anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(ttp): fail-closed validation that lifter+UKC IDs resolve in ATT&CK bundle

Browse Source 
Drift between the technique/tactic IDs hardcoded in the lifters and
what the loaded ATT&CK STIX bundle actually contains is silent in the
status quo: a renamed-or-retired technique just stops being tagged.
Every emission point now has an explicit validator that asserts its
IDs resolve in the loaded bundle, called once at TTP-worker boot.

- intel_lifter.all_emitted_technique_ids() collects every technique
  the four provider tables (AbuseIPDB / GreyNoise / Feodo / ThreatFox)
  plus the decision-flow constants in _greynoise_decisions and
  _feodo_decisions can emit. validate_against_attack_bundle() runs it
  through attack_stix.assert_known_technique_ids().
- ukc.validate_against_attack_bundle() asserts every key in
  ATTACK_TACTIC_TO_UKC resolves, with TA0100..TA0106 documented as
  _NON_ENTERPRISE_TACTICS (lives in the ICS bundle, not the
  enterprise bundle DECNET loads).
- decnet/ttp/worker.py:run_ttp_worker_loop calls both validators
  before subscribing to the bus. A bundle-vs-code mismatch refuses
  to start the worker rather than silently mistagging events.
- tests/ttp/test_attack_bundle_validation.py covers the happy path
  for both validators, the negative path (injected bogus tactic ID
  raises AttackBundleError), the ICS exemption, and the lone T1078
  reference in credential_lifter.
This commit is contained in:
anti
2026-05-09 05:58:06 -04:00
parent d743d38cac
commit 432057f44a
4 changed files with 154 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
decnet/ttp/impl/intel_lifter.py
View File

@@ -375,7 +375,40 @@ def _emit_filtered(
return out
__all__ = ["IntelLifter"]
def all_emitted_technique_ids() -> frozenset[str]:
"""Every technique ID this lifter could emit, drawn from all four provider tables.
Used by :func:`validate_against_attack_bundle` (and
:mod:`tests.ttp.test_attack_catalog`-adjacent tests) to assert that
every provider-driven emission resolves in the loaded ATT&CK STIX
bundle. Includes the bare-classification emissions in
``_greynoise_decisions`` and the unconditional emissions in
``_feodo_decisions`` — those don't appear in the lookup tables
above because they're decision-flow constants, not table entries.
"""
ids: set[str] = set()
for techs in _ABUSEIPDB_CATEGORY_TO_TECHNIQUES.values():
ids.update(techs)
for techs in _GREYNOISE_TAG_TO_TECHNIQUES.values():
ids.update(techs)
for techs in _THREATFOX_THREAT_TYPE_TO_TECHNIQUES.values():
ids.update(techs)
# Decision-flow constants (see _greynoise_decisions, _feodo_decisions).
ids.update({"T1071", "T1595", "T1588"})
return frozenset(ids)
def validate_against_attack_bundle() -> None:
"""Assert every technique ID this lifter could emit resolves in the loaded ATT&CK STIX bundle."""
from decnet.ttp.attack_stix import assert_known_technique_ids
assert_known_technique_ids(
list(all_emitted_technique_ids()),
source="decnet.ttp.impl.intel_lifter",
)
__all__ = ["IntelLifter", "all_emitted_technique_ids", "validate_against_attack_bundle"]
# Suppress unused-import lint; emit_tags is exposed for parity with the