, - url: r.getCell(4).hyperlink, - tactics: r.getCell(8).value.toString().split(", "), + url: r.getCell(4).hyperlink + ? r.getCell(4).hyperlink + : r.getCell(4).value, detection: r.getCell(9).value, platforms: r.getCell(10).value.toString().split(", "), data_sources: r.getCell(11).value @@ -47,9 +48,9 @@ const DESTINATION_FILE = "src/data/Techniques.json"; if (r.number > 1) { const m = { mid: r.getCell(1).value, - name: r.getCell(2).value, - description: r.getCell(3).value, - url: r.getCell(4).hyperlink, + name: r.getCell(3).value, + description: r.getCell(4).value, + url: r.getCell(5).hyperlink, }; mitigations.push(m); } diff --git a/src/assets/logo-horizontal-white.png b/src/assets/ctid-logo-horizontal-white.png similarity index 100% rename from src/assets/logo-horizontal-white.png rename to src/assets/ctid-logo-horizontal-white.png diff --git a/src/assets/logo-horizontal-white.svg b/src/assets/logo-horizontal-white.svg new file mode 100644 index 0000000..a55c3a6 --- /dev/null +++ b/src/assets/logo-horizontal-white.svg @@ -0,0 +1,11 @@ + + + + + + + + + + + diff --git a/src/assets/logo-line-white.svg b/src/assets/logo-line-white.svg new file mode 100644 index 0000000..c5b0a3b --- /dev/null +++ b/src/assets/logo-line-white.svg @@ -0,0 +1,11 @@ + + + + + + + + + + + diff --git a/src/assets/logo-vertical-white.svg b/src/assets/logo-vertical-white.svg new file mode 100644 index 0000000..7198d6c --- /dev/null +++ b/src/assets/logo-vertical-white.svg @@ -0,0 +1,11 @@ + + + + + + + + + + + diff --git a/src/components/CalculatorFilters.vue b/src/components/CalculatorFilters.vue index 3f3df78..bed4d88 100644 --- a/src/components/CalculatorFilters.vue +++ b/src/components/CalculatorFilters.vue @@ -5,16 +5,16 @@ :header="calculatorStore.filterProperties[group].label">
+ aria-label="Select all" :input-id="`select_all_${group}`" @change="select(group)">
+ :binary="true" :aria-labelledby="option.id" class="my-auto"> - +
diff --git a/src/components/DownloadListButton.vue b/src/components/DownloadListButton.vue index 8b3870d..2bf72e7 100644 --- a/src/components/DownloadListButton.vue +++ b/src/components/DownloadListButton.vue @@ -73,7 +73,7 @@ export default defineComponent({ "versions": { "navigator": "4.8.0", "layer": "4.5", - "attack": 10.1, + "attack": this.calculatorStore.attackVersion, }, "sorting": 3, "description": "Top ATT&CK Techniques heatmap overview of ATT&CK", diff --git a/src/components/NavigationFooter.vue b/src/components/NavigationFooter.vue index 0049d9d..f8502e5 100644 --- a/src/components/NavigationFooter.vue +++ b/src/components/NavigationFooter.vue @@ -1,40 +1,52 @@ @@ -144,7 +136,7 @@ export default defineComponent({ .container-body, .container-header { - @apply py-4 px-6 + @apply py-3 px-6 } .container-body h3 { @@ -157,7 +149,6 @@ export default defineComponent({ img { object-fit: contain; - /* @apply xl:w-1/3 lg:w-1/2 w-full */ } .link-section h2 { @@ -165,6 +156,6 @@ img { } .btn-primary { - @apply my-2 + @apply my-2 py-3 } diff --git a/src/views/HomePage.vue b/src/views/HomePage.vue index 74b8bad..9368cbb 100644 --- a/src/views/HomePage.vue +++ b/src/views/HomePage.vue @@ -3,30 +3,29 @@
-

- Top ATT&CK Techniques -

-
-

+ + Top Attack Techniques +

+

Top ATT&CK Techniques provides defenders with a systematic approach to prioritizing ATT&CK techniques. Our open methodology considers - technique prevalence, common attack choke points, and actionability + technique prevalence, common ATT&CK choke points, and actionability to enable defenders to focus on the ATT&CK techniques that are most relevant to their organization.

-
+
@@ -35,8 +34,8 @@

Want to Learn More?

-
-
+
+

The methodology page outlines the rationale behind the ATT&CK technique scores and ranking. A techniqueโ€™s score is calculated by @@ -47,7 +46,7 @@

-
+

The help page contains the answers to common questions and issues that may pop up for users of Top ATT&CK Techniques. It also has a @@ -76,6 +75,8 @@ import CalculatorSvg from "@/assets/calculator.svg"; import ListSvg from "@/assets/list.svg"; import BookSvg from "@/assets/book.svg"; import HelpSvg from "@/assets/help.svg"; +import LogoVertical from "@/assets/logo-vertical-white.svg"; +import LogoHorizontal from "@/assets/logo-horizontal-white.svg"; import { useCalculatorStore } from "@/stores/calculator.store"; import TopTenWrapper from "@/components/TopTenWrapper.vue"; @@ -88,6 +89,7 @@ export default defineComponent({ ListSvg, BookSvg, HelpSvg, + LogoVertical, LogoHorizontal }; }, computed: { @@ -100,4 +102,12 @@ export default defineComponent({ }); - + diff --git a/src/views/MethodologyPage.vue b/src/views/MethodologyPage.vue index 351e68b..bc13994 100644 --- a/src/views/MethodologyPage.vue +++ b/src/views/MethodologyPage.vue @@ -2,11 +2,10 @@

Methodology

-

A prioritized list of MITRE ATT&CK techniques should be actionable and driven - by threat intelligence. The Centerโ€™s methodology is composed of three different components - Actionability, - Choke - Point, and Prevalence. Algorithms for each component were created to determine a techniqueโ€™s weight within a - specific component, and then each component weight is combined to give an overall weight.

+

Our top 10 lists of MITRE ATT&CK techniques are designed to be actionable and + driven + by threat intelligence. The Centerโ€™s methodology is composed of three different components: Actionability, + Choke Point, and Prevalence.

@@ -64,7 +63,7 @@ export default defineComponent({ .container-body, .container-header { - @apply py-4 px-6 + @apply py-3 px-6 } .container-body h3 { diff --git a/src/views/TopTen.vue b/src/views/TopTen.vue index 688c5e6..5d894ce 100644 --- a/src/views/TopTen.vue +++ b/src/views/TopTen.vue @@ -2,7 +2,8 @@

Top 10 Lists

-

Explore the most prevalent techniques for different categories, determined by our ATT&CK analysts +

Browse top 10 lists compiled by our ATT&CK experts and tailored to specific threats such as + ransomware.