This project contains code for comparing or ranking APT capabilities and operational capacity. The metrics are meant to quantify, rank, order, compare or quickly visualise the operational capacity that threat actors have demonstrated. In other words, it is meant to answer questions like 'Which APT produces the most binaries yearly?' or 'Which APT uses the most domains?'.
For example, over all indicators, which groups have been the most active?
Or, if we examine a specific group, can we compare how big they are, or how much they spend, based on IoCs?
For ransomware, can we estimate how much development time is involved, or how many people participate, by comparison with other ransomware groups?
These estimates are unlikely to be accurate in any absolute sense, but they do allow analysis of attributed events in your MISP instance, which can be remarkably useful for some kinds of strategic work: for example, budgeting defences or increased RE time against certain APTs. Keep in mind that the counts reflect only what has been shared into, and attributed in, your MISP instance, so they measure your visibility of a group as much as the group's activity; compare groups against the same feeds and the same time window.
On Linux, install Python packages:
pip3 install --user setuptools wheel
pip3 install --user tqdm plotly pymisp
Install additional packages, for example on Red Hat based systems:
sudo dnf install gnuplot ImageMagick
Alternatively, on Debian based systems:
sudo apt-get install gnuplot graphicsmagick
On macOS, install Python packages:
$ pip3 install --user setuptools wheel
$ pip3 install --user tqdm plotly pymisp
It might be necessary to update the PATH variable in your bash profile so that the scripts installed with pip --user are found.
To install the additional packages, install Homebrew if you do not already have it (https://brew.sh/), then run the following commands in Terminal.
$ brew install gnuplot
$ brew install imagemagick
$ brew install graphicsmagick
Copy settings.default.py to settings.py and edit it to point at the MISP server and API key you are using. Then run, for example:
python3 generate.py
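To make concrete what "which APT produces the most binaries yearly" means in terms of MISP data, here is an added, self-contained example of the core tally. It is not code from LogisticalBudget or from generate.py; it assumes events in the MISP REST JSON layout (Event -> Galaxy -> GalaxyCluster for the attribution, Event -> Attribute for the indicators, attribute timestamps as UNIX epoch strings), takes the cluster type 'threat-actor' as the attribution galaxy, and uses constructed sample events with made-up actor names. The optional pymisp loader at the bottom is an assumption about the PyMISP search API and is never run by the example itself.

```python
"""Added example (not LogisticalBudget's own code): rank threat actors by
yearly indicator volume, the way the questions in this README imply.

Assumptions: MISP JSON layout as returned by the REST API; attribution via
galaxy clusters of type 'threat-actor'; sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Attribute types that stand in for "binaries" and "domains" respectively.
BINARY_TYPES = {"md5", "sha1", "sha256", "sha512", "ssdeep", "imphash"}
DOMAIN_TYPES = {"domain", "hostname", "domain|ip"}


def actors_of(event):
    """Threat-actor names attached to an event via its galaxy clusters."""
    names = set()
    for galaxy in event.get("Galaxy", []):
        for cluster in galaxy.get("GalaxyCluster", []):
            if cluster.get("type") == "threat-actor":
                names.add(cluster["value"])
    return names


def tally(events, types):
    """Map actor -> year -> number of distinct indicators of the given types.

    An indicator re-shared in a later event is counted once, in the year it
    was first seen for that actor. Unattributed events carry no signal and
    are skipped.
    """
    rows = []
    for event in events:
        for actor in actors_of(event):
            for attr in event.get("Attribute", []):
                if attr["type"] in types:
                    rows.append((int(attr["timestamp"]), actor, attr["value"]))
    rows.sort()  # oldest sighting first, so dedup keeps the first year
    seen = set()
    counts = defaultdict(lambda: defaultdict(int))
    for ts, actor, value in rows:
        if (actor, value) in seen:
            continue
        seen.add((actor, value))
        year = datetime.fromtimestamp(ts, tz=timezone.utc).year
        counts[actor][year] += 1
    return {actor: dict(years) for actor, years in counts.items()}


def rank(counts, year):
    """Actors ordered by descending count for one year (ties by name)."""
    rows = [(actor, years.get(year, 0)) for actor, years in counts.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def _event(actor, ts, attrs):
    """Build a constructed MISP-shaped event for the sample data below."""
    galaxy = [] if actor is None else [
        {"GalaxyCluster": [{"type": "threat-actor", "value": actor}]}]
    return {"Galaxy": galaxy,
            "Attribute": [{"type": t, "value": v, "timestamp": str(ts)}
                          for t, v in attrs]}


# Constructed sample: two fictitious actors, one unattributed event.
# 1590000000 is 2020-05-20 UTC, 1620000000 is 2021-05-03 UTC.
SAMPLE_EVENTS = [
    _event("APT-Alpha", 1590000000, [("sha256", "a" * 64), ("md5", "b" * 32),
                                     ("domain", "update.example.net")]),
    _event("APT-Alpha", 1620000000, [("sha256", "a" * 64),  # re-shared hash
                                     ("sha256", "c" * 64),
                                     ("domain", "cdn.example.org")]),
    _event("APT-Bravo", 1620000001, [("sha256", "d" * 64), ("sha256", "e" * 64),
                                     ("sha256", "f" * 64),
                                     ("domain", "login.example.com")]),
    _event(None, 1620000002, [("sha256", "g" * 64)]),  # unattributed: ignored
]


def load_misp_events(url, key, ssl=True):
    """ASSUMPTION about the PyMISP API; not exercised by this example.
    Fetches published events and unwraps the {'Event': {...}} envelope."""
    from pymisp import PyMISP  # imported lazily so the tally runs offline
    misp = PyMISP(url, key, ssl=ssl)
    return [e["Event"] for e in misp.search(controller="events", published=True)]


if __name__ == "__main__":
    binaries = tally(SAMPLE_EVENTS, BINARY_TYPES)
    domains = tally(SAMPLE_EVENTS, DOMAIN_TYPES)
    for year in (2020, 2021):
        print(year, "binaries:", rank(binaries, year), "domains:", rank(domains, year))
```

The deduplication step matters more than it looks: MISP feeds routinely re-share the same hash in several events, and without it the "most active" ranking would reward whoever is most re-reported rather than who produced the most samples.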
LogisticalBudget is a collaborative effort between Concinnity Risks, Periapt Systems and xQ Enterprises Ltd.