The MITRE ATT&CK framework has become a de facto standard in threat hunting, incident response, and other areas of defensive security. The online Navigator provided by MITRE can be useful for understanding the current state of an attack campaign and deciding what to do next, and it can also help with attack attribution. However, I don’t feel very comfortable using an “online” tool hosted by someone else to map an ongoing attack in an organization. You might be a bit old-school like me, and that’s what landed you on this page. Running it yourself is only possible because MITRE has provided a version that you can host and use locally.
Make sure that you have Docker installed before you start. If you don’t have it installed, you can install it using the steps mentioned here.
The following steps show how to install and run the MITRE ATT&CK Navigator locally as a container on an Ubuntu machine:
git clone https://github.com/mitre-attack/attack-navigator.git
cd attack-navigator/nav-app/src/assets
wget https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v14.1/enterprise-attack/enterprise-attack.json
wget https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v14.1/mobile-attack/mobile-attack.json
wget https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v14.1/ics-attack/ics-attack.json
The first command downloads the whole repo, and the three wget commands download the required assets from the website so that your setup can load them locally, without contacting the server.
The next step is to change the configuration of the Navigator to use the local assets instead of the internet-based ones. Edit the ~/attack-navigator/nav-app/src/assets/config.json file and change each of the “data” fields in the “ATT&CK v14” section to point to the local resources:
Change:
"data": ["https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v14.1/enterprise-attack/enterprise-attack.json"]
to:
"data": ["assets/enterprise-attack.json"]
And change:
"data": ["https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v14.1/mobile-attack/mobile-attack.json"]
to:
"data": ["assets/mobile-attack.json"]
And finally change:
"data": ["https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v14.1/ics-attack/ics-attack.json"]
to:
"data": ["assets/ics-attack.json"]
The next step is to go back to the ~/attack-navigator folder and build the Docker image:
cd ~/attack-navigator
sudo docker build -t attack_navigator .
Finally, we start the container locally:
sudo docker run -p 4200:4200 attack_navigator
Wait a minute or two, then open your browser and go to http://127.0.0.1:4200
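The config.json edit described above can also be scripted and checked. The following is an added example, not code from the Navigator project: it rewrites every “data” URL that belongs to the downloaded release tag to its assets/ path and returns any “data” URLs that still point to the internet. The SAMPLE structure is constructed, its keys other than “data” are assumptions, and the example.invalid URL is a placeholder for an entry from another release.

```python
import json
import sys
from urllib.parse import urlparse

TAG = "ATT%26CK-v14.1"  # release tag used in the wget commands above
BASE = "https://raw.githubusercontent.com/mitre/cti/" + TAG

# Constructed sample: only the "data" lists mirror the page; other keys are assumed.
SAMPLE = {"versions": [
    {"name": "ATT&CK v14", "domains": [
        {"name": "Enterprise", "data": [BASE + "/enterprise-attack/enterprise-attack.json"]},
        {"name": "Mobile", "data": [BASE + "/mobile-attack/mobile-attack.json"]},
        {"name": "ICS", "data": [BASE + "/ics-attack/ics-attack.json"]}]},
    {"name": "other release (placeholder)", "domains": [
        {"name": "Enterprise",
         "data": ["https://example.invalid/other-release/enterprise-attack.json"]}]},
]}

def is_remote(value):
    return isinstance(value, str) and urlparse(value).scheme in ("http", "https")

def localize(node, tag=TAG):
    """Rewrite remote "data" URLs for `tag` in place; return the URLs left remote."""
    remaining = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "data" and isinstance(value, list):
                for i, item in enumerate(value):
                    if is_remote(item) and f"/{tag}/" in item:
                        # Same file name as the wget download, now under assets/
                        value[i] = "assets/" + item.rsplit("/", 1)[1]
                    elif is_remote(item):
                        remaining.append(item)
            else:
                remaining += localize(value, tag)
    elif isinstance(node, list):
        for child in node:
            remaining += localize(child, tag)
    return remaining

def localize_file(path, tag=TAG):
    """Apply localize() to a config.json on disk and write the result back."""
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    remaining = localize(config, tag)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(config, fh, indent=4)
    return remaining

if __name__ == "__main__":
    left = localize_file(sys.argv[1]) if len(sys.argv) > 1 else localize(SAMPLE)
    print("\n".join("still remote: " + url for url in left))
```

Run it with the path to config.json before building the image; any URL it reports will still be fetched from the internet if that version is selected in the Navigator.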