refactor(cti): refactoring for attacker (#12)

vulsio · Apr 20, 2022 · 386df10 · 386df10
1 parent 0e9061e
commit 386df10
Show file tree

Hide file tree

Showing 27 changed files with 2,211 additions and 1,303 deletions.
diff --git a/README.md b/README.md
@@ -36,52 +36,98 @@ Use "go-cti [command] --help" for more information about a command.
 ## Fetch MITRE ATT&CK and CAPEC
 ```console
 $ go-cti fetch threat
-INFO[04-15|00:19:57] Fetching Cyber Threat Intelligence and CVE-ID to CTI-ID Mappings 
-INFO[04-15|00:19:57] Fetching MITRE ATT&CK... 
-INFO[04-15|00:19:59] Fetching CAPEC... 
-INFO[04-15|00:20:00] Fetching CWE... 
-INFO[04-15|00:20:04] Fetching NVD CVE...                      year=recent
-INFO[04-15|00:20:05] Fetching NVD CVE...                      year=modified
-INFO[04-15|00:20:06] Fetching NVD CVE...                      year=2002
-INFO[04-15|00:20:09] Fetching NVD CVE...                      year=2003
-INFO[04-15|00:20:10] Fetching NVD CVE...                      year=2004
-INFO[04-15|00:20:12] Fetching NVD CVE...                      year=2005
-INFO[04-15|00:20:15] Fetching NVD CVE...                      year=2006
-INFO[04-15|00:20:18] Fetching NVD CVE...                      year=2007
-INFO[04-15|00:20:21] Fetching NVD CVE...                      year=2008
-INFO[04-15|00:20:25] Fetching NVD CVE...                      year=2009
-INFO[04-15|00:20:28] Fetching NVD CVE...                      year=2010
-INFO[04-15|00:20:30] Fetching NVD CVE...                      year=2011
-INFO[04-15|00:20:34] Fetching NVD CVE...                      year=2012
-INFO[04-15|00:20:37] Fetching NVD CVE...                      year=2013
-INFO[04-15|00:20:41] Fetching NVD CVE...                      year=2014
-INFO[04-15|00:20:44] Fetching NVD CVE...                      year=2015
-INFO[04-15|00:20:47] Fetching NVD CVE...                      year=2016
-INFO[04-15|00:20:51] Fetching NVD CVE...                      year=2017
-INFO[04-15|00:20:56] Fetching NVD CVE...                      year=2018
-INFO[04-15|00:21:01] Fetching NVD CVE...                      year=2019
-INFO[04-15|00:21:08] Fetching NVD CVE...                      year=2020
-INFO[04-15|00:21:13] Fetching NVD CVE...                      year=2021
-INFO[04-15|00:21:18] Fetching NVD CVE...                      year=2022
-INFO[04-15|00:21:21] Fetched Cyber Threat Intelligence and CVE-ID to CTI-ID Mappings ctis=1112 mappings=97710
-INFO[04-15|00:21:21] Insert Cyber Threat Intelligences and CVE-ID to CTI-ID Mappings into go-cti. db=sqlite3
-INFO[04-15|00:21:21] Inserting Cyber Threat Intelligences... 
-1112 / 1112 [--------------------------------------------------------------------------] 100.00% 2067 p/s
-INFO[04-15|00:21:22] Inserting CVE-ID to CTI-ID Mappings... 
-97710 / 97710 [-----------------------------------------------------------------------] 100.00% 10084 p/s
+INFO[04-20|11:39:27] Fetching Cyber Threat Intelligence and CVE-ID to CTI-ID Mappings 
+INFO[04-20|11:39:27] Fetching MITRE ATT&CK... 
+INFO[04-20|11:39:30] Fetching CAPEC... 
+INFO[04-20|11:39:31] Fetching CWE... 
+INFO[04-20|11:39:34] Fetching NVD CVE...                      year=recent
+INFO[04-20|11:39:35] Fetching NVD CVE...                      year=modified
+INFO[04-20|11:39:37] Fetching NVD CVE...                      year=2002
+INFO[04-20|11:39:39] Fetching NVD CVE...                      year=2003
+INFO[04-20|11:39:40] Fetching NVD CVE...                      year=2004
+INFO[04-20|11:39:42] Fetching NVD CVE...                      year=2005
+INFO[04-20|11:39:43] Fetching NVD CVE...                      year=2006
+INFO[04-20|11:39:46] Fetching NVD CVE...                      year=2007
+INFO[04-20|11:39:48] Fetching NVD CVE...                      year=2008
+INFO[04-20|11:39:51] Fetching NVD CVE...                      year=2009
+INFO[04-20|11:39:53] Fetching NVD CVE...                      year=2010
+INFO[04-20|11:39:55] Fetching NVD CVE...                      year=2011
+INFO[04-20|11:39:58] Fetching NVD CVE...                      year=2012
+INFO[04-20|11:40:00] Fetching NVD CVE...                      year=2013
+INFO[04-20|11:40:03] Fetching NVD CVE...                      year=2014
+INFO[04-20|11:40:05] Fetching NVD CVE...                      year=2015
+INFO[04-20|11:40:08] Fetching NVD CVE...                      year=2016
+INFO[04-20|11:40:11] Fetching NVD CVE...                      year=2017
+INFO[04-20|11:40:15] Fetching NVD CVE...                      year=2018
+INFO[04-20|11:40:19] Fetching NVD CVE...                      year=2019
+INFO[04-20|11:40:23] Fetching NVD CVE...                      year=2020
+INFO[04-20|11:40:28] Fetching NVD CVE...                      year=2021
+INFO[04-20|11:40:33] Fetching NVD CVE...                      year=2022
+INFO[04-20|11:40:35] Fetched Cyber Threat Intelligence and CVE-ID to CTI-ID Mappings techniques=1112 mappings=98011 attackers=672
+INFO[04-20|11:40:35] Insert Cyber Threat Intelligences and CVE-ID to CTI-ID Mappings into go-cti. db=redis
+INFO[04-20|11:40:35] Inserting Cyber Threat Intelligences... 
+INFO[04-20|11:43:29] Inserting Techniques... 
+1112 / 1112 [------------------------------------------------] 100.00% 3530 p/s
+INFO[04-20|11:43:30] Inserting CVE-ID to CTI-ID CveToTechniques... 
+98011 / 98011 [----------------------------------------------] 100.00% 9900 p/s
+INFO[04-20|11:43:40] Inserting Attackers... 
+672 / 672 [-----------------------------------------------------] 100.00% ? p/s
 ```
 
 ## Search by CVE-ID
 ```
-$ go-cti search CVE-2017-15131
-[
-  {
-    "cti_id": "T1546.001",
+$ go-cti search cti T1037
+{
+  "type": "Technique",
+  "technique": {
+    "technique_id": "T1037",
     "type": "MITRE-ATTACK",
-    "name": "T1546.001: Change Default File Association",
-    // ...
-  },
-  // ...
+    "name": "T1037: Boot or Logon Initialization Scripts",
+	...
+  }
+}
+
+$ go-cti search cve CVE-2017-15131
+[
+  "T1037",
+  "CAPEC-578",
+  "T1562.001",
+  "T1014",
+  "CAPEC-502",
+  "CAPEC-551",
+  "T1547.006",
+  "T1080",
+  "CAPEC-563",
+  "T1546.004",
+  "T1574.011",
+  "CAPEC-536",
+  "CAPEC-550",
+  "T1542.003",
+  "CAPEC-19",
+  "T1543.002",
+  "CAPEC-503",
+  "T1553.004",
+  "T1546.001",
+  "CAPEC-564",
+  "T1547",
+  "CAPEC-478",
+  "CAPEC-558",
+  "CAPEC-562",
+  "CAPEC-546",
+  "T1543.004",
+  "CAPEC-552",
+  "CAPEC-556",
+  "CAPEC-479",
+  "T1543.003",
+  "T1546.008",
+  "T1543.001",
+  "CAPEC-441"
+]
+
+$ search attacker T1078 T1550.002 T1588.002
+[
+  "S0122", // T1550.002
+  "G0011"  // T1078, T1588.002
 ]
 ```
 
@@ -100,34 +146,132 @@ https://echo.labstack.com
 ____________________________________O/_______
                                     O\
 ⇨ http server started on 127.0.0.1:1329
-{"time":"2022-04-15T00:24:23.773648507+09:00","id":"","remote_ip":"127.0.0.1","host":"127.0.0.1:1329","method":"GET","uri":"/cves/CVE-2017-15131","user_agent":"curl/7.68.0","status":200,"error":"","latency":143229557,"latency_human":"143.229557ms","bytes_in":0,"bytes_out":358064}
+{"time":"2022-04-15T00:24:23.773648507+09:00","id":"","remote_ip":"127.0.0.1","host":"127.0.0.1:1329","method":"GET","uri":"/cves/CVE-2021-46628","user_agent":"curl/7.68.0","status":200,"error":"","latency":143229557,"latency_human":"143.229557ms","bytes_in":0,"bytes_out":358064}
 {"time":"2022-04-15T00:26:34.068344126+09:00","id":"","remote_ip":"127.0.0.1","host":"127.0.0.1:1329","method":"POST","uri":"/multi-cves","user_agent":"curl/7.68.0","status":200,"error":"","latency":137130582,"latency_human":"137.130582ms","bytes_in":28,"bytes_out":358083}
 
-$ curl http://127.0.0.1:1329/cves/CVE-2017-15131 | jq
+$ curl http://127.0.0.1:1329/ctis/CAPEC-540 | jq .
+{
+  "type": "Technique",
+  "technique": {
+    "technique_id": "CAPEC-540",
+    "type": "CAPEC",
+    "name": "CAPEC-540: Overread Buffers",
+	// ...
+  }
+}
+
+$ curl http://127.0.0.1:1329/cves/CVE-2021-46628 | jq .
 [
-  {
-    "cti_id": "T1546.001",
-    "type": "MITRE-ATTACK",
-    "name": "T1546.001: Change Default File Association",
-    // ...
-  },
-  // ...
+  "CAPEC-540"
 ]
 
-$ curl -d "{\"args\": [\"CVE-2017-15131\"]}" -H "Content-Type: application/json" 127.0.0.1:1329/multi-cves| jq .
+
+$ curl -d "{\"args\": [\"CVE-2021-46628\"]}" -H "Content-Type: application/json" 127.0.0.1:1329/multi-cves | jq .
 {
-  "CVE-2017-15131": [
-    {
-      "cti_id": "T1546.001",
-      "type": "MITRE-ATTACK",
-      "name": "T1546.001: Change Default File Association"
-      // ...
-    },
-    // ...
+  "CVE-2021-46628": [
+    "CAPEC-540"
   ]
 }
 ```
 
+## How to generate the Technique Dictionary for Vuls
+- main.go
+```go
+package main
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"golang.org/x/exp/slices"
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+
+  ctiDB "github.com/vulsio/go-cti/db"
+	"github.com/vulsio/go-cti/models"
+)
+
+func main() {
+	db, err := gorm.Open(sqlite.Open("go-cti.sqlite3"))
+	if err != nil {
+		fmt.Printf("failed to open DB. err: %s\n", err)
+		os.Exit(1)
+	}
+	techniqueIDs := []string{}
+	if err := db.Model(&models.Technique{}).Select("technique_id").Find(&techniqueIDs).Error; err != nil {
+		fmt.Printf("failed to get techniqueIDs. err: %s\n", err)
+		os.Exit(1)
+	}
+	sqlDB, err := db.DB()
+	if err != nil {
+		fmt.Printf("failed to get sqlDB. err: %s\n", err)
+		os.Exit(1)
+	}
+	if err := sqlDB.Close(); err != nil {
+		fmt.Printf("failed to close sqlDB. err: %s\n", err)
+		os.Exit(1)
+	}
+
+	driver, locked, err := ctiDB.NewDB("sqlite3", "go-cti.sqlite3", false, ctiDB.Option{})
+	if locked || err != nil {
+		fmt.Printf("failed to new DB. locked: %t, err: %s\n", locked, err)
+		os.Exit(1)
+	}
+
+  fmt.Println("// Technique has MITER ATT&CK Technique or CAPEC information")
+	fmt.Printf("type Technique struct {\n  Name string `json:\"name\"`\n  Platforms []string `json:\"platforms\"`\n}\n\n")
+	fmt.Println("// TechniqueDict is the MITRE ATT&CK Technique and CAPEC dictionary")
+	fmt.Printf("var TechniqueDict = map[string]Technique{\n")
+	slices.Sort(techniqueIDs)
+	for _, techniqueID := range techniqueIDs {
+		cti, err := driver.GetCtiByCtiID(techniqueID)
+		if err != nil {
+			fmt.Printf("failed to get CTI. err: %s\n", err)
+			os.Exit(1)
+		}
+
+		if cti.Technique.Type == models.MitreAttackType {
+			tactics := []string{}
+			for _, phase := range cti.Technique.MitreAttack.KillChainPhases {
+				tactics = append(tactics, phase.Tactic)
+			}
+			slices.Sort(tactics)
+
+			platforms := []string{}
+			for _, platform := range cti.Technique.MitreAttack.Platforms {
+				platforms = append(platforms, fmt.Sprintf("\"%s\"", platform.Platform))
+			}
+			slices.Sort(platforms)
+
+			fmt.Printf("\"%s\": {\n  Name:      %q,\n  Platforms: []string{%s},\n},\n",
+				cti.Technique.TechniqueID,
+				fmt.Sprintf("%s => %s", strings.Join(tactics, ", "), cti.Technique.Name),
+				strings.Join(platforms, ", "),
+			)
+		} else {
+			fmt.Printf("\"%s\": {\n  Name: %q,\n},\n",
+				cti.Technique.TechniqueID,
+				cti.Technique.Name,
+			)
+		}
+	}
+	fmt.Println("}")
+
+	if err := driver.CloseDB(); err != nil {
+		fmt.Printf("failed to close DB. err: %s", err)
+		os.Exit(1)
+	}
+}
+```
+
+```console
+$ ls
+go-cti.sqlite3  go.mod  go.sum  main.go
+
+$ go run main.go
+```
+
 ## License
 MIT
 

diff --git a/commands/fetch-cti.go b/commands/fetch-cti.go
@@ -51,14 +51,14 @@ func fetchMitreCti(_ *cobra.Command, _ []string) (err error) {
 	}
 
 	log15.Info("Fetching Cyber Threat Intelligence and CVE-ID to CTI-ID Mappings")
-	ctis, mappings, err := fetcher.FetchCti()
+	techniques, mappings, attackers, err := fetcher.FetchCti()
 	if err != nil {
 		return xerrors.Errorf("Failed to fetch Cyber Threat Intelligence. err: %w", err)
 	}
-	log15.Info("Fetched Cyber Threat Intelligence and CVE-ID to CTI-ID Mappings", "ctis", len(ctis), "mappings", len(mappings))
+	log15.Info("Fetched Cyber Threat Intelligence and CVE-ID to CTI-ID Mappings", "techniques", len(techniques), "mappings", len(mappings), "attackers", len(attackers))
 
 	log15.Info("Insert Cyber Threat Intelligences and CVE-ID to CTI-ID Mappings into go-cti.", "db", driver.Name())
-	if err := driver.InsertCti(ctis, mappings); err != nil {
+	if err := driver.InsertCti(techniques, mappings, attackers); err != nil {
 		return xerrors.Errorf("Failed to insert. dbpath: %s, err: %w", viper.GetString("dbpath"), err)
 	}