mitre/cti

Cyber Threat Intelligence Repository expressed in STIX 2.0

Quick Overview

MITRE/CTI is a repository containing Cyber Threat Intelligence (CTI) expressed in STIX 2.0 JSON. It includes the MITRE ATT&CK™ and CAPEC™ databases in STIX format, providing a standardized representation of tactics, techniques, and procedures used by cyber adversaries.

Pros

  • Provides a comprehensive, structured dataset of cyber threat intelligence
  • Uses the widely-adopted STIX 2.0 format for improved interoperability
  • Regularly updated to reflect the latest threat intelligence
  • Enables easier integration of threat data into security tools and processes

Cons

  • Large dataset size may be challenging for some users to process efficiently
  • Requires familiarity with STIX 2.0 format for effective use
  • May contain some inconsistencies or gaps in threat coverage
  • Updates may introduce changes that require adjustments in existing implementations

Code Examples

As this is not a code library but a data repository, there are no code examples to provide. However, users typically interact with this data using STIX 2.0 compatible tools or custom scripts to parse and analyze the JSON files.

Getting Started

While there's no code to run directly, you can get started with the MITRE/CTI repository by following these steps:

  1. Clone the repository:

    git clone https://github.com/mitre/cti.git
    
  2. Navigate to the desired dataset folder (e.g., enterprise-attack, mobile-attack, or capec).

  3. Use a JSON parser or STIX 2.0 compatible tool to read and analyze the data files.

  4. Keep the repository updated by regularly pulling the latest changes:

    git pull origin main
    
  5. Refer to the STIX 2.0 documentation to understand the structure and content of the data files.
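As an added example (not code from the MITRE/cti repository), this is step 3 done with the standard library alone: a constructed bundle in the enterprise-attack layout is parsed, revoked and deprecated objects are dropped, techniques are grouped by tactic from kill_chain_phases, and a group's "uses" relationships are resolved to technique IDs. The object UUIDs, the group "Example Group"/G0000 and the bundle contents are constructed placeholders.

```python
# Added example (not from MITRE/cti): read a MITRE/cti-style STIX 2.0 bundle with the standard
# library only. The constructed bundle mirrors enterprise-attack.json: ATT&CK IDs sit in
# external_references, tactics in kill_chain_phases, retired objects carry revoked/x_mitre_deprecated.
import json

SAMPLE_BUNDLE = json.dumps({"type": "bundle", "spec_version": "2.0",
    "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-0000000000a1",
     "name": "Command and Scripting Interpreter",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
    {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-0000000000a2",
     "name": "Scripting", "revoked": True,  # superseded technique: must be ignored
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1064"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
    {"type": "intrusion-set", "id": "intrusion-set--00000000-0000-4000-8000-0000000000b1",
     "name": "Example Group",  # constructed placeholder group
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0000"}]},
    {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-0000000000c1",
     "relationship_type": "uses",
     "source_ref": "intrusion-set--00000000-0000-4000-8000-0000000000b1",
     "target_ref": "attack-pattern--00000000-0000-4000-8000-0000000000a1"}]})

def load_bundle(text):
    """Index a STIX 2.0 bundle by object id, dropping revoked and deprecated objects."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or bundle.get("spec_version") != "2.0":
        raise ValueError("expected a STIX 2.0 bundle")
    return {o["id"]: o for o in bundle["objects"]
            if not o.get("revoked") and not o.get("x_mitre_deprecated")}

def attack_id(obj):
    """ATT&CK ID (T1059, G0000, ...) taken from the object's mitre-attack external reference."""
    return next((r.get("external_id") for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), None)

def techniques_by_tactic(objects):
    """Map each ATT&CK tactic (kill-chain phase name) to the technique IDs placed in it."""
    out = {}
    for obj in (o for o in objects.values() if o["type"] == "attack-pattern"):
        for phase in obj.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == "mitre-attack":
                out.setdefault(phase["phase_name"], []).append(attack_id(obj))
    return out

def techniques_used_by(objects, group_id):
    """Follow 'uses' relationships from the group whose ATT&CK ID is group_id to technique IDs."""
    return sorted(attack_id(objects[r["target_ref"]]) for r in objects.values()
                  if r["type"] == "relationship" and r.get("relationship_type") == "uses"
                  and r["source_ref"] in objects and r["target_ref"] in objects
                  and attack_id(objects[r["source_ref"]]) == group_id)
```

Pointing load_bundle at the contents of enterprise-attack/enterprise-attack.json works the same way; relationships whose endpoints were filtered out are skipped rather than followed.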

Competitor Comparisons

Open Cyber Threat Intelligence Platform

Pros of opencti

  • Provides a comprehensive platform for threat intelligence management
  • Offers a user-friendly web interface for data visualization and analysis
  • Supports integration with various external tools and data sources

Cons of opencti

  • Requires more complex setup and infrastructure compared to cti
  • May have a steeper learning curve for new users
  • Potentially higher resource consumption due to its full-featured nature

Code comparison

cti (STIX format; note that this object carries spec_version 2.1 on the object itself, whereas the bundles shipped in MITRE/cti are STIX 2.0, where spec_version appears only on the bundle):

{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "created": "2022-04-06T20:03:00.000Z",
  "modified": "2022-04-06T20:03:00.000Z",
  "name": "Malicious IP",
  "pattern": "[ipv4-addr:value = '10.0.0.1']",
  "pattern_type": "stix",
  "valid_from": "2022-04-06T20:03:00Z"
}

opencti (GraphQL query):

query {
  stixCyberObservables(filters: [{ key: "entity_type", values: ["IPv4-Addr"] }]) {
    edges {
      node {
        id
        entity_type
        value
        created_at
        updated_at
      }
    }
  }
}

Both repositories focus on threat intelligence, but opencti provides a more comprehensive platform with advanced features, while cti offers a simpler, STIX-based approach to sharing threat data.

MISP (core software) - Open Source Threat Intelligence and Sharing Platform

Pros of MISP

  • More comprehensive threat intelligence platform with built-in sharing capabilities
  • Supports a wider range of data types and formats beyond just STIX
  • Active community with frequent updates and contributions

Cons of MISP

  • Steeper learning curve and more complex setup process
  • Requires more resources to run and maintain
  • May be overkill for organizations only interested in STIX/TAXII data

Code Comparison

MISP (PHP):

$misp = new MISP([
    'url' => 'https://misp.example.com',
    'key' => 'your_api_key'
]);
$event = $misp->newEvent();
$event->info = 'New threat intelligence';
$event->publish();

CTI (Python):

from stix2 import Indicator

indicator = Indicator(
    name="Malicious IP",
    pattern="[ipv4-addr:value = '10.0.0.1']",
    pattern_type="stix"
)

The MISP code snippet demonstrates creating and publishing an event, while the CTI example shows creating a STIX 2 indicator. MISP offers a more comprehensive API for managing threat intelligence, whereas CTI focuses on STIX object creation and manipulation.

TheHive: a Scalable, Open Source and Free Security Incident Response Platform

Pros of TheHive

  • Comprehensive incident response platform with case management features
  • Integrates with various security tools and threat intelligence feeds
  • Active community and regular updates

Cons of TheHive

  • Steeper learning curve for setup and configuration
  • Requires more resources to run and maintain
  • Limited focus on sharing standardized threat intelligence

Code Comparison

TheHive (Scala):

def create(caze: Case): Future[Case] = {
  val createdCase = caze.copy(
    createdAt = Some(new Date().getTime),
    status = CaseStatus.Open
  )
  caseRepository.create(createdCase)
}

MITRE CTI (JSON):

{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "created": "2022-04-06T20:03:00.000Z",
  "modified": "2022-04-06T20:03:00.000Z",
  "indicator_types": ["malicious-activity"],
  "pattern": "[file:hashes.'SHA-256' = 'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f']",
  "pattern_type": "stix",
  "valid_from": "2022-04-06T20:03:00Z"
}

TheHive focuses on incident response workflows, while MITRE CTI provides standardized threat intelligence in STIX format. TheHive offers more interactive features, but MITRE CTI excels in sharing structured threat data across organizations.

README

CTI

This repository contains the MITRE ATT&CK® and CAPEC™ datasets expressed in STIX 2.0. See USAGE or USAGE-CAPEC for information on using this content with python-stix2.

If you are looking for ATT&CK represented in STIX 2.1, please see the attack-stix-data GitHub repository. Both MITRE/CTI (this repository) and attack-stix-data will be maintained and updated with new ATT&CK releases for the foreseeable future, but the data model of attack-stix-data includes quality-of-life improvements not found on MITRE/CTI. Please see the attack-stix-data USAGE document for more information on the improved data model of that repository.

ATT&CK

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

https://attack.mitre.org

CAPEC

Understanding how the adversary operates is essential to effective cyber security. CAPEC™ helps by providing a comprehensive dictionary of known patterns of attacks employed by adversaries to exploit known weaknesses in cyber-enabled capabilities. It can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses.

  • Focuses on application security
  • Enumerates exploits against vulnerable systems
  • Includes social engineering / supply chain
  • Associated with Common Weakness Enumeration (CWE)

https://capec.mitre.org/

STIX

Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI).

STIX enables organizations to share CTI with one another in a consistent and machine readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively.

STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more.

https://oasis-open.github.io/cti-documentation/