Rc 0.3.6 (#963)

* Fix docker compose (#743)

* fixed docker-compose.yml, api explorer is being built locally
* updated compose
* checked in compiled UI files temporarily, serving them through nginx

* Fix docker compose (#744)

* deleted old uifiles
* updated uifiles

* Issue 755 (#756)

* Fix docker compose (#743)

* fixed docker-compose.yml, api explorer is being built locally
* updated compose
* checked in compiled UI files temporarily, serving them through nginx

* Fix docker compose (#744)

* deleted old uifiles
* updated uifiles

* fixes #755, updated sensors observable data, updated observable data in config

* fixes #762, mongo auth (#767)

* consistent newlines across dev platforms (#769)

* updated deploy

* changed mongo auth steps to use host enviromental variables

* changed mongo auth steps to use host enviromental variables

* removed mongo pw support

* Issue 738 (#774)

* made Dockerfile for gateway image
* added build docker hub script, removed ui files
* fixes #738, updated docker compose to match new docker ignore rules

* Issue 772 (#788)

* jwt timeout config

* updated jwtDurationSeconds

* Adds test data for campaign, observable data, threat actors and sightings (#799)

* updated readme

* added missing data for campaigns, threat actors, sightings and observable data

* Issue 812 (#821)

* added rollup ID to sample assessments, changed name
* updated created by ref for assessment samples

* more reports from cert (#818)

* more reports from cert

* updated docker compose files to process reports

* bump version 0.3.5 (#836)

* updated discover gateway

* updated public path for api explorer (#856)

* add ntctf (#860)

* use overriding docker containers to reduce replication (#863)

* converted to docker version 3.3

* initial checking

* The main docker compose and the development compose now works only if they are run as overriding

* updated the deploy docker

* dodcar sample capabilities (#879)

* dodcar sample capabilities

* case sensitive

* better names for nginx config files (#873)

* better dodcar test data

* added debugging port and extra volumes for socket server debugging (#882)

* Compose rework (#887)

* converted to docker version 3.3

* initial checking

* The main docker compose and the development compose now works only if they are run as overriding

* updated the deploy docker

* reorgnized the docker compose files and nginx config files.  Rather than different conf files for every deployment, the main conf.d/default.conf has includes to deployment specific conf files, and those are loaded by docker-compose based on the type of deployment

* Compose rework2 (#891)

* better naming?
* comments

* not ready for ansible

* Issue 889 (sample object assessments) (#897)

* Added 2 sample object assessments (includes all NT CTF techniques)

* Corrected object assessments

* Renamed for consistency

* Updated reference to Assessments 3.0 sample data file

* Renamed

* correct file

* updated config groups (#893)

* ntctf data for processor

* Added 10 sightings quickly.  Fixed #907 (#909)

* Added 10 sightings quickly.  Fixed #907

* moved the sightings to another file.

* remove extra attack patterns for now

* fix merge

* removed some redundant sample stix, added auto publish STIX to processor (#916)

* mongo logging flag (#917)

* spelling

* updated docker compose to use new processor args, added additional kill chains to config (#938)

* Added created_by_ref for object assessments (#939)

* updated build docker hub (#948)

* Framework switch (#950)

* framework switch
* fix attack pattern ids
* comment

* add modified date (#954)

* added initial-access to MITRE enterprise (#958)

* assessment categories w/ ntctf attackpatterns (#957)

* 0.3.6

Author: mushinlogit

build-docker-hub.sh

@@ -32,9 +32,9 @@ if [ -d '../unfetter-ui' ]; then
     # Run docker compose
     cd ../unfetter;
     if [[ "$(uname -s)" == "Darwin" ]]; then
-        docker-compose -f docker-compose.build-docker-hub.yml build;
+        docker-compose -f docker-compose.yml -f docker-compose.build-docker-hub.yml build;
     else
-        sudo docker-compose -f docker-compose.build-docker-hub.yml build;
+        sudo docker-compose -f docker-compose.yml -f docker-compose.build-docker-hub.yml build;
     fi
 else
     echo "This script requires the unfetter-ui to be present as a sibling directory to unfetter.";

config/examples/unfetter-db/config.json

@@ -1,7 +1,9 @@
-[{
+[
+    {
         "_id": "d9732cfc-166e-41a0-af79-d37e7abc69b2",
         "configKey": "killChains",
-        "configValue": [{
+        "configValue": [
+            {
                 "name": "mitre-attack",
                 "phase_names": [
                     "persistence",
@@ -13,44 +15,116 @@
                     "execution",
                     "collection",
                     "exflitration",
-                    "command-and-control"
+                    "command-and-control",
+                    "initial-access"
                 ],
                 "description": "Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a threat modeling methodology and suite of models for the various phases of an adversary's lifecycle and platforms that are known to be targeted by cyber threats. ATT&CK models are useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.",
                 "url": "https://attack.mitre.org/wiki/Main_Page"
             },
             {
-                "name": "ctf",
+                "name": "lockheed-martin",
                 "phase_names": [
-                    "planning",
-                    "research",
-                    "develop-resources",
-                    "acquire-knowledge",
-                    "complete-preparation",
-                    "deployment",
-                    "interaction",
-                    "exploitation",
+                    "reconnaissance",
+                    "weaponization",
                     "delivery",
-                    "control",
-                    "evasion",
-                    "expansion",
-                    "focus",
-                    "persistence",
-                    "enablement",
-                    "access-denial",
-                    "data-extraction",
-                    "data-alteration",
-                    "data-destruction"
+                    "exploitation",
+                    "installation",
+                    "command & control (c2)",
+                    "actions on objectives"
+                ],
+                "description": "Lockheed Martin Cyber Threat Framework",
+                "url": "https://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html"
+            },
+            {
+                "name": "ntctf",
+                "phase_names": [
+                    "administer - planning",
+                    "administer - research development",
+                    "administer - research",
+                    "preparation - reconnaissance",
+                    "preparation - staging",
+                    "engagement - delivery",
+                    "engagement - exploitation",
+                    "presence - installation & execution",
+                    "presence - internal reconnaissance",
+                    "presence - privilege escalation",
+                    "presence - credential access",
+                    "presence - lateral movement",
+                    "presence - persistence",
+                    "effect - monitor",
+                    "effect - exflitration",
+                    "effect - modify",
+                    "effect - deny",
+                    "effect - destroy",
+                    "ongoing processes - analysis, evaluation, and feedback",
+                    "ongoing processes - command & control (c2)",
+                    "ongoing processes - evasion"
                 ],
                 "stage_names": [
-                    "Preparation",
-                    "Engagement",
-                    "Presence",
-                    "Effect"
-                ]
+                    "administer",
+                    "preparation",
+                    "engagement",
+                    "presence",
+                    "effect",
+                    "ongoing processes"
+                ],
+                "description": "NSA/CSS Technical Cyber Threat Framework v1",
+                "url": "https://www.iad.gov/iad/library/reports/nsa-css-technical-cyber-threat-framework-v1.cfm"
+            },
+            {
+                "name": "mitre-pre-attack",
+                "phase_names": [
+                    "establish-&-maintain-infrastructure",
+                    "people-information-gathering",
+                    "technical-weakness-identification",
+                    "people-weakness-identification",
+                    "organizational-weakness-identification",
+                    "priority-definition-planning",
+                    "build-capabilities",
+                    "persona-development",
+                    "compromise",
+                    "organizational-information-gathering",
+                    "launch",
+                    "technical-information-gathering",
+                    "target-selection",
+                    "stage-capabilities",
+                    "adversary-opsec",
+                    "test-capabilities",
+                    "priority-definition-direction"
+                ],
+                "description": "Building on ATT&CK™ —Adversarial Tactics, Techniques, and Common Knowledge— a MITRE-developed model to quickly identify and categorize behavior post-network infiltration, PRE-ATT&CK provides the ability to prevent an attack before the adversary has a chance to get in. The seventeen tactic categories for PRE-ATT&CK were derived from the first four stages (recon, weaponize, deliver, and execute) of a seven-stage Cyber Attack Lifecycle2 (first articulated by Lockheed Martin as the Cyber Kill Chain®3). This cyber threat framework captures the tactics, techniques, and procedures adversaries use to select a target, obtain information, and launch a campaign. The framework lists the ways that adversaries perform each tactic and provides the ability to track and organize adversary statistics and patterns. Ultimately, this arms defenders with a broader understanding of adversary actions that they can use to determine technical or policy-based mitigations and evaluate the quality and utility of cyber threat intelligence data sources.",
+                "url": "https://attack.mitre.org/pre-attack/index.php/Main_Page"
+            },
+            {
+                "name": "mitre-mobile-attack",
+                "phase_names": [
+                    "collection",
+                    "command-and-control",
+                    "exfiltration",
+                    "defense-evasion",
+                    "discovery",
+                    "cellular-network-based",
+                    "general-network-based",
+                    "lateral-movement",
+                    "exploit-via-physical-access",
+                    "exploit-via-internet",
+                    "persistence",
+                    "credential-access",
+                    "app-delivery-via-authorized-app-store",
+                    "app-delivery-via-other-means",
+                    "effects",
+                    "supply-chain",
+                    "exploit-via-cellular-network",
+                    "cloud-based",
+                    "privilege-escalation"
+                ],
+                "description": "The ATT&CK Mobile Profile builds upon NIST's Mobile Threat Catalogue, providing a model of adversarial tactics and techniques used to gain access to mobile devices as well as tactics and techniques to then take advantage of that access in order to accomplish adversarial objectives. The ATT&CK Mobile Profile also depicts network-based effects, which are adversarial tactics and techniques that an adversary can employ without access to the mobile device itself. Each adversarial technique includes a technical description along with applicable mitigation/countermeasure approaches, applicable detection analytics, and examples of use.",
+                "url": "https://attack.mitre.org/mobile/index.php/Main_Page"
             }
         ],
         "configGroups": [
-            "stixConfig"
+            "stixConfig",
+            "public"
         ]
     },
     {
@@ -228,14 +302,15 @@
             }
         },
         "configGroups": [
-            "stixConfig"
+            "stixConfig",
+            "public"
         ]
-
     },
     {
         "_id": "98fba9e7-6ad8-4bac-a178-af9282f8b05c",
         "configKey": "observableDataTypes",
-        "configValue": [{
+        "configValue": [
+            {
                 "name": "driver",
                 "actions": [
                     "load",
@@ -405,7 +480,7 @@
                     "ppid",
                     "user"
                 ]
-            },                      
+            },
             {
                 "name": "thread",
                 "actions": [
@@ -457,13 +532,18 @@
                     "user"
                 ]
             }
+        ],
+        "configGroups": [
+            "stixConfig",
+            "public"
         ]
-
-
     },
     {
         "_id": "905f4e32-528c-479a-bb20-aa36bb54be9f",
         "configKey": "jwtDurationSeconds",
-        "configValue": 900
+        "configValue": 900,
+        "configGroups": [
+            "public"
+        ]
     }
 ]