Attack Flow

Release v2.0.0

Center for Threat-Informed Defense

Oct 27, 2022


CONTENTS

1 Overview
1.1 Introduction
1.2 Who is Attack Flow For?
1.3 Use Cases
1.4 Get Started
1.5 Deep Dive
1.6 Notice

2 Introduction
2.1 Action Objects
2.2 Condition Objects
2.3 Parallel Attack Paths
2.4 Operator Objects
2.5 Asset Objects
2.6 Success and Failure
2.7 Additional STIX Objects

3 Example Flows
3.1 List of Examples

4 Builder
4.1 Getting Started
4.2 Docker
4.3 Download
4.4 Developer

5 Language
5.1 Overview
5.2 STIX Datatypes
5.3 STIX Common Properties
5.4 Attack Flow SDOs
5.5 Effects
5.6 Confidence

6 Best Practices Guide
6.1 Project Name
6.2 Open-Source Report Selection
6.3 Mapping Reports to ATT&CK Techniques
6.4 Flow Structure
6.5 Flow Data
6.6 Quality Criteria for Public Corpus

7 Developers
7.1 Attack Flow Library
7.2 Attack Flow Builder
7.3 Releases

8 Translation to OWL/RDF
8.1 Overview
8.2 The Context
8.3 Objects
8.4 Converting to RDF
8.5 Full Code Listing

9 Changelog
9.1 Attack Flow 2
9.2 Attack Flow 1

Attack Flow, Release v2.0.0

Attack Flow is a language for describing how cyber adversaries combine and sequence various offensive techniques
to achieve their goals. The project helps defenders and leaders understand how adversaries operate and improve their
own defensive posture. This project is created and maintained by the MITRE Engenuity Center for Threat-Informed
Defense in furtherance of our mission to advance the state of the art and the state of the practice in threat-informed
defense globally. The project is funded by our research participants.

CHAPTER ONE

OVERVIEW

Defenders think in lists. Attackers think in graphs. As long as this is true, attackers will win.
—John Lambert, April 26, 2015

1.1 Introduction

The Attack Flow project helps defenders move from tracking individual adversary behaviors to tracking the sequences
of behaviors that adversaries employ to move towards their goals. By looking at combinations of behaviors, defenders
learn the relationships between them: how some techniques set up other techniques, or how adversaries handle
uncertainty and recover from failure. The project supports a wide variety of use cases: from blue team to red team, from
manual analysis to autonomous response, and from front-line worker to the C-suite. Attack Flow provides a common
language and toolset for describing complex, adversarial behavior.

1.2 Who is Attack Flow For?

This project is targeted at any cyber security professional seeking to understand how adversaries operate, the impact
on their organization, and how to most effectively improve their defensive posture to address those threats. Threat
intelligence analysts, security operations, incident response teams, red team members, and risk assessors are some of
the groups that can benefit from Attack Flow. This specification facilitates sharing of threat intelligence, communicating
about risks, modeling efficacy of security controls, and more. The project includes tools to visualize attacks for the
benefit of low-level analysis as well as communicating high-level principles to management.

1.3 Use Cases

Attack Flow is designed to support many different use cases.


Threat Intelligence
CTI analysts can use Attack Flow to create highly detailed, behavior-based threat intelligence products. The language is
machine-readable to provide for interoperability across organizations and commercial tools. Users can track adversary
behavior at the incident level, campaign level, or threat actor level. Instead of focusing on indicators of compromise
(IOCs), which are notoriously inexpensive for the adversary to change, Attack Flow is centered on adversary behavior,
which is much more costly to change.
Defensive Posture
The blue team can use Attack Flow to assess and improve their defensive posture, as well as provide leadership with a
data-driven case for resource allocation. Attack Flow allows for a realistic risk assessment based on observed adversary
sequences of attack, allowing defenders to play out hypothetical scenarios (e.g. table top exercises) with high fidelity.
Defenders can reason about security controls over chains of TTPs to determine gaps in coverage, as well as choke points
where defenses should be prioritized.
Executive Communications
Front-line cyber professionals can use Attack Flow to roll up highly complicated, technical details of an incident into
a visual depiction that aids communication with non-technical stakeholders, management, and executives. This format
allows defenders to present their analysis of an attack and their defensive posture strategically while de-emphasizing
raw data, technical jargon, and other information that executives do not need to make a business decision.
Defenders can use flows to communicate the impact of an attack in business terms (i.e. money) and make a convincing
case for new tools, personnel, or security controls to prioritize.
Lessons Learned
Incident responders can use Attack Flow to improve their incident response (IR) planning and after-action review.
After a security incident has occurred, responders can create flows to understand how their defenses failed and where
they can apply controls to reduce future risk and enhance threat containment. Mapping a flow will also allow defenders
to see where their defenses succeeded and what they should continue to do going forward. Creating attack flows is an
easy way to ensure the incident is documented and organizational knowledge is retained for future use. Over time, this
will improve defenders’ ability to mitigate and recover from incidents more efficiently.
Adversary Emulation
The red team can use Attack Flow to create adversary emulation plans that focus their security testing on realistic
sequences of TTPs informed by public as well as proprietary intelligence. The red team can leverage a corpus of attack
flows to identify common attack paths and TTP sequences. In purple team scenarios, a flow is a very precise way to
communicate between attackers and defenders.
Threat Hunting
Threat hunters can use Attack Flow to identify common sequences of TTPs observed in the wild, then hunt for those
same TTP chains in their own environment. These flows can guide investigative searches, piecing together techniques
and timestamps to construct detailed timelines. Attack Flow can showcase the adversary tools and TTPs that are
being used, which can help aid in writing detections against common behaviors and/or adversary toolsets, as well as
prioritizing those detections.

1.4 Get Started

Here are a few ways for you to learn more and get started with Attack Flow:
1. Look at the corpus of example flows. The corpus is a great place to start learning about Attack Flow.
If you’re new to the industry, it’s also a great way to familiarize yourself with some high-profile breaches!
2. Build your own flow. The Attack Flow Builder is a user-friendly tool that runs in your browser (no download
required!) and will let you start creating flows in just minutes.
3. Tell us what you think. Find us on LinkedIn or email us ctid@[Link] and let us know how
you’re using Attack Flow and what ideas you have to improve it.
4. Spread the word! Our goal is to get members of the community excited about Attack Flow and adopt it
in their own work. Attack Flow is open source and royalty-free, so go ahead and share it to your professional
network!

1.5 Deep Dive

If you decide you want to dive even deeper into Attack Flow, here are the key resources for building up a full under-
standing of the project:
• The language specification goes into very deep detail about the inner working of Attack Flow. This is intended
for developers who want to write code that works with Attack Flow, and not required reading for the general
audience.
• The developer guide explains how to set up a development environment if you want to start using the Attack
Flow python library or modify the Attack Flow Builder.
• The GitHub repository is ready for your contributions – issues and pull requests are welcome!

1.6 Notice

© 2022 MITRE Engenuity. Approved for public release. Document number CT0040.
Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with
the License. You may obtain a copy of the License at [Link]
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
“AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations under the License.
This project makes use of ATT&CK®: ATT&CK Terms of Use

CHAPTER TWO

INTRODUCTION

This chapter introduces the main concepts of Attack Flow with visual examples taken from the Attack Flow Builder.
The examples start with simple scenarios and work up to complex situations.

2.1 Action Objects

An action represents an adversary executing a specific technique. For example, T1566: Phishing is a common adver-
sarial technique that is captured in the ATT&CK knowledge base. If an adversary utilizes this behavior during a specific
breach, then that is an action.

Note: The examples here depict ATT&CK techniques, but Attack Flow does not require the use of ATT&CK. You
may use custom collections of techniques, e.g. created in Workbench, other knowledge bases such as VERIS, or even
create ad hoc actions to describe techniques that are not part of any pre-existing taxonomy.

Adversary behavior is the focal point of the Attack Flow project, and actions are the backbone of any flow. Sequences
of adversary behavior are represented by connecting actions together with an arrow.
When two actions are connected together, it represents a dependency between them: the second action cannot be
executed until the first action completes successfully. (The handling of failed actions is discussed later.) This is not
equivalent to saying that one action happened before another! This is a more powerful concept that models how an
adversary uses one behavior to create the preconditions they need to execute the next behavior.

2.2 Condition Objects

Sometimes the relationship between two actions is not immediately obvious to the reader, especially if the underlying
techniques are especially obscure or rare. A condition describes the state of the world after the preceding action
finishes. This can be used to clarify for the reader how two actions are related, i.e. what one action accomplishes that
enables the next action to run.
In the example above, the reader may not know enough about LSASS, password hashes, or password cracking to
understand how the first two actions lead to the third. The condition object fills this gap by succinctly describing the
outcome (or effect) of the first two actions that enables the third action.

Fig. 1: An action connected to another action represents a dependency between them.

Fig. 2: A condition clarifies how the outcome of an action sets up the execution of the next action.

2.3 Parallel Attack Paths

The adversary may have multiple available techniques to execute in a given scenario. In the next example, the attacker
has used two different persistence mechanisms. Although the attacker is not literally executing these techniques simul-
taneously, it helps to think of these as “parallel” attack paths because neither technique depends on successful execution
of the other.

Fig. 3: The attack branches out to show that the adversary has multiple persistence techniques.

Note: Flows can represent adversary behavior in different scopes, e.g. portraying a single specific incident versus
portraying an overall campaign. In a specific incident scope, parallel attack paths indicate the attacker executing dif-
ferent techniques. On the other hand, the campaign scope rolls up behavior across multiple incidents, so parallel paths
represent the different behaviors that have been observed across multiple incidents.

2.4 Operator Objects

After a flow splits into parallel attack paths, operators combine them back together. An OR operator means that only
one of the incoming attack paths needs to succeed in order to continue the flow, while an AND operator means that all of the
incoming attack paths must succeed in order to continue. The next example shows that the adversary has two different
techniques for pivoting into a different user account. If either technique succeeds, then the attack can continue forward.
When multiple attack paths are combined, the logic can be difficult for the reader to follow. This is a great place to use
conditions to clarify what the state of the world is at that point in the flow.

Fig. 4: An OR operator shows that the attacker has two different techniques for pivoting to a local user account.

Fig. 5: A condition object clarifies how the actions before the operator are related to the action after the operator.

Perhaps the reader does not understand the consequences of dumping LSASS memory or how it relates to the actions
that come afterward. The condition clarifies that the adversary is now able to pivot into a different user account.

Warning: It is possible to join paths together without using an operator by simply pointing two arrows at a
single action or condition. This approach is ambiguous because it’s not clear how the success or failure of those paths
affects the outcome of the flow, but ambiguity may be appropriate in some circumstances, e.g. if the underlying
CTI is itself ambiguous.

2.5 Asset Objects

Each action can potentially have some outcome or effect on the world. It is often informative to describe the effect in
terms of some object in the world that has been impacted. Actions can point to assets to indicate which objects are
impacted as well as which objects are used in subsequent techniques.

Fig. 6: An asset clarifies how actions modify the state of the world or depend on the state of the world.

In this example, the asset shows which particular password hash was disclosed by LSASS memory dumping. Later
in the flow, the adversary cracks that password hash. An asset can also point to another object to provide additional
structured data.

Attention: The user account object in this example is one of the many available STIX objects. This aspect of
Attack Flow is covered in depth later in this chapter.


2.6 Success and Failure

When modeling complex adversary behavior, conditions can also depict how the attacker handles branches that are
only feasible in specific circumstances.

Fig. 7: Conditions model when different branches of the attack can be taken.

In this example (an excerpt from the NotPetya flow), the malware has two different privilege escalation techniques.
Each technique depends on the host process having a specific Windows privilege. The conditions depict what state is
required for each path to continue executing. The attack can go down one path, both paths, or neither path depending
on the state of the host process.
Conditions can also model how the adversary handles failure. All the examples up to this point have used the true
branch of each condition to represent what happens when the underlying condition is true. But conditions also have a
false branch that is activated when the condition is not true.
In this example, the adversary attempts to steal a targeted user’s credentials via spearphishing. Since this technique
relies on evading email filtering and tricking users, it is inherently unreliable. The condition object after spearphishing
shows a decision point for the adversary: if they obtained a credential then they can move on to logging in with it. But
if the spearphishing fails, then the adversary falls back to a password spraying technique in another attempt to obtain a
valid credential.
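The objects introduced in sections 2.1 through 2.6 can be exercised in code. The following is an added example, not code from the Attack Flow project: it builds a small flow (spearphishing, with a fallback to password spraying, both joined by an OR operator before the login action) and walks it under different outcomes, applying the semantics described above: an action only executes after its predecessor succeeds, a condition selects its true or false branch, and an OR/AND operator joins parallel paths. The object types and property names (attack-flow, attack-action, attack-condition, attack-operator, start_refs, effect_refs, on_true_refs, on_false_refs, operator) are those of the Attack Flow 2.0 schema summarized in the Language chapter; the flow itself, the walk function and the scenario helper are constructed for this example.

```python
"""Added example (not Attack Flow project code): an in-memory model of the
objects introduced in this chapter and a walker that plays a flow out."""
import uuid


def make(obj_type, **props):
    """Build a minimal STIX-style object with a spec-shaped id (type--UUID)."""
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid4()}", **props}


def build_flow():
    """Constructed flow: spearphishing; if no credential results, fall back to
    password spraying; either path feeds an OR operator before the login."""
    login = make("attack-action", name="Valid Accounts", technique_id="T1078")
    join = make("attack-operator", operator="OR", effect_refs=[login["id"]])
    spray = make("attack-action", name="Password Spraying",
                 technique_id="T1110.003", effect_refs=[join["id"]])
    cond = make("attack-condition",
                description="Adversary holds a valid credential",
                on_true_refs=[join["id"]], on_false_refs=[spray["id"]])
    phish = make("attack-action", name="Spearphishing", technique_id="T1566",
                 effect_refs=[cond["id"]])
    flow = make("attack-flow", name="Credential access example",
                scope="incident", start_refs=[phish["id"]])
    objects = [flow, phish, cond, spray, join, login]
    ids = {"phish": phish["id"], "cond": cond["id"],
           "spray": spray["id"], "login": login["id"]}
    return objects, ids


def walk(objects, succeeded, condition_state):
    """Return the ids of the actions that get attempted when the flow is played.

    succeeded:       set of action ids whose technique completes successfully
    condition_state: dict of condition id -> bool (which branch to take)
    """
    by_id = {o["id"]: o for o in objects}
    # Count the arrows entering each object; an AND operator waits for all of them.
    incoming = {}
    for o in objects:
        for key in ("effect_refs", "on_true_refs", "on_false_refs"):
            for ref in o.get(key, []):
                incoming[ref] = incoming.get(ref, 0) + 1
    flow = next(o for o in objects if o["type"] == "attack-flow")
    attempted, arrived = set(), {}
    # Each frontier entry records whether the path leading to it succeeded.
    frontier = [(ref, True) for ref in flow["start_refs"]]
    while frontier:
        ref, path_ok = frontier.pop()
        obj = by_id[ref]
        if obj["type"] == "attack-action":
            # Dependency rule: the next action needs the previous one to succeed.
            if not path_ok or ref in attempted:
                continue
            attempted.add(ref)
            ok = ref in succeeded
            frontier.extend((e, ok) for e in obj.get("effect_refs", []))
        elif obj["type"] == "attack-condition":
            # A condition describes the state after the action, so it is always
            # evaluated; a failed action is expressed by taking the false branch.
            branch = "on_true_refs" if condition_state.get(ref, False) else "on_false_refs"
            frontier.extend((e, True) for e in obj.get(branch, []))
        elif obj["type"] == "attack-operator":
            if not path_ok:
                continue
            arrived[ref] = arrived.get(ref, 0) + 1
            needed = 1 if obj["operator"] == "OR" else incoming[ref]
            if arrived[ref] == needed:
                frontier.extend((e, True) for e in obj.get("effect_refs", []))
    return attempted


def scenario(phish_succeeds, spray_succeeds):
    """Play the constructed flow under one outcome; return attempted action names."""
    objects, ids = build_flow()
    succeeded = {ids["login"]}
    if phish_succeeds:
        succeeded.add(ids["phish"])
    if spray_succeeds:
        succeeded.add(ids["spray"])
    # The credential condition is true exactly when spearphishing worked.
    attempted = walk(objects, succeeded, {ids["cond"]: phish_succeeds})
    return sorted(o["name"] for o in objects if o["id"] in attempted)


if __name__ == "__main__":
    for outcome in [(True, True), (False, True), (False, False)]:
        print(outcome, scenario(*outcome))
```

Changing the operator to AND makes the walker wait for every incoming arrow; in this flow the condition's true branch and the spraying action are alternatives, so with AND the login is never reached, which is exactly the kind of modeling mistake a condition placed after the operator helps a reader spot.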

Fig. 8: The “false” branch portrays what happens when a technique fails.

2.7 Additional STIX Objects

This introduction focuses on the core Attack Flow objects, but Attack Flow is based on the STIX industry standard, so
you can also use any available STIX object in your flows! STIX contains a variety of useful objects to enrich your flow
with including IOCs and contextual details. This next example shows the standard STIX process object being used to
provide details about how the file discovery technique was executed.

Fig. 9: The process object provides technical details regarding how the action was executed.

Now that you are familiar with the central concepts, continue reading to review the corpus of example flows and how
to use the Attack Flow Builder to start creating your own flows.

CHAPTER THREE

EXAMPLE FLOWS

The Attack Flow project includes a corpus of example flows that may be useful for learning about Attack Flow, studying
high-profile breaches, or mining the data for statistical patterns. You can download the entire corpus from the Attack
Flow release page, or you can view individual flows on this page. Each Attack Flow is provided in multiple formats:
Builder (.afb) The format used for creating and editing in the Attack Flow Builder.
JSON (.json) The machine-readable format for exchanging flows.
Graphviz (.dot) An example of converting from Attack Flow to another graph format in order to take advantage of
other tool ecosystems. You must install Graphviz to use this format, or use our pre-rendered Graphviz .png files.
Mermaid (.mmd) Mermaid is another graph format that you can convert Attack Flow into. Notably, Mermaid graphs
can be embedded directly in GitHub Markdown files.
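As an added example, not the project's own converter, here is a small conversion from the JSON exchange format to Mermaid, the last format listed above. Property names follow the Attack Flow 2.0 schema; the bundle, its placeholder UUIDs, the node shapes chosen per object type and the handling of references that point outside the bundle are constructed for this example.

```python
"""Added example (not Attack Flow project code): render the flow objects in a
STIX bundle as a Mermaid 'graph TD' diagram."""
import json

# Constructed sample bundle with placeholder UUIDs (not a corpus flow).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "attack-flow", "spec_version": "2.1",
         "id": "attack-flow--11111111-1111-4111-8111-000000000000",
         "name": "Constructed sample",
         "start_refs": ["attack-action--11111111-1111-4111-8111-000000000001"]},
        {"type": "attack-action", "spec_version": "2.1",
         "id": "attack-action--11111111-1111-4111-8111-000000000001",
         "name": "Spearphishing", "technique_id": "T1566",
         "effect_refs": ["attack-condition--11111111-1111-4111-8111-000000000002"]},
        {"type": "attack-condition", "spec_version": "2.1",
         "id": "attack-condition--11111111-1111-4111-8111-000000000002",
         "description": "Credential obtained",
         "on_true_refs": ["attack-action--11111111-1111-4111-8111-000000000003"],
         "on_false_refs": ["attack-action--11111111-1111-4111-8111-000000000004"]},
        {"type": "attack-action", "spec_version": "2.1",
         "id": "attack-action--11111111-1111-4111-8111-000000000003",
         "name": "Valid Accounts", "technique_id": "T1078",
         # Reference to an object that is not in this bundle: the converter
         # must not emit a dangling edge for it.
         "effect_refs": ["attack-asset--11111111-1111-4111-8111-000000000099"]},
        {"type": "attack-action", "spec_version": "2.1",
         "id": "attack-action--11111111-1111-4111-8111-000000000004",
         "name": "Password Spraying", "technique_id": "T1110.003"},
    ],
})

NODE_TYPES = {"attack-action", "attack-condition", "attack-operator", "attack-asset"}
EDGE_ARROWS = {"effect_refs": "-->", "on_true_refs": "-- true -->",
               "on_false_refs": "-- false -->"}


def label(obj):
    """Mermaid label text for one node; a raw quote would end the label early."""
    if obj["type"] == "attack-action":
        text = f'{obj.get("technique_id", "?")}: {obj["name"]}'
    elif obj["type"] == "attack-condition":
        text = obj["description"]
    elif obj["type"] == "attack-operator":
        text = obj["operator"]
    else:
        text = obj["name"]
    return text.replace('"', "#quot;")


def shape(obj):
    """Box for actions and assets, diamond for conditions, circle for operators."""
    text = f'"{label(obj)}"'
    if obj["type"] == "attack-condition":
        return "{" + text + "}"
    if obj["type"] == "attack-operator":
        return "((" + text + "))"
    return "[" + text + "]"


def to_mermaid(bundle_json):
    """Return Mermaid source for the Attack Flow objects found in a STIX bundle."""
    objects = [o for o in json.loads(bundle_json)["objects"]
               if o["type"] in NODE_TYPES]
    # Short aliases: STIX ids contain '--', which Mermaid would read as an arrow.
    alias = {o["id"]: f"n{i}" for i, o in enumerate(objects, 1)}
    lines = ["graph TD"]
    for o in objects:
        lines.append(f"    {alias[o['id']]}{shape(o)}")
    for o in objects:
        for key, arrow in EDGE_ARROWS.items():
            for ref in o.get(key, []):
                if ref in alias:  # skip references to objects outside the bundle
                    lines.append(f"    {alias[o['id']]} {arrow} {alias[ref]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_mermaid(SAMPLE_BUNDLE))
```

The output can be pasted into a GitHub Markdown file inside a ```mermaid fence. The skipped reference in the sample matters in practice: corpus flows routinely point at identity or threat-actor objects held in another bundle, and a dangling edge makes Mermaid reject the whole diagram.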


3.1 List of Examples

Report                    Authors            Description
Cobalt Kitty Campaign     Eric Kannampuzha   Cobalt Kitty campaign conducted by OceanLotus.
Conti CISA Alert          Dr. Desiree Beck   Conti ransomware flow based on CISA alert.
Conti PWC                 Dr. Desiree Beck   Conti ransomware flow based on PWC report.
Conti Ransomware          Alaa Nasser        Based on DFIR report.
Equifax Breach            Lauren Parker      Attack flow on the 2017 Equifax breach.
FIN13 Case 1              Mia Sanchez        Attack by FIN13 against a Latin American bank.
FIN13 Case 2              Mia Sanchez        Attack flow for the FIN13 campaign targeting a bank in Peru.
Gootloader                Mia Sanchez        Attack flow on the Gootloader payload distribution attack.
JP Morgan Breach          Lauren Parker      Attack flow on the 2014 JP Morgan breach.
Marriott Breach           Lauren Parker      A data breach at the Marriott hotel group in 2018.
SolarWinds                Lauren Parker      A well-known supply chain attack against an Austin, TX software company.
Tesla Kubernetes Breach   Mark Haase         A cryptomining attack discovered on a Tesla kubernetes (k8s) cluster.
WhisperGate               Mia Sanchez        A Russian state-sponsored malware campaign targeting Ukraine.

CHAPTER FOUR

BUILDER

Attack Flow Builder is a free and open source tool for creating, viewing, and editing Attack Flows.

Fig. 1: View and edit Attack Flows using an intuitive drag-and-drop interface.

This web-based tool provides a workspace where you can populate information about adversary actions and additional
context, then weave those items into a flow by drawing arrows to indicate the sequences of adversary techniques ob-
served during an incident or campaign.


4.1 Getting Started

The quickest and easiest way to get started is with our online option. Click the button below to open the builder in
a new tab, or select one of the Example Flows to view it in Attack Flow Builder.

Caution: The online Attack Flow Builder stores documents in memory and on disk on your local machine, so any
flows that you create or edit are completely private. However, the online version is accessed over the internet, and
so your connection may be visible to some third parties (e.g. GitHub, ISPs). For a completely private experience,
consider using the download or Docker approaches described below.

When you first open the Builder, if you did not select one of the example flows then you will initially see a blank
workspace. A menubar across the top contains a lot of options for working with the flow, similar to what you would
find in any flowchart software.
The right panel of the workspace contains properties for the currently selected object or, when no object is selected, the
properties for the flow itself. Begin by filling in a name and description for your flow. You can also fill in your
information in the author fields and cite any sources using the “external references” fields.

Fig. 2: An empty workspace with menubar and side panel highlighted.

Right click in the workspace to open up a menu, then go to Create → Attack Flow → Action to create a new action
object.

Fig. 3: Using context menus to add a new action to the flow.

Fig. 4: This action is empty because no properties have been filled in.

Click on the action to highlight it. The action’s properties are now displayed in the side panel. Fill in a name, technique
ID, and description, and notice how the action object displays the data you’ve entered.
Repeat the steps to create a second action with details filled in. Then drag a line from the anchor points (little X marks)
on one action to the other action to create an arrow. Notice that if you move either action, the arrow stays attached to it.
If you make any errors while building your flow, e.g. not filling in a required field, the validation pane calls your
attention to the changes you need to make. If you click one of the items, the builder will zoom to the corresponding
object, which makes it easy to locate the source of the problem.
Continue to build out your flow by adding objects, filling in the attributes, and drawing arrows between nodes. When
you are done, go to the File menu to save your flow.
Save Saves the flow in *.afb format, which can be opened for further editing in the future.
Save as Image Saves the flow in *.png format, which is great for visualizing, using in presentations, sharing with
others, etc.
Save Selection as Image When you have one or more objects selected, this menu item will save an excerpt of the
selected items in *.png format. (This is how many of the examples in this documentation were created!)
Publish Attack Flow Saves the flow in *.json format, which is the machine-readable format for exchanging and pro-
cessing Attack Flows.

Fig. 5: The action displays the properties that are filled in.

Fig. 6: Build flows by creating multiple objects and connecting them together.

Fig. 7: This flow is invalid because the first action does not have a name filled in, and names are required for all actions.

Fig. 8: There are a few different options for saving or exporting your flow.

Warning: The Attack Flow Builder does not automatically save your work. If you accidentally close the tab or
navigate forward or backward, you will lose any unsaved work. Remember to save your work frequently. (This
issue will be addressed in a future release.)

There are a ton of useful features in the builder! Way more than we can cover here. To fully master this tool, we
encourage you to experiment with all of the different options and commands and try building some sample flows.

4.2 Docker

If you do not want to use the Attack Flow Builder embedded in this site, you can run it locally using Docker as shown
below.

$ docker pull [Link]/center-for-threat-informed-defense/attack-flow:main

$ docker run --name AttackFlowBuilder -p 8080:80 \
    [Link]/center-for-threat-informed-defense/attack-flow:main

Once the container is running, you can open a browser tab to [Link] to view the Builder.
If you want to customize and build your own Docker images, edit the Dockerfile and then run this command to create
the Docker image:

$ make docker-build
docker build . -t attack-flow-builder:latest
[+] Building 2.9s (13/13) FINISHED
 => [internal] load build definition from Dockerfile                    0.0s
 => => transferring dockerfile: 269B                                    0.0s
 => [internal] load .dockerignore
...

If building the image completes successfully, then use this command to run the image:

$ make docker-run
docker run --rm -p 8080:80 attack-flow-builder:latest
/[Link]: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/[Link]: Looking for shell scripts in /docker-entrypoint.d/
/[Link]: Launching /docker-entrypoint.d/[Link]
...

4.3 Download

If you do not wish to use Docker, you can also download the Builder from the GitHub repository:
1. Go to the Attack Flow release page and download attack_flow_builder.zip.
2. Unzip it.
3. In the attack_flow_builder/ directory, double click on [Link] to open it in a web browser.


4.4 Developer

Finally, if you wish to help contribute code for Attack Flow Builder, you can set up the Builder in a development
environment.

CHAPTER FIVE

LANGUAGE

5.1 Overview

Attack Flow is a machine-readable language that is defined as an extension to the Structured Threat Information Ex-
pression (STIX) 2.1 Standard. STIX is a machine-readable standard for cyber threat intelligence that is expressed in
JSON for easy parsing and processing across a variety of programming languages and computer architectures. STIX
2.1 has a formal extension mechanism that allows STIX to be augmented with new features and capabilities.
As a result of extending STIX, the Attack Flow language is interoperable with a broad ecosystem of STIX content,
tools, and vendors. A flow can reference external STIX objects (e.g. an identity or a threat actor) and external STIX
objects can also refer back to an attack flow. Attack Flow extends STIX by defining several new STIX Domain Objects
(SDOs) that are described below.
The formal specification for the Attack Flow language is represented as a JSON schema, but this page summarizes the
extension objects and attributes that make up the language.

5.2 STIX Datatypes

STIX has built-in datatypes that are used in Attack Flow. The datatypes that are most relevant to Attack Flow are
summarized below.

Datatype Description
boolean A value of true or false.
enum A value from a STIX Enumeration.
external-reference A non-STIX identifier or reference to other related external content.
float An IEEE 754 [IEEE 754-2008] double-precision number.
identifier An identifier (ID) for a STIX Object, of the form type--uuid.
integer A whole number.
string A series of Unicode characters.
timestamp A time value (date and time).

For the full list of data types, see the STIX Standard Chapter 2.


5.3 STIX Common Properties

All STIX objects, including Attack Flow objects, share a set of common properties. The most important common
properties are described in the table below. (See the STIX specification for the complete list of common properties.)

Property (required/optional), Type
    Description

type (required), string
    Identifies the type of STIX object. It must be a valid object type as defined in the STIX 2.1 standard or in an extension (such as Attack Flow).

spec_version (required), string
    The version of the STIX specification used to represent this object. The value must be 2.1 for all Attack Flow objects.

id (required), identifier
    Uniquely identifies each object.

created_by_ref (optional), identifier
    Specifies the id property of the identity object that describes the entity that created this object.

created (required), timestamp
    Represents the time at which the object was originally created. The object creator can use the time it deems most appropriate as the time the object was created. The minimum precision MUST be milliseconds (three digits after the decimal place in seconds), but MAY be more precise.

modified (required), timestamp
    The modified property is only used by STIX Objects that support versioning and represents the time that this particular version of the object was last modified. The object creator can use the time it deems most appropriate as the time this version of the object was modified. The minimum precision MUST be milliseconds (three digits after the decimal place in seconds), but MAY be more precise.

confidence (optional), integer
    The confidence property identifies the confidence that the creator has in the correctness of their data. The confidence value MUST be a number in the range of 0-100. Attack Flow uses a confidence scale to convert from numerical confidence to human terms.

external_references (optional), list of external-reference
    Citing the intelligence sources consulted for creating an Attack Flow is an important part of producing informative and trustworthy flows. You can include this property on the attack-flow object to cite the sources used for creating the flow, or you can include references on attack-action objects for fine-grained sourcing. For the STIX standard, see STIX Chap. 2.5.


5.4 Attack Flow SDOs

This section describes the STIX Domain Objects (SDOs) defined in the Attack Flow extension. The complete extension,
schema, and example flow can be found on the Attack Flow GitHub.

5.4.1 Attack Flow

Every Attack Flow document MUST contain exactly one attack-flow object. It provides metadata for name and
description, starting points for the flow of actions, and can be referenced from other STIX objects.

Property (required/optional), Type
    Description

type (required), string
    The type MUST be attack-flow.

spec_version (required), string
    The version MUST be 2.1.

name (required), string
    The name of the Attack Flow.

description (optional), string
    A description of the overall Attack Flow.

scope (required), enum
    Indicates what type of behavior the Attack Flow describes: a specific incident, a campaign, etc. The value of this property MUST be one of: “incident”, “campaign”, “threat-actor”, “malware”, “other”.

start_refs (required), list of type identifier (of type attack-action or attack-condition)
    A list of objects that start the flow.

Example:

{
    "type": "attack-flow",
    "spec_version": "2.1",
    "id": "attack-flow--e9ec3a4b-f787-4e81-a3d9-4cfe017ebc2f",
    "created_by_ref": "identity--fe7860f3-e23f-4d3f-9248-91105467a77a",
    "created": "2022-08-02T[Link].143Z",
    "modified": "2022-08-02T[Link].143Z",
    "name": "Example Flow",
    "description": "This Attack Flow example demonstrates some of the key concepts of the Attack Flow specification.",
    "scope": "incident",
    "start_refs": [
        "attack-action--37345417-3ee0-4e11-b421-1d4be68e6f15",
        "attack-action--3ea0de71-67a6-426e-bb2f-86375c620478",
        "attack-action--4f541c4c-b7bb-4b14-befd-ca8e8fe12599"
    ],
    "external_references": [
        {
            "source_name": "APT X Campaign Report. Fictitious Corp. August 15 2022.",
            "description": "A threat intel report summarizing the public CTI associated with the APT X phishing campaign.",
            "url": "[Link]"
        },
        {
            "source_name": "APT X Threat Actor Report. Imaginary LLC. Jun 24 2022.",
            "description": "A threat intel report summarizing the public CTI associated with the APT X threat actor profile.",
            "url": "[Link]"
        }
    ],
    "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
            "extension_type": "new-sdo"
        }
    }
}

5.4.2 Attack Action

An attack-action object represents the execution of a particular technique, i.e. a discrete unit of adversary behavior.

Property (required/optional), Type
    Description

type (required), string
    The type MUST be attack-action.

spec_version (required), string
    The version MUST be 2.1.

name (required), string
    The name of the technique, or if a specific technique is not known, then the name of the tactic.

tactic_id (optional), string
    A tactic identifier or shortname that may reference an authoritative collection of tactics, e.g. ATT&CK.

tactic_ref (optional), identifier
    A reference to the tactic’s STIX representation. For ATT&CK, this should be an x-mitre-tactic object.

technique_id (optional), string
    A technique identifier or shortname that may reference an authoritative collection of techniques, e.g. ATT&CK.

technique_ref (optional), identifier (of type attack-pattern)
    A reference to the technique’s STIX representation.

description (optional), string
    A description of the adversary behavior, e.g. what they did, how they did it, and why. This field may contain prose as well as technical information, but consider using command_ref for providing technical details about technique execution.

execution_start (optional), timestamp
    Timestamp indicating when the execution of this action began.

execution_end (optional), timestamp
    Timestamp indicating when the execution of this action ended.

command_ref (optional), identifier (of type process)
    Describe tools or commands executed by the attacker by referring to a STIX Process object, which can represent commands, environment variables, process image, etc.

asset_refs (optional), list of type identifier (of type attack-asset)
    The assets involved in this action, i.e. where this action modifies or depends on the state of the asset.

effect_refs (optional), list of type identifier (of type attack-action or attack-operator or attack-condition)
    The potential effects that result from executing this action. (See: Effects.)

Example:


{
"type": "attack-action",
"spec_version": "2.1",
"id": "attack-action--37345417-3ee0-4e11-b421-1d4be68e6f15",
"created": "2022-08-02T[Link].143Z",
"modified": "2022-08-02T[Link].143Z",
"technique_id": "T1583.002",
"name": "Acquire Infrastructure: Domains",
"technique_ref": "attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3",
"description": "The attacker obtains a phishing domain similar to the target company.",
"effect_refs": [
"attack-condition--7e809f5b-319a-4b3f-82fe-e4dc09af5088"
],
"extensions": {
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
"extension_type": "new-sdo"
}
}
}

5.4.3 Attack Asset

An asset is any object that is the subject or target of an action. Assets can be technical assets (such as machines and
data) or non-technical assets such as people and physical systems. Actions typically either modify or depend upon the
state of an asset in some way.
Note that assets are not applicable in all contexts. For example, public threat reports may not include enough detail
to represent the assets in a flow, or the flow might represent aggregate behavior (at the campaign or actor level) for
which it does not make sense to specify an asset. Assets should be used to add context to a flow when the underlying
intelligence contains sufficient detail to do so.

Property (required/optional), Type
    Description

type (required), string
    The type MUST be attack-asset.

spec_version (required), string
    The version MUST be 2.1.

name (required), string
    A name for the asset.

description (optional), string
    A description of the asset.

object_ref (optional), identifier
    A reference to any STIX data object (i.e. SDO) or observable (i.e. SCO) that contains structured data about this asset.

Example:

{
    "type": "attack-asset",
    "spec_version": "2.1",
    "id": "attack-asset--f7edf4aa-29ec-47aa-b4f6-c42dfbe2ac20",
    "created": "2022-08-02T[Link].143Z",
    "modified": "2022-08-02T[Link].143Z",
    "name": "Employee WordPress Account",
    "description": "The employee's credentials for accessing the WordPress blog.",
    "object_ref": "user-account--ce035bd0-8e58-4d18-aefb-f1fbb031d782",
    "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
            "extension_type": "new-sdo"
        }
    }
}

5.4.4 Attack Condition

An attack-condition object represents some possible condition, outcome, or state that could occur. Conditions can
be used to split flows based on the success or failure of an action, or to provide further description of an action’s results.

Property (required/optional), Type
    Description

type (required), string
    The type MUST be attack-condition.

spec_version (required), string
    The version MUST be 2.1.

description (required), string
    The condition that is evaluated, usually based on the success or failure of the preceding action.

pattern (optional), string
    (This is an experimental feature.) The detection pattern for this condition may be expressed as a STIX Pattern or another appropriate language such as SNORT, YARA, etc.

pattern_type (optional), string
    (This is an experimental feature.) The pattern language used in this condition. The value for this property should come from the STIX pattern-type-ov open vocabulary.

pattern_version (optional), string
    (This is an experimental feature.) The version of the pattern language used for the data in the pattern property. For the STIX Pattern language, the default value is determined by the spec_version of the condition object.

on_true_refs (optional), list of type identifier (of type attack-action or attack-operator or attack-condition)
    When the condition is true, the flow continues to these objects.

on_false_refs (optional), list of type identifier (of type attack-action or attack-operator or attack-condition)
    When the condition is false, the flow continues to these objects. (If there are no objects, then the flow halts at this node.)

Example:

{
    "type": "attack-condition",
    "spec_version": "2.1",
    "id": "attack-condition--7e809f5b-319a-4b3f-82fe-e4dc09af5088",
    "created": "2022-08-02T[Link].143Z",
    "modified": "2022-08-02T[Link].143Z",
    "description": "Adversary possesses a phishing domain.",
    "on_true_refs": [
        "attack-operator--609d7adf-a3d2-44e8-82de-4b30e3fb97be"
    ],
    "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
            "extension_type": "new-sdo"
        }
    }
}

5.4.5 Attack Operator

An attack-operator object joins multiple attack paths together using boolean logic.

Property (required/optional), Type
    Description

type (required), string
    The type MUST be attack-operator.

spec_version (required), string
    The version MUST be 2.1.

operator (required), enum
    The logical operator to apply to the input effects. The value of this property MUST be one of: “AND”, “OR”.

effect_refs (optional), list of type identifier (of type attack-action or attack-operator or attack-condition)
    The effects, outcomes, or states that result when this operator evaluates to true. If the operator evaluates to false, then the flow halts. (See: Effects.)

Example:

{
"type": "attack-operator",
"spec_version": "2.1",
"id": "attack-operator--609d7adf-a3d2-44e8-82de-4b30e3fb97be",
"created": "2022-08-02T[Link].143Z",
"modified": "2022-08-02T[Link].143Z",
"operator": "AND",
"effect_refs": [
"attack-action--d68e5201-796c-469c-b012-290b7040db02"
],
"extensions": {
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
"extension_type": "new-sdo"
}
}
}
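The SDO definitions above translate into a small set of mechanical checks: common properties present, spec_version 2.1, ids of the form type--uuid, millisecond timestamps, confidence in 0-100, exactly one attack-flow per document, and every *_refs list pointing at an object of a permitted type. The following is an added example (not the project's own af validate command, which checks the JSON schema) that builds a constructed bundle with one node of each kind and runs those checks over it. The sdo(), build_example_bundle() and check_flow() names, the random UUIDs and the timestamps are all assumptions made for the example.

```python
"""Structural checks for an Attack Flow (STIX 2.1 extension) bundle.

Added example, not code from the Attack Flow project. It encodes the rules
stated in the Language chapter: required common properties, spec_version 2.1,
'type--uuid' identifiers, millisecond timestamp precision, confidence 0-100,
exactly one attack-flow object, and the allowed target types of each list-valued
*_refs property. The sample bundle is constructed for illustration; its UUIDs
are random and its timestamps are made up.
"""
import json
import re
import uuid

EXT_ID = "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4"
FLOW_NODE_TYPES = {"attack-action", "attack-operator", "attack-condition"}
ID_RE = re.compile(r"^([a-z][a-z0-9-]*[a-z0-9])--[0-9a-f-]{36}$")
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3,}Z$")
SCOPES = {"incident", "campaign", "threat-actor", "malware", "other"}

# Which object types each list-valued reference property may point at
# (single-valued refs such as technique_ref / command_ref are not covered here).
REF_RULES = {
    "attack-flow": {"start_refs": {"attack-action", "attack-condition"}},
    "attack-action": {"effect_refs": FLOW_NODE_TYPES, "asset_refs": {"attack-asset"}},
    "attack-condition": {"on_true_refs": FLOW_NODE_TYPES, "on_false_refs": FLOW_NODE_TYPES},
    "attack-operator": {"effect_refs": FLOW_NODE_TYPES},
}
REQUIRED = {
    "attack-flow": ["name", "scope", "start_refs"],
    "attack-action": ["name"],
    "attack-asset": ["name"],
    "attack-condition": ["description"],
    "attack-operator": ["operator"],
}


def check_flow(bundle):
    """Return a list of human-readable problems; an empty list means the bundle passed."""
    problems = []
    objects = bundle.get("objects", [])
    by_id = {o.get("id"): o for o in objects}
    flows = [o for o in objects if o.get("type") == "attack-flow"]
    if len(flows) != 1:
        problems.append(f"expected exactly one attack-flow object, found {len(flows)}")
    for obj in objects:
        otype = obj.get("type", "<missing>")
        oid = obj.get("id", "<missing id>")
        # Common properties carried by every STIX object.
        for prop in ("type", "spec_version", "id", "created", "modified"):
            if prop not in obj:
                problems.append(f"{oid}: missing required property {prop}")
        if obj.get("spec_version") != "2.1":
            problems.append(f"{oid}: spec_version must be 2.1")
        m = ID_RE.match(str(oid))
        if not m or m.group(1) != otype:
            problems.append(f"{oid}: id must be '<type>--<uuid>' and match type {otype}")
        for prop in ("created", "modified"):
            if prop in obj and not TS_RE.match(str(obj[prop])):
                problems.append(f"{oid}: {prop} needs millisecond precision")
        conf = obj.get("confidence")
        if conf is not None and not (isinstance(conf, int) and 0 <= conf <= 100):
            problems.append(f"{oid}: confidence must be an integer 0-100")
        if otype not in REQUIRED:
            continue  # plain STIX objects (identity, user-account, ...) get no further checks
        # Extension-specific rules.
        for prop in REQUIRED[otype]:
            if prop not in obj:
                problems.append(f"{oid}: missing required property {prop}")
        if obj.get("extensions", {}).get(EXT_ID, {}).get("extension_type") != "new-sdo":
            problems.append(f"{oid}: missing Attack Flow extension marker")
        if otype == "attack-flow" and obj.get("scope") not in SCOPES:
            problems.append(f"{oid}: scope must be one of {sorted(SCOPES)}")
        if otype == "attack-operator" and obj.get("operator") not in ("AND", "OR"):
            problems.append(f"{oid}: operator must be AND or OR")
        for prop, allowed in REF_RULES.get(otype, {}).items():
            for ref in obj.get(prop, []):
                target = by_id.get(ref)
                if target is None:
                    problems.append(f"{oid}: {prop} points at unknown object {ref}")
                elif target.get("type") not in allowed:
                    problems.append(f"{oid}: {prop} may not point at an object of type {target.get('type')}")
    return problems


def sdo(obj_type, **props):
    """Build one Attack Flow SDO with the common properties filled in (constructed values)."""
    obj = {
        "type": obj_type,
        "spec_version": "2.1",
        "id": f"{obj_type}--{uuid.uuid4()}",
        "created": "2022-08-02T18:13:52.143Z",
        "modified": "2022-08-02T18:13:52.143Z",
        "extensions": {EXT_ID: {"extension_type": "new-sdo"}},
    }
    obj.update(props)
    return obj


def build_example_bundle():
    """Constructed flow: action -> condition -> AND operator -> action."""
    login = sdo("attack-action", name="Valid Accounts", technique_id="T1078", confidence=70)
    op = sdo("attack-operator", operator="AND", effect_refs=[login["id"]])
    cond = sdo("attack-condition", description="Adversary possesses a phishing domain.",
               on_true_refs=[op["id"]])
    acquire = sdo("attack-action", name="Acquire Infrastructure: Domains",
                  technique_id="T1583.002", effect_refs=[cond["id"]])
    flow = sdo("attack-flow", name="Example Flow", scope="incident", start_refs=[acquire["id"]],
               external_references=[{"source_name": "constructed example report"}])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [flow, acquire, cond, op, login]}


if __name__ == "__main__":
    bundle = build_example_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", check_flow(bundle) or "none")
```

Running the script prints the constructed bundle and an empty problem list; pointing start_refs at the operator, or setting a confidence of 150, produces a finding for each. These checks complement rather than replace the JSON-schema validation performed by af validate.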


5.5 Effects

One of the key ideas behind Attack Flow is understanding how individual adversary techniques relate to each other.
The concept of effect is critical for understanding these relationships between techniques. An effect is the outcome,
result, or change in state that occurs when an adversary executes a technique. Examples of effects include:
1. The attacker modifies the state of an asset, e.g. opening a port on the firewall.
2. The attacker gains some knowledge, e.g. a password.
3. The attacker achieves code execution.
Actions can produce effects, and subsequent actions may depend on those effects:
1. The attacker wants to connect to an internal service, which requires opening a port on the firewall.
2. The attacker wants to log in remotely, which depends on knowing the password.
3. The attacker wants to run a C2 implant, which depends on having code execution.
While an action is being executed, its effect is in an indeterminate state, i.e. we cannot make any statement about the outcome or result. Once the action concludes, we can evaluate its effects: whether it succeeded or failed, etc. When one action is chained to another, the latter depends on the effects of the former, i.e. the second one can only execute when the first one completes successfully.
A condition splits a flow into multiple paths based on evaluating an effect, e.g. if the action is a privilege escalation exploit, then the condition can test whether the attacker has obtained elevated privileges (i.e. the exploit succeeded) or still has regular privileges (i.e. the exploit failed). A condition always selects exactly one path to follow, either the on_true_refs or the on_false_refs.
On the other hand, an operator joins multiple attack paths together by aggregating multiple effects. Conditions and
operators can be used to encode complex behavior into an attack flow that represents how attackers coordinate multiple
behaviors to achieve a desired outcome, as well as how they handle individual technique failure.
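The chaining rules in this section (a failed action delivers no effect, a condition follows exactly one branch, AND fires only once every input effect has arrived, OR fires on the first) determine which actions actually execute in a given scenario. The following added example, not part of the Attack Flow project, simulates a constructed flow under those rules so the difference between AND and OR, and the halting behaviour of a failed action, can be observed directly. The node ids are short labels rather than STIX identifiers, and walk_flow() and predecessors() are names chosen for this example.

```python
"""Simulate how effects propagate through an attack flow.

Added example, not part of the Attack Flow project. Rules applied:
  * an action's successors run only if the action succeeds;
  * a condition continues along on_true_refs or on_false_refs (an empty list halts);
  * an AND operator fires only when every predecessor has delivered its effect;
  * an OR operator fires as soon as any one predecessor has.
The flow below is constructed; ids are short labels, not STIX identifiers.
"""

SUCCESSOR_PROPS = ("effect_refs", "on_true_refs", "on_false_refs")


def predecessors(objects):
    """Map each node id to the set of node ids that list it as a successor."""
    preds = {oid: set() for oid in objects}
    for oid, obj in objects.items():
        for prop in SUCCESSOR_PROPS:
            for ref in obj.get(prop, []):
                preds.setdefault(ref, set()).add(oid)
    return preds


def walk_flow(objects, start_ids, failed_actions=(), outcomes=None):
    """Return the ids of the actions that execute, in visit order.

    failed_actions: ids of actions that fail; their successors never run.
    outcomes: {condition id: bool}; a condition not listed evaluates to true.
    """
    outcomes = outcomes or {}
    preds = predecessors(objects)
    delivered = set()   # nodes whose effect has been delivered to their successors
    executed = []
    seen = set()
    queue = list(start_ids)
    while queue:
        nid = queue.pop(0)
        if nid in seen:
            continue
        obj = objects[nid]
        kind = obj["type"]
        if kind == "attack-action":
            seen.add(nid)
            executed.append(nid)
            if nid in failed_actions:
                continue            # no effect materialises; this path halts here
            delivered.add(nid)
            queue.extend(obj.get("effect_refs", []))
        elif kind == "attack-condition":
            seen.add(nid)
            delivered.add(nid)
            branch = "on_true_refs" if outcomes.get(nid, True) else "on_false_refs"
            queue.extend(obj.get(branch, []))   # empty list: flow halts at this node
        elif kind == "attack-operator":
            ready = preds[nid] & delivered
            if obj["operator"] == "AND" and ready != preds[nid]:
                continue   # not yet; the next predecessor to deliver re-queues us
            if obj["operator"] == "OR" and not ready:
                continue
            seen.add(nid)
            delivered.add(nid)
            queue.extend(obj.get("effect_refs", []))
    return executed


# Constructed flow: two preparatory actions must both succeed (AND) before the
# phish goes out; a condition then branches on whether credentials were captured,
# and either branch can feed the C2 stage (OR).
EXAMPLE_FLOW = {
    "acquire-domain": {"type": "attack-action", "name": "Acquire Infrastructure: Domains",
                       "effect_refs": ["and-1"]},
    "stage-kit": {"type": "attack-action", "name": "Stage Capabilities", "effect_refs": ["and-1"]},
    "and-1": {"type": "attack-operator", "operator": "AND", "effect_refs": ["phish"]},
    "phish": {"type": "attack-action", "name": "Phishing", "effect_refs": ["creds?"]},
    "creds?": {"type": "attack-condition", "description": "Victim submitted credentials",
               "on_true_refs": ["valid-accounts"], "on_false_refs": ["drive-by"]},
    "valid-accounts": {"type": "attack-action", "name": "Valid Accounts", "effect_refs": ["or-1"]},
    "drive-by": {"type": "attack-action", "name": "Drive-by Compromise", "effect_refs": ["or-1"]},
    "or-1": {"type": "attack-operator", "operator": "OR", "effect_refs": ["c2"]},
    "c2": {"type": "attack-action", "name": "Application Layer Protocol"},
}
START = ["acquire-domain", "stage-kit"]

if __name__ == "__main__":
    print("all succeed:      ", walk_flow(EXAMPLE_FLOW, START))
    print("stage-kit fails:  ", walk_flow(EXAMPLE_FLOW, START, failed_actions={"stage-kit"}))
    print("no creds captured:", walk_flow(EXAMPLE_FLOW, START, outcomes={"creds?": False}))
```

With every action succeeding the walk reaches c2 through valid-accounts; if stage-kit fails, the AND operator never fires and the flow stops after the two preparatory actions; with the condition false, the flow reaches c2 through drive-by because the OR operator needs only one delivered input. Had or-1 been an AND, the flow would always halt there, since a condition delivers exactly one of its two branches.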

5.6 Confidence

The confidence property is a STIX common property that establishes the confidence in the correctness of the data in a particular object, e.g. in a particular attack-action. In STIX, the value is defined as a number from 0 to 100 (inclusive), i.e. a percentage. It is often difficult or impossible to estimate confidence to that level of precision, because Attack Flow typically describes real-world behavior that may have been observed only a few times, which is not a large enough sample to compute precise statistics.
To make confidence easier to reason about, Attack Flow uses the following confidence scale to map confidence terms
to numbers, and vice-versa.


Table 1: Confidence Terms

Term, Confidence Value, Confidence Range
    Description

Speculation, 0, 0-0
    Information that is purely speculative or hypothetical, e.g. the author imagines a what-if scenario.

Very Doubtful, 10, 1-20
    Information that is very unlikely to be true. All of the available evidence is against it, or it may have bias in its reporting, e.g. an adversary providing attribution information.

Doubtful, 30, 21-40
    Information that is unlikely to be true. Most of the available evidence is against it.

Even Odds, 50, 41-60
    Information that is equally likely to be true as not true; a coin flip. The available evidence is equally weighted in support and against.

Probable, 70, 61-80
    Information that is likely to be true. Most of the available evidence supports it.

Very Probable, 90, 81-99
    Information that is very likely to be true. All of the available evidence supports it.

Certainty, 100, 100-100
    Information that is unquestionably true.

Example usage of the table:


• Convert “Very Probable” to a confidence number:
– Look up “Very Probable” in the table: it is in row 6.
– Read off the Confidence Value for row 6: it is 90.
• Convert 38 to a confidence term.
– Go down the Confidence Range column to find the range containing 38: it is in the 21-40 range, which
is row 3.
– Read off the term from row 3: “Doubtful”.

CHAPTER SIX

BEST PRACTICES GUIDE

This chapter addresses considerations for creating flows that are outside the scope of the technical specification. While
it is possible to create a valid flow without adhering to these rules, we recommend employing these best practices to
produce high-quality flows.

6.1 Project Name

The technical specification and the project as a whole are referred to as “Attack Flow” (with capital letters), while the
individual files created using the language are referred to as “attack flows” (lower case).

6.2 Open-Source Report Selection

If you choose to use an open-source report to create an attack flow, it is important to assess the strengths and weaknesses
of the report in order to establish a confidence level in its data and assessments. Factors affecting source quality include
the manner of data collection, the level of source access to the data, report completeness, and the age and currency of
the information. In addition to extracting the technical details, it is also beneficial to construct the victimology of the
attack from the reports, as its inclusion will allow any reader to quickly gauge the scope and applicability of the flow
to their own organization. It is important to use high-quality sources, because they will support the credibility of your
flow and provide an accurate portrayal of the threat, which may be used to inform decisions on defense and resource
prioritization.

Important: Key Takeaways for Selecting a Report


• Reports should be transparent about where the data originates and provide a technically competent overview of
an incident.
• Reports should originate from a vendor with a track record of accurate reporting and first-hand analysis of the
incident in question.
• Reports should provide the most current information on the malware or breach.
• Reports should make it easy to identify any information gaps. Use multiple sources to address gaps and corrob-
orate the data, if possible.
• Reports should distinguish between facts, assumptions, and analytical assessments.
• When available, use attribution and targeting information from reports to enrich your attack flows.

Conversely, sources that do not meet the above criteria should be avoided. Sources that do not have technical expertise
and the ability to analyze the malware or attack themselves (for example, news sites) are not considered optimal for
creating attack flows.


Characteristics of Reports to Avoid:


• Second-hand sources that simply regurgitate information about attacks instead of providing their own technical
analysis.
• Sources that do not provide the context in which the information was obtained.
• Reports focusing mainly on a security product rather than the attack.
• Sources that do not provide adequate technical information.

6.2.1 Examples of Reports to Avoid

Cloudflare: “What are Petya and NotPetya?” This article simply summarizes the attack and does not offer the tech-
nical detail needed to create a flow.
Vox: “U.S. hospitals have been hit by the global ransomware attack” This news article does not have the source
credibility and technical detail needed to create a flow.
Trellix: “Update on WhisperGate, Destructive Malware Targeting Ukraine - Threat Intelligence & Protections Update”
This article focuses on mitigation strategies and tools rather than the technical details of the attack. However, the
report bases its information on a technical report by Trellix, which would be a good source to create an attack
flow.

6.2.2 Examples of Reports to Use

Crowdstrike: “NotPetya Technical Analysis - A Triple Threat: File Encryption, MFT Encryption, Credential Theft”
Crowdstrike performs a first-hand analysis of the NotPetya malware and provides a sufficient level of technical
detail.
Cisco Talos: “Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation” Cisco performs a
first-hand analysis of the WhisperGate malware and provides sufficient technical detail. This report also provides
information on adversary intent, targeting, and attribution, and distinguishes between information and analytical
judgements.
The DFIR Report: “SEO Poisoning - A Gootloader Story” DFIR performs a first-hand analysis of this attack and
provides sufficient technical detail, including a detailed timeline of events.

Note: The three examples in this section have all been mapped into attack flows in Example Flows.

6.3 Mapping Reports to ATT&CK Techniques

6.3.1 General Advice

MITRE ATT&CK™ is a knowledge base of observed adversary tactics, techniques, and procedures extracted from public threat reporting. There are hundreds of techniques in the ATT&CK knowledge base, and it can be challenging to map CTI reports if you are not familiar with the overall structure of ATT&CK.

Attention: Attack Flow does not require the use of ATT&CK. You may use adversary techniques from other
knowledge bases or even proprietary techniques that are not part of any public reporting.


Consider the following steps when mapping reports to ATT&CK techniques:


• Familiarize yourself with the ATT&CK Enterprise Matrix.
• Take MITRE Engenuity’s MAD CTI Training for deeper training.
• Read CISA’s best practices for mapping to ATT&CK.
• Read through your selected report(s) and try to order the behaviors into chronological events, beginning with
Reconnaissance or Initial Access tactics and ending with the Impact of the attack.
• If the order of events is unclear in your report, you may need to compare several technical reports to determine
a timeline.
• Once you have your order of events, assign a technique to each event. You may need to conduct further research
on the behavior to determine the best-fitting technique.
• Use the Center for Threat-Informed Defense's ATT&CK Powered Suit browser extension to quickly research ATT&CK techniques, groups, and more.
• Set the confidence property in your actions to reflect any potential uncertainty in your sources.

6.3.2 Example Technique Mapping

This section works through an example of mapping a report to illustrate the process. The report used is from Cisco
Talos: “Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables”. The corresponding attack
flow can be found in Example Flows.
Initial Access
The adversary gains initial access to the system through the distribution of PDF files containing embedded links.

Execution
The malware requires user-interaction to execute.


Command and Control


The report describes two variants of the infection chain: the PDF downloads either malicious XLS files or a Windows executable from an attacker-hosted website. In an attack flow, such alternative paths would be joined using an OR (or, where both are required, an AND) operator. However, for the sake of this example, we will only map the first variation.

Infection Chain
The malicious XLS file variation executes via VBA macros and establishes persistence.


No ATT&CK technique corresponds to the canary token behavior, which may have served as a means of defense evasion or anti-analysis, so the action was simply named “Canary Token Execution.”

This variation of the malware concludes with the PowerShell downloader reaching out to a remote location for the final
payload, which Cisco was unable to obtain.


Impact
Because Cisco was unable to obtain the final payload, we cannot determine the objective of the attack. However, we
can assess possible impact based on information in the report on Muddy Water’s observed behavior in past campaigns.
We will reflect this uncertainty in our flow in the Action descriptions and confidence property and by using an OR
operator.


6.4 Flow Structure

The following best practices pertain to how the individual objects are arranged together to form an attack flow.
Begin a flow with either a Reconnaissance, Resource Development, or Initial Access Technique. If the Initial
Access vector is unknown, begin the flow with a condition stating that the Initial Access vector is unknown, along with
any other details on the compromised state of the system. If there are multiple possible Initial Access vectors, combine
them using an OR operator.
Use preconditions to enhance human understanding of the flow. If a set of actions are self-explanatory, omit the
precondition and connect the actions to each other directly. For example, the NotPetya encryption routine does not
require preconditions in between the actions.
End a flow with an Impact technique. If the Impact is unknown, end the flow with a condition stating that the impact is unknown, along with any other relevant details.

6.5 Flow Data

The description field for the flow is open-ended but should bring context and relevance to the flow. For example, include information on attribution, targeted company/industry/geography, specific technologies targeted, etc. This helps readers quickly gauge the relevance of the attack to their own assets. You may also want to include lessons learned, IOCs, or any other information that will inform threat prioritization and decision-making.
Action descriptions should provide sufficient detail and not simply repeat the technique name. For example, “Exploits remote services” is a poor description because it is a rephrasing of a technique name. A better description would be, “to move laterally, NotPetya tests for vulnerable SMBv1 condition (Eternal Blue/Eternal Romance exploit) and deploys an SMB backdoor.”
Refrain from attaching conditions directly to other conditions. Although the specification does not forbid this, it is
duplicative and wastes space. Consider combining the two conditions into one object with a description that describes
both aspects of the state.

6.6 Quality Criteria for Public Corpus

The project includes a number of Example Flows. We encourage you to submit flows you create for inclusion in this
public corpus. Additions to the public corpus should follow the best practices described above as well as meet the
following requirements:
1. The flow must be sufficiently complex for submission. The flow must have no fewer than 10 actions and must
make proper use of preconditions and operators.
2. The flow must contain at least one source in the metadata. Source must be credible and technically competent.
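The structure, data and corpus rules in sections 6.4 to 6.6 are editorial rather than schema rules, so af validate will not report them. The following added example, not the project's own code, lints a flow against them: start nodes must be Reconnaissance, Resource Development or Initial Access actions (or a condition), terminal nodes must be Impact actions (or a condition), conditions must not chain directly to conditions, action descriptions must add something beyond the technique name, and corpus submissions need at least ten actions and a cited source. The ATT&CK Enterprise tactic ids used (TA0043, TA0042, TA0001, TA0040) are real; the lint_flow() and node() names, the short ids and the sample flow are constructed for the example, and the sample is deliberately too short so that the corpus rule fires.

```python
"""Lint an attack flow against the Flow Structure, Flow Data and public-corpus rules.

Added example, not the Attack Flow project's af validate command (which checks
the JSON schema, not these editorial rules). Tactic ids are ATT&CK Enterprise
ids: TA0043 Reconnaissance, TA0042 Resource Development, TA0001 Initial Access,
TA0040 Impact. Node ids in the sample are short labels, not STIX identifiers.
"""

START_TACTICS = {"TA0043", "TA0042", "TA0001"}
END_TACTICS = {"TA0040"}
SUCCESSOR_PROPS = ("effect_refs", "on_true_refs", "on_false_refs")
MIN_ACTIONS = 10          # section 6.6: corpus submissions need at least ten actions


def successors(obj):
    """All node ids this object continues to, regardless of which ref property holds them."""
    refs = []
    for prop in SUCCESSOR_PROPS:
        refs.extend(obj.get(prop, []))
    return refs


def lint_flow(bundle):
    """Return a list of best-practice findings (empty when the flow follows the guide)."""
    findings = []
    objs = {o["id"]: o for o in bundle["objects"]}
    flow = next(o for o in objs.values() if o["type"] == "attack-flow")
    actions = [o for o in objs.values() if o["type"] == "attack-action"]

    # 6.4: begin with Reconnaissance / Resource Development / Initial Access, or a
    # condition describing an unknown initial access vector.
    for sid in flow["start_refs"]:
        s = objs[sid]
        if s["type"] == "attack-action" and s.get("tactic_id") not in START_TACTICS:
            findings.append(f"start node {s['name']!r} is not a Recon/Resource Dev/Initial Access technique")

    # 6.4: end with an Impact technique, or a condition describing the unknown impact.
    for o in objs.values():
        if o["type"] not in ("attack-action", "attack-condition", "attack-operator") or successors(o):
            continue
        if o["type"] == "attack-action" and o.get("tactic_id") not in END_TACTICS:
            findings.append(f"terminal action {o['name']!r} is not an Impact technique")
        if o["type"] == "attack-operator":
            findings.append(f"operator {o['id']} has no effects")

    # 6.5: a condition attached directly to another condition is duplicative.
    for o in objs.values():
        if o["type"] == "attack-condition":
            for ref in successors(o):
                if objs[ref]["type"] == "attack-condition":
                    findings.append(f"condition {o['id']} links directly to condition {ref}")

    # 6.5: descriptions should add detail, not restate the technique name.
    for a in actions:
        desc = a.get("description", "").strip()
        if not desc or desc.rstrip(".").lower() == a["name"].lower():
            findings.append(f"action {a['name']!r} needs a description beyond its technique name")

    # 6.6: corpus submissions need enough actions and at least one cited source.
    if len(actions) < MIN_ACTIONS:
        findings.append(f"only {len(actions)} actions; corpus submissions need at least {MIN_ACTIONS}")
    if not flow.get("external_references"):
        findings.append("attack-flow object cites no sources in external_references")
    return findings


def node(nid, otype, **props):
    """Minimal node for the constructed sample (common STIX properties omitted)."""
    return dict(id=nid, type=otype, **props)


# Constructed sample: structurally fine (Initial Access in, Impact out, no
# condition-to-condition link), but one description restates its technique name
# and the flow is far below the ten-action corpus threshold.
SAMPLE = {"type": "bundle", "objects": [
    node("flow", "attack-flow", name="Sample", scope="incident", start_refs=["a1"],
         external_references=[{"source_name": "constructed vendor report"}]),
    node("a1", "attack-action", name="Phishing", tactic_id="TA0001",
         description="Phishing.", effect_refs=["c1"]),
    node("c1", "attack-condition", description="User opened the attachment", on_true_refs=["a2"]),
    node("a2", "attack-action", name="Data Encrypted for Impact", tactic_id="TA0040",
         description="Ransomware encrypts file shares reachable from the foothold."),
]}

if __name__ == "__main__":
    for finding in lint_flow(SAMPLE):
        print("-", finding)
```

Run against a real flow, load the JSON bundle instead of SAMPLE; the only assumption the linter makes beyond the guide is that tactic_id carries the ATT&CK tactic id, which is optional in the specification, so flows that omit it will not trigger the start and end checks.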


Fig. 1: A condition object is not necessary between these actions because the relationship between them is obvious.

CHAPTER SEVEN

DEVELOPERS

If you would like to help create or maintain the code for Attack Flow, including the Attack Flow library (Python) and
the Attack Flow builder (ECMAScript/[Link]), this document explains how to set up an environment to work on this
code and the frequent tasks that you will need to perform.

7.1 Attack Flow Library

The Attack Flow Library is written in Python and contains tools for:
• Validating Attack Flow JSON files
• Generating schema documentation
• Visualizing Attack Flows using GraphViz, Mermaid, or ATT&CK matrix
• Running unit tests

7.1.1 Set up

The Attack Flow Library requires Python >=3.8. You will also need to install Python Poetry in order to handle depen-
dencies and setting up a virtualenv. Clone the repository as follows:

$ git clone git@[Link]:center-for-threat-informed-defense/[Link]


Cloning into 'attack-flow'...
remote: Enumerating objects: 11137, done.
remote: Counting objects: 100% (808/808), done.
remote: Compressing objects: 100% (411/411), done.
remote: Total 11137 (delta 389), reused 740 (delta 363), pack-reused 10329
Receiving objects: 100% (11137/11137), 15.68 MiB | 4.63 MiB/s, done.
Resolving deltas: 100% (2625/2625), done.

Once you have the repository cloned, go into that directory and install the Python dependencies. This step will also
create a virtualenv for the project so that the dependencies do not conflict with other Python packages you may have
installed.

$ cd attack-flow
$ poetry install
Creating virtualenv attack-flow-arUjfNL5-py3.9 in /Users/mhaase/Library/Caches/pypoetry/virtualenvs

Installing dependencies from lock file

Package operations: 72 installs, 0 updates, 0 removals

  • Installing six (1.16.0)
  • Installing certifi (2022.5.18.1)
  • Installing charset-normalizer (2.0.12)
  • Installing idna (3.3)
  • Installing markupsafe (2.1.1)
  • Installing pyparsing (3.0.9)
  ...

Installing the current project: attack-flow (2.0.0)

Finally, enter the virtualenv. You can check if the installation succeeded by running the af command.

$ poetry shell
py[attack-flow] $ af version
Attack Flow version 2.0.0

Warning: The rest of the Attack Flow Library documentation assumes that you are in a Poetry shell. Make sure
to run poetry shell in each terminal session.

7.1.2 Validate JSON files

Validate one or more Attack Flow JSON files:

$ af validate corpus/*.json
corpus/[Link]: OK
corpus/conti_2021.json: OK
corpus/dfir_report_zero_to_domain_admin.json: OK
corpus/mac_malware_steals_cryptocurrecy.json: OK
corpus/[Link]: OK
corpus/[Link]: OK

There is a Makefile target make validate that validates the corpus.

7.1.3 Visualize with GraphViz

In addition to the Attack Flow Builder, there are a few other options for visualizing Attack Flows. The first approach is
converting to GraphViz format:

$ af graphviz corpus/[Link] [Link]

The example command converts the Attack Flow [Link] into GraphViz format [Link]. If you have GraphViz
installed, you can use one of its layout tools to create an image:

$ dot -Tpng -O [Link]

This command will render [Link] as a PNG graphics file called [Link]. It will look something like this:


Fig. 1: The result of converting [Link] into [Link].


7.1.4 Visualize with Mermaid

Another approach for visualizing flows is to convert to Mermaid format. Mermaid is a newer format with fewer features
than GraphViz, but does have the benefit that it can be embedded directly into GitHub-Flavored Markdown.

$ af mermaid corpus/[Link] [Link]

You can copy/paste the resulting graph into a Markdown file, or if you have Mermaid installed locally, you can render
it as an image.

$ mmdc -i [Link] -o [Link]

This command will render [Link] as a PNG graphics file called [Link]. It will look something like this:

7.1.5 Visualize with ATT&CK Navigator

You can also visualize an Attack Flow as an overlay on top of an ATT&CK navigator layer. In order to do this, you
must open your layer in Navigator and export it to SVG:
• Open your layer in Navigator.
• Click the camera icon to open the SVG settings screen.
• Adjust the options as you like.
• Click the download icon to save as a .svg file.
Here is an example of an SVG file – this one has several columns cropped out.
With your SVG file prepared (let’s call it base_matrix.svg), you can now render any flow on top of it:

$ af matrix [Link] corpus/[Link] [Link]

This command reads in [Link], renders the corpus/[Link] Attack Flow on top of it, and writes the
resulting image to [Link].

Note: If your flow references subtechniques that are not displayed in the Navigator layer, then the script will automatically try to use the parent technique.

The output of the command will look something like this:

7.1.6 Generate schema documentation

The Attack Flow Library can convert the JSON schema file into human-readable documentation and insert it into
[Link].

$ af doc-schema schema/[Link] docs/[Link]

This is automatically done at build time when publishing documentation, but you may want to run this locally while
modifying the JSON schema.


Fig. 2: The result of converting [Link] into [Link].

Fig. 3: How to export SVG from ATT&CK Navigator.


7.1.7 Build documentation

The technical documentation (i.e. what you’re reading right now) is written in a language called reStructuredText (which
is similar to Markdown but with more features) and compiled using Sphinx to produce documentation in HTML or
PDF format. To build and view the documentation:

$ make docs-server
[sphinx-autobuild] > sphinx-build -b dirhtml -a /Volumes/Code/ctid/attack-flow/docs /Volumes/Code/ctid/attack-flow/docs/_build
Running Sphinx v4.5.0
loading pickled environment... done
building [mo]: all of 0 po files
building [html]: all source files
updating environment: 0 added, 0 changed, 0 removed
...
[I 220601 [Link] server:335] Serving on [Link]
[I 220601 [Link] handlers:62] Start watching changes
[I 220601 [Link] handlers:64] Start detecting changes

Once the server is running, you can open [Link] in your browser to view the documentation. When you
edit and save any .rst document, the docslive server will recompile it and refresh the browser so that you can see the
changes almost immediately. This makes for an efficient editing workflow.
The documentation can also be built into PDF, but it’s a slower and more complicated process. You will need to have
Docker installed and the first time you run this command it will need to download a Docker image for building Sphinx
PDFs.


Fig. 4: A Navigator layer with the Tesla flow rendered as an overlay.


$ make docs-pdf
...

The resulting PDF can be found in docs/_build/latex/[Link]. Alternatively, you can download PDFs
from the GitHub actions.

7.1.8 Run unit tests

Run the unit tests using Pytest:

$ poetry run pytest --cov=src/ --cov-report term-missing

There is a Makefile target make test that is a shortcut for the command above, as well as make test-ci which runs
the same tests but exports the code coverage data to an XML file.

7.2 Attack Flow Builder

The Attack Flow Builder is written in JavaScript. To set up a development environment, you first need to install [Link]
and npm. Then, perform the following setup steps:

$ cd src/attack_flow_builder
$ npm install
...

This will download all of the dependencies needed. You also need to initialize the ATT&CK search index (used for
autocompletion of ATT&CK objects):

$ npm run fetch-attack
Downloading ATT&CK STIX data...
* [Link] → data/[Link]... done
* [Link] → data/[Link]... done
* [Link] → data/[Link]... done
Finished successfully.

$ npm run build-index

Finally, to run the application:

$ npm run serve
DONE Compiled successfully in 3342ms [Link] PM

App running at:
- Local: [Link]
- Network: unavailable

Note that the development build is not optimized.
To create a production build, run npm run build.

Issues checking in progress...
No issues found.

If this starts up successfully, then you can access the application at [Link]. As you edit source code and
save, the server will automatically rebuild the application and you can refresh the browser to run it again.

7.3 Releases

The Attack Flow project uses a [Link] version scheme. All components of the project (the STIX
extension, Python library, Attack Flow Builder) use the same version number for simplicity. The project uses bumpver
to automate the updating of version number strings throughout the project. For example, to do a new major release:

$ bumpver update --major
INFO - fetching tags from remote (to turn off use: -n / --no-fetch)
INFO - Old Version: 1.0.0
INFO - New Version: 2.0.0
INFO - git commit --message 'Bump version 1.0.0 -> 2.0.0'
INFO - git tag --annotate 2.0.0 --message 2.0.0

Note that the flags --minor and --patch can be used as well.
Bumpver automatically updates the version number stored in various places throughout the project (e.g. pyproject.toml, src/attack_flow_builder/[Link], docs/[Link], etc.), commits those changes, and creates a new tag.
Review the contents of the commit. When you are satisfied:

$ git push --follow-tags

This command will push the new commit and tag to GitHub.

8 Translation to OWL/RDF

8.1 Overview

The Resource Description Framework (RDF) and the Web Ontology Language (OWL) are web standards designed to
ease data aggregation across sources and contexts. Attack Flow users may find it convenient to represent their flows in
RDF in order to use query tools such as SPARQL or graph databases such as Blazegraph.
The purpose of this document is to outline an approach for translating flows to RDF through the use of the JSON-LD
standard (JSON for Linking Data).

Note: The Attack Flow project does not provide an official translation of flows into RDF, nor does it suggest a particular
vocabulary. Such an “official” translation may become possible after the OASIS Threat Actor Context (TAC) Technical
Committee releases their ontology for representing STIX reports in RDF.

8.2 The Context

In JSON-LD, a top-level @context property provides document-wide definitions for mapping JSON structures into
RDF triples. Below we provide a sample context for the Tesla flow.

Listing 1: Sample context for converting the Tesla flow to JSON-LD.


{
"@context": {
"@base": "[Link]
"@vocab": "[Link]
"id": "@id",
"objects": "@graph",
"xsd": "[Link]
"stix": "[Link]
"kb": "[Link]
"af": "[Link]
"created": {
"@id": "stix:created",
"@type": "xsd:dateTime"
},
"modified": {
"@id": "stix:modified",
"@type": "xsd:dateTime"
},
"first_seen": {
"@id": "stix:first_seen",
"@type": "xsd:dateTime"
},
"last_seen": {
"@id": "stix:last_seen",
"@type": "xsd:dateTime"
},
"url": {
"@id": "stix:url",
"@type": "@id"
},
"start_refs": {
"@id": "af:start_ref",
"@type": "@id"
},
"effect_refs": {
"@id": "af:effect_ref",
"@type": "@id"
},
"technique_ref": {
"@id": "af:technique_ref",
"@type": "@id"
},
"source_ref": {
"@id": "af:source_ref",
"@type": "@id"
}
}
}

Some important notes on the above context:


• The @base URI and kb namespace should be set to something unique per document.
• The stix namespace should be checked against the most recent TAC ontology release, and each of the standard
STIX properties should be matched against a corresponding type in TAC.
• Because the Attack Flow project has not released its own ontology aligned against the TAC ontology, we recommend that the af namespace be set to a consistent URI within your organization.

8.3 Objects

Once the @context has been defined, a @type property must be added to all JSON objects in the document. Care
should be taken to map the objects to the appropriate type in the TAC ontology, as STIX JSON and TAC RDF types
have different names for the same objects.


Listing 2: Top-level properties from the Tesla flow converted to JSON-LD. The @context value should be filled in as above.

{
"@context": {},
"type": "bundle",
"@type": "stix:Report",
"id": "bundle--9cfa7cd7-9fb1-426b-ba9b-afb02fe88c99",
}

Listing 3: Sample object from the Tesla flow converted to JSON-LD.


{
"type": "attack-flow",
"@type": "af:attack-flow",
"spec_version": "2.1",
"id": "attack-flow--e9ec3a4b-f787-4e81-a3d9-4cfe017ebc2f",
"created_by_ref": "identity--61d33cc7-dc05-4657-8c58-157c456651c0",
"created": "2022-08-24T[Link].000Z",
"modified": "2022-08-24T[Link].000Z",
"name": "Tesla Kubernetes Breach",
"description": "A vulnerable Kubernetes console leads to cryptojacking and exposure of AWS storage credentials.",
"scope": "incident",
"start_refs": [
"attack-condition--0d8b4b52-5f61-42f1-8b4e-f09fca687233"
],
"external_references": [
{
"@type": "stix:reference",
"source_name": "The Cryptojacking Epidemic",
"description": "RedLock CSI Team. Feb 20 2018.",
"url": "[Link]
}
],
"extensions": {
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
"extension_type": "new-sdo"
}
}
}

8.4 Converting to RDF

There are many tools for converting JSON-LD into RDF. In the above examples, we have kept to the JSON-LD 1.0
specification for maximum compatibility. Below, we use RDF Toolkit to convert the flow into Turtle (an alternative
RDF syntax):

$ java -jar [Link] -sfmt json-ld -tfmt turtle -s [Link] -t [Link]


Listing 4: Snippet from the above conversion of a Flow object into Turtle syntax

kb:attack-flow--e9ec3a4b-f787-4e81-a3d9-4cfe017ebc2f
a af:attack-flow ;
stix:created "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:created_by_ref "identity--61d33cc7-dc05-4657-8c58-157c456651c0" ;
stix:description "A vulnerable Kubernetes console leads to cryptojacking and exposure of AWS storage credentials." ;
stix:extensions _:blank09 ;
stix:external_references _:blank02 ;
stix:modified "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:name "Tesla Kubernetes Breach" ;
stix:scope "incident" ;
stix:spec_version "2.1" ;
stix:type "attack-flow" ;
af:start_ref kb:attack-condition--0d8b4b52-5f61-42f1-8b4e-f09fca687233 ;
.

_:blank02
a stix:reference ;
stix:description "RedLock CSI Team. Feb 20 2018." ;
stix:source_name "The Cryptojacking Epidemic" ;
stix:url <[Link] ;

_:blank09
stix:extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4 _:blank23 ;
.

_:blank23
stix:extension_type "new-sdo" ;
.
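The two steps above (attach the @context, then set @type on every object) carried out in Python, as an added example that is not part of the Attack Flow library. It also lists the *_ref/*_refs properties the context leaves unmapped, which the Turtle in Listing 4 shows come through as string literals (stix:on_true_refs, stix:created_by_ref) rather than links (af:start_ref). The namespace URIs, the object ids in the sample bundle, and the limitation of the type map to the types shown in the listings are assumptions.

```python
"""Added example, not Attack Flow library code: tag a STIX bundle for JSON-LD.

Step 1 attaches the @context from Listing 1 (namespace URIs are placeholders),
step 2 sets @type on every object from a STIX-type -> RDF-type map. A final
check lists *_ref/*_refs keys the context does not declare as "@type": "@id";
those come out of conversion as string literals, not links (see Listing 4).
"""
import copy
import json

CONTEXT = {
    "@base": "http://example.org/flows/tesla/",   # placeholder, unique per document
    "@vocab": "http://example.org/stix/",         # placeholder
    "id": "@id",
    "objects": "@graph",
    "xsd": "http://www.w3.org/2001/XMLSchema#",
    "stix": "http://example.org/stix/",           # placeholder; align with TAC
    "kb": "http://example.org/flows/tesla/",      # placeholder, unique per document
    "af": "http://example.org/attack-flow/",      # placeholder, org-wide URI
    "created": {"@id": "stix:created", "@type": "xsd:dateTime"},
    "modified": {"@id": "stix:modified", "@type": "xsd:dateTime"},
    "first_seen": {"@id": "stix:first_seen", "@type": "xsd:dateTime"},
    "last_seen": {"@id": "stix:last_seen", "@type": "xsd:dateTime"},
    "url": {"@id": "stix:url", "@type": "@id"},
    "start_refs": {"@id": "af:start_ref", "@type": "@id"},
    "effect_refs": {"@id": "af:effect_ref", "@type": "@id"},
    "technique_ref": {"@id": "af:technique_ref", "@type": "@id"},
    "source_ref": {"@id": "af:source_ref", "@type": "@id"},
}

# STIX JSON "type" -> RDF @type, as used in Listings 2, 3 and 5. TAC names
# differ from STIX names for some objects (e.g. bundle -> stix:Report).
TYPE_MAP = {
    "bundle": "stix:Report",
    "extension-definition": "stix:ExtensionDefinition",
    "identity": "stix:identity",
    "attack-flow": "af:attack-flow",
    "attack-action": "af:attack-action",
    "attack-condition": "af:attack-condition",
    "attack-operator": "af:attack-operator",
    "infrastructure": "af:infrastructure",
    "relationship": "af:relationship",
}
REFERENCE_TYPE = "stix:reference"  # @type for external_references entries


def tag_object(obj):
    """Return a copy of a STIX object with @type added (step 2 of the text)."""
    stix_type = obj.get("type")
    if stix_type not in TYPE_MAP:
        raise ValueError(f"no RDF type mapped for STIX type {stix_type!r}")
    tagged = {"type": stix_type, "@type": TYPE_MAP[stix_type]}
    tagged.update({k: v for k, v in obj.items() if k != "type"})
    if "external_references" in tagged:  # nested reference objects need @type too
        tagged["external_references"] = [
            {"@type": REFERENCE_TYPE, **ref} for ref in tagged["external_references"]
        ]
    return tagged


def to_jsonld(bundle):
    """Wrap a STIX bundle in @context and tag the bundle and every object."""
    top = {k: v for k, v in bundle.items() if k != "objects"}
    doc = {"@context": copy.deepcopy(CONTEXT)}
    doc.update(tag_object(top))
    doc["objects"] = [tag_object(o) for o in bundle.get("objects", [])]
    return doc


def unmapped_ref_properties(bundle, context=CONTEXT):
    """*_ref/*_refs keys the context leaves as string literals rather than links."""
    linked = {k for k, v in context.items()
              if isinstance(v, dict) and v.get("@type") == "@id"}
    found = set()
    for obj in [bundle, *bundle.get("objects", [])]:
        for key in obj:
            if key.endswith(("_ref", "_refs")) and key not in linked:
                found.add(key)
    return sorted(found)


# Constructed three-object bundle; ids are invented for this example.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "attack-flow", "spec_version": "2.1",
         "id": "attack-flow--00000000-0000-4000-8000-000000000002",
         "created_by_ref": "identity--00000000-0000-4000-8000-000000000003",
         "created": "2022-08-24T00:00:00.000Z", "name": "Example flow",
         "start_refs": ["attack-condition--00000000-0000-4000-8000-000000000004"]},
        {"type": "attack-condition", "spec_version": "2.1",
         "id": "attack-condition--00000000-0000-4000-8000-000000000004",
         "description": "Dashboard reachable without authentication.",
         "on_true_refs": ["attack-action--00000000-0000-4000-8000-000000000005"]},
        {"type": "attack-action", "spec_version": "2.1",
         "id": "attack-action--00000000-0000-4000-8000-000000000005",
         "technique_id": "T1133", "name": "External Remote Services",
         "technique_ref": "attack-pattern--00000000-0000-4000-8000-000000000006"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(to_jsonld(SAMPLE_BUNDLE), indent=2))
    print("not linked by the context:", unmapped_ref_properties(SAMPLE_BUNDLE))
```

To make on_true_refs or created_by_ref resolve as IRIs, add them to CONTEXT with "@type": "@id" in the same way as start_refs.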

8.5 Full Code Listing

Below, you can find the full conversion of the Tesla flow into JSON-LD, as well as the resulting RDF in Turtle syntax.

Listing 5: Full code listing for the JSON-LD Tesla flow


{
"@context": {
"@base": "[Link]
"@vocab": "[Link]
"id": "@id",
"objects": "@graph",
"xsd": "[Link]
"stix": "[Link]
"kb": "[Link]
"af": "[Link]
"created": {
"@id": "stix:created",
"@type": "xsd:dateTime"
},
"modified": {
"@id": "stix:modified",
"@type": "xsd:dateTime"
},
"first_seen": {
"@id": "stix:first_seen",
"@type": "xsd:dateTime"
},
"last_seen": {
"@id": "stix:last_seen",
"@type": "xsd:dateTime"
},
"url": {
"@id": "stix:url",
"@type": "@id"
},
"start_refs": {
"@id": "af:start_ref",
"@type": "@id"
},
"effect_refs": {
"@id": "af:effect_ref",
"@type": "@id"
},
"technique_ref": {
"@id": "af:technique_ref",
"@type": "@id"
},
"source_ref": {
"@id": "af:source_ref",
"@type": "@id"
}
},
"type": "bundle",
"@type": "stix:Report",
"id": "bundle--9cfa7cd7-9fb1-426b-ba9b-afb02fe88c99",
"objects": [
{
"type": "extension-definition",
"@type": "stix:ExtensionDefinition",
"id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4",
"spec_version": "2.1",
"name": "Attack Flow",
"description": "Extends STIX 2.1 with features to create Attack Flows.",
"created": "2022-08-02T[Link].143Z",
"modified": "2022-08-02T[Link].143Z",
"created_by_ref": "identity--d673f8cb-c168-42da-8ed4-0cb26725f86c",
"schema": "./[Link]",
"version": "2.0.0",
"extension_types": [
"new-sdo"
],
"external_references": [
{
"@type": "stix:reference",
"source_name": "Documentation",
"description": "Documentation for Attack Flow",
"url": "[Link]flow"
},
{
"@type": "stix:reference",
"source_name": "GitHub",
"description": "Source code repository for Attack Flow",
"url": "[Link]flow"
}
]
},
{
"type": "identity",
"@type": "stix:identity",
"spec_version": "2.1",
"id": "identity--d673f8cb-c168-42da-8ed4-0cb26725f86c",
"created_by_ref": "identity--d673f8cb-c168-42da-8ed4-0cb26725f86c",
"created": "2022-08-02T[Link].143Z",
"modified": "2022-08-02T[Link].143Z",
"name": "MITRE Engenuity Center for Threat-Informed Defense",
"identity_class": "organization"
},
{
"type": "identity",
"@type": "stix:identity",
"spec_version": "2.1",
"id": "identity--61d33cc7-dc05-4657-8c58-157c456651c0",
"created_by_ref": "identity--61d33cc7-dc05-4657-8c58-157c456651c0",
"created": "2022-08-24T[Link].000Z",
"modified": "2022-08-24T[Link].000Z",
"name": "Mark Haase",
"contact_information": "mhaase@[Link]",
"identity_class": "individual"
},
{
"type": "attack-flow",
"@type": "af:attack-flow",
"spec_version": "2.1",
"id": "attack-flow--e9ec3a4b-f787-4e81-a3d9-4cfe017ebc2f",
"created_by_ref": "identity--61d33cc7-dc05-4657-8c58-157c456651c0",
"created": "2022-08-24T[Link].000Z",
"modified": "2022-08-24T[Link].000Z",
"name": "Tesla Kubernetes Breach",
"description": "A vulnerable Kubernetes console leads to cryptojacking and exposure of AWS storage credentials.",
"scope": "incident",
"start_refs": [
"attack-condition--0d8b4b52-5f61-42f1-8b4e-f09fca687233"
],
"external_references": [
{
"@type": "stix:reference",
"source_name": "The Cryptojacking Epidemic",
"description": "RedLock CSI Team. Feb 20 2018.",
"url": "[Link]
}
],
"extensions": {
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
"extension_type": "new-sdo"
}
}
},
{
"type": "attack-condition",
"@type": "af:attack-condition",
"spec_version": "2.1",
"id": "attack-condition--0d8b4b52-5f61-42f1-8b4e-f09fca687233",
"created": "2022-08-24T[Link].000Z",
"modified": "2022-08-24T[Link].000Z",
"description": "Tesla's Kubernetes dashboard is exposed to the public internet with no password required for access.",
"on_true_refs": [
"attack-action--fcd630b0-9958-43ad-977e-d9e236c14a29"
],
"extensions": {
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
"extension_type": "new-sdo"
}
}
},
{
"type": "attack-action",
"@type": "af:attack-action",
"spec_version": "2.1",
"id": "attack-action--fcd630b0-9958-43ad-977e-d9e236c14a29",
"created": "2022-08-24T[Link].000Z",
"modified": "2022-08-24T[Link].000Z",
"technique_id": "T1133",
"name": "External Remote Services",
"technique_ref": "attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3",
"description": "The adversary logs into the Kubernetes console.",
"confidence": 90,
"effect_refs": [
"attack-action--430a4928-4eef-498d-a5ba-a2c739908a4c",
"attack-action--35c10b05-2035-4a72-bf40-a82ee548f363"
],
"extensions": {
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
"extension_type": "new-sdo"
}
}
},
{
"type": "attack-action",
"@type": "af:attack-action",
"spec_version": "2.1",
"id": "attack-action--430a4928-4eef-498d-a5ba-a2c739908a4c",
"created": "2022-08-24T[Link].000Z",
"modified": "2022-08-24T[Link].000Z",
"technique_id": "T1610",
"name": "Deploy Container",
"technique_ref": "attack-pattern--56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
"description": "The adversary deploys a new container on the Kubernetes cluster.",
"confidence": 90,
"effect_refs": [
"attack-operator--31982617-e0c7-4113-a4b0-830783d96fc2"
],
"extensions": {
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
"extension_type": "new-sdo"
}
}
},
{
"type": "attack-action",
"@type": "af:attack-action",
"spec_version": "2.1",
"id": "attack-action--9f649ddc-687c-4f58-8c72-0a361c460d62",
"created": "2022-08-24T[Link].000Z",
"modified": "2022-08-24T[Link].000Z",
"technique_id": "T1583.004",
"name": "Acquire Infrastructure: Server",
"technique_ref": "attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337",
"description": "The adversary runs an \"unlisted\" mining pool server on a non-standard port to evade IP and port blocklists.",
"effect_refs": [
"attack-action--16002983-8519-46d6-9a2b-7a983557e3a9"
],
"confidence": 90,
"extensions": {
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
"extension_type": "new-sdo"
}
}
},
{
"type": "infrastructure",
"@type": "af:infrastructure",
"spec_version": "2.1",
"id": "infrastructure--cb0106c0-6705-44d7-905f-9a1d855ead11",
"created": "2022-08-24T[Link].000Z",
"modified": "2022-08-24T[Link].000Z",
"name": "Unlisted Mining Pool",
"infrastructure_types": [
"unknown"
]
},
{
"type": "relationship",
"@type": "af:relationship",
"spec_version": "2.1",
"id": "relationship--9ec9afcc-4adf-4324-b32e-3bda5e0dd986",
"created": "2022-08-24T[Link].000Z",
"modified": "2022-08-24T[Link].000Z",
"relationship_type": "related-to",
"source_ref": "attack-action--9f649ddc-687c-4f58-8c72-0a361c460d62",
"target_ref": "infrastructure--cb0106c0-6705-44d7-905f-9a1d855ead11"
},
{
"type": "attack-action",
"@type": "af:attack-action",
"spec_version": "2.1",
"id": "attack-action--16002983-8519-46d6-9a2b-7a983557e3a9",
"created": "2022-08-24T[Link].000Z",
"modified": "2022-08-24T[Link].000Z",
"technique_id": "T0884",
"name": "Connection Proxy",
"technique_ref": "attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
"description": "The adversary proxies their mining pool through Cloudflare CDN.",
"effect_refs": [
"attack-operator--31982617-e0c7-4113-a4b0-830783d96fc2"
],
"confidence": 90,
"extensions": {
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
"extension_type": "new-sdo"
}
}
},
{
"type": "attack-operator",
"@type": "af:attack-operator",
"spec_version": "2.1",
"id": "attack-operator--31982617-e0c7-4113-a4b0-830783d96fc2",
"created": "2022-08-24T[Link].000Z",
"modified": "2022-08-24T[Link].000Z",
"operator": "AND",
"effect_refs": [
"attack-action--b5f27faa-f66d-438a-80dc-878ade2644fd"
],
"extensions": {
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
"extension_type": "new-sdo"
}
}
},
{
"type": "attack-action",
"@type": "af:attack-action",
"spec_version": "2.1",
"id": "attack-action--b5f27faa-f66d-438a-80dc-878ade2644fd",
"created": "2022-08-24T[Link].000Z",
"modified": "2022-08-24T[Link].000Z",
"technique_id": "T1496",
"name": "Resource Highjacking",
"technique_ref": "attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
"description": "The adversary runs cryptomining software in the container, configured to use their private mining pool.",
"confidence": 90,
"extensions": {
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
"extension_type": "new-sdo"
}
}
},
{
"type": "relationship",
"@type": "af:relationship",
"spec_version": "2.1",
"id": "relationship--9ec9afcc-4adf-4324-b32e-3bda5e0dd986",
"created": "2022-08-24T[Link].000Z",
"modified": "2022-08-24T[Link].000Z",
"relationship_type": "related-to",
"source_ref": "attack-action--b5f27faa-f66d-438a-80dc-878ade2644fd",
"target_ref": "infrastructure--cb0106c0-6705-44d7-905f-9a1d855ead11"
},
{
"type": "attack-action",
"@type": "af:attack-action",
"spec_version": "2.1",
"id": "attack-action--35c10b05-2035-4a72-bf40-a82ee548f363",
"created": "2022-08-24T[Link].000Z",
"modified": "2022-08-24T[Link].000Z",
"technique_id": "T1552.001",
"name": "Unsecured Credentials: Credentials In Files",
"technique_ref": "attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc",
"description": "The adversary could view plaintext AWS keys in the Kubernetes console.",
"confidence": 0,
"effect_refs": [
"attack-action--834f885b-718d-47d7-b94d-a7c15f0bcf34"
],
"extensions": {
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
"extension_type": "new-sdo"
}
}
},
{
"type": "attack-action",
"@type": "af:attack-action",
"spec_version": "2.1",
"id": "attack-action--834f885b-718d-47d7-b94d-a7c15f0bcf34",
"created": "2022-08-24T[Link].000Z",
"modified": "2022-08-24T[Link].000Z",
"technique_id": "T1078.004",
"name": "Valid Accounts: Cloud Accounts",
"technique_ref": "attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65",
"description": "The adversary authenticates to AWS S3 using the discovered credentials.",
"confidence": 0,
"effect_refs": [
"attack-action--24728445-761a-42d6-afd8-548c82669544"
],
"extensions": {
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
"extension_type": "new-sdo"
}
}
},
{
"type": "attack-action",
"@type": "af:attack-action",
"spec_version": "2.1",
"id": "attack-action--24728445-761a-42d6-afd8-548c82669544",
"created": "2022-08-24T[Link].000Z",
"modified": "2022-08-24T[Link].000Z",
"technique_id": "T1530",
"name": "Data from Cloud Storage Object",
"technique_ref": "attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7",
"description": "The adversary can access data in private S3 buckets.",
"confidence": 0,
"extensions": {
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
"extension_type": "new-sdo"
}
}
}
]
}

@prefix adversary: <[Link] .
@prefix af: <[Link] .
@prefix kb: <[Link] .
@prefix owl: <[Link] .
@prefix rdf: <[Link] .
@prefix rdfs: <[Link] .
@prefix stix: <[Link] .
@prefix xsd: <[Link] .

kb:attack-action--16002983-8519-46d6-9a2b-7a983557e3a9
a af:attack-action ;
stix:confidence "90"^^xsd:integer ;
stix:created "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:description "The adversary proxies their mining pool through Cloudflare CDN." ;
stix:extensions _:blank05 ;
stix:modified "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:spec_version "2.1" ;
stix:technique_id "T0884" ;
stix:name "Connection Proxy" ;
stix:type "attack-action" ;
af:effect_ref kb:attack-operator--31982617-e0c7-4113-a4b0-830783d96fc2 ;
af:technique_ref kb:attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783 ;
.

kb:attack-action--24728445-761a-42d6-afd8-548c82669544
a af:attack-action ;
stix:confidence "0"^^xsd:integer ;
stix:created "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:description "The adversary can access data in private S3 buckets." ;
stix:extensions _:blank11 ;
stix:modified "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:spec_version "2.1" ;
stix:technique_id "T1530" ;
stix:name "Data from Cloud Storage Object" ;
stix:type "attack-action" ;
af:technique_ref kb:attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7 ;
.

kb:attack-action--35c10b05-2035-4a72-bf40-a82ee548f363
a af:attack-action ;
stix:confidence "0"^^xsd:integer ;
stix:created "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:description "The adversary could view plaintext AWS keys in the Kubernetes console." ;
stix:extensions _:blank08 ;
stix:modified "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:spec_version "2.1" ;
stix:technique_id "T1552.001" ;
stix:name "Unsecured Credentials: Credentials In Files" ;
stix:type "attack-action" ;
af:effect_ref kb:attack-action--834f885b-718d-47d7-b94d-a7c15f0bcf34 ;
af:technique_ref kb:attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc ;
.

kb:attack-action--430a4928-4eef-498d-a5ba-a2c739908a4c
a af:attack-action ;
stix:confidence "90"^^xsd:integer ;
stix:created "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:description "The adversary deploys a new container on the Kubernetes cluster." ;
stix:extensions _:blank14 ;
stix:modified "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:spec_version "2.1" ;
stix:technique_id "T1610" ;
stix:name "Deploy Container" ;
stix:type "attack-action" ;
af:effect_ref kb:attack-operator--31982617-e0c7-4113-a4b0-830783d96fc2 ;
af:technique_ref kb:attack-pattern--56e0d8b8-3e25-49dd-9050-3aa252f5aa92 ;
.

kb:attack-action--834f885b-718d-47d7-b94d-a7c15f0bcf34
a af:attack-action ;
stix:confidence "0"^^xsd:integer ;
stix:created "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:description "The adversary authenticates to AWS S3 using the discovered credentials." ;
stix:extensions _:blank10 ;
stix:modified "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:spec_version "2.1" ;
stix:technique_id "T1078.004" ;
stix:name "Valid Accounts: Cloud Accounts" ;
stix:type "attack-action" ;
af:effect_ref kb:attack-action--24728445-761a-42d6-afd8-548c82669544 ;
af:technique_ref kb:attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65 ;
.

kb:attack-action--9f649ddc-687c-4f58-8c72-0a361c460d62
a af:attack-action ;
stix:confidence "90"^^xsd:integer ;
stix:created "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:description 'The adversary runs an "unlisted" mining pool server on a non-standard port to evade IP and port blocklists.' ;
stix:extensions _:blank04 ;
stix:modified "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:spec_version "2.1" ;
stix:technique_id "T1583.004" ;
stix:name "Acquire Infrastructure: Server" ;
stix:type "attack-action" ;
af:effect_ref kb:attack-action--16002983-8519-46d6-9a2b-7a983557e3a9 ;
af:technique_ref kb:attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337 ;
.

kb:attack-action--b5f27faa-f66d-438a-80dc-878ade2644fd
a af:attack-action ;
stix:confidence "90"^^xsd:integer ;
stix:created "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:description "The adversary runs cryptomining software in the container, configured to use their private mining pool." ;
stix:extensions _:blank07 ;
stix:modified "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:spec_version "2.1" ;
stix:technique_id "T1496" ;
stix:name "Resource Highjacking" ;
stix:type "attack-action" ;
af:technique_ref kb:attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783 ;
.

kb:attack-action--fcd630b0-9958-43ad-977e-d9e236c14a29
a af:attack-action ;
stix:confidence "90"^^xsd:integer ;
stix:created "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:description "The adversary logs into the Kubernetes console." ;
stix:extensions _:blank13 ;
stix:modified "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:spec_version "2.1" ;
stix:technique_id "T1133" ;
stix:name "External Remote Services" ;
stix:type "attack-action" ;
af:effect_ref
kb:attack-action--35c10b05-2035-4a72-bf40-a82ee548f363 ,
kb:attack-action--430a4928-4eef-498d-a5ba-a2c739908a4c
;
af:technique_ref kb:attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3 ;
.

kb:attack-condition--0d8b4b52-5f61-42f1-8b4e-f09fca687233
a af:attack-condition ;
stix:created "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:description "Tesla's Kubernetes dashboard is exposed to the public internet with no password required for access." ;
stix:extensions _:blank12 ;
stix:modified "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:on_true_refs "attack-action--fcd630b0-9958-43ad-977e-d9e236c14a29" ;
stix:spec_version "2.1" ;
stix:type "attack-condition" ;
.

kb:attack-flow--e9ec3a4b-f787-4e81-a3d9-4cfe017ebc2f
a af:attack-flow ;
stix:created "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:created_by_ref "identity--61d33cc7-dc05-4657-8c58-157c456651c0" ;
stix:description "A vulnerable Kubernetes console leads to cryptojacking and exposure of AWS storage credentials." ;
stix:extensions _:blank09 ;
stix:external_references _:blank02 ;
stix:modified "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:name "Tesla Kubernetes Breach" ;
stix:scope "incident" ;
stix:spec_version "2.1" ;
stix:type "attack-flow" ;
af:start_ref kb:attack-condition--0d8b4b52-5f61-42f1-8b4e-f09fca687233 ;
.

kb:attack-operator--31982617-e0c7-4113-a4b0-830783d96fc2
a af:attack-operator ;
stix:created "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:extensions _:blank06 ;
stix:modified "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:operator "AND" ;
stix:spec_version "2.1" ;
stix:type "attack-operator" ;
af:effect_ref kb:attack-action--b5f27faa-f66d-438a-80dc-878ade2644fd ;
.

kb:bundle--9cfa7cd7-9fb1-426b-ba9b-afb02fe88c99
a stix:Report ;
stix:type "bundle" ;
.

kb:extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4
a stix:ExtensionDefinition ;
stix:created "2022-08-02T[Link].143Z"^^xsd:dateTime ;
stix:created_by_ref "identity--d673f8cb-c168-42da-8ed4-0cb26725f86c" ;
stix:description "Extends STIX 2.1 with features to create Attack Flows." ;
stix:extension_types "new-sdo" ;
stix:external_references
_:blank01 ,
_:blank03
;
stix:modified "2022-08-02T[Link].143Z"^^xsd:dateTime ;
stix:name "Attack Flow" ;
stix:schema "./[Link]" ;
stix:spec_version "2.1" ;
stix:type "extension-definition" ;
stix:version "2.0.0" ;
.

kb:identity--61d33cc7-dc05-4657-8c58-157c456651c0
a stix:identity ;
stix:contact_information "mhaase@[Link]" ;
stix:created "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:created_by_ref "identity--61d33cc7-dc05-4657-8c58-157c456651c0" ;
stix:identity_class "individual" ;
stix:modified "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:name "Mark Haase" ;
stix:spec_version "2.1" ;
stix:type "identity" ;
.

kb:identity--d673f8cb-c168-42da-8ed4-0cb26725f86c
a stix:identity ;
stix:created "2022-08-02T[Link].143Z"^^xsd:dateTime ;
stix:created_by_ref "identity--d673f8cb-c168-42da-8ed4-0cb26725f86c" ;
stix:identity_class "organization" ;
stix:modified "2022-08-02T[Link].143Z"^^xsd:dateTime ;
stix:name "MITRE Engenuity Center for Threat-Informed Defense" ;
stix:spec_version "2.1" ;
stix:type "identity" ;
.

kb:infrastructure--cb0106c0-6705-44d7-905f-9a1d855ead11
a af:infrastructure ;
stix:created "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:infrastructure_types "unknown" ;
stix:modified "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:name "Unlisted Mining Pool" ;
stix:spec_version "2.1" ;
stix:type "infrastructure" ;
.

kb:relationship--9ec9afcc-4adf-4324-b32e-3bda5e0dd986
a af:relationship ;
stix:created "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:modified "2022-08-24T[Link].000Z"^^xsd:dateTime ;
stix:relationship_type "related-to" ;
stix:spec_version "2.1" ;
stix:target_ref "infrastructure--cb0106c0-6705-44d7-905f-9a1d855ead11" ;
stix:type "relationship" ;
af:source_ref
kb:attack-action--9f649ddc-687c-4f58-8c72-0a361c460d62 ,
kb:attack-action--b5f27faa-f66d-438a-80dc-878ade2644fd
;
.

_:blank01
a stix:reference ;
stix:description "Documentation for Attack Flow" ;
stix:source_name "Documentation" ;
stix:url <[Link] ;
.

_:blank02
a stix:reference ;
stix:description "RedLock CSI Team. Feb 20 2018." ;
stix:source_name "The Cryptojacking Epidemic" ;
stix:url <[Link] ;
.

_:blank03
a stix:reference ;
stix:description "Source code repository for Attack Flow" ;
stix:source_name "GitHub" ;
stix:url <[Link] ;
.

_:blank04
stix:extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4 _:blank16 ;
.

_:blank05
stix:extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4 _:blank17 ;
.

_:blank06
stix:extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4 _:blank18 ;
.

_:blank07
stix:extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4 _:blank19 ;
.

_:blank08
stix:extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4 _:blank20 ;
.

_:blank09
stix:extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4 _:blank23 ;
.

_:blank10
stix:extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4 _:blank21 ;
.

_:blank11
stix:extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4 _:blank22 ;
.

_:blank12
stix:extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4 _:blank24 ;
.

_:blank13
stix:extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4 _:blank25 ;
.

_:blank14
stix:extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4 _:blank15 ;
.

_:blank15
stix:extension_type "new-sdo" ;
.

_:blank16
stix:extension_type "new-sdo" ;
.

_:blank17
stix:extension_type "new-sdo" ;
.

_:blank18
stix:extension_type "new-sdo" ;
.

_:blank19
stix:extension_type "new-sdo" ;
.

_:blank20
stix:extension_type "new-sdo" ;
.

_:blank21
stix:extension_type "new-sdo" ;
.

_:blank22
stix:extension_type "new-sdo" ;
.

_:blank23
stix:extension_type "new-sdo" ;
.

_:blank24
stix:extension_type "new-sdo" ;
.

_:blank25
stix:extension_type "new-sdo" ;
.
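The listing above is the complete Turtle serialization of the example flow. As an added example (not code from the Attack Flow project), the script below parses the subset of Turtle syntax the listing uses, with nothing but the standard library, and then runs two checks a consumer of the translated graph would want: which attack-actions are tied to a named infrastructure object through a related-to relationship, and which referenced ids have no subject in the graph. The sample graph is a constructed excerpt that reuses the identity, infrastructure and relationship identifiers from the listing; the timestamps are placeholders because the listing elides them, and the two attack-action objects (which appear earlier in the full listing) are deliberately left out so that the reference check has something to report.

```python
"""Added example: a minimal parser for the Turtle subset used in the Attack Flow
OWL/RDF listing, plus two consumer-side checks.  Not part of the Attack Flow
project; standard library only."""
import re

# Constructed excerpt mirroring the listing's identity, infrastructure and
# relationship blocks.  Identifiers are the ones shown in the listing; the
# timestamps are placeholders because the listing elides them.
SAMPLE_TTL = """
kb:identity--d673f8cb-c168-42da-8ed4-0cb26725f86c
    a stix:identity ;
    stix:created "2022-08-02T00:00:00.143Z"^^xsd:dateTime ;
    stix:created_by_ref "identity--d673f8cb-c168-42da-8ed4-0cb26725f86c" ;
    stix:identity_class "organization" ;
    stix:name "MITRE Engenuity Center for Threat-Informed Defense" ;
    .

kb:infrastructure--cb0106c0-6705-44d7-905f-9a1d855ead11
    a af:infrastructure ;
    stix:infrastructure_types "unknown" ;
    stix:name "Unlisted Mining Pool" ;
    stix:type "infrastructure" ;
    .

kb:relationship--9ec9afcc-4adf-4324-b32e-3bda5e0dd986
    a af:relationship ;
    stix:relationship_type "related-to" ;
    stix:target_ref "infrastructure--cb0106c0-6705-44d7-905f-9a1d855ead11" ;
    af:source_ref
        kb:attack-action--9f649ddc-687c-4f58-8c72-0a361c460d62 ,
        kb:attack-action--b5f27faa-f66d-438a-80dc-878ade2644fd
        ;
    .
"""

# Token classes in priority order: quoted literal with optional ^^datatype,
# IRI in angle brackets, prefixed name or blank node (also the keyword 'a'),
# then the ';' ',' '.' separators.  Whitespace is skipped by findall().
_TOKEN = re.compile(
    r'"(?:[^"\\]|\\.)*"(?:\^\^[A-Za-z_][\w:-]*)?'  # "literal"^^xsd:dateTime
    r'|<[^>]*>'                                   # <iri>
    r'|[A-Za-z_][\w:-]*'                          # kb:..., af:..., _:blank01, a
    r'|[;,.]'                                     # separators / terminator
)


def parse_turtle(text):
    """Return (subject, predicate, object) triples as raw token strings.

    Covers what the listing needs: predicate lists separated by ';' (a trailing
    ';' before '.' is allowed), object lists separated by ',', statements ended
    by '.', and 'a' as shorthand for rdf:type.  Prefixes are not expanded."""
    tokens = _TOKEN.findall(text)
    triples, i = [], 0
    while i < len(tokens):
        subject = tokens[i]
        i += 1
        while i < len(tokens) and tokens[i] != '.':
            if tokens[i] == ';':          # predicate separator (may be trailing)
                i += 1
                continue
            predicate = 'rdf:type' if tokens[i] == 'a' else tokens[i]
            i += 1
            while True:                   # one or more comma-separated objects
                triples.append((subject, predicate, tokens[i]))
                i += 1
                if i < len(tokens) and tokens[i] == ',':
                    i += 1
                else:
                    break
        i += 1                            # consume the '.' terminator
    return triples


def literal(token):
    """Strip the quotes and any ^^datatype suffix from a literal token."""
    return token[1:token.index('"', 1)]


def node_id(token):
    """Bare STIX id for a node reference.  The listing names subjects as
    kb:<id> IRIs but stores *_ref values as string literals, so a consumer
    has to normalise both forms before it can join them."""
    if token.startswith('"'):
        return literal(token)
    return token.split(':', 1)[1]


def actions_related_to(triples, infra_name):
    """Sorted ids of attack-actions linked by a relationship whose target is
    the af:infrastructure object named infra_name."""
    typed = {s for s, p, o in triples
             if p == 'rdf:type' and o == 'af:infrastructure'}
    infra = {node_id(s) for s, p, o in triples
             if s in typed and p == 'stix:name' and literal(o) == infra_name}
    rels = {s for s, p, o in triples
            if p == 'stix:target_ref' and node_id(o) in infra}
    return sorted(node_id(o) for s, p, o in triples
                  if s in rels and p == 'af:source_ref')


def unresolved_refs(triples):
    """Sorted ids referenced by any *_ref predicate (created_by_ref,
    target_ref, source_ref) that have no subject in the graph.  A non-empty
    result means the graph is not self-contained."""
    subjects = {node_id(s) for s, _, _ in triples if not s.startswith('_:')}
    refs = {node_id(o) for _, p, o in triples if p.endswith('_ref')}
    return sorted(refs - subjects)


if __name__ == '__main__':
    graph = parse_turtle(SAMPLE_TTL)
    print('actions related to the mining pool:',
          actions_related_to(graph, 'Unlisted Mining Pool'))
    print('unresolved references:', unresolved_refs(graph))
```

Run against the constructed excerpt, the first check returns the two attack-action ids that the listing's relationship names under af:source_ref, and the second reports those same two ids as unresolved because the excerpt omits their subject blocks. An RDF toolkit such as rdflib would replace the hand-written tokenizer for production use, but the normalisation step in node_id stays necessary: the listing mixes kb: IRIs for subjects with string literals for *_ref values, so a naive join on raw tokens finds nothing.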



CHAPTER

NINE

CHANGELOG

9.1 Attack Flow 2

2.0.0 – October 27th, 2022

This major update to Attack Flow is based on community feedback from Attack Flow 1 and extensive collaboration with our research partners. The major improvements include:
• The new specification is based on STIX 2.1 and addresses known limitations and feedback on the Attack
Flow 1 specification.
• Completely overhauled Attack Flow Builder tool: more powerful and more user-friendly.
• Greatly expanded the documentation (you’re reading it right now!) to provide a better ramp up for learning
Attack Flow as well as more depth when you’re ready to become an Attack Flow expert.
• Added a dozen new attack flows to the public corpus. These flows are useful for learning Attack Flow, for
evaluating future changes to the Attack Flow specification, and data mining.
This release is not backwards-compatible with 1.0.0.

9.2 Attack Flow 1

1.0.0 – March 2nd, 2022

The initial release of Attack Flow contains a machine-readable specification for describing sequences (or more generally “graphs”) of adversary behaviors. The release also contains a web application for creating attack flows visually as well as Python library code for validating flows.

