Implements threat modeling with MITRE ATT&CK framework: maps adversary TTPs to assets, assesses detection coverage gaps, optimizes defense investments. For SOC teams aligning detections, new environment assessments, security procurement.
Use this skill when:
This is not a one-off exercise: the threat model must be updated continuously as adversary TTPs evolve and the organization's attack surface changes.
Use the MITRE ATT&CK Groups database to research adversary groups that target your industry:
```python
import requests

# Download the ATT&CK Enterprise STIX bundle
response = requests.get(
    "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json"
)
attack_data = response.json()

# Extract groups (intrusion sets); keep the STIX id so "uses" relationships can be resolved
groups = {}
group_by_stix_id = {}
for obj in attack_data["objects"]:
    if obj["type"] == "intrusion-set":
        group_name = obj["name"]
        groups[group_name] = {
            "id": obj["id"],
            "aliases": obj.get("aliases", []),
            "description": obj.get("description", "")[:200],
            "techniques": [],
        }
        group_by_stix_id[obj["id"]] = groups[group_name]

# Map techniques to groups through "uses" relationships
techniques = {obj["id"]: obj for obj in attack_data["objects"]
              if obj["type"] == "attack-pattern"}
for rel in attack_data["objects"]:
    if rel["type"] != "relationship" or rel["relationship_type"] != "uses":
        continue
    group_data = group_by_stix_id.get(rel["source_ref"])
    tech = techniques.get(rel["target_ref"])
    if group_data is None or tech is None:
        continue
    for ref in tech.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            group_data["techniques"].append(ref["external_id"])

# Example: financial-sector threat actors
financial_actors = ["FIN7", "FIN8", "Carbanak", "APT38", "Lazarus Group"]
for actor in financial_actors:
    if actor in groups:
        print(f"{actor}: {len(groups[actor]['techniques'])} 个技术")
        print(f"  主要技术:{groups[actor]['techniques'][:10]}")
```
Create an ATT&CK Navigator layer for each priority threat actor:
```python
import json

def create_attack_layer(actor_name, techniques, color="#ff6666"):
    """Generate an ATT&CK Navigator JSON layer for a threat actor"""
    layer = {
        "name": f"{actor_name} TTP 画像",
        "versions": {
            "attack": "15",
            "navigator": "5.0",
            "layer": "4.5"
        },
        "domain": "enterprise-attack",
        "description": f"与 {actor_name} 相关的技术",
        "techniques": [
            {
                "techniqueID": tech_id,
                "tactic": "",
                "color": color,
                "comment": f"被 {actor_name} 使用",
                "enabled": True,
                "score": 1
            }
            for tech_id in techniques
        ],
        "gradient": {
            "colors": ["#ffffff", color],
            "minValue": 0,
            "maxValue": 1
        }
    }
    return layer

# Create layers for the primary threat actors
fin7_techniques = ["T1566.001", "T1059.001", "T1053.005", "T1547.001",
                   "T1078", "T1021.001", "T1003", "T1071.001", "T1041"]
layer = create_attack_layer("FIN7", fin7_techniques, "#ff6666")
with open("fin7_layer.json", "w", encoding="utf-8") as f:
    json.dump(layer, f, indent=2, ensure_ascii=False)
```
Export the current detection rules that are already mapped to ATT&CK; the search below extracts the technique annotations from Splunk ES correlation searches:
```spl
| rest /services/saved/searches splunk_server=local
| where match(title, "^(COR|ESCU|RBA):")
| eval techniques = if(isnotnull('action.correlationsearch.annotations'),
    spath('action.correlationsearch.annotations', "mitre_attack{}"),
    "unmapped")
| mvexpand techniques
| stats count by techniques
| rename techniques AS technique_id, count AS rule_count
```
Create a detection coverage layer:
```python
def create_coverage_layer(detection_rules):
    """Generate a coverage layer from the detection rule inventory"""
    technique_counts = {}
    for rule in detection_rules:
        for tech in rule.get("techniques", []):
            technique_counts[tech] = technique_counts.get(tech, 0) + 1

    layer = {
        "name": "SOC 检测覆盖率",
        "versions": {"attack": "15", "navigator": "5.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": [
            {
                "techniqueID": tech_id,
                # dark green: two or more rules; light green: a single rule
                "color": "#31a354" if count >= 2 else "#a1d99b",
                "score": count,
                "comment": f"{count} 条检测规则"
            }
            for tech_id, count in technique_counts.items()
        ],
        "gradient": {
            "colors": ["#ffffff", "#a1d99b", "#31a354"],
            "minValue": 0,
            "maxValue": 3
        }
    }
    return layer
```
Overlay the threat actor's TTPs on the detection coverage:
```python
def gap_analysis(threat_techniques, covered_techniques):
    """Identify detection gaps for a specific threat actor"""
    threat = set(threat_techniques)
    if not threat:
        raise ValueError("threat_techniques is empty")
    gaps = threat - set(covered_techniques)
    covered = threat & set(covered_techniques)
    print(f"威胁行为者技术数:{len(threat)}")
    print(f"已检测:{len(covered)} ({len(covered)/len(threat)*100:.0f}%)")
    print(f"缺口:{len(gaps)} ({len(gaps)/len(threat)*100:.0f}%)")

    # Prioritise gaps: credential dumping, remote services and command/scripting
    # interpreters (and their sub-techniques) are ranked HIGH, everything else MEDIUM
    high_priority_families = {"T1003", "T1021", "T1059"}
    gap_details = []
    for tech_id in sorted(gaps):
        gap_details.append({
            "technique": tech_id,
            "priority": "HIGH" if tech_id.split(".")[0] in high_priority_families else "MEDIUM",
            "recommendation": f"为 {tech_id} 构建检测"
        })
    return {
        "total_actor_techniques": len(threat),
        "covered": len(covered),
        "gaps": len(gaps),
        "coverage_pct": round(len(covered)/len(threat)*100, 1),
        # "HIGH" sorts before "MEDIUM", so HIGH gaps come first
        "gap_details": sorted(gap_details, key=lambda x: x["priority"])
    }

# Run the analysis. current_coverage is the list of technique IDs exported from
# the SIEM (see the Splunk search above); example values are shown here
current_coverage = ["T1566.001", "T1059.001", "T1053.005", "T1547.001", "T1078"]
result = gap_analysis(fin7_techniques, current_coverage)
```
Build the detection engineering roadmap:
```yaml
threat_model_remediation_plan:
  assessed_date: 2024-03-15
  primary_threats:
    - FIN7(金融行业)
    - APT38(朝鲜金融)
    - Lazarus Group(破坏性攻击)
  current_coverage: 64%
  target_coverage: 80%
  priority_1_gaps:  # 30-day target
    - technique: T1021.002
      name: SMB/Windows 管理共享
      data_source: Windows Security Event 5140
      effort: 低
      detection_approach: 监控来自非管理工作站的管理共享访问
    - technique: T1003.006
      name: DCSync
      data_source: Windows Security Event 4662
      effort: 中
      detection_approach: 检测来自非域控制器的 DS-Replication-Get-Changes
  priority_2_gaps:  # 60-day target
    - technique: T1055
      name: 进程注入
      data_source: Sysmon EventCode 8, 10
      effort: 高
      detection_approach: 监控跨进程内存访问模式
    - technique: T1071.001
      name: Web 协议(C2)
      data_source: 代理/防火墙日志
      effort: 中
      detection_approach: 检测 HTTP/S 流量中的信标模式
  priority_3_gaps:  # 90-day target
    - technique: T1070.004
      name: 文件删除
      data_source: Sysmon EventCode 23
      effort: 低
      detection_approach: 监控敏感目录中的批量文件删除
```
Test coverage with MITRE Caldera or Atomic Red Team:
```powershell
# Validate FIN7 technique coverage with Atomic Red Team
# T1566.001: Spearphishing Attachment
Invoke-AtomicTest T1566.001
# T1059.001: PowerShell
Invoke-AtomicTest T1059.001 -TestNumbers 1,2,3
# T1053.005: Scheduled Task
Invoke-AtomicTest T1053.005
# T1547.001: Registry Run Keys
Invoke-AtomicTest T1547.001
# T1003: OS Credential Dumping
Invoke-AtomicTest T1003 -TestNumbers 1,2
# Validate detection
# Check the SIEM for the corresponding alerts within 15 minutes
```
Record the emulation results to validate the accuracy of the threat model.
| Term | Definition |
|---|---|
| MITRE ATT&CK | Knowledge base of adversary tactics, techniques and procedures based on real-world observations |
| TTP | Tactics, Techniques, and Procedures: the behavioural patterns of an adversary group |
| ATT&CK Navigator | Web tool for visualising the ATT&CK matrix as layered heatmaps (showing coverage or threat profiles) |
| Gap Analysis | The process of comparing threat actor TTPs against detection coverage to identify blind spots |
| Threat-Informed Defense | A security strategy that prioritises defenses based on actual adversary behaviour rather than theoretical risk |
| Adversary Emulation | Controlled simulation of threat actor TTPs to validate detection and response capabilities |
```text
Threat Model Assessment: Financial Services Sector
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Date:           2024-03-15
Threat actors:  FIN7, APT38, Lazarus Group
Total techniques: 87 unique techniques across all actors

Detection coverage:
  Covered: 56/87 (64%)
  Gaps:    31/87 (36%)

Coverage by tactic:
  Initial Access:        78% ████████░░
  Execution:             82% █████████░
  Persistence:           71% ████████░░
  Privilege Escalation:  65% ███████░░░
  Defense Evasion:       52% ██████░░░░ <-- priority gap
  Credential Access:     58% ██████░░░░ <-- priority gap
  Discovery:             45% █████░░░░░
  Lateral Movement:      61% ███████░░░
  Collection:            50% ██████░░░░
  Exfiltration:          55% ██████░░░░
  C2:                    67% ███████░░░

Priority gaps (30-day remediation plan):
  1. T1055 Process Injection: used by all 3 actors, 0 detections
  2. T1003.006 DCSync: used by FIN7 and Lazarus, 0 detections
  3. T1070.004 File Deletion: evidence destruction, 0 detections

Investment recommendation:
  Closing the top 10 gaps requires: 2 detection-engineering FTEs, 60 days
  Expected coverage improvement: 64% -> 76%
```
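As an added example (not part of the original skill), the following extends the single-actor gap_analysis above to several actors at once and produces the figures the report shows: overall coverage, per-tactic coverage with the text bar, and gaps ranked by how many actors use them. The technique-to-tactic mapping, the actors' technique lists and the covered set are constructed sample values; in practice take them from kill_chain_phases in the STIX bundle and from the SIEM export.

```python
from collections import Counter

# Constructed sample (assumed, not from the ATT&CK bundle): technique -> tactic IDs.
TECHNIQUE_TACTICS = {
    "T1566.001": ["TA0001"], "T1059.001": ["TA0002"],
    "T1053.005": ["TA0002", "TA0003", "TA0004"], "T1547.001": ["TA0003", "TA0004"],
    "T1078": ["TA0001", "TA0003", "TA0004", "TA0005"], "T1021.001": ["TA0008"],
    "T1003": ["TA0006"], "T1003.006": ["TA0006"], "T1071.001": ["TA0011"],
    "T1041": ["TA0010"], "T1055": ["TA0004", "TA0005"], "T1070.004": ["TA0005"],
}
# Constructed sample: techniques attributed to each priority actor.
ACTOR_TECHNIQUES = {
    "FIN7": ["T1566.001", "T1059.001", "T1053.005", "T1547.001", "T1078",
             "T1021.001", "T1003", "T1003.006", "T1071.001", "T1041", "T1055"],
    "APT38": ["T1566.001", "T1059.001", "T1078", "T1003.006", "T1071.001",
              "T1055", "T1070.004"],
    "Lazarus Group": ["T1566.001", "T1059.001", "T1547.001", "T1021.001",
                      "T1055", "T1070.004", "T1041"],
}
# Constructed sample: techniques that at least one SIEM rule already covers.
COVERED = {"T1566.001", "T1059.001", "T1053.005", "T1547.001", "T1078",
           "T1071.001", "T1041"}

def overall_coverage(actor_techniques, covered):
    """Union of all actors' techniques -> (unique techniques, covered, coverage %)."""
    union = set().union(*actor_techniques.values())
    hit = len(union & covered)
    pct = round(100 * hit / len(union), 1) if union else 0.0
    return len(union), hit, pct

def tactic_coverage(actor_techniques, covered, technique_tactics):
    """Coverage % per tactic; a technique counts once in every tactic it belongs to."""
    union = set().union(*actor_techniques.values())
    totals, hits = Counter(), Counter()
    for tech in union:
        for tactic in technique_tactics.get(tech, []):
            totals[tactic] += 1
            hits[tactic] += int(tech in covered)
    return {t: round(100 * hits[t] / n) for t, n in totals.items()}

def rank_gaps(actor_techniques, covered):
    """Uncovered techniques ranked by how many actors use them, then by ID."""
    usage = Counter(t for techs in actor_techniques.values() for t in set(techs))
    gaps = [(t, n) for t, n in usage.items() if t not in covered]
    return sorted(gaps, key=lambda g: (-g[1], g[0]))

def bar(pct, width=10):
    """Text bar as in the report, e.g. 75 -> '████████░░'."""
    filled = round(pct * width / 100)
    return "█" * filled + "░" * (width - filled)
```

With the sample data, rank_gaps puts T1055 first because all three actors use it, which is exactly the ordering the report's priority list follows.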