John Wunder johnwunder

@johnwunder
johnwunder / default.py
Created May 9, 2019 20:53
Display Navigator in Jupyter Lab
from IPython.display import IFrame
# Token from the terminal when Jupyter Lab starts up (or `jupyter notebook list`). Caveat: it is a
# bearer credential for the whole server (it authorizes running code) and this hands it to the
# Navigator page's JavaScript via the URL, so only use a Navigator deployment you trust.
token = "<your Jupyter Lab token, from startup>"
# From right-clicking the file in the Jupyter Lab file manager and hitting Copy Download URL.
# The Navigator fetches it from the browser, cross-origin, so the Jupyter server must allow that.
layer_url = "http://localhost:8888/files/layer.json"
navigator_url = "https://mitre-attack.github.io/attack-navigator/enterprise/"
IFrame(src="{}#layerURL={}?token={}".format(navigator_url, layer_url, token), width='100%', height='500px')
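A layer file has to exist before the snippet above can display it. The following is an added example, not part of the gist, that builds a Navigator layer from a constructed detection-coverage mapping and scores each technique by how many detections cover it, so the rendered matrix shows gaps as well as coverage. The technique IDs are real ATT&CK identifiers; the detection names are made up, and the `versions` and `domain` header values are assumptions that depend on the Navigator release you load the layer into.

```python
import json
from collections import defaultdict

# Constructed sample input: which detections cover which ATT&CK technique IDs.
# The technique IDs are real ATT&CK identifiers; the detection names are made up.
DETECTIONS = {
    "Sysmon: suspicious PowerShell command line": ["T1059", "T1059.001"],
    "EDR: LSASS memory read": ["T1003", "T1003.001"],
    "Mail gateway: macro-bearing attachment": ["T1566", "T1566.001"],
    "Proxy: encoded PowerShell download cradle": ["T1059.001", "T1105"],
}

# Layer header fields. These are assumptions: the version strings depend on the
# Navigator release you load the layer into, so adjust them to match your deployment.
LAYER_VERSIONS = {"attack": "14", "navigator": "4.9", "layer": "4.5"}
LAYER_DOMAIN = "enterprise-attack"


def coverage_by_technique(detections):
    """Map each technique ID to the sorted list of detections that cover it."""
    coverage = defaultdict(set)
    for name, technique_ids in detections.items():
        for tid in technique_ids:
            coverage[tid].add(name)
    return {tid: sorted(names) for tid, names in coverage.items()}


def build_layer(detections, name="Detection coverage"):
    """Build a Navigator layer whose score per technique is the number of detections covering it.

    The gradient runs from red (score 0, nothing detects it) to green (the highest count
    seen), so uncovered cells stand out when the layer is rendered.
    """
    coverage = coverage_by_technique(detections)
    max_score = max((len(v) for v in coverage.values()), default=1)
    techniques = [
        {
            "techniqueID": tid,
            "score": len(names),
            "comment": "; ".join(names),
            "enabled": True,
        }
        for tid, names in sorted(coverage.items())
    ]
    return {
        "name": name,
        "versions": LAYER_VERSIONS,
        "domain": LAYER_DOMAIN,
        "description": "Constructed example layer: score = number of detections per technique",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": max_score},
        "legendItems": [
            {"label": "No detection", "color": "#ff6666"},
            {"label": "%d detection(s)" % max_score, "color": "#8ec843"},
        ],
    }


def write_layer(path, detections):
    """Write the layer where the Jupyter file server (or any web server) can serve it."""
    layer = build_layer(detections)
    with open(path, "w") as fh:
        json.dump(layer, fh, indent=2)
    return layer


if __name__ == "__main__":
    print(json.dumps(build_layer(DETECTIONS), indent=2))
```

Writing the result to `layer.json` next to the notebook gives the IFrame above something to load; techniques absent from the mapping simply get no score, which is what the red end of the gradient is for.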
{
  "type": "bundle",
  "objects": [
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "name": "Evil Org",
      "modified": "2018-09-27T19:45:38.359000Z",
      "labels": [
        "crime-syndicate"

Tactics

Definition

A tactic is a column in one or more ATT&CK matrices. It describes the tactical "goal" an adversary might want to achieve by carrying out the techniques under that tactic.

Tactics are not necessarily specific to any given matrix or platform. Some tactics are shared, some are not.

Data model

@johnwunder
johnwunder / awesome-stix.md
Created February 1, 2018 18:12
Awesome-STIX
@johnwunder
johnwunder / snippet.py
Last active December 8, 2017 14:43
Custom props
from stix2 import CustomObject, properties, TAXIICollectionSource
from taxii2client import Collection

# Custom 'opinion' SDO, written before STIX 2.1 added a built-in Opinion object.
# The allowed values are the standard opinion vocabulary.
@CustomObject('opinion', [
    ('description', properties.StringProperty()),
    ('authors', properties.StringProperty()),
    ('opinion', properties.EnumProperty(allowed=[
        'strongly-disagree',
        'disagree',
        'neutral',
        'agree',
        'strongly-agree',
    ])),
])
class Opinion(object):
    pass
@johnwunder
johnwunder / summary.md
Last active August 17, 2017 14:48
IEP Inclusion Options

Including IEP in STIX

We have good consensus in the community that IEP should be included as part of STIX 2.1. The technical mechanism by which we do that (a data marking definition) is very straightforward and is described in the playground. There are several open questions, though, which can be resolved by some combination of text in the specification itself, the conformance section of the specification, or the interoperability specification.

  1. Do we lock IEP specifically to a single version? Locking it to one version makes compatibility easier to state, but precludes the use of newer versions of IEP in STIX without a modification to STIX. Leaving it open makes compatibility harder to state (STIX 2.1 with IEP 2.0 is incompatible with STIX 2.1 with IEP 2.2) but allows IEP to evolve and be used ahead of STIX.
  2. How do we talk about the overlap of IEP and TLP? We could take a
[
  {
    "type": "opinion",
    "id": "opinion--b01efc25-77b4-4003-b18b-f6e24b5cd9f7",
    "created": "2016-05-12T08:17:27.000Z",
    "modified": "2016-05-12T08:17:27.000Z",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "object_ref": "relationship--16d2358f-3b0d-4c88-b047-0da2f7ed4471",
    "opinion": "strongly-disagree"
  },
@johnwunder
johnwunder / 00-use-case.md
Last active November 2, 2016 19:15
TAXII 2.0 Proposal

TAXII Use Case Example

Writeup

  1. Analyst or tool at Company A discovers a piece of malware. They generate 5 indicators based on that malware.
  2. Analyst reviews their releasability/gets permission to share indicators. They send 5 indicators to the ISAC.
  3. Company A gets permission to release the malware object. They send it and relationships to the indicators to the ISAC.
  4. Company B hears about that piece of malware and gets content related to it (malware object + indicators).
  5. Company B implements indicators, blocks one file based on the indicator.
  6. Company B returns the sighting to the ISAC.
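The six steps above describe content flowing in two directions: Company A's indicators, malware object and relationships go out through the ISAC, and Company B's sighting comes back. The following is an added example, not part of the proposal, that builds those objects as STIX 2.0-style bundles with the standard library and runs a referential-integrity check over each bundle, the check a consumer should make before acting on content from an ISAC. Assumptions: the IDs are derived deterministically with uuid5 so the output is reproducible (real producers use uuid4), the five SHA-256 hashes and Company B's identity are constructed, and the timestamp is made up.

```python
import json
import uuid

NOW = "2016-11-02T19:15:00.000Z"  # constructed timestamp


def stix_id(stix_type, seed):
    """Deterministic STIX id for the example; real producers use uuid.uuid4()."""
    return "{}--{}".format(stix_type, uuid.uuid5(uuid.NAMESPACE_URL, seed))


def sdo(stix_type, seed, **props):
    """Minimal STIX domain object with the common properties filled in."""
    obj = {"type": stix_type, "id": stix_id(stix_type, seed), "created": NOW, "modified": NOW}
    obj.update(props)
    return obj


# Constructed sample data: five fake SHA-256 hashes and Company B's identity object.
HASHES = ["%064x" % n for n in range(1, 6)]
COMPANY_B = sdo("identity", "company-b", name="Company B", identity_class="organization")


def company_a_release(hashes):
    """Steps 1-3: five indicators, then the malware object and its relationships to them."""
    indicators = [
        sdo("indicator", "ind-" + h,
            pattern="[file:hashes.'SHA-256' = '{}']".format(h),
            valid_from=NOW, labels=["malicious-activity"])
        for h in hashes
    ]
    malware = sdo("malware", "mal-example", name="Example Dropper", labels=["dropper"])
    relationships = [
        sdo("relationship", "rel-" + ind["id"], relationship_type="indicates",
            source_ref=ind["id"], target_ref=malware["id"])
        for ind in indicators
    ]
    return indicators, malware, relationships


def company_b_sighting(indicator_id, observer):
    """Step 6: the sighting Company B returns after blocking one file on the indicator."""
    return sdo("sighting", "sight-" + indicator_id, created_by_ref=observer["id"],
               sighting_of_ref=indicator_id, where_sighted_refs=[observer["id"]],
               count=1, first_seen=NOW, last_seen=NOW)


def dangling_refs(bundle):
    """Return every reference in the bundle that does not resolve to an object in it.

    A relationship or sighting that points at an object which never arrived is a gap
    the consumer has to resolve (or reject), not something to drop silently.
    """
    ids = {o["id"] for o in bundle["objects"]}
    missing = []
    for obj in bundle["objects"]:
        for key, value in obj.items():
            if key.endswith("_ref") and value not in ids:
                missing.append((obj["id"], key, value))
            elif key.endswith("_refs"):
                missing.extend((obj["id"], key, v) for v in value if v not in ids)
    return missing


def build_bundles():
    """The bundle Company B receives in step 4 and the one it returns in step 6."""
    indicators, malware, rels = company_a_release(HASHES)
    sighting = company_b_sighting(indicators[0]["id"], COMPANY_B)
    shared = {"type": "bundle", "spec_version": "2.0", "id": stix_id("bundle", "shared"),
              "objects": indicators + [malware] + rels}
    # On its own the returned bundle has a dangling sighting_of_ref: expected, since the
    # ISAC resolves it against the indicator it already holds from step 2.
    returned = {"type": "bundle", "spec_version": "2.0", "id": stix_id("bundle", "returned"),
                "objects": [COMPANY_B, sighting]}
    return shared, returned


if __name__ == "__main__":
    shared, returned = build_bundles()
    print(json.dumps(shared, indent=2))
    print("dangling in shared:", dangling_refs(shared))
    print("dangling in returned:", dangling_refs(returned))
```

The shared bundle resolves completely because the malware object and relationships travel together with the indicators (step 3); the returned sighting bundle deliberately does not, which is the normal case for a sighting and the reason the receiving side has to look the reference up in what it already stores rather than treat it as an error.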
@johnwunder
johnwunder / readme.md
Created October 26, 2016 15:51
Location thoughts

Use Cases

  1. Location of an intrusion set or information source: "APT1 originates from China"
  • Location tied to a specific identity
  2. Location of a sighting: "This indicator was sighted in NY, USA"
  • Location tied to general characteristics (presumption is orgs/people in NY)
  • Location might be combined with other attributes (e.g., "This indicator was sighted in the finance sector in NY, USA")
  3. Targeting by location: "This threat actor targets organizations in North America"
  • Location tied to general characteristics (orgs in NA)
  • Location might be combined with other attributes (e.g., "This threat actor targets the electric sector in North America")
@johnwunder
johnwunder / observation-and-sighting-options.md
Last active July 3, 2016 18:54
Options to handle sightings and observations

Sightings and Observations Options

Option 1: Current Approach (Sighting as special relationship)

In the current approach (consensus at the DC3 F2F), a sighting is essentially just a special relationship between an observation and an indicator (or another object type that can be sighted). Thus it doesn't have many data fields of its own, beyond those that link the observation to the thing that was sighted.

Pros and Cons

  • Has a sighting object and an observation object: Kind of a pro because people talk about these things, kind of a con because other people get confused by the distinction
  • count/start/end only on observation, so you don't have to deal with it in two places, or figure out how to handle inconsistencies