def get_attack(url: str, proxy_string: str, timeout: int) -> MemoryStore:
"""Fetch Mitre ATT&CK JSON data in Stix2 format and return a Stix2 memory store"""
attack = worker.fetch_json(url, proxy_string, timeout)
# Create memory store
mem = MemoryStore()
# Add all objects to the memory store
for obj in parse(attack, allow_custom=True).objects:
mem.add(obj)
return mem
report_MITM = Report(
name='Digital Twin based MITM attack simulation with ARP spoofing',
description=
'This report describes a simulated MITM attack on a filling plant using a digital twin in'
' simulation mode. The attack is based on ARP spoofing.',
published=datetime.datetime.now(),
object_refs=MITM_id_list)
stix21_object_list_MITM.append(report_MITM)
print(report_MITM)
bundle_MITM = Bundle(objects=stix21_object_list_MITM)
print('\n-------------------------------------------')
'''
Uncomment if you want to generate a new STIX2.1 json output file
'''
mem = MemoryStore()
mem.add(bundle_MITM)
# mem.save_to_file(export_path+'STIX21_output_MITM_use_case.json')
print('-------------------------------------------')
'''
This method generates the STIX2.1 CTI report for the DoS use case
'''
generate_dos_stix21_report()
# sys.stdout.close()
def generate_dos_stix21_report():
root_dir = os.path.dirname(os.path.abspath(__file__))
import_path = os.path.join(root_dir, 'data\\')
export_path = os.path.join(root_dir, 'results\\')
# sys.stdout = open(export_path+'console_output_DoS_use_case', 'w')
stix21_object_list_DOS = list()
print('\nUSE CASE 2 -- DoS Attack:\n')
imported_stix21_data = import_static_stix21_data()
imported_sro_list = imported_stix21_data[1]
print('\n-------------------------------------------')
get_static_mitm_sco_list()
print('-------------------------------------------\n')
converted_logs_DOS1 = convert_log_entries(
import_simulation_output(import_path, "use_case_2_plc.log"))
converted_logs_DOS2 = convert_log_entries(
import_simulation_output(import_path, "use_case_2_hmi.log"))
converted_pcap_DOS = convert_pcap_frames(
import_simulation_output(import_path,
"use_case_2_network_traffic.json"))
print('')
print(get_all_ip_addr(converted_logs_DOS1))
print('')
pretty_print_list(get_timespan(converted_logs_DOS1))
print('')
print(get_all_severity_level(converted_logs_DOS1))
print('')
print(get_all_ip_addr(converted_logs_DOS2))
print('')
pretty_print_list(get_timespan(converted_logs_DOS2))
print('')
print(get_all_severity_level(converted_logs_DOS2))
print('\n-------------------------------------------\n')
print('Generated STIX2.1 SCOs from log entries:')
ip1dos = converted_logs_DOS1[0].generate_ipv4_addr()
ip2dos = converted_logs_DOS2[0].generate_ipv4_addr()
process_dos = converted_logs_DOS1[0].generate_process()
stix21_object_list_DOS.append(ip1dos)
stix21_object_list_DOS.append(ip2dos)
stix21_object_list_DOS.append(process_dos)
print(ip1dos, ip2dos, process_dos)
print('\n-------------------------------------------\n')
pretty_print_list(get_timespan(converted_pcap_DOS))
print('')
print(get_all_protocols(converted_pcap_DOS))
print('\nDisplaying the last 10 pcap entries:')
for element in converted_pcap_DOS[-10:]:
print(element)
ack_traffic = list()
for element in converted_pcap_DOS:
if element.eth_src == '00:00:00:00:00:02' or element.eth_dst == '00:00:00:00:00:02':
ack_traffic.append(element)
print('\nDisplaying 5 SYN/ACK pcap entries:')
pretty_print_list(ack_traffic[:5])
print('\n-------------------------------------------\n')
mac3_dos = converted_pcap_DOS[0].generate_mac_addr('src')
stix21_object_list_DOS.append(mac3_dos)
mac1_dos = converted_pcap_DOS[0].generate_mac_addr('dst')
stix21_object_list_DOS.append(mac1_dos)
mac2_dos = ack_traffic[0].generate_mac_addr('dst')
stix21_object_list_DOS.append(mac2_dos)
print('Generated STIX2.1 MAC addresses from pcap frames:')
print(mac1_dos, mac2_dos, mac3_dos)
print(
'\nGenerated STIX2.1 network traffic SCOs from pcap frames (excerpt shown):'
)
network_traffic_DOS_list = list()
for element in converted_pcap_DOS[:100]:
network_traffic_DOS = element.generate_network_traffic(
stix21_object_list_DOS)
network_traffic_DOS_list.append(network_traffic_DOS)
stix21_object_list_DOS.append(network_traffic_DOS)
pretty_print_list(network_traffic_DOS_list[:5])
print('\n-------------------------------------------\n')
get_static_stix21_objects_dos_round_1()
print('\n-------------------------------------------\n')
ip2dos_updated = IPv4Address(id=ip2dos.id,
value=ip2dos.value,
resolves_to_refs=[mac2_dos.id, mac3_dos.id])
stix21_object_list_DOS.remove(ip2dos)
stix21_object_list_DOS.append(ip2dos_updated)
print('Updated IPv4 address object (embedded relationship):\n{}\n'.format(
ip2dos_updated))
print('Custom selected and generated Infrastructure SDO and related SROs:')
infrastructure_dos = Infrastructure(
name='Conyeor belt digital twin',
description=
"Digital twin representing a conveyor belt with HMI and PLC. Target of the conducted attack"
)
stix21_object_list_DOS.append(infrastructure_dos)
rel_infra_ip1_dos = Relationship(source_ref=infrastructure_dos,
relationship_type='consists_of',
target_ref=ip1dos)
rel_infra_ip2_dos = Relationship(source_ref=infrastructure_dos,
relationship_type='consists_of',
target_ref=ip2dos_updated)
rel_infra_process_dos = Relationship(source_ref=infrastructure_dos,
relationship_type='consists_of',
target_ref=process_dos)
stix21_object_list_DOS.append(rel_infra_ip1_dos)
stix21_object_list_DOS.append(rel_infra_ip2_dos)
stix21_object_list_DOS.append(rel_infra_process_dos)
print(infrastructure_dos, rel_infra_ip1_dos, rel_infra_ip2_dos,
rel_infra_process_dos)
print(
'\nCustom generated Observed Data for IP addresses and spoofed SYN-flooding traffic:'
)
observed_data1_dos = ObservedData(
first_observed=converted_logs_DOS2[0].timestamp,
last_observed=converted_logs_DOS2[-1].timestamp,
number_observed=1,
object_refs=[ip2dos_updated] # duplicate IP
)
stix21_object_list_DOS.append(observed_data1_dos)
nw_traffic_dos_id_list = list()
for element in network_traffic_DOS_list:
nw_traffic_dos_id_list.append(element.id)
observed_data2_dos = ObservedData(
first_observed=converted_pcap_DOS[0].timestamp,
last_observed=converted_pcap_DOS[len(converted_pcap_DOS) -
1].timestamp,
number_observed=100,
object_refs=nw_traffic_dos_id_list # SYN traffic excerpt
)
stix21_object_list_DOS.append(observed_data2_dos)
print(observed_data1_dos, observed_data2_dos)
print('\n-------------------------------------------\n')
search_list1 = search_stix21_objects(imported_sro_list, "observed-data",
'direct')
print('The following direct relationships exist for Observed Data:')
for entry in search_list1:
print(entry)
print(
'Custom generated Indicators and relationships between Observed Data and Indicators:\n'
)
lhs1 = ObjectPath("ipv4-addr", ["resolves_to_refs[0]"])
lhs1b = ObjectPath("ipv4-addr", ["resolves_to_refs[1]"])
ob1 = EqualityComparisonExpression(lhs1,
StringConstant('00:00:00:00:00:03'),
True)
ob1b = EqualityComparisonExpression(lhs1b,
StringConstant('00:00:00:00:00:03'))
pattern1_dos = ObservationExpression(AndBooleanExpression([ob1, ob1b]))
indicator1_dos = Indicator(
name='Spoofing indicator - duplicate IP address',
description='IP address resolves to two different MAC addresses',
pattern=pattern1_dos,
pattern_type='stix',
valid_from=datetime.datetime.now())
stix21_object_list_DOS.append(indicator1_dos)
print(indicator1_dos)
lhs2 = ObjectPath('network-traffic', ['scr_ref'])
ob2 = EqualityComparisonExpression(lhs2,
StringConstant('00:00:00:00:00:03'))
lhs2a = ObjectPath('network-traffic', ['dst_ref'])
ob2a = EqualityComparisonExpression(lhs2a,
StringConstant('00:00:00:00:00:01'))
lhs2b = ObjectPath('network-traffic', ['protocols[1]'])
ob2b = EqualityComparisonExpression(lhs2b, StringConstant('tcp'))
obe2 = ObservationExpression(AndBooleanExpression([ob2, ob2a, ob2b]))
pattern2_dos = QualifiedObservationExpression(
QualifiedObservationExpression(obe2, RepeatQualifier(100)),
WithinQualifier(1))
indicator2_dos = Indicator(
name='SYN flooding indicator',
description=
'Highly repetitive tcp network traffic originating from malicious MAC address',
pattern=pattern2_dos,
pattern_type='stix',
valid_from=datetime.datetime.now())
stix21_object_list_DOS.append(indicator2_dos)
print(indicator2_dos)
rel_indicator_observed1_dos = Relationship(source_ref=indicator1_dos,
relationship_type='based-on',
target_ref=observed_data1_dos)
rel_indicator_observed2_dos = Relationship(source_ref=indicator2_dos,
relationship_type='based-on',
target_ref=observed_data2_dos)
stix21_object_list_DOS.append(rel_indicator_observed1_dos)
stix21_object_list_DOS.append(rel_indicator_observed2_dos)
print(rel_indicator_observed1_dos, rel_indicator_observed2_dos)
print('\n-------------------------------------------\n')
print(
'Custom generated Attack Pattern, Tool and additional relationships:')
attack_pattern_dos = AttackPattern(
name='DoS SYN flooding attack',
description=
'The attacker executes a Denial of Service attack with TCP SYN requests consuming the resources of'
' its target',
external_references=[
ExternalReference(source_name='capec', external_id='CAPEC-125'),
ExternalReference(source_name='capec', external_id='CAPEC-482')
],
kill_chain_phases=KillChainPhase(
kill_chain_name='lockheed-martin-cyber-kill-chain',
phase_name='actions-on-objective'))
stix21_object_list_DOS.append(attack_pattern_dos)
tool_dos = Tool(name='hping3')
stix21_object_list_DOS.append(tool_dos)
print(attack_pattern_dos, tool_dos)
rel_indicator_attack1_dos = Relationship(source_ref=indicator1_dos,
relationship_type='indicates',
target_ref=attack_pattern_dos)
rel_indicator_attack2_dos = Relationship(source_ref=indicator2_dos,
relationship_type='indicates',
target_ref=attack_pattern_dos)
rel_attack_tool_dos = Relationship(source_ref=attack_pattern_dos,
relationship_type='uses',
target_ref=tool_dos)
stix21_object_list_DOS.append(rel_indicator_attack1_dos)
stix21_object_list_DOS.append(rel_indicator_attack2_dos)
stix21_object_list_DOS.append(rel_attack_tool_dos)
print(rel_indicator_attack1_dos, rel_indicator_attack2_dos,
rel_attack_tool_dos)
DOS_id_list = list()
for element in stix21_object_list_DOS:
DOS_id_list.append(element.id)
print('\n-------------------------------------------\n')
print('Generated Report for the Digital Twin DoS simulation use case:')
report_DOS = Report(
name='Digital Twin based DoS attack simulation with SYN flooding',
description=
'This report describes a simulated DoS attack on a conveyor belt using a digital twin in'
' simulation mode. The attack is based on repeatedly spoofed TCP traffic.',
published=datetime.datetime.now(),
object_refs=DOS_id_list)
stix21_object_list_DOS.append(report_DOS)
print(report_DOS)
bundle_DOS = Bundle(objects=stix21_object_list_DOS)
print('\n-------------------------------------------')
mem = MemoryStore()
mem.add(bundle_DOS)
# mem.save_to_file(export_path+'STIX21_output_DoS_use_case.json')
print('-------------------------------------------')