malPatternEvaluator

A CLI tool that evaluates structural patterns derived from the MITRE ATT&CK framework against coreLang models stored in the Neo4j graph database. The pattern collection consists of 25 patterns, each identifying specific components in a model where a structural defense can be applied. In total 14 unique structural defenses are proposed; each one alters the attack paths that are available in the attack graph generated from the model.

Installation

  1. git clone https://github.com/mal-lang/malPatternEvaluator
  2. cd malPatternEvaluator && pip install -r requirements.txt
  3. Install Neo4j Desktop and start a local database instance.
  4. Configure that instance with the connection parameters the tool uses: uri="bolt://localhost:7687", username="neo4j", password="dynp12345!", dbname="neo4j"

Usage

  1. Compile a coreLang model using the MAL-Toolbox, or use one of the example models provided in the /models directory.

  2. python3 mpe.py -m models/mX/model_X.json -p patterns.json

  3. CLI menu:

    [1] Analyze patterns - Process each pattern in the patterns.json file and send its queries to the Neo4j graph database
    [2] Review Pattern Report - Print the log report generated from the analyzed patterns
    [3] Apply mitigation - Select from the pattern report the ID of the pattern that should be mitigated and provide it as the argument
    [4] Restore model - Undo all changes made to the provided model and restore it to its original state
    [5] Exit - Terminate the program


Pattern collection

Each pattern consists of two sub-patterns (BadPattern and MitigationPattern) that are encoded as Cypher queries processed by the Neo4j graph database. The BadPattern blueprint identifies the components that may pose a threat, and the MitigationPattern blueprint proposes the structural change that removes it. To provide additional security guidance, each pattern is mapped to a selection of ATT&CK Technique and Mitigation IDs. In the descriptions below, [Asset] denotes a coreLang asset type and {association} a coreLang association between assets.

| Group | Pattern name | BadPattern description | MitigationPattern description | ATT&CK IDs |
|---|---|---|---|---|
| IAM | remoteAccessMFA | Identifies [Credentials] linked to an [Application] whose name matches remote access, where the {ConditionalAuthentication} association is missing. | Add [Credentials] with {ConditionalAuthentication} to the identified [Credentials] where MFA is missing. | Initial Access: [T1133, T1078], Persistence: [T1078], Credential Access: [T1110], Mitigation: [M1036, M1032, M1030, M1017] |
| IAM | highPrivAccountsMFA | Identifies [Credentials] linked to a [User]-associated [Identity] with extended privileges, where the {ConditionalAuthentication} association is missing. | Add [Credentials] with {ConditionalAuthentication} to the identified [Credentials] where MFA is missing. | Privilege Escalation: [T1078], Defense Evasion: [T1078], Credential Access: [T1110], Mitigation: [M1032, M1027, M1026] |
| IAM | shadowAdmin | Identifies a [User]-associated [Identity] with a {highPrivAppIAMs} association to an [Application] whose name does not match admin/root. | Remove {highPrivAppIAMs} from the identified [Identity] and add {lowPrivAppIAMs} instead. | Initial Access: [T1078], Privilege Escalation: [T1078], Mitigation: [M1032, M1018, M1026, M1036] |
| IAM | groupIdentityAppMismatch | Identifies an [Identity] with a {memberOf} association to a [Group] where the [Identity] has different privileges than the [Group] on an [Application]. | Remove the association between the identified [Identity] and [Application]. | Privilege Escalation: [T1078], Discovery: [T1613, T1046], Mitigation: [M1026] |
| IAM | groupIdentityDataMismatch | Identifies an [Identity] with a {memberOf} association to a [Group] where the [Identity] has different privileges than the [Group] on a [Data]. | Remove the association between the identified [Identity] and [Application]. | Privilege Escalation: [T1078], Discovery: [T1613, T1046], Mitigation: [M1026] |
| IAM | highPrivServiceAccounts | Identifies an [Identity] whose name matches a service account and that has a {highPrivAppIAMs} association. | Remove the [Identity] from the [Network] and add it to a new segmented [Network]. | Privilege Escalation: [T1078], Discovery: [T1087], Lateral Movement: [T1072, T1021], Mitigation: [M1027, M1036, M1035, M1030, M1033] |
| IAM | accountManagerMFA | Identifies an [Identity] with a {managers} association to another [Group], [Identity], or [Privileges], where the {ConditionalAuthentication} association is missing. | Add [Credentials] with {ConditionalAuthentication} to the identified [Credentials] where MFA is missing. | Persistence: [T1098, T1136], Impact: [T1531], Mitigation: [M1032, M1026] |
| IAM | identityDiscovery | Identifies an [Application] with multiple associated [Identity] that hold different types of privileges on the [Application]. | Delete the association between the identified [Identity] and [Application], then add a new anonymous [Identity] with {CanAssume} to the sensitive [Identity]. | Discovery: [T1087], Mitigation: [M1028] |
| ComputeResources | userExposedHardware | Identifies [Hardware] with a {hostHardware} association to a [Network]-linked [Application], where a [User] does not match the name of the [Hardware]. | Remove the association between the identified [Hardware] and [User], then add a new [PhysicalZone] with {ZoneInclusion} to the [Hardware] to restrict access. | Initial Access: [T1200, T1091], Lateral Movement: [T1091], Mitigation: [M1034, M1040] |
| ComputeResources | zoneExposedHardware | Identifies [Hardware] where the [User] is not associated with the [PhysicalZone] linked to the [Hardware]. | Remove the association between the identified [Hardware] and [User]. | Initial Access: [T1200, T1091], Lateral Movement: [T1091], Mitigation: [M1034, M1040] |
| ComputeResources | supplyChainVulnApp | Identifies an [Application] with an associated [SoftwareProduct] where no {protectedApps} association to an [IDPS] exists. | Add an [IDPS] with the {AppProtection} association to the identified [Application]. | Initial Access: [T1195], Mitigation: [M1016, M1051, M1033] |
| ComputeResources | containerCompromise | Identifies an [Application] whose name matches a containerized service and where an [Identity] with extended privileges exists. | Add an [IDPS] to the identified [Application]. | Execution: [T1610], Privilege Escalation: [T1611], Discovery: [T1613], Mitigation: [M1047, M1048, M1038] |
| ComputeResources | taintSharedStorage | Identifies [Data] hosted on [Hardware] or contained in an [Application] where multiple [Identity] have write privileges, indicating shared storage. | Remove the association between the identified [Data] and [Identity] to restrict access. | Lateral Movement: [T1080], Mitigation: [M1022, M1049] |
| ComputeResources | remoteAccessC2 | Identifies an [Application] whose name matches a remote access tool and where no {protectedApps} association to an [IDPS] exists. | Add an [IDPS] to the identified [Application]. | Command and Control: [T1219], Exfiltration: [T1041], Mitigation: [M1031, M1037] |
| DataResources | unencryptedData | Identifies [Data] linked to an [Application] where the associated {encryptCreds} are missing. | Add [Credentials] with {EncryptionCredentials} to the identified [Data] where encryption is missing. | Credential Access: [T1552, T1555], Collection: [T1005, T1039], Impact: [T1565], Mitigation: [M1041, M1047, M1027, M1057] |
| DataResources | unencryptedInfo | Identifies [Information] linked to [Data] where the associated {encryptCreds} are missing. | Add [Credentials] with {EncryptionCredentials} to the identified [Data] where encryption is missing. | Credential Access: [T1552, T1555], Collection: [T1005, T1039], Impact: [T1565], Mitigation: [M1041, M1047, M1027, M1057] |
| DataResources | dataAiTM | Identifies [Data] with a {transitData} association to a [Network] where a [User] has physical access to the [Network]. | Remove the {DataInTransit} association between the identified [Data] and [Network], then transit the data over a new [Network]. | Credential Access: [T1557, T1040], Collection: [T1557], Mitigation: [M1041, M1037, M1035] |
| DataResources | dataDestruction | Identifies [Data] where an [Identity] is associated through {writingIAMs} or {deletingIAMs}. | Add new [Data] as a backup and place it on new [Hardware] as an offline backup. | Impact: [T1485, T1486, T1561], Mitigation: [M1053] |
| Network | activeNetworkScan | Identifies a [Network] with a connected [Application] where the [Network] is not identified as a DMZ but has an {ingoingNetConnections} association to a [RoutingFirewall]. | Remove {ingoingNetConnections} to the identified [Network] and add {outgoingNetConnections} instead. | Reconnaissance: [T1595, T1590], Discovery: [T1046], Mitigation: [M1056] |
| Network | nonSegmentedPublicApp | Identifies an [Application] whose name matches an internet-facing service and that has an {ingoingAppConnections} association to a [Network] not identified as a DMZ. | Remove the association between the identified [Application] and [Network], then add it to a new segmented [Network]. | Initial Access: [T1190, T1133], Lateral Movement: [T1210], Mitigation: [M1030] |
| Network | networkPerimeterCompromise | Identifies a [RoutingFirewall] with an associated [Application] or [Hardware] to which an [Identity] is linked. | Add [Credentials] with {ConditionalAuthentication} to the identified [Credentials] where MFA is missing, then add an [IDPS] to the identified [Application]. | Defense Evasion: [T1599], Mitigation: [M1043, M1032, M1027] |
| User | userExposedNetworks | Identifies a [Network] where a [User] exists but an [IDPS] or another [Application] matching a security tool is missing. | Add an [IDPS] between the [RoutingFirewall] and the [Network] where the [User] exists. | Initial Access: [T1566], Execution: [T1204], Lateral Movement: [T1534], Mitigation: [M1049, M1031, M1017] |
| User | userImpersonation | Identifies a [User] with an associated [Identity] that is also linked to another [User]. | Add [Credentials] with {ConditionalAuthentication} to the identified [Credentials] where MFA is missing. | Defense Evasion: [T1656], Mitigation: [M1019, M1017] |
| Vulnerability | exploitVulnerablePublicApp | Identifies an [Application] linked to a [SoftwareVulnerability] with an {ingoingAppConnections} association to a [Network] not identified as a DMZ. | Remove the [ConnectionRule] from the [Application] to the [Network], then assign it to a new segmented [Network]. | Initial Access: [T1190], Mitigation: [M1030, M1051, M1016] |
| Vulnerability | exploitVulnerableApp | Identifies a [SoftwareVulnerability] linked to an [Application] or [SoftwareProduct] with an associated [Identity]. | Remove all associations to the [Application] except those to the [SoftwareVulnerability] and [SoftwareProduct], isolating it. | Execution: [T1203], Privilege Escalation: [T1068], Defense Evasion: [T1211], Credential Access: [T1212], Mitigation: [M1051, M1048, M1019] |
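To make the BadPattern/MitigationPattern split and the analyze, mitigate, restore cycle of the CLI concrete, the following is an added example that walks one pattern from the table above (remoteAccessMFA) over a small in-memory model. It is not code from malPatternEvaluator and it does not talk to Neo4j. The node labels ([Credentials], [Identity], [Application]) and association names ({IdentityCredentials}, {lowPrivAppIAMs}, {highPrivAppIAMs}, {ConditionalAuthentication}) follow the bracket/brace notation of the table; the exact coreLang names, the "remote access" name matcher, the sample model and the Cypher rendering shown in the constant are all assumptions made for the example, not the project's patterns.json.

```python
"""In-memory walk-through of one pattern from the collection: remoteAccessMFA.

Added example, not code from malPatternEvaluator. Node labels and association
names follow the README's notation; the exact coreLang names, the name matcher,
the sample model and the Cypher text are assumptions made here.
"""
from __future__ import annotations

import copy
import re
from dataclasses import dataclass, field

# Assumed matcher for "name matching of remote access" (the real pattern's regex is not shown).
REMOTE_ACCESS = re.compile(r"vpn|rdp|ssh|remote", re.IGNORECASE)

# How the same BadPattern could be written as Cypher for Neo4j under the assumed
# schema (illustrative only; not the project's patterns.json encoding).
BAD_PATTERN_CYPHER = """
MATCH (c:Credentials)-[:IdentityCredentials]->(i:Identity)
      -[:highPrivAppIAMs|lowPrivAppIAMs]->(a:Application)
WHERE a.name =~ '(?i).*(vpn|rdp|ssh|remote).*'
  AND NOT (c)-[:ConditionalAuthentication]->(:Credentials)
RETURN DISTINCT c.id AS credential
"""


@dataclass
class Model:
    """Minimal graph: asset id -> {label, name}; edges are (src, association, dst)."""
    nodes: dict[str, dict[str, str]]
    edges: set[tuple[str, str, str]] = field(default_factory=set)

    def out(self, src: str, assoc: str, label: str) -> list[str]:
        return [d for s, a, d in self.edges
                if s == src and a == assoc and self.nodes[d]["label"] == label]


def bad_pattern_remote_access_mfa(m: Model) -> list[str]:
    """BadPattern: [Credentials] -> [Identity] -> remote-access [Application],
    where the credential has no {ConditionalAuthentication} to a second factor."""
    hits: set[str] = set()
    for cid, node in m.nodes.items():
        if node["label"] != "Credentials":
            continue
        if m.out(cid, "ConditionalAuthentication", "Credentials"):
            continue  # a second factor is already required
        for iid in m.out(cid, "IdentityCredentials", "Identity"):
            for assoc in ("highPrivAppIAMs", "lowPrivAppIAMs"):
                for aid in m.out(iid, assoc, "Application"):
                    if REMOTE_ACCESS.search(m.nodes[aid]["name"]):
                        hits.add(cid)
    return sorted(hits)


def mitigation_remote_access_mfa(m: Model, cred_id: str) -> str:
    """MitigationPattern: add a new [Credentials] bound by {ConditionalAuthentication}."""
    factor_id = f"{cred_id}_mfa"
    m.nodes[factor_id] = {"label": "Credentials", "name": f"second factor for {cred_id}"}
    m.edges.add((cred_id, "ConditionalAuthentication", factor_id))
    return factor_id


def constructed_model() -> Model:
    """Constructed sample model (not one of the repository's /models files)."""
    m = Model(nodes={
        "cred_alice": {"label": "Credentials", "name": "alice password"},
        "cred_bob": {"label": "Credentials", "name": "bob password"},
        "cred_bob_token": {"label": "Credentials", "name": "bob hardware token"},
        "id_alice": {"label": "Identity", "name": "alice"},
        "id_bob": {"label": "Identity", "name": "bob"},
        "app_vpn": {"label": "Application", "name": "Corporate VPN gateway"},
        "app_wiki": {"label": "Application", "name": "Internal wiki"},
    })
    m.edges |= {
        ("cred_alice", "IdentityCredentials", "id_alice"),
        ("cred_bob", "IdentityCredentials", "id_bob"),
        ("cred_bob", "ConditionalAuthentication", "cred_bob_token"),  # bob already has MFA
        ("id_alice", "lowPrivAppIAMs", "app_vpn"),
        ("id_bob", "lowPrivAppIAMs", "app_vpn"),
        ("id_alice", "highPrivAppIAMs", "app_wiki"),  # not remote access, must not match
    }
    return m


def analyze_mitigate_restore() -> dict[str, list[str]]:
    """Mirrors CLI steps [1] analyze, [3] apply mitigation, [4] restore model."""
    original = constructed_model()
    working = copy.deepcopy(original)          # keep a pristine copy for restore
    before = bad_pattern_remote_access_mfa(working)
    for cid in before:
        mitigation_remote_access_mfa(working, cid)
    after = bad_pattern_remote_access_mfa(working)
    restored = bad_pattern_remote_access_mfa(copy.deepcopy(original))
    return {"before": before, "after": after, "restored": restored}


if __name__ == "__main__":
    # -> {'before': ['cred_alice'], 'after': [], 'restored': ['cred_alice']}
    print(analyze_mitigate_restore())
```

Only alice's password credential is reported: bob's password already has a {ConditionalAuthentication} edge to a second factor, and alice's admin access to the wiki is not a remote-access application. Applying the MitigationPattern adds the missing second factor, after which the BadPattern no longer matches; restoring from the untouched copy brings the finding back, which is what the CLI's restore step does for the real model.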
