attack-flow
Attack Flow helps executives, SOC managers, and defenders easily understand how attackers compose ATT&CK techniques into attacks by developing a representation of attack flows, modeling attack flows for a small corpus of incidents, and creating visualization tools to display attack flows. (by center-for-threat-informed-defense)
adversary_emulation_library
An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs. (by center-for-threat-informed-defense)
SurveyJS - Open-Source JSON Form Builder to Create Dynamic Forms Right in Your App
With SurveyJS form UI libraries, you can build and style forms in a fully-integrated drag & drop form builder, render them in your JS app, and store form submission data in any backend, inc. PHP, ASP.NET Core, and Node.js.
surveyjs.io
featured
| attack-flow | adversary_emulation_library | |
|---|---|---|
| 5 | 8 | |
| 508 | 1,555 | |
| 3.3% | 2.2% | |
| 8.9 | 9.5 | |
| 11 days ago | 4 months ago | |
| TypeScript | C | |
| Apache License 2.0 | Apache License 2.0 |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
attack-flow
Posts with mentions or reviews of attack-flow.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2022-09-21.
- Attack Flow v2.0.1 — a language for describing how cyber adversaries combine and sequence various offensive techniques to achieve their goals
-
Attack Chain/Exploitation Path Diagram Generation Tools?
This is what Attack Flow is specifically meant to help with (https://github.com/center-for-threat-informed-defense/attack-flow and https://www.youtube.com/watch?v=dlTTF4TF48A). Take a look at the CEO Scenario walkthrough (https://github.com/center-for-threat-informed-defense/attack-flow/blob/main/docs/ceo_scenario.md), the use of a Sankey diagram to highlight how mitigations reduce the cost of risk is one of the best representations I know of.
-
I'm the CINO of Tidal Cyber, and previously founded MITRE's ATT&CK® Evaluations. AMA!
I will give credit to the work at CTID, though many are looking at how to not look at ATT&CK Techniques atomically, rather as chains: https://ctid.mitre-engenuity.org/our-work/attack-flow/
-
PURPLE TEAM LEADERSHIP METRICS?
define your attack path similar to the sankey diagrams at https://github.com/center-for-threat-informed-defense/attack-flow/blob/main/docs/ceo_scenario.md
-
Tooling for Purple Teaming
- Threat Modeling - Based on the assessment results, define potential attack paths (not a single action against a single asset, but the full chain of steps that an attacker would take - see https://github.com/center-for-threat-informed-defense/attack-flow/blob/main/docs/ceo_scenario.md for a basic example). Prioritize your attack paths based on whatever real world factors affect your team's availability, capabilities, etc. For example, if the team's availability overlaps with a year-end accounting process, pick an attack path that doesn't touch your finance and accounting team.
adversary_emulation_library
Posts with mentions or reviews of adversary_emulation_library.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2022-10-16.
-
What adversary emulation options are there nowadays to test SIEMs and IDSs?
Unfortunately I don't have the background and knowledge of cybersecurity needed to plan a pentest of my own. Also, it would be more interesting to emulate the attacks of actual APTs known in the wild. So far, I've tested Caldera, Invoke-AtomicRedTeam and manual tests from CTID's adversary emulation library: https://github.com/center-for-threat-informed-defense/adversary_emulation_library
- adversary_emulation_library: An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.
-
New blue team
This is a great callout! To help get started, check out the adversary emulation library, https://github.com/center-for-threat-informed-defense/adversary_emulation_library. There are also micro-emulation plans, described here: https://ctid.mitre-engenuity.org/our-work/micro-emulation-plans/.
- micro_emulation_plans: This collection expands the impact of the Adversary Emulation Library by developing easy-to-execute adversary emulation content that targets specific behaviors and challenges facing defenders
-
Advice on purple teaming
I don't know how we know what CS would do if that command was part of a chain of attack, I'm assuming it would just detect on the more malicious activities. Once we get a bit more mature in our use of Atomic Red team I was looking at this framework for simulating an actual attack chain.
- THT: When hunt APT look for emulation ...
- Adversary Emulation Library
- menuPass Adversary Emulation
What are some alternatives?
When comparing attack-flow and adversary_emulation_library you can also consider the following projects:
caldera_pathfinder - Pathfinder is a plugin for mapping network vulnerabilities, scanned by CALDERA or imported by a supported network scanner, and translating those scans into adversaries for network traversal.
tram - TRAM is an open-source platform designed to advance research into automating the mapping of cyber threat intelligence reports to MITRE ATT&CK®.
VECTR - VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios
sysmon-modular - A repository of sysmon configuration modules
attack-stix-data - STIX data representing MITRE ATT&CK
attack-control-framework-mappings - 🚨ATTENTION🚨 The NIST 800-53 mappings have migrated to the Center’s Mappings Explorer project. See README below. This repository is kept here as an archive.
caldera - Automated Adversary Emulation Platform
RedEye - RedEye is a visual analytic tool supporting Red & Blue Team operations
heimdall2 - Heimdall Enterprise Server 2 lets you view, store, and compare automated security control scan results.
stix2.1-coa-playbook-extension - A STIX 2.1 Extension Definition for the Course of Action (COA) object type. The nested property extension allows a COA to share machine-readable security playbooks such as CACAO Security Playbooks
auditd-attack - A Linux Auditd rule set mapped to MITRE's Attack Framework
attack-flow vs caldera_pathfinder
adversary_emulation_library vs tram
attack-flow vs VECTR
adversary_emulation_library vs sysmon-modular
attack-flow vs attack-stix-data
adversary_emulation_library vs attack-control-framework-mappings
attack-flow vs caldera
adversary_emulation_library vs RedEye
attack-flow vs heimdall2
adversary_emulation_library vs stix2.1-coa-playbook-extension
adversary_emulation_library vs auditd-attack
adversary_emulation_library vs caldera