RubyGems - active_attack - Versions diffs - 0.1.14 - Mend

active_attack 0.1.14

Files changed (93) hide show

data/app/models/active_attack/permissions_required.rb ADDED

@@ -0,0 +1,14 @@
+module ActiveAttack
+  class PermissionsRequired < ApplicationRecord
+    has_many :attack_patterns, :class_name => 'ActiveStix::AttackPattern', through: :permissions_required_attack_pattern
+    def self.create_perm(perm)
+      permission = find_or_create_by(permission:perm)
+      permission
+    end
+    def convert_to_json
+      permission
+    end
+  end
+end

data/app/models/active_attack/platform.rb ADDED

@@ -0,0 +1,16 @@
+module ActiveAttack
+  class Platform < ApplicationRecord
+    has_many :attack_patterns, :class_name => 'ActiveStix::AttackPattern', through: :platform_attack_pattern
+    has_many :malware_platform
+    has_many :malwares, :class_name => 'ActiveStix::Malware', through: :malware_platform
+    def self.create_platform(plat_name)
+      plat = find_or_create_by(name:plat_name)
+      plat
+    end
+    def convert_to_json
+      platform
+    end
+  end
+end

data/app/models/active_attack/playbook.rb ADDED

@@ -0,0 +1,177 @@
+module ActiveAttack
+  class Playbook < ApplicationRecord
+    belongs_to :bundle, :class_name => 'ActiveStix::Bundle', foreign_key: 'bundle_id', primary_key: 'stix_id', optional: true
+    belongs_to :threat_actor, :class_name => 'ActiveStix::ThreatActor', foreign_key: 'threat_actor_id', primary_key: 'stix_id', optional: true
+    def as_stix(classification = nil, chess = nil)
+    end
+    def campaigns
+      @campaigns ||= bundle.bundled_objects.select {|b| b.stix_object.type == "campaign"}.collect {|bo| bo.stix_object}
+    end
+    def campaign
+      @campaign ||= bundle.bundled_objects.find {|b| b.stix_object.type == "campaign"}.stix_object
+    end
+    def attack_patterns
+      @attack_patterns ||= campaign.attack_patterns
+    end
+    def kill_chain
+      return @kill_chain if @kill_chain
+      @kill_chain = attack_patterns.first.kill_chain_phases.first.phase.kill_chain
+    end
+    def number_of_rows
+      phased_attack_patterns.collect {|k, v| v.size}.max
+    end
+    def campaign_attack_patterns
+      return @campaign_attack_patterns if @campaign_attack_patterns
+      @campaign_attack_patterns = {}
+      campaigns.each do |campaign|
+        @campaign_attack_patterns[campaign] = campaign.attack_patterns
+      end
+      @campaign_attack_patterns
+    end
+    def attack_pattern_campaign_list(phase, row)
+      attack_pattern = attack_pattern_matrix(phase, row)
+      campaigns.select do |campaign|
+        campaign_attack_patterns[campaign].collect(&:name).include? attack_pattern
+      end.collect(&:stix_id).join(" ")
+    end
+    def phased_attack_patterns
+      return @phased_attack_patterns if @phased_attack_patterns
+      @phased_attack_patterns = {}
+      @kill_chain.phases.each do |phase|
+        @phased_attack_patterns[phase.name] = phase.attack_patterns
+      end
+      @phased_attack_patterns
+    end
+    def attack_pattern_matrix(phase, row)
+      phase = phased_attack_patterns[phase]
+      if row < phase.size
+        phase[row].name
+      else
+        nil
+      end
+    end
+    def self.ingest_json(bundle)
+      puts "ingesting"
+      bundle = ActiveStix::Bundle.ingest_json(bundle, nil)
+      intrusion_set_report = bundle.bundled_objects.where(object_type: "ActiveStix::Report").select {|bo| bo.stix_object.labels.map(&:name).include?('intrusion-set')}.first.stix_object
+      intrusion_set = intrusion_set_report.report_objects.find {|ro| ro.stix_object.type == 'intrusion-set'}.stix_object
+      threat_actor = ActiveStix::ThreatActor.find_or_create_by(name: intrusion_set.name)
+      ActiveStix::Relationship.relate(intrusion_set, threat_actor, 'attributed-to')
+      campaign_reports = bundle.bundled_objects.where(object_type: "ActiveStix::Report").select {|bo| bo.stix_object.labels.map(&:name).include?('campaign')}.map(&:stix_object)
+      campaign_reports.each do |report|
+        campaign = report.report_objects.find_by(object_type: 'ActiveStix::Campaign').stix_object
+        ActiveStix::Relationship.relate(campaign, intrusion_set, 'attributed-to')
+        ActiveStix::Relationship.relate(campaign, threat_actor, 'attributed-to')
+      end
+      playbook = Playbook.create
+      playbook.threat_actor = threat_actor
+      playbook.bundle = bundle
+      playbook.save
+    end
+    def report(threat_actor)
+      bundle = ActiveStix::Bundle.create
+      if threat_actor.intrusion_sets.empty?
+        intrusion_set = ActiveStix::IntrusionSet.find_or_create_by(name: threat_actor.name)
+        rel = ActiveStix::Relationship.relate(intrusion_set, threat_actor, "attributed-to")
+        bundle.add(rel)
+      else
+        intrusion_set = threat_actor.intrusion_sets.last
+        bundle.add(ActiveStix::Relationship.relate(intrusion_set, threat_actor, 'attributed-to'))
+      end
+      ActiveStix::Relationship.where(target: intrusion_set, source_type: "ActiveStix::Campaign", relationship_type: 'attributed-to').all.each do |rel|
+        bundle.add(rel.source)
+      end
+      campaign_reports = threat_actor.campaigns.collect do |campaign|
+        report = ActiveStix::Report.create
+        label = ActiveStix::OpenVocabulary.find_or_create_by(name: 'report-labels').labels.find_or_create_by(name: 'campaign')
+        report.labels << label
+        report.add_stix_object(campaign)
+        bundle.add(campaign)
+        campaign.attack_pattern_relationships.each do |attack_pattern_relationship|
+          report.add_stix_object(attack_pattern_relationship)
+          report.add_stix_object(attack_pattern_relationship.target)
+          bundle.add(attack_pattern_relationship)
+          bundle.add(attack_pattern_relationship.target)
+          attack_pattern_relationship.target.indicator_relationships.each do |indicator_relationship|
+            report.add_stix_object(indicator_relationship)
+            report.add_stix_object(indicator_relationship.source)
+            bundle.add(indicator_relationship)
+            bundle.add(indicator_relationship.source)
+          end
+        end
+        campaign.indicator_relationships.each do |indicator_relationship|
+          report.add_stix_object(indicator_relationship)
+          report.add_stix_object(indicator_relationship.source)
+          bundle.add(indicator_relationship)
+          bundle.add(indicator_relationship.source)
+        end
+        bundle.add(report)
+        report
+      end
+      intrusion_set_report = ActiveStix::Report.create
+      label = ActiveStix::OpenVocabulary.find_or_create_by(name: 'report-labels').labels.find_or_create_by(name: 'intrusion-set')
+      intrusion_set_report.labels << label
+      intrusion_set_report.add_stix_object(intrusion_set)
+      campaign_reports.each do |campaign_report|
+        intrusion_set_report.add_stix_object(campaign_report)
+      end
+      bundle.add(threat_actor)
+      bundle.add(intrusion_set)
+      bundle.add(intrusion_set_report)
+      self.bundle = bundle
+      save
+      bundle
+    end
+    def engagement_report(threat_actor)
+      bundle = report(threat_actor)
+      identity_relationships = threat_actor.source_relationships.where(target_type: "ActiveStix::Identity", relationship_type: "attributed-to")
+      identity_relationships.each do |relationship|
+        bundle.add(relationship)
+        bundle.add(relationship.target)
+        relationship.target.source_relationships.where(relationship_type: "employs").each do |employment_rel|
+          bundle.add(employment_rel)
+          bundle.add(employment_rel.target)
+        end
+      end
+      ActiveStix::Relationship.where(
+          source: threat_actor,
+          source_type: 'ActiveStix::ThreatActor',
+          target_type: 'ActiveStix::ObservedDatum',
+          relationship_type: 'related-to',
+          ).each do |observed_datum_rel|
+        bundle.add(observed_datum_rel)
+        bundle.add(observed_datum_rel.target)
+      end
+      bundle
+    end
+  end
+end

data/app/models/active_attack/tactic.rb ADDED

@@ -0,0 +1,61 @@
+module ActiveAttack
+  class Tactic < ApplicationRecord
+    has_many :reference_items, class_name: "ActiveStix::ReferenceItem", as: :referrer
+    has_many :external_references, class_name: "ActiveStix::ExternalReference", through: :reference_items
+    def self.ingest_json(obj)
+      xmt = find_or_create_by(stix_id: obj['id'], name: obj['name'])
+      if obj.has_key?('created_by_ref')
+        xmt.created_by_ref = obj['created_by_ref']
+      end
+      if obj.has_key?('description')
+        xmt.description = obj['description']
+      end
+      if obj.has_key?('external_references')
+        obj['external_references'].each do |er|
+          external_reference = ActiveStix::ExternalReference.ingest_json(er, obj['id'])
+          xmt.external_references << external_reference unless ActiveStix::ReferenceItem.find_by(external_reference_id: external_reference.id, referrer_id: xmt.id, referrer_type: "ActiveAttack::Tactic")
+        end
+      end
+      if obj.has_key?('object_marking_refs')
+        # todo
+      end
+      if obj.has_key?('x_mitre_shortname')
+        xmt.shortname = obj['x_mitre_shortname']
+      end
+      xmt.save
+      xmt
+    end
+    def convert_to_json
+      external_refs_arr = []
+      external_references.each do |x|
+        external_refs_arr << x.convert_to_json
+      end
+      marking_def_arr = []
+      marking_definitions.each do |x|
+        marking_def_arr << x.convert_to_json
+      end
+      {
+          :external_references => external_refs_arr,
+          :object_marking_refs => marking_def_arr,
+          :id => stix_id,
+          :name => name,
+          :created => created_at.to_s,
+          :modified => updated_at.to_s,
+          :type => "type",
+          :created_by_ref => created_by_ref,
+          :description => description,
+          :x_mitre_shortname => shortnames.first.convert_to_json
+      }
+    end
+  end
+end

data/app/models/active_attack/version.rb ADDED

@@ -0,0 +1,14 @@
+module ActiveAttack
+  class Version < ApplicationRecord
+    has_many :attack_patterns, :class_name => 'ActiveStix::AttackPattern', through: :version_attack_pattern
+    def self.create_version(ver)
+      vers = find_or_create_by(version:ver)
+      vers
+    end
+    def convert_to_json
+      version
+    end
+  end
+end

data/app/overrides/models/active_stix/active_stix_override.rb ADDED

@@ -0,0 +1,7 @@
+module ActiveStixOverride
+  def process_x_attrs?
+    true
+  end
+end
+ActiveStix.singleton_class.send :prepend, ActiveStixOverride

data/app/overrides/models/active_stix/attack_pattern_override.rb ADDED

@@ -0,0 +1,75 @@
+ActiveStix::AttackPattern.class_eval do
+  def expected_keys
+    [
+        'external_references',
+        'kill_chain_phases',
+        'object_marking_refs',
+        'x_mitre_detection',
+        'x_mitre_data_sources',
+        'x_mitre_platforms',
+        'x_mitre_permissions_required',
+        'x_mitre_detectable_by_common_defenses',
+        'x_mitre_difficulty_for_adversary_explanation',
+        'x_mitre_difficulty_for_adversary',
+        'x_mitre_detectable_by_common_defenses_explanation',
+        'x_mitre_version'
+    ]
+  end
+  def self.x_mitre_detection(attack_pattern, ob)
+    xmd = ActiveAttack::Detection.create_descr(obj['x_mitre_detection'])
+    #ensure no duplicate entries
+    attack_pattern.detections << xmd unless ActiveAttack::DetectionAttackPattern.find_by(x_mitre_detection_id: xmd.id, attack_pattern_id: attack_pattern.id)
+  end
+  def self.x_mitre_data_sources(attack_pattern, obj)
+    obj['x_mitre_data_sources'].each do |ds|
+      d_source = ActiveAttack::DataSource.create_source(ds)
+      attack_pattern.data_sources << d_source unless ActiveAttack::DataSourceAttackPattern.find_by(data_source_id: d_source.id, attack_pattern_id: attack_pattern.id)
+    end
+  end
+  def self.x_mitre_platforms(attack_pattern, obj)
+    obj['x_mitre_platforms'].each do |plat|
+      platform = ActiveAttack::Platform.create_platform(plat)
+      attack_pattern.platforms << platform unless ActiveAttack::PlatformAttackPattern.find_by(platform_id: platform.id, attack_pattern_id: attack_pattern.id)
+    end
+  end
+  def self.x_mitre_permissions_required(attack_pattern, obj)
+    obj['x_mitre_permissions_required'].each do |perm|
+      permission = ActiveAttack::PermissionsRequired.create_perm(perm)
+      attack_pattern.permissions_requireds << permission unless ActiveAttack::PermissionsRequiredAttackPattern.find_by(permissions_required_id: permission.id, attack_pattern_id: attack_pattern.id)
+    end
+  end
+  def self.x_mitre_detectable_by_common_defenses(attack_pattern, obj)
+    det = ActiveAttack::DetectableByCommonDefense.create_detectable(obj['x_mitre_detectable_by_common_defenses'])
+    attack_pattern.detectable_by_common_defenses << det unless ActiveAttack::DetectableByCommonDefenseAttackPattern.find_by(detectable_by_common_defense_id: det.id, attack_pattern_id: attack_pattern.id)
+  end
+  def self.x_mitre_difficulty_for_adversary_explanation(attack_pattern, obj)
+    diff_exp = ActiveAttack::DifficultyForAdversaryExplanation.create_explanation(obj['x_mitre_difficulty_for_adversary_explanation'])
+    attack_pattern.difficulty_for_adversary_explanations << diff_exp unless ActiveAttack::DifficultyForAdversaryExplanationAttackPattern.find_by(difficulty_for_adversary_id: diff_exp.id, attack_pattern_id: attack_pattern.id)
+  end
+  def self.x_mitre_difficulty_for_adversary(attack_pattern, obj)
+    diff = ActiveAttack::DifficultyForAdversary.create_difficulty(obj['x_mitre_difficulty_for_adversary'])
+    attack_pattern.difficulty_for_adversaries << diff unless ActiveAttack::DifficultyForAdversaryAttackPattern.find_by(difficulty_for_adversary_id: diff.id, attack_pattern_id: attack_pattern.id)
+  end
+  def self.x_mitre_detectable_by_common_defenses_explanation(attack_pattern, obj)
+    det_exp = ActiveAttack::DetectableByCommonDefensesExplanation.create_explanation(obj['x_mitre_detectable_by_common_defenses_explanation'])
+    attack_pattern.detectable_by_common_defenses_explanations << det_exp unless ActiveAttack::DetectableByCommonDefensesExplanationAttackPattern.find_by(detectable_by_common_defenses_explanation_id: det_exp.id, attack_pattern_id: attack_pattern.id)
+  end
+  def self.x_mitre_version(attack_pattern, obj)
+    version = ActiveAttack::Version.create_version(obj['x_mitre_version'])
+    attack_pattern.versions << version unless ActiveAttack::VersionAttackPattern.find_by(version_id: version.id, attack_pattern_id: attack_pattern.id)
+  end
+end

data/app/overrides/models/active_stix/bundle_override.rb ADDED

@@ -0,0 +1,18 @@
+ActiveStix::Bundle.class_eval do
+  @@stix_map = {
+      'bundle' => ActiveStix::Bundle,
+      'attack-pattern' => ActiveStix::AttackPattern,
+      'relationship' => ActiveStix::Relationship,
+      'course-of-action' => ActiveStix::CourseOfAction,
+      'identity' => ActiveStix::Identity,
+      'intrusion-set' => ActiveStix::IntrusionSet,
+      'malware' => ActiveStix::Malware,
+      'tool' => ActiveStix::Tool,
+      'x-mitre-tactic' => ActiveAttack::Tactic,
+      'x-mitre-matrix' => ActiveAttack::Matrix,
+      'marking-definition' => ActiveStix::MarkingDefinition,
+      'report' => ActiveStix::Report,
+      'campaign' => ActiveStix::Campaign,
+      'indicator' => ActiveStix::Indicator
+  }
+end

data/app/overrides/models/active_stix/malware_override.rb ADDED

@@ -0,0 +1,40 @@
+ActiveStix::Malware.class_eval do
+  has_many :builds, class_name: "ActiveAttack::Build", as: :buildable
+  has_many :platforms, through: :builds, class_name: "ActiveAttack::Platform"
+  def self.expected_keys
+    [
+        'description',
+        'external_references',
+        'object_marking_refs',
+        'x_mitre_aliases',
+        'x_mitre_platforms',
+        'labels',
+        'x_mitre_version'
+    ]
+  end
+  def self.x_mitre_aliases(malware, obj)
+      malware.aliases = obj['x_mitre_aliases']
+  end
+  def self.x_mitre_platforms(malware, obj)
+    obj['x_mitre_platforms'].each do |plat|
+      platform = ActiveAttack::Platform.create_platform(plat)
+      malware.platforms << platform unless ActiveAttack::Build.find_by(platform_id: platform.id, buildable_id: malware.id)
+    end
+  end
+  def self.labels(malware, obj)
+    obj['labels'].each do |lab|
+      label = ActiveStix::Label.ingest_label('malware', lab)
+      malware.labels << label unless ActiveStix::Markup.find_by(labelable: malware, label: label)
+    end
+  end
+  def self.x_mitre_version(malware, obj)
+    # todo
+    # version = ActiveAttack::Version.create_version(obj['x_mitre_version'])
+    # malware.versions << version unless ActiveAttack::MalwareVersion.find_by(version_id: version.id, malware_id: malware.id)
+  end
+end

data/app/overrides/models/active_stix/report_override.rb ADDED

@@ -0,0 +1,18 @@
+ActiveStix::Report.class_eval do
+  @@stix_map = {
+      'bundle' => ActiveStix::Bundle,
+      'attack-pattern' => ActiveStix::AttackPattern,
+      'relationship' => ActiveStix::Relationship,
+      'course-of-action' => ActiveStix::CourseOfAction,
+      'identity' => ActiveStix::Identity,
+      'intrusion-set' => ActiveStix::IntrusionSet,
+      'malware' => ActiveStix::Malware,
+      'tool' => ActiveStix::Tool,
+      'x-mitre-tactic' => ActiveAttack::Tactic,
+      'x-mitre-matrix' => ActiveAttack::Matrix,
+      'marking-definition' => ActiveStix::MarkingDefinition,
+      'report' => ActiveStix::Report,
+      'campaign' => ActiveStix::Campaign,
+      'indicator' => ActiveStix::Indicator
+  }
+end