| name | analyzing-threat-actor-ttps-with-mitre-attack |
| description | MITRE ATT&CK 是基于真实世界观察的全球可访问的对手战术、技术和过程(TTP)知识库。本技能涵盖系统性地将威胁行为者行为映射到 ATT&CK 框架、使用 ATT&CK Navigator 构建技术覆盖热力图、识别检测差距,以及生成将观察到的 IOC 关联到 Enterprise、Mobile 和 ICS 矩阵中特定对手技术的可执行情报报告。 |
| domain | cybersecurity |
| subdomain | threat-intelligence |
| tags | ["threat-intelligence","cti","ioc","mitre-attack","stix","ttp-analysis","threat-actors"] |
| version | 1.0 |
| author | mahipal |
| license | Apache-2.0 |
使用 MITRE ATT&CK 分析威胁行为者 TTP
概述
MITRE ATT&CK 是基于真实世界观察的全球可访问的对手战术、技术和过程(TTP)知识库。本技能涵盖系统性地将威胁行为者行为映射到 ATT&CK 框架、使用 ATT&CK Navigator 构建技术覆盖热力图、识别检测差距,以及生成将观察到的 IOC 关联到 Enterprise、Mobile 和 ICS 矩阵中特定对手技术的可执行情报报告。
前置条件
- Python 3.9+,安装
mitreattack-python、attackcti、stix2 库
- MITRE ATT&CK Navigator(网页版或本地部署)
- 了解 ATT&CK 矩阵结构:战术、技术、子技术
- 访问威胁情报报告或 MISP/OpenCTI 获取威胁行为者数据
- 熟悉 STIX 2.1 Attack Pattern 对象
核心概念
ATT&CK 矩阵结构
ATT&CK Enterprise 矩阵将对手行为组织为 14 个战术("为什么"),其下包含技术("如何做")和子技术(具体实现)。每个技术都关联了数据源、检测方法、缓解措施,以及来自已观察威胁组织的真实过程示例。
威胁组织画像
ATT&CK 收录了超过 140 个威胁组织(如 APT28、APT29、Lazarus Group、FIN7),记录了其技术使用情况。每个组织画像包含别名、目标行业、关联攻击活动、所用软件,以及含过程级详情的技术映射。
ATT&CK Navigator
ATT&CK Navigator 是用于创建自定义 ATT&CK 矩阵可视化的 Web 工具。分析人员创建层(JSON 文件),用分数、颜色、注释和元数据标注技术,以可视化威胁行为者覆盖范围、检测能力或风险评估。
实践步骤
步骤 1:以编程方式查询 ATT&CK 数据
from attackcti import attack_client
import json
lift = attack_client()
enterprise_techniques = lift.get_enterprise_techniques()
print(f"Total Enterprise techniques: {len(enterprise_techniques)}")
groups = lift.get_groups()
print(f"Total threat groups: {len(groups)}")
apt29 = [g for g in groups if 'APT29' in g.get('name', '')]
if apt29:
group = apt29[0]
print(f"Group: {group['name']}")
print(f"Aliases: {group.get('aliases', [])}")
print(f"Description: {group.get('description', '')[:200]}")
步骤 2:将威胁行为者映射到 ATT&CK 技术
from attackcti import attack_client
lift = attack_client()
apt29_techniques = lift.get_techniques_used_by_group("G0016")
technique_map = {}
for entry in apt29_techniques:
tech_id = entry.get("external_references", [{}])[0].get("external_id", "")
tech_name = entry.get("name", "")
description = entry.get("description", "")
tactic_refs = [
phase.get("phase_name", "")
for phase in entry.get("kill_chain_phases", [])
]
technique_map[tech_id] = {
"name": tech_name,
"tactics": tactic_refs,
"description": description[:300],
}
print(f"\nAPT29 uses {len(technique_map)} techniques:")
for tid, info in sorted(technique_map.items()):
print(f" {tid}: {info['name']} [{', '.join(info['tactics'])}]")
步骤 3:生成 ATT&CK Navigator 层
import json
def create_navigator_layer(group_name, technique_map, description=""):
"""为威胁组织生成 ATT&CK Navigator 层 JSON。"""
techniques_list = []
for tech_id, info in technique_map.items():
techniques_list.append({
"techniqueID": tech_id,
"tactic": info["tactics"][0] if info["tactics"] else "",
"color": "#ff6666",
"comment": info["description"][:200],
"enabled": True,
"score": 100,
"metadata": [
{"name": "group", "value": group_name},
],
})
layer = {
"name": f"{group_name} TTP Coverage",
"versions": {
"attack": "16.1",
"navigator": "5.1.0",
"layer": "4.5",
},
"domain": "enterprise-attack",
"description": description or f"Techniques attributed to {group_name}",
"filters": {"platforms": ["Windows", "Linux", "macOS", "Cloud"]},
"sorting": 0,
"layout": {
"layout": "side",
"aggregateFunction": "average",
"showID": True,
"showName": True,
"showAggregateScores": False,
"countUnscored": False,
},
"hideDisabled": False,
"techniques": techniques_list,
"gradient": {
"colors": ["#ffffff", "#ff6666"],
"minValue": 0,
"maxValue": 100,
},
"legendItems": [
{"label": "Observed technique", "color": "#ff6666"},
{"label": "Not observed", "color": "#ffffff"},
],
"showTacticRowBackground": True,
"tacticRowBackground": "#dddddd",
"selectTechniquesAcrossTactics": True,
"selectSubtechniquesWithParent": False,
"selectVisibleTechniques": False,
}
return layer
layer = create_navigator_layer("APT29", technique_map, "APT29 (Cozy Bear) TTP analysis")
with open("apt29_navigator_layer.json", "w") as f:
json.dump(layer, f, indent=2)
print("[+] Navigator layer saved to apt29_navigator_layer.json")
步骤 4:识别检测差距
from attackcti import attack_client
lift = attack_client()
all_techniques = lift.get_enterprise_techniques()
data_source_coverage = {}
for tech in all_techniques:
tech_id = tech.get("external_references", [{}])[0].get("external_id", "")
data_sources = tech.get("x_mitre_data_sources", [])
for ds in data_sources:
if ds not in data_source_coverage:
data_source_coverage[ds] = []
data_source_coverage[ds].append(tech_id)
detected_techniques = {"T1059", "T1071", "T1566"}
actor_techniques = set(technique_map.keys())
covered = actor_techniques.intersection(detected_techniques)
gaps = actor_techniques - detected_techniques
print(f"\n=== APT29 检测差距分析 ===")
print(f"行为者技术总数: {len(actor_techniques)}")
print(f"已检测: {len(covered)} ({len(covered)/len(actor_techniques)*100:.0f}%)")
print(f"差距: {len(gaps)} ({len(gaps)/len(actor_techniques)*100:.0f}%)")
print(f"\n未检测技术:")
for tech_id in sorted(gaps):
if tech_id in technique_map:
print(f" {tech_id}: {technique_map[tech_id]['name']}")
步骤 5:跨组织技术对比
from attackcti import attack_client
lift = attack_client()
groups_to_compare = {
"G0016": "APT29",
"G0007": "APT28",
"G0032": "Lazarus Group",
}
group_techniques = {}
for gid, gname in groups_to_compare.items():
techs = lift.get_techniques_used_by_group(gid)
tech_ids = set()
for t in techs:
tid = t.get("external_references", [{}])[0].get("external_id", "")
if tid:
tech_ids.add(tid)
group_techniques[gname] = tech_ids
all_groups = list(group_techniques.keys())
common_to_all = set.intersection(*group_techniques.values())
print(f"\n所有 {len(all_groups)} 个组织共同的技术: {len(common_to_all)} 个")
for tid in sorted(common_to_all):
print(f" {tid}")
for gname, techs in group_techniques.items():
unique = techs - set.union(*[t for n, t in group_techniques.items() if n != gname])
print(f"\n{gname} 独有技术: {len(unique)} 个")
验收标准
- 成功通过 TAXII 服务器或本地副本查询 ATT&CK 数据
- 威胁行为者已映射到具体技术并附有过程示例
- ATT&CK Navigator 层 JSON 有效且正确渲染
- 检测差距分析识别出未监控的技术
- 跨组织比较揭示共同和独特 TTP
- 输出结果可供检测工程优先级排序使用
参考资料