RubyGems - active_attack - Versions diffs - 0.1.14 - Mend

active_attack 0.1.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (93) hide show

data/app/models/active_attack/permissions_required.rb ADDED

@@ -0,0 +1,14 @@
+module ActiveAttack
+  class PermissionsRequired < ApplicationRecord
+    has_many :attack_patterns, :class_name => 'ActiveStix::AttackPattern', through: :permissions_required_attack_pattern
+    def self.create_perm(perm)
+      permission = find_or_create_by(permission:perm)
+      permission
+    end
+    def convert_to_json
+      permission
+    end
+  end
+end

data/app/models/active_attack/platform.rb ADDED

@@ -0,0 +1,16 @@
+module ActiveAttack
+  class Platform < ApplicationRecord
+    has_many :attack_patterns, :class_name => 'ActiveStix::AttackPattern', through: :platform_attack_pattern
+    has_many :malware_platform
+    has_many :malwares, :class_name => 'ActiveStix::Malware', through: :malware_platform
+    def self.create_platform(plat_name)
+      plat = find_or_create_by(name:plat_name)
+      plat
+    end
+    def convert_to_json
+      platform
+    end
+  end
+end

data/app/models/active_attack/playbook.rb ADDED

@@ -0,0 +1,177 @@
+module ActiveAttack
+  class Playbook < ApplicationRecord
+    belongs_to :bundle, :class_name => 'ActiveStix::Bundle', foreign_key: 'bundle_id', primary_key: 'stix_id', optional: true
+    belongs_to :threat_actor, :class_name => 'ActiveStix::ThreatActor', foreign_key: 'threat_actor_id', primary_key: 'stix_id', optional: true
+    def as_stix(classification = nil, chess = nil)
+    end
+    def campaigns
+      @campaigns ||= bundle.bundled_objects.select {|b| b.stix_object.type == "campaign"}.collect {|bo| bo.stix_object}
+    end
+    def campaign
+      @campaign ||= bundle.bundled_objects.find {|b| b.stix_object.type == "campaign"}.stix_object
+    end
+    def attack_patterns
+      @attack_patterns ||= campaign.attack_patterns
+    end
+    def kill_chain
+      return @kill_chain if @kill_chain
+      @kill_chain = attack_patterns.first.kill_chain_phases.first.phase.kill_chain
+    end
+    def number_of_rows
+      phased_attack_patterns.collect {|k, v| v.size}.max
+    end
+    def campaign_attack_patterns
+      return @campaign_attack_patterns if @campaign_attack_patterns
+      @campaign_attack_patterns = {}
+      campaigns.each do |campaign|
+        @campaign_attack_patterns[campaign] = campaign.attack_patterns
+      end
+      @campaign_attack_patterns
+    end
+    def attack_pattern_campaign_list(phase, row)
+      attack_pattern = attack_pattern_matrix(phase, row)
+      campaigns.select do |campaign|
+        campaign_attack_patterns[campaign].collect(&:name).include? attack_pattern
+      end.collect(&:stix_id).join(" ")
+    end
+    def phased_attack_patterns
+      return @phased_attack_patterns if @phased_attack_patterns
+      @phased_attack_patterns = {}
+      @kill_chain.phases.each do |phase|
+        @phased_attack_patterns[phase.name] = phase.attack_patterns
+      end
+      @phased_attack_patterns
+    end
+    def attack_pattern_matrix(phase, row)
+      phase = phased_attack_patterns[phase]
+      if row < phase.size
+        phase[row].name
+      else
+        nil
+      end
+    end
+    def self.ingest_json(bundle)
+      puts "ingesting"
+      bundle = ActiveStix::Bundle.ingest_json(bundle, nil)
+      intrusion_set_report = bundle.bundled_objects.where(object_type: "ActiveStix::Report").select {|bo| bo.stix_object.labels.map(&:name).include?('intrusion-set')}.first.stix_object
+      intrusion_set = intrusion_set_report.report_objects.find {|ro| ro.stix_object.type == 'intrusion-set'}.stix_object
+      threat_actor = ActiveStix::ThreatActor.find_or_create_by(name: intrusion_set.name)
+      ActiveStix::Relationship.relate(intrusion_set, threat_actor, 'attributed-to')
+      campaign_reports = bundle.bundled_objects.where(object_type: "ActiveStix::Report").select {|bo| bo.stix_object.labels.map(&:name).include?('campaign')}.map(&:stix_object)
+      campaign_reports.each do |report|
+        campaign = report.report_objects.find_by(object_type: 'ActiveStix::Campaign').stix_object
+        ActiveStix::Relationship.relate(campaign, intrusion_set, 'attributed-to')
+        ActiveStix::Relationship.relate(campaign, threat_actor, 'attributed-to')
+      end
+      playbook = Playbook.create
+      playbook.threat_actor = threat_actor
+      playbook.bundle = bundle
+      playbook.save
+    end
+    def report(threat_actor)
+      bundle = ActiveStix::Bundle.create
+      if threat_actor.intrusion_sets.empty?
+        intrusion_set = ActiveStix::IntrusionSet.find_or_create_by(name: threat_actor.name)
+        rel = ActiveStix::Relationship.relate(intrusion_set, threat_actor, "attributed-to")
+        bundle.add(rel)
+      else
+        intrusion_set = threat_actor.intrusion_sets.last
+        bundle.add(ActiveStix::Relationship.relate(intrusion_set, threat_actor, 'attributed-to'))
+      end
+      ActiveStix::Relationship.where(target: intrusion_set, source_type: "ActiveStix::Campaign", relationship_type: 'attributed-to').all.each do |rel|
+        bundle.add(rel.source)
+      end
+      campaign_reports = threat_actor.campaigns.collect do |campaign|
+        report = ActiveStix::Report.create
+        label = ActiveStix::OpenVocabulary.find_or_create_by(name: 'report-labels').labels.find_or_create_by(name: 'campaign')
+        report.labels << label
+        report.add_stix_object(campaign)
+        bundle.add(campaign)
+        campaign.attack_pattern_relationships.each do |attack_pattern_relationship|
+          report.add_stix_object(attack_pattern_relationship)
+          report.add_stix_object(attack_pattern_relationship.target)
+          bundle.add(attack_pattern_relationship)
+          bundle.add(attack_pattern_relationship.target)
+          attack_pattern_relationship.target.indicator_relationships.each do |indicator_relationship|
+            report.add_stix_object(indicator_relationship)
+            report.add_stix_object(indicator_relationship.source)
+            bundle.add(indicator_relationship)
+            bundle.add(indicator_relationship.source)
+          end
+        end
+        campaign.indicator_relationships.each do |indicator_relationship|
+          report.add_stix_object(indicator_relationship)
+          report.add_stix_object(indicator_relationship.source)
+          bundle.add(indicator_relationship)
+          bundle.add(indicator_relationship.source)
+        end
+        bundle.add(report)
+        report
+      end
+      intrusion_set_report = ActiveStix::Report.create
+      label = ActiveStix::OpenVocabulary.find_or_create_by(name: 'report-labels').labels.find_or_create_by(name: 'intrusion-set')
+      intrusion_set_report.labels << label
+      intrusion_set_report.add_stix_object(intrusion_set)
+      campaign_reports.each do |campaign_report|
+        intrusion_set_report.add_stix_object(campaign_report)
+      end
+      bundle.add(threat_actor)
+      bundle.add(intrusion_set)
+      bundle.add(intrusion_set_report)
+      self.bundle = bundle
+      save
+      bundle
+    end
+    def engagement_report(threat_actor)
+      bundle = report(threat_actor)
+      identity_relationships = threat_actor.source_relationships.where(target_type: "ActiveStix::Identity", relationship_type: "attributed-to")
+      identity_relationships.each do |relationship|
+        bundle.add(relationship)
+        bundle.add(relationship.target)
+        relationship.target.source_relationships.where(relationship_type: "employs").each do |employment_rel|
+          bundle.add(employment_rel)
+          bundle.add(employment_rel.target)
+        end
+      end
+      ActiveStix::Relationship.where(
+          source: threat_actor,
+          source_type: 'ActiveStix::ThreatActor',
+          target_type: 'ActiveStix::ObservedDatum',
+          relationship_type: 'related-to',
+          ).each do |observed_datum_rel|
+        bundle.add(observed_datum_rel)
+        bundle.add(observed_datum_rel.target)
+      end
+      bundle
+    end
+  end
+end

data/app/models/active_attack/tactic.rb ADDED

@@ -0,0 +1,61 @@
+module ActiveAttack
+  class Tactic < ApplicationRecord
+    has_many :reference_items, class_name: "ActiveStix::ReferenceItem", as: :referrer
+    has_many :external_references, class_name: "ActiveStix::ExternalReference", through: :reference_items
+    def self.ingest_json(obj)
+      xmt = find_or_create_by(stix_id: obj['id'], name: obj['name'])
+      if obj.has_key?('created_by_ref')
+        xmt.created_by_ref = obj['created_by_ref']
+      end
+      if obj.has_key?('description')
+        xmt.description = obj['description']
+      end
+      if obj.has_key?('external_references')
+        obj['external_references'].each do |er|
+          external_reference = ActiveStix::ExternalReference.ingest_json(er, obj['id'])
+          xmt.external_references << external_reference unless ActiveStix::ReferenceItem.find_by(external_reference_id: external_reference.id, referrer_id: xmt.id, referrer_type: "ActiveAttack::Tactic")
+        end
+      end
+      if obj.has_key?('object_marking_refs')
+        # todo
+      end
+      if obj.has_key?('x_mitre_shortname')
+        xmt.shortname = obj['x_mitre_shortname']
+      end
+      xmt.save
+      xmt
+    end
+    def convert_to_json
+      external_refs_arr = []
+      external_references.each do |x|
+        external_refs_arr << x.convert_to_json
+      end
+      marking_def_arr = []
+      marking_definitions.each do |x|
+        marking_def_arr << x.convert_to_json
+      end
+      {
+          :external_references => external_refs_arr,
+          :object_marking_refs => marking_def_arr,
+          :id => stix_id,
+          :name => name,
+          :created => created_at.to_s,
+          :modified => updated_at.to_s,
+          :type => "type",
+          :created_by_ref => created_by_ref,
+          :description => description,
+          :x_mitre_shortname => shortnames.first.convert_to_json
+      }
+    end
+  end
+end

data/app/models/active_attack/version.rb ADDED

@@ -0,0 +1,14 @@
+module ActiveAttack
+  class Version < ApplicationRecord
+    has_many :attack_patterns, :class_name => 'ActiveStix::AttackPattern', through: :version_attack_pattern
+    def self.create_version(ver)
+      vers = find_or_create_by(version:ver)
+      vers
+    end
+    def convert_to_json
+      version
+    end
+  end
+end

data/app/overrides/models/active_stix/active_stix_override.rb ADDED

@@ -0,0 +1,7 @@
+module ActiveStixOverride
+  def process_x_attrs?
+    true
+  end
+end
+ActiveStix.singleton_class.send :prepend, ActiveStixOverride

data/app/overrides/models/active_stix/attack_pattern_override.rb ADDED

@@ -0,0 +1,75 @@
+ActiveStix::AttackPattern.class_eval do
+  def expected_keys
+    [
+        'external_references',
+        'kill_chain_phases',
+        'object_marking_refs',
+        'x_mitre_detection',
+        'x_mitre_data_sources',
+        'x_mitre_platforms',
+        'x_mitre_permissions_required',
+        'x_mitre_detectable_by_common_defenses',
+        'x_mitre_difficulty_for_adversary_explanation',
+        'x_mitre_difficulty_for_adversary',
+        'x_mitre_detectable_by_common_defenses_explanation',
+        'x_mitre_version'
+    ]
+  end
+  def self.x_mitre_detection(attack_pattern, ob)
+    xmd = ActiveAttack::Detection.create_descr(obj['x_mitre_detection'])
+    #ensure no duplicate entries
+    attack_pattern.detections << xmd unless ActiveAttack::DetectionAttackPattern.find_by(x_mitre_detection_id: xmd.id, attack_pattern_id: attack_pattern.id)
+  end
+  def self.x_mitre_data_sources(attack_pattern, obj)
+    obj['x_mitre_data_sources'].each do |ds|
+      d_source = ActiveAttack::DataSource.create_source(ds)
+      attack_pattern.data_sources << d_source unless ActiveAttack::DataSourceAttackPattern.find_by(data_source_id: d_source.id, attack_pattern_id: attack_pattern.id)
+    end
+  end
+  def self.x_mitre_platforms(attack_pattern, obj)
+    obj['x_mitre_platforms'].each do |plat|
+      platform = ActiveAttack::Platform.create_platform(plat)
+      attack_pattern.platforms << platform unless ActiveAttack::PlatformAttackPattern.find_by(platform_id: platform.id, attack_pattern_id: attack_pattern.id)
+    end
+  end
+  def self.x_mitre_permissions_required(attack_pattern, obj)
+    obj['x_mitre_permissions_required'].each do |perm|
+      permission = ActiveAttack::PermissionsRequired.create_perm(perm)
+      attack_pattern.permissions_requireds << permission unless ActiveAttack::PermissionsRequiredAttackPattern.find_by(permissions_required_id: permission.id, attack_pattern_id: attack_pattern.id)
+    end
+  end
+  def self.x_mitre_detectable_by_common_defenses(attack_pattern, obj)
+    det = ActiveAttack::DetectableByCommonDefense.create_detectable(obj['x_mitre_detectable_by_common_defenses'])
+    attack_pattern.detectable_by_common_defenses << det unless ActiveAttack::DetectableByCommonDefenseAttackPattern.find_by(detectable_by_common_defense_id: det.id, attack_pattern_id: attack_pattern.id)
+  end
+  def self.x_mitre_difficulty_for_adversary_explanation(attack_pattern, obj)
+    diff_exp = ActiveAttack::DifficultyForAdversaryExplanation.create_explanation(obj['x_mitre_difficulty_for_adversary_explanation'])
+    attack_pattern.difficulty_for_adversary_explanations << diff_exp unless ActiveAttack::DifficultyForAdversaryExplanationAttackPattern.find_by(difficulty_for_adversary_id: diff_exp.id, attack_pattern_id: attack_pattern.id)
+  end
+  def self.x_mitre_difficulty_for_adversary(attack_pattern, obj)
+    diff = ActiveAttack::DifficultyForAdversary.create_difficulty(obj['x_mitre_difficulty_for_adversary'])
+    attack_pattern.difficulty_for_adversaries << diff unless ActiveAttack::DifficultyForAdversaryAttackPattern.find_by(difficulty_for_adversary_id: diff.id, attack_pattern_id: attack_pattern.id)
+  end
+  def self.x_mitre_detectable_by_common_defenses_explanation(attack_pattern, obj)
+    det_exp = ActiveAttack::DetectableByCommonDefensesExplanation.create_explanation(obj['x_mitre_detectable_by_common_defenses_explanation'])
+    attack_pattern.detectable_by_common_defenses_explanations << det_exp unless ActiveAttack::DetectableByCommonDefensesExplanationAttackPattern.find_by(detectable_by_common_defenses_explanation_id: det_exp.id, attack_pattern_id: attack_pattern.id)
+  end
+  def self.x_mitre_version(attack_pattern, obj)
+    version = ActiveAttack::Version.create_version(obj['x_mitre_version'])
+    attack_pattern.versions << version unless ActiveAttack::VersionAttackPattern.find_by(version_id: version.id, attack_pattern_id: attack_pattern.id)
+  end
+end

data/app/overrides/models/active_stix/bundle_override.rb ADDED

@@ -0,0 +1,18 @@
+ActiveStix::Bundle.class_eval do
+  @@stix_map = {
+      'bundle' => ActiveStix::Bundle,
+      'attack-pattern' => ActiveStix::AttackPattern,
+      'relationship' => ActiveStix::Relationship,
+      'course-of-action' => ActiveStix::CourseOfAction,
+      'identity' => ActiveStix::Identity,
+      'intrusion-set' => ActiveStix::IntrusionSet,
+      'malware' => ActiveStix::Malware,
+      'tool' => ActiveStix::Tool,
+      'x-mitre-tactic' => ActiveAttack::Tactic,
+      'x-mitre-matrix' => ActiveAttack::Matrix,
+      'marking-definition' => ActiveStix::MarkingDefinition,
+      'report' => ActiveStix::Report,
+      'campaign' => ActiveStix::Campaign,
+      'indicator' => ActiveStix::Indicator
+  }
+end

data/app/overrides/models/active_stix/malware_override.rb ADDED

@@ -0,0 +1,40 @@
+ActiveStix::Malware.class_eval do
+  has_many :builds, class_name: "ActiveAttack::Build", as: :buildable
+  has_many :platforms, through: :builds, class_name: "ActiveAttack::Platform"
+  def self.expected_keys
+    [
+        'description',
+        'external_references',
+        'object_marking_refs',
+        'x_mitre_aliases',
+        'x_mitre_platforms',
+        'labels',
+        'x_mitre_version'
+    ]
+  end
+  def self.x_mitre_aliases(malware, obj)
+      malware.aliases = obj['x_mitre_aliases']
+  end
+  def self.x_mitre_platforms(malware, obj)
+    obj['x_mitre_platforms'].each do |plat|
+      platform = ActiveAttack::Platform.create_platform(plat)
+      malware.platforms << platform unless ActiveAttack::Build.find_by(platform_id: platform.id, buildable_id: malware.id)
+    end
+  end
+  def self.labels(malware, obj)
+    obj['labels'].each do |lab|
+      label = ActiveStix::Label.ingest_label('malware', lab)
+      malware.labels << label unless ActiveStix::Markup.find_by(labelable: malware, label: label)
+    end
+  end
+  def self.x_mitre_version(malware, obj)
+    # todo
+    # version = ActiveAttack::Version.create_version(obj['x_mitre_version'])
+    # malware.versions << version unless ActiveAttack::MalwareVersion.find_by(version_id: version.id, malware_id: malware.id)
+  end
+end

data/app/overrides/models/active_stix/report_override.rb ADDED

@@ -0,0 +1,18 @@
+ActiveStix::Report.class_eval do
+  @@stix_map = {
+      'bundle' => ActiveStix::Bundle,
+      'attack-pattern' => ActiveStix::AttackPattern,
+      'relationship' => ActiveStix::Relationship,
+      'course-of-action' => ActiveStix::CourseOfAction,
+      'identity' => ActiveStix::Identity,
+      'intrusion-set' => ActiveStix::IntrusionSet,
+      'malware' => ActiveStix::Malware,
+      'tool' => ActiveStix::Tool,
+      'x-mitre-tactic' => ActiveAttack::Tactic,
+      'x-mitre-matrix' => ActiveAttack::Matrix,
+      'marking-definition' => ActiveStix::MarkingDefinition,
+      'report' => ActiveStix::Report,
+      'campaign' => ActiveStix::Campaign,
+      'indicator' => ActiveStix::Indicator
+  }
+end