A CLI tool to evaluate structural patterns derived from the MITRE ATT&CK framework on coreLang models using the Neo4j graph database. The pattern collection consists of 25 different patterns, each capable of identifying specific components in a model where a structural defense can be applied. In total, 14 unique structural defenses are proposed; each one alters the attack paths available in the generated attack graph.
- git clone https://github.com/mal-lang/malPatternEvaluator
- pip install -r requirements.txt
- Install Neo4j Desktop
- Connect to the Neo4j Desktop instance with uri="bolt://localhost:7687", username="neo4j", password="dynp12345!", dbname="neo4j"
- Compile a coreLang model using the MAL-Toolbox, or use the example models provided in the /models directory
- Run the evaluator: python3 mpe.py -m models/mX/model_X.json -p patterns.json
CLI instructions:
[1] Analyze patterns - Process each pattern from the supplied pattern file (patterns.json) and send the resulting queries to the Neo4j graph database
[2] Review Pattern Report - Print the generated log report for the analyzed patterns
[3] Apply mitigation - From the pattern report, select the ID of the pattern that should be mitigated and provide it as an argument
[4] Restore model - Undo any changes to the provided model and restore it to its original state
[5] Exit - Terminate the program
Each pattern consists of two sub-patterns (BadPattern and MitigationPattern) that are encoded as Cypher queries processed by the Neo4j graph database. The BadPattern blueprint identifies the components that may pose a threat, and the MitigationPattern blueprint proposes the structural change that removes it. To provide additional security guidance, each pattern has been mapped to a selection of ATT&CK Technique and Mitigation IDs.
Group of patterns | Pattern name | BadPattern description | MitigationPattern description | ATT&CK IDs |
---|---|---|---|---|
IAM | remoteAccessMFA | Identifies [Credentials] linked to [Application] with name matching of remote access where association {ConditionalAuthentication} is missing. | Add [Credentials] with {ConditionalAuthentication} to the identified [Credentials] where MFA is missing. | Initial Access: [T1133, T1078], Persistence: [T1078], Credential Access: [T1110], Mitigation: [M1036, M1032, M1030, M1017] |
IAM | highPrivAccountsMFA | Identifies [Credentials] linked to [User] associated [Identity] with extended privileges where association {ConditionalAuthentication} is missing. | Add [Credentials] with {ConditionalAuthentication} to the identified [Credentials] where MFA is missing. | Privilege Escalation: [T1078], Defense Evasion: [T1078], Credential Access: [T1110], Mitigation: [M1032, M1027, M1026] |
IAM | shadowAdmin | Identifies [User] associated [Identity] with {highPrivAppIAMs} association to [Application] where name is not matching admin/root. | Remove {highPrivAppIAMs} from the identified [Identity] and add {lowPrivAppIAMs} instead. | Initial Access: [T1078], Privilege Escalation: [T1078], Mitigation: [M1032, M1018, M1026, M1036] |
IAM | groupIdentityAppMismatch | Identifies [Identity] with {memberOf} association to a [Group] where the [Identity] has different privileges than the [Group] on an [Application]. | Remove the association between identified [Identity] and [Application]. | Privilege Escalation: [T1078], Discovery: [T1613, T1046], Mitigation: [M1026] |
IAM | groupIdentityDataMismatch | Identifies [Identity] with {memberOf} association to a [Group] where the [Identity] has different privileges than the [Group] on a [Data]. | Remove the association between identified [Identity] and [Application]. | Privilege Escalation: [T1078], Discovery: [T1613, T1046], Mitigation: [M1026] |
IAM | highPrivServiceAccounts | Identifies [Identity] with name matching of service account with {highPrivAppIAMs} association. | Remove [Identity] from [Network] and add it to new segmented [Network]. | Privilege Escalation: [T1078], Discovery: [T1087], Lateral Movement: [T1072, T1021], Mitigation: [M1027, M1036, M1035, M1030, M1033] |
IAM | accountManagerMFA | Identifies [Identity] with {managers} association to another [Group], [Identity], or [Privileges] where association {ConditionalAuthentication} is missing. | Add [Credentials] with {ConditionalAuthentication} to the identified [Credentials] where MFA is missing. | Persistence: [T1098, T1136], Impact: [T1531], Mitigation: [M1032, M1026] |
IAM | identityDiscovery | Identifies [Application] with multiple associated [Identity] with different types of privileges on the [Application]. | Delete the association between identified [Identity] and [Application], then add a new anonymous [Identity] with {CanAssume} to sensitive [Identity]. | Discovery: [T1087], Mitigation: [M1028] |
ComputeResources | userExposedHardware | Identifies [Hardware] with {hostHardware} association to a [Network] linked [Application] where a [User] is not matching name of [Hardware]. | Remove the association between identified [Hardware] and [User], then add new [PhysicalZone] with {ZoneInclusion} to the [Hardware] to restrict access. | Initial Access: [T1200, T1091], Lateral Movement: [T1091], Mitigation: [M1034, M1040] |
ComputeResources | zoneExposedHardware | Identifies [Hardware] where [User] is not associated with the [PhysicalZone] linked to the [Hardware]. | Remove the association between identified [Hardware] and [User]. | Initial Access: [T1200, T1091], Lateral Movement: [T1091], Mitigation: [M1034, M1040] |
ComputeResources | supplyChainVulnApp | Identifies [Application] with associated [SoftwareProduct] where no {protectedApps} association to an [IDPS] exists. | Add [IDPS] with association {AppProtection} to the identified [Application]. | Initial Access: [T1195], Mitigation: [M1016, M1051, M1033] |
ComputeResources | containerCompromise | Identifies [Application] with name matching of containerized services where [Identity] with extended privileges exists. | Add [IDPS] to the identified [Application]. | Execution: [T1610], Privilege Escalation: [T1611], Discovery: [T1613], Mitigation: [M1047, M1048, M1038] |
ComputeResources | taintSharedStorage | Identifies [Data] that is hosted on [Hardware] or contained in [Application] where multiple [Identity] have write privileges indicating shared storage. | Remove the association between identified [Data] and [Identity] to restrict access. | Lateral Movement: [T1080], Mitigation: [M1022, M1049] |
ComputeResources | remoteAccessC2 | Identifies [Application] with name matching of remote access tools where no {protectedApps} association to an [IDPS] exists. | Add [IDPS] to the identified [Application]. | Command and Control: [T1219], Exfiltration: [T1041], Mitigation: [M1031, M1037] |
DataResources | unencryptedData | Identifies [Data] linked to [Application] where associated {encryptCreds} are missing. | Add [Credentials] with {EncryptionCredentials} to the identified [Data] where encryption is missing. | Credential Access: [T1552, T1555], Collection: [T1005, T1039], Impact: [T1565], Mitigation: [M1041, M1047, M1027, M1057] |
DataResources | unencryptedInfo | Identifies [Information] linked to [Data] where associated {encryptCreds} are missing. | Add [Credentials] with {EncryptionCredentials} to the identified [Data] where encryption is missing. | Credential Access: [T1552, T1555], Collection: [T1005, T1039], Impact: [T1565], Mitigation: [M1041, M1047, M1027, M1057] |
DataResources | dataAiTM | Identifies [Data] with association {transitData} to a [Network] where [User] have physical access to the [Network]. | Remove the {DataInTransit} association between identified [Data] and [Network], then transit over new [Network]. | Credential Access: [T1557, T1040], Collection: [T1557], Mitigation: [M1041, M1037, M1035] |
DataResources | dataDestruction | Identifies [Data] where [Identity] is associated with {writingIAMs} or {deletingIAMs}. | Add new [Data] as backup and add it to new [Hardware] for offline backup. | Impact: [T1485, T1486, T1561], Mitigation: [M1053] |
Network | activeNetworkScan | Identifies [Network] with connected [Application] where [Network] is not identified as DMZ but with {ingoingNetConnections} association to [RoutingFirewall]. | Remove {ingoingNetConnections} to the identified [Network] and add {outgoingNetConnections} instead. | Reconnaissance: [T1595, T1590], Discovery: [T1046], Mitigation: [M1056] |
Network | nonSegmentedPublicApp | Identifies [Application] with name matching as an internet-facing service with {ingoingAppConnections} association to [Network] which is not identified as DMZ. | Remove the association between identified [Application] and [Network], then add it to a new segmented [Network]. | Initial Access: [T1190, T1133], Lateral Movement: [T1210], Mitigation: [M1030] |
Network | networkPerimeterCompromise | Identifies [RoutingFirewall] with associated [Application] or [Hardware] where [Identity] is linked to it. | Add [Credentials] with {ConditionalAuthentication} to the identified [Credentials] where MFA is missing. Then add [IDPS] to the identified [Application]. | Defense Evasion: [T1599], Mitigation: [M1043, M1032, M1027] |
User | userExposedNetworks | Identifies [Network] where [User] exists but [IDPS] or other [Application] matching a security tool is missing. | Add [IDPS] between the [RoutingFirewall] and [Network] where [User] exists. | Initial Access: [T1566], Execution: [T1204], Lateral Movement: [T1534], Mitigation: [M1049, M1031, M1017] |
User | userImpersonation | Identifies [User] with associated [Identity] that is linked to another [User]. | Add [Credentials] with {ConditionalAuthentication} to the identified [Credentials] where MFA is missing. | Defense Evasion: [T1656], Mitigation: [M1019, M1017] |
Vulnerability | exploitVulnerablePublicApp | Identifies [Application] linked to [SoftwareVulnerability] with association {ingoingAppConnections} to [Network] not identified as DMZ. | Remove [ConnectionRule] from [Application] to the [Network], then assign it to a new segmented [Network]. | Initial Access: [T1190], Mitigation: [M1030, M1051, M1016] |
Vulnerability | exploitVulnerableApp | Identifies [SoftwareVulnerability] linked to an [Application] or [SoftwareProduct] with associated [Identity]. | Remove any associations to [Application] except the ones to [SoftwareVulnerability] and [SoftwareProduct] to isolate. | Execution: [T1203], Privilege Escalation: [T1068], Defense Evasion: [T1211], Credential Access: [T1212], Mitigation: [M1051, M1048, M1019] |
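To make the BadPattern / MitigationPattern split concrete, here is an added, self-contained Python stand-in for the remoteAccessMFA row above, evaluated on a constructed coreLang-style model instead of Neo4j; it is not code from malPatternEvaluator. The dict layout, the node ids, the "linkedApp" association name and the remote-access name regex are assumptions; {ConditionalAuthentication} is the association named in the table, and the original model is kept unmodified so the "Restore model" step stays possible.

```python
import re
from copy import deepcopy

# Assumed list of names that mark an Application as a remote-access service.
REMOTE_ACCESS_NAME = re.compile(r"vpn|rdp|ssh|remote|citrix", re.IGNORECASE)

# Constructed toy model: nodes map id -> (coreLang asset type, name);
# assocs hold (source, association, target) triples. Only cred2 has a second factor.
MODEL = {
    "nodes": {
        "app1": ("Application", "openvpn-gateway"),
        "app2": ("Application", "intranet-wiki"),
        "cred1": ("Credentials", "vpn-password"),
        "cred2": ("Credentials", "wiki-password"),
        "cred3": ("Credentials", "wiki-totp"),
    },
    "assocs": {
        ("cred1", "linkedApp", "app1"),
        ("cred2", "linkedApp", "app2"),
        ("cred2", "ConditionalAuthentication", "cred3"),
    },
}

def bad_pattern_remote_access_mfa(model):
    """BadPattern: Credentials linked to a remote-access Application that have
    no {ConditionalAuthentication} association, i.e. no second factor."""
    nodes, assocs = model["nodes"], model["assocs"]
    has_mfa = {src for src, rel, _ in assocs if rel == "ConditionalAuthentication"}
    hits = []
    for src, rel, dst in sorted(assocs):
        if rel != "linkedApp":
            continue
        stype, _ = nodes[src]
        dtype, dname = nodes[dst]
        if (stype == "Credentials" and dtype == "Application"
                and REMOTE_ACCESS_NAME.search(dname) and src not in has_mfa):
            hits.append(src)
    return hits

def mitigation_pattern_remote_access_mfa(model, cred_id):
    """MitigationPattern: add a new Credentials node and attach it to the identified
    Credentials via {ConditionalAuthentication}. Works on a copy so the original
    model can be restored later."""
    fixed = deepcopy(model)
    mfa_id = f"{cred_id}_mfa"
    fixed["nodes"][mfa_id] = ("Credentials", f"{cred_id}-second-factor")
    fixed["assocs"].add((cred_id, "ConditionalAuthentication", mfa_id))
    return fixed

if __name__ == "__main__":
    findings = bad_pattern_remote_access_mfa(MODEL)          # ['cred1']
    fixed = MODEL
    for cred in findings:
        fixed = mitigation_pattern_remote_access_mfa(fixed, cred)
    print("before:", findings, "after:", bad_pattern_remote_access_mfa(fixed))
```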