Skip to main content

MITRE ATT&CK Integration

AegisShield provides direct integration with the MITRE ATT&CK framework, mapping identified threats to specific attack techniques using local STIX data and AI-powered technique selection.

Overview

The MITRE ATT&CK integration (mitre_attack.py) bridges threat models with real-world attack patterns documented in the MITRE ATT&CK framework.

3 Matrices

Enterprise, Mobile, and ICS/SCADA coverage

AI Selection

GPT-4o selects most relevant techniques

Technique Mapping

STIX IDs to ATT&CK Technique IDs

MITRE ATT&CK Matrices

AegisShield supports three MITRE ATT&CK matrices:
For traditional IT systems, cloud platforms, and web applications.File: MITRE_ATTACK_DATA/enterprise-attack.jsonApplication Types:
  • Desktop applications
  • Web applications
  • SaaS applications
  • Cloud applications
  • Network applications
  • AI/ML Systems
  • Blockchain systems
  • Messaging applications

Core Functions

fetch_mitre_attack_data()

Loads MITRE ATT&CK STIX data based on application type.
app_type
str
required
Application type determining which matrices to load
Returns: dict - STIX data with attack patterns, tactics, and techniques
mitre_attack.py:52-94
from mitre_attack import fetch_mitre_attack_data

# Automatically selects appropriate matrix
stix_data = fetch_mitre_attack_data("Web application")
# Returns enterprise-attack.json

stix_data = fetch_mitre_attack_data("Mobile application")
# Returns both mobile and enterprise data

stix_data = fetch_mitre_attack_data("ICS or SCADA System")
# Returns both ICS and enterprise data

process_mitre_attack_data()

Maps threats to relevant MITRE ATT&CK techniques using AI.
stix_data
dict
required
MITRE ATT&CK STIX data from fetch_mitre_attack_data()
threat_model
list
required
Array of threats from threat model
app_details
dict
required
Application context (type, industry, authentication, etc.)
openai_api_key
str
required
OpenAI API key for AI-powered technique selection
Returns: list - Array of threats with mapped MITRE techniques
Processing example
from mitre_attack import fetch_mitre_attack_data, process_mitre_attack_data

# Load STIX data
stix_data = fetch_mitre_attack_data(app_type)

# Map threats to techniques
app_details = {
    "app_type": "Web application",
    "industry_sector": "Finance",
    "authentication": "OAuth2",
    "internet_facing": "Yes",
    "sensitive_data": "PII",
    "app_input": "Banking platform..."
}

processed = process_mitre_attack_data(
    stix_data=stix_data,
    threat_model=threats,
    app_details=app_details,
    openai_api_key=api_key
)

# Each threat now has mitre_techniques array
for item in processed:
    threat = item["threat"]
    techniques = item["mitre_techniques"]
    print(f"{threat['Threat Type']}: {techniques[0]['technique_id']}")

map_attack_pattern_to_technique()

Converts STIX attack pattern IDs to ATT&CK Technique IDs (T####).
stix_data
dict
required
STIX data containing attack patterns
Returns: dict - Mapping of attack pattern IDs to technique IDs
Technique mapping
from mitre_attack import map_attack_pattern_to_technique

mapping = map_attack_pattern_to_technique(stix_data)

# Example mapping
# "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" -> "T1566"
# "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" -> "T1078"

technique_id = mapping["attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"]
print(technique_id)  # T1566 (Phishing)

Technique Selection Algorithm

AegisShield uses a two-phase approach:
1

Keyword Matching

Extract keywords from threat’s “MITRE ATT&CK Keywords” field and match against attack pattern names and descriptions.Maximum of 25 techniques per threat to keep processing manageable.
2

AI-Powered Selection

Send matched techniques to GPT-4o with application context to select the single most relevant technique.Includes exponential backoff (0-5 seconds) between API calls to avoid rate limiting.
Technique selection from mitre_attack.py:145-269
# Phase 1: Keyword matching
for obj in stix_data["objects"]:
    if obj["type"] == "attack-pattern":
        name = obj.get("name", "").lower()
        description = obj.get("description", "").lower()
        
        for keyword in threat["MITRE ATT&CK Keywords"]:
            if keyword.lower() in name or keyword.lower() in description:
                relevant_techniques.append(obj)
                break

relevant_techniques = relevant_techniques[:25]  # Limit to top 25

# Phase 2: AI selection
prompt = create_mitre_prompt(app_details, threat, relevant_techniques)
time.sleep(random.randint(0, 5))  # Rate limiting
top_technique_id = get_relevant_techniques(prompt, openai_api_key)
Rate limiting is critical. The code sleeps 0-5 seconds between API calls to respect OpenAI’s rate limits.

Output Structure

Each processed threat includes:
MITRE mapping structure
{
  "threat": {
    "Threat Type": "Spoofing",
    "Scenario": "Attacker could...",
    "MITRE ATT&CK Keywords": ["credential access", "token theft"]
  },
  "mitre_techniques": [
    {
      "name": "Steal Application Access Token",
      "description": "Adversaries may steal tokens to gain...",
      "id": "attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a",
      "technique_id": "T1528"
    }
  ]
}

Configuration

Key configuration constants from mitre_attack.py:
Configuration
MAX_TECHNIQUES = 25  # Maximum techniques per threat
RATE_LIMIT_SLEEP_MIN = 0  # Minimum sleep (seconds)
RATE_LIMIT_SLEEP_MAX = 5  # Maximum sleep (seconds)

# Application type categories
MOBILE_APP_TYPES = ["Mobile application", "5G/Wireless System"]
ENTERPRISE_APP_TYPES = ["Desktop application", "Web application", ...]
ICS_APP_TYPES = ["ICS or SCADA System", "Smart Grid Systems", ...]

Data Updates

MITRE ATT&CK data is loaded from local JSON files. Update these files quarterly to ensure coverage of new techniques.
1

Download Latest Data

Get updated STIX bundles from MITRE ATT&CK:
  • enterprise-attack.json
  • mobile-attack.json
  • ics-attack.json
2

Replace Files

Replace files in MITRE_ATTACK_DATA/ directory
3

Verify

Run a test threat model to ensure new data loads correctly

Example Integration

Complete workflow from threat to technique:
Complete workflow
from threat_model import get_threat_model, create_threat_model_prompt
from mitre_attack import fetch_mitre_attack_data, process_mitre_attack_data

# 1. Generate threats
threat_prompt = create_threat_model_prompt(...)
response = get_threat_model(api_key, "gpt-4o", threat_prompt)
threats = response["threat_model"]

# 2. Load MITRE data
stix_data = fetch_mitre_attack_data(app_type)

# 3. Map to techniques
app_details = {...}
mitre_mapped = process_mitre_attack_data(
    stix_data, threats, app_details, api_key
)

# 4. Use mapped techniques
for item in mitre_mapped:
    threat = item["threat"]
    techniques = item["mitre_techniques"]
    
    if techniques:
        tech = techniques[0]
        print(f"Threat: {threat['Scenario']}")
        print(f"Technique: {tech['technique_id']} - {tech['name']}")
        print(f"Learn more: https://attack.mitre.org/techniques/{tech['technique_id']}")

Visualization

MITRE techniques are displayed with:
  • Technique ID (e.g., T1566)
  • Technique name
  • Full description
  • Link to ATT&CK website
See Attack Trees for visual representation of attack paths using MITRE techniques.

Build docs developers (and LLMs) love

Get started for freeTalk to us