Hello everyone,

I'd like to share with the community a thing we did internally to use the MSV Library with the MITRE ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/).
This job was made in collaboration with my colleagues from the CSIRT team.
We had two objectives:

  1. "plot" the MSV Library on the MITRE ATT&CK matrix using layers (https://github.com/mitre-attack/attack-navigator/tree/master/layers).
  2. overlay the MSV library with custom layers or layers from MITRE to extract the list of actions corresponding to the techniques that are common to the two layers.

The approach we developed is very simple and it's the following:

  1. analyse MSV Library and collect a list of VIDs for every technique.
  2. create a MITRE ATT&CK navigator layer where for each technique the metadata field contains the list of VIDs.
  3. import the MSV layer in the Navigator.
  4. import in the Navigator the other layer (e.g. mapping of an incident, TTPs from APT41, ...).
  5. combine the two layers to see where they overlap.
  6. export the combined layer.
  7. select from the combined layer only overlapped techniques with their corresponding VID list.
  8. get the VID list to create new evaluations/sequences.

We created two python scripts:

  • MSV2Matrix.py to automate points 1 and 2.
  • Layer2VIDList.py to automate points 7 and 8.

The other steps are to be done manually on the Navigator.
Refer to these links to understand how to do it:
https://attack.mitre.org/docs/training-cti/Comparing%20Layers%20in%20Navigator.pdf
https://www.youtube.com/watch?v=78RIsFqo9pM

Here is an example.
We'd like to know which actions from MSV Library are related to the MITRE Engenuity Insider Threat TTP Knowledge Base (https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/insider-threat-ttp-knowledge-base/).
Running the first script we got the layer for MSV Library (set score to 2).

python3 MSV2Matrix.py --directorip <your ip> --user <your user> --password <your password> --score 2 --outfile <your filename>

Import this layer to the Navigator.
Select Color Setup and set Low Value to 1 and High Value to 3.

From Matrix configuration remove "show aggregate scores" and select "show IDs". You will get something like this:

Hovering over colored techniques you will see a pop-up with VIDs related to that technique.

From the Navigator click the "+" to add a new tab and do the same loading the json layer from Engenuity (https://github.com/center-for-threat-informed-defense/insider-threat-ttp-kb/raw/main/docs/extra/green_seen_v1_v2.json).
Select Color Setup and set colors in the same way you did for the first layer.

Last thing to do is to combine the two layers. Create a new Layer and set the Score Expression to "a+b".
The important thing here is to set the Metadata field to get data from the MSV Library layer.

Again select Color Setup and set colors in the same way you did for the first layer.
In this new layer you will see the overlapping techniques colored with the color set for score 3. These are the overlapping techniques between MSV Library and the Engenuity layer. For these techniques you have at least one action in MSV Library.

You can now export the layer as a json file and run the second script:

python3 Layer2VIDList.py --json <your exported json file> --score 3

You will obtain a text file with the list of VIDs related to techniques in common between the two layers.

If you are interested in these python scripts send me a DM.

Disclaimer: I'm not a developer, I know only the basics of Python, so my code could be very basic and could contain errors. No warranties on the code quality 😉
Feel free to modify it as you want, but please share it again with the community.

For any questions, suggestions or criticism, please leave a comment.

Enjoy, Paolo

PS: I hope to see soon something similar integrated in the Director 😎
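The two scripts are shared by DM and are not part of the post, so here is an added Python example (not Paolo's code, and not Mandiant's or MITRE's) that sketches what the procedure automates: steps 1 and 2 (invert an action list into technique -> VID lists and write a Navigator layer whose metadata carries the VIDs), the Navigator "a+b" combination with metadata taken from the MSV layer, and steps 7 and 8 (keep only techniques that reach the overlap score and pull the VIDs out). The action list, VIDs, threat layer and ATT&CK/Navigator version strings are constructed placeholders; the layer field names (`techniqueID`, `score`, `metadata` name/value pairs, `gradient` min/max, `layout.showID`, `layout.showAggregateScores`) follow the Navigator layer format, and treating a technique missing from one layer as score 0 in the expression is an assumption about how Navigator evaluates "a+b".

```python
import json
from collections import defaultdict

# Constructed sample of MSV-style actions with their ATT&CK technique mapping.
# The VIDs and the assignments are invented for this example only.
SAMPLE_ACTIONS = [
    {"vid": "VID-0001", "techniques": ["T1078"]},
    {"vid": "VID-0002", "techniques": ["T1078", "T1110.001"]},
    {"vid": "VID-0003", "techniques": ["T1059.001"]},
    {"vid": "VID-0004", "techniques": []},  # unmapped action: never lands in the layer
]

# Constructed stand-in for the second layer (e.g. a threat-intel layer), score 1 each.
THREAT_LAYER = {
    "name": "constructed threat layer",
    "techniques": [
        {"techniqueID": "T1078", "score": 1},
        {"techniqueID": "T1566", "score": 1},
    ],
}


def collect_vids_by_technique(actions):
    """Step 1: invert the action list into technique -> sorted list of VIDs."""
    by_tech = defaultdict(set)
    for action in actions:
        for tid in action.get("techniques", []):
            by_tech[tid].add(action["vid"])
    return {tid: sorted(vids) for tid, vids in by_tech.items()}


def build_layer(vids_by_technique, score=2, name="MSV Library"):
    """Step 2: build a Navigator layer; every mapped technique gets the same score
    and one metadata entry whose value is the comma-separated VID list."""
    techniques = [
        {
            "techniqueID": tid,
            "score": score,
            "enabled": True,
            "comment": "",
            "metadata": [{"name": "VIDs", "value": ", ".join(vids)}],
        }
        for tid, vids in sorted(vids_by_technique.items())
    ]
    return {
        "name": name,
        # Version strings are assumed placeholders; match them to your Navigator instance.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": techniques,
        # Low Value 1 / High Value 3, as the post configures in Color Setup.
        "gradient": {"colors": ["#ffffff", "#ffe766", "#ff6666"], "minValue": 1, "maxValue": 3},
        "layout": {"layout": "side", "showID": True, "showName": True, "showAggregateScores": False},
    }


def combine_layers(layer_a, layer_b):
    """Mirror the Navigator 'a+b' score expression with metadata taken from layer a.
    Assumption: a technique absent from one layer contributes 0 to the sum."""
    a = {t["techniqueID"]: t for t in layer_a.get("techniques", [])}
    b = {t["techniqueID"]: t for t in layer_b.get("techniques", [])}
    combined = []
    for tid in sorted(set(a) | set(b)):
        score = a.get(tid, {}).get("score", 0) + b.get(tid, {}).get("score", 0)
        combined.append({"techniqueID": tid, "score": score, "metadata": a.get(tid, {}).get("metadata", [])})
    return {"name": "combined", "techniques": combined}


def extract_vids(layer, score=3):
    """Steps 7 and 8: keep techniques whose score reaches the threshold and collect
    the VIDs from their metadata (returns the technique IDs and the de-duplicated VIDs)."""
    selected, vids = [], set()
    for tech in layer.get("techniques", []):
        if tech.get("score") is None or tech["score"] < score:
            continue
        selected.append(tech["techniqueID"])
        for meta in tech.get("metadata", []):
            if meta.get("name") == "VIDs" and meta.get("value"):
                vids.update(v.strip() for v in meta["value"].split(","))
    return selected, sorted(vids)


def run_example():
    """End to end on the constructed data: MSV layer -> combine -> overlap VIDs."""
    msv_layer = build_layer(collect_vids_by_technique(SAMPLE_ACTIONS), score=2)
    combined = combine_layers(msv_layer, THREAT_LAYER)
    return extract_vids(combined, score=3)


if __name__ == "__main__":
    techniques, vid_list = run_example()
    print("overlapping techniques:", techniques)
    print("\n".join(vid_list))  # the text file the second script would write
    # json.dump(build_layer(...), open("msv_layer.json", "w"), indent=2) writes the importable layer
```

On the constructed data only T1078 reaches score 3, so the overlap list holds the two VIDs mapped to it; an action mapped to several techniques appears once even if more than one of them overlaps, which is why the VIDs are collected in a set before being written out.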

Great post and script, Paolo! Thanks for sharing.

We also use Navigator by starting from Mandiant Threat Intel or Google Threat Intel more recently, where we analyze a series of Threat Actors of interest specific to an Industry and a region and we use the Navigator layers to see on what TTPs these actors overlap. This way we will know what TTPs will be a priority for MSV testing and run their specific Actions.


Fantastic info. I am fairly new to this and to Python. Could you send the scripts used in the examples?

Thanks