anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(ttp): fail-closed validation that lifter+UKC IDs resolve in ATT&CK bundle

Browse Source 
Drift between the technique/tactic IDs hardcoded in the lifters and
what the loaded ATT&CK STIX bundle actually contains is silent in the
status quo: a renamed-or-retired technique just stops being tagged.
Every emission point now has an explicit validator that asserts its
IDs resolve in the loaded bundle, called once at TTP-worker boot.

- intel_lifter.all_emitted_technique_ids() collects every technique
  the four provider tables (AbuseIPDB / GreyNoise / Feodo / ThreatFox)
  plus the decision-flow constants in _greynoise_decisions and
  _feodo_decisions can emit. validate_against_attack_bundle() runs it
  through attack_stix.assert_known_technique_ids().
- ukc.validate_against_attack_bundle() asserts every key in
  ATTACK_TACTIC_TO_UKC resolves, with TA0100..TA0106 documented as
  _NON_ENTERPRISE_TACTICS (lives in the ICS bundle, not the
  enterprise bundle DECNET loads).
- decnet/ttp/worker.py:run_ttp_worker_loop calls both validators
  before subscribing to the bus. A bundle-vs-code mismatch refuses
  to start the worker rather than silently mistagging events.
- tests/ttp/test_attack_bundle_validation.py covers the happy path
  for both validators, the negative path (injected bogus tactic ID
  raises AttackBundleError), the ICS exemption, and the lone T1078
  reference in credential_lifter.
This commit is contained in:
anti
2026-05-09 05:58:06 -04:00
parent d743d38cac
commit 432057f44a
4 changed files with 154 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
decnet/ttp/worker.py
View File

@@ -248,6 +248,21 @@ async def run_ttp_worker_loop(
"""
if tagger is None:
tagger = get_tagger()
# Fail closed at boot if any technique/tactic the worker can emit
# is missing from the loaded ATT&CK STIX bundle. The bundle is the
# canonical source of truth (see decnet/ttp/attack_stix.py) — drift
# between the pinned version and what the lifters reference would
# silently mistag thousands of events. We run this once per worker
# process; the underlying bundle load is itself memoised.
from decnet.clustering.ukc import validate_against_attack_bundle as _validate_ukc
from decnet.ttp.impl.intel_lifter import (
validate_against_attack_bundle as _validate_intel,
)
_validate_intel()
_validate_ukc()
log.info(
"ttp worker started tagger=%s poll_interval_secs=%s topics=%d",
tagger.name, poll_interval_secs, len(_TOPICS),