mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-14 19:55:16 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
169 lines
6.2 KiB
Python
169 lines
6.2 KiB
Python
#!/usr/bin/env python3
|
|
"""Agent for sector-specific threat landscape assessment.
|
|
|
|
Uses the attackcti library to query MITRE ATT&CK for threat groups
|
|
targeting a sector, analyzes common techniques, maps attack vectors,
|
|
and generates a strategic threat landscape report.
|
|
"""
|
|
|
|
import json
|
|
import sys
|
|
from datetime import datetime
|
|
from collections import Counter
|
|
|
|
try:
|
|
from attackcti import attack_client
|
|
HAS_ATTACKCTI = True
|
|
except ImportError:
|
|
HAS_ATTACKCTI = False
|
|
|
|
|
|
SECTOR_GROUPS = {
|
|
"financial": ["FIN7", "FIN8", "FIN11", "Carbanak", "Lazarus Group",
|
|
"Cobalt Group", "TA505"],
|
|
"healthcare": ["FIN12", "Wizard Spider", "Vice Society", "Conti"],
|
|
"energy": ["Sandworm Team", "Dragonfly", "TEMP.Veles", "XENOTIME"],
|
|
"government": ["APT29", "APT28", "Turla", "Gamaredon Group",
|
|
"Mustang Panda", "APT41"],
|
|
"manufacturing": ["APT41", "TEMP.Veles", "Dragonfly", "HEXANE"],
|
|
"technology": ["APT41", "Lazarus Group", "APT10", "Winnti Group"],
|
|
"retail": ["FIN7", "FIN8", "Carbanak", "Magecart"],
|
|
}
|
|
|
|
SECTOR_VECTORS = {
|
|
"financial": {
|
|
"primary": ["Spearphishing (T1566)", "Exploit Public-Facing App (T1190)",
|
|
"Valid Accounts (T1078)", "Supply Chain (T1195)"],
|
|
"emerging": ["MFA Fatigue", "QR Phishing", "BEC", "API Key Theft"],
|
|
},
|
|
"healthcare": {
|
|
"primary": ["Spearphishing (T1566)", "Exploit Public-Facing App (T1190)",
|
|
"External Remote Services (T1133)", "Valid Accounts (T1078)"],
|
|
"emerging": ["IoMT Exploitation", "Telehealth Attacks",
|
|
"EHR Supply Chain"],
|
|
},
|
|
"energy": {
|
|
"primary": ["Spearphishing (T1566)", "Supply Chain (T1195)",
|
|
"External Remote Services (T1133)"],
|
|
"emerging": ["OT/ICS Protocol Exploitation", "SCADA Remote Access",
|
|
"Vendor VPN Exploitation"],
|
|
},
|
|
}
|
|
|
|
|
|
class ThreatLandscapeAgent:
|
|
"""Conducts sector-specific cyber threat landscape assessment."""
|
|
|
|
def __init__(self, sector):
|
|
self.sector = sector.lower()
|
|
self.client = attack_client() if HAS_ATTACKCTI else None
|
|
self.actor_profiles = []
|
|
self.technique_ranking = []
|
|
|
|
def profile_sector_actors(self):
|
|
"""Query ATT&CK for groups known to target this sector."""
|
|
target_names = SECTOR_GROUPS.get(self.sector, [])
|
|
if not self.client:
|
|
return [{"name": n, "source": "static_mapping"} for n in target_names]
|
|
|
|
all_groups = self.client.get_groups()
|
|
for group_name in target_names:
|
|
group = next(
|
|
(g for g in all_groups
|
|
if g.get("name", "").lower() == group_name.lower()
|
|
or group_name.lower() in
|
|
[a.lower() for a in g.get("aliases", [])]),
|
|
None)
|
|
if not group:
|
|
self.actor_profiles.append({"name": group_name, "found": False})
|
|
continue
|
|
|
|
attack_id = ""
|
|
for ref in group.get("external_references", []):
|
|
if ref.get("source_name") == "mitre-attack":
|
|
attack_id = ref.get("external_id", "")
|
|
break
|
|
|
|
techniques = []
|
|
if attack_id:
|
|
techs = self.client.get_techniques_used_by_group(attack_id)
|
|
for t in techs:
|
|
for ref in t.get("external_references", []):
|
|
if ref.get("source_name") == "mitre-attack":
|
|
techniques.append({
|
|
"id": ref.get("external_id", ""),
|
|
"name": t.get("name", ""),
|
|
})
|
|
break
|
|
|
|
self.actor_profiles.append({
|
|
"name": group.get("name", ""),
|
|
"attack_id": attack_id,
|
|
"aliases": group.get("aliases", [])[:5],
|
|
"description": (group.get("description", "") or "")[:300],
|
|
"technique_count": len(techniques),
|
|
"techniques": techniques[:25],
|
|
})
|
|
return self.actor_profiles
|
|
|
|
def rank_techniques(self):
|
|
"""Rank techniques by how many sector actors use them."""
|
|
counter = Counter()
|
|
for actor in self.actor_profiles:
|
|
for tech in actor.get("techniques", []):
|
|
key = f"{tech['id']}|{tech['name']}"
|
|
counter[key] += 1
|
|
|
|
self.technique_ranking = [
|
|
{"technique_id": k.split("|")[0],
|
|
"name": k.split("|")[1] if "|" in k else "",
|
|
"actor_count": count,
|
|
"actors": [a["name"] for a in self.actor_profiles
|
|
if any(t["id"] == k.split("|")[0]
|
|
for t in a.get("techniques", []))]}
|
|
for k, count in counter.most_common(20)
|
|
]
|
|
return self.technique_ranking
|
|
|
|
def get_attack_vectors(self):
|
|
"""Return known attack vectors for this sector."""
|
|
return SECTOR_VECTORS.get(self.sector, {
|
|
"primary": ["Spearphishing (T1566)",
|
|
"Exploit Public-Facing App (T1190)"],
|
|
"emerging": ["Supply Chain Compromise"],
|
|
})
|
|
|
|
def generate_report(self):
|
|
"""Generate sector threat landscape report."""
|
|
self.profile_sector_actors()
|
|
self.rank_techniques()
|
|
|
|
report = {
|
|
"sector": self.sector,
|
|
"report_date": datetime.utcnow().isoformat(),
|
|
"threat_actors": len(self.actor_profiles),
|
|
"actor_profiles": self.actor_profiles,
|
|
"top_techniques": self.technique_ranking[:15],
|
|
"attack_vectors": self.get_attack_vectors(),
|
|
"recommendations": [
|
|
"Prioritize detections for top 10 techniques",
|
|
"Conduct threat-informed red team exercises",
|
|
"Join sector ISAC for real-time sharing",
|
|
"Map defenses to MITRE ATT&CK Navigator",
|
|
"Monitor sector-specific threat advisories",
|
|
],
|
|
}
|
|
|
|
print(json.dumps(report, indent=2, default=str))
|
|
return report
|
|
|
|
|
|
def main():
|
|
sector = sys.argv[1] if len(sys.argv) > 1 else "financial"
|
|
agent = ThreatLandscapeAgent(sector)
|
|
agent.generate_report()
|
|
|
|
|
|
if __name__ == "__main__":
|
|
main()
|