
AttackGen - Generate Custom Incident Response Scenarios with MITRE ATT&CK
AttackGen is a powerful cybersecurity tool designed to enhance incident response testing by leveraging large language models (LLMs) and the MITRE ATT&CK framework. It allows organizations to create tailored incident response scenarios based on their specific needs, such as threat actor groups and organizational details.
This guide provides a detailed overview of AttackGen, including its features, installation, usage, and more.
What is AttackGen?
AttackGen is a tool that simplifies the creation of incident response scenarios by utilizing:
- Large Language Models (LLMs): Supports OpenAI, Google AI, Mistral, Groq APIs, and locally hosted Ollama models.
- MITRE ATT&CK Framework: Offers both Enterprise and ICS (Industrial Control Systems) matrices for comprehensive threat modeling.
It generates scenarios customized to an organization’s size, industry, and selected threat actor groups. Users can also create custom scenarios by selecting specific ATT&CK techniques.
Key Features
AttackGen provides a range of features to streamline incident response testing:
- Scenario Generation:
  - Tailored scenarios based on user-selected threat actor groups.
  - Custom scenarios built from specific ATT&CK techniques.
  - Quick-start templates for common cyber incidents like phishing or ransomware attacks.
- Threat Actor Insights:
  - Displays detailed techniques used by selected threat actor groups from the MITRE ATT&CK database.
- Advanced Model Integration:
  - Supports various LLMs, including OpenAI’s latest reasoning models, Google’s Gemini models, Groq’s high-performance APIs, and more.
- User Feedback:
  - Collects feedback on scenario quality to improve future outputs.
- Export Options:
  - Scenarios can be downloaded in Markdown format for easy sharing and documentation.
- Interactive Assistant:
  - A chat interface (AttackGen Assistant) for refining and updating scenarios iteratively.
- Secure Credential Management:
  - Uses .env files for securely storing API keys and secrets.
- Deployment Flexibility:
  - Available as a Docker container for easy deployment.
Latest Releases
v0.7 Highlights
- Groq API Integration: Faster scenario generation with models like llama-3.3-70b-versatile.
- Enhanced Model Display: Collapsible widgets show reasoning alongside generated scenarios.
- Updated OpenAI Models: Support for OpenAI’s o3 reasoning model and GA version of o1.
v0.6 Highlights
- ICS Matrix Support: Expanded scope with MITRE ATT&CK ICS matrix for industrial environments.
- Updated Threat Intelligence: Incorporates MITRE ATT&CK v15.1 data and new threat actor groups like Scattered Spider.
v0.5 Highlights
- AttackGen Assistant: Chat-based interface for iterative scenario refinement.
- Quick Start Templates: Predefined templates for common cyber incidents.
- Google AI API Integration: Supports Gemini models for scenario generation.
System Requirements
To use AttackGen, ensure you have the following:
- A recent version of Python installed on your system.
- Required Python packages:
  - pandas, streamlit, langchain, mitreattack, among others (listed in requirements.txt).
- Access to an API key for your chosen model provider (e.g., OpenAI or Google AI).
- MITRE ATT&CK datasets (enterprise-attack.json, ics-attack.json, groups.json) in STIX format.
- .env file for securely storing API keys and secrets.
Installation
Option 1: Clone the Repository
1. Clone the repository:
    git clone https://github.com/mrwadams/attackgen.git
2. Navigate into the cloned directory:
    cd attackgen
3. Install required Python packages:
    pip install -r requirements.txt
Option 2: Use Docker
1. Pull the Docker image:
    docker pull mrwadams/attackgen
2. Run the container:
    docker run -p 8501:8501 mrwadams/attackgen
Data Setup
Download the latest MITRE ATT&CK datasets in STIX format and place them in the ./data/ directory within the repository:
- enterprise-attack.json
- ics-attack.json
- groups.json
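How a STIX bundle such as enterprise-attack.json or ics-attack.json links threat groups to techniques, as an added example (not AttackGen's own code): groups are `intrusion-set` objects, techniques are `attack-pattern` objects, and `uses` relationships join them. The sample bundle, its IDs and its names are constructed placeholders.

```python
import json

# Constructed miniature STIX bundle; every ID and name below is a placeholder.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--aaaa", "name": "Example Group"},
        {"type": "attack-pattern", "id": "attack-pattern--1111", "name": "Technique A",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T9001"}]},
        {"type": "attack-pattern", "id": "attack-pattern--2222", "name": "Technique B", "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T9002"}]},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--aaaa", "target_ref": "attack-pattern--1111"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--aaaa", "target_ref": "attack-pattern--2222"},
        {"type": "relationship", "relationship_type": "mitigates",
         "source_ref": "course-of-action--9999", "target_ref": "attack-pattern--1111"},
    ],
})


def attack_id(obj):
    """Return the ATT&CK ID stored under the 'mitre-attack' external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def techniques_by_group(bundle_text):
    """Map group name -> sorted [(technique ID, name)] via 'uses' relationships."""
    bundle = json.loads(bundle_text)
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        raise ValueError("not a STIX bundle")
    by_id = {o["id"]: o for o in bundle["objects"] if "id" in o}
    result = {}
    for rel in bundle["objects"]:
        if rel.get("type") != "relationship" or rel.get("relationship_type") != "uses":
            continue
        src, dst = by_id.get(rel.get("source_ref")), by_id.get(rel.get("target_ref"))
        # Skip dangling references and edges that are not group -> technique.
        if not src or not dst or src["type"] != "intrusion-set" or dst["type"] != "attack-pattern":
            continue
        if dst.get("revoked") or dst.get("x_mitre_deprecated"):
            continue  # retired techniques should not drive a scenario
        result.setdefault(src["name"], []).append((attack_id(dst) or "", dst["name"]))
    return {group: sorted(techs) for group, techs in result.items()}


print(techniques_by_group(SAMPLE_BUNDLE))
```

Running the same function over the text of a downloaded bundle is a quick way to confirm the file parses as a bundle and actually contains group-to-technique links before pointing the app at it.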
Running AttackGen
Option 1: Locally via Streamlit
1. Run the Streamlit app:
    streamlit run 00_👋_Welcome.py
2. Open your browser and navigate to the URL provided by Streamlit.
Option 2: Using Docker
1. Start the Docker container:
    docker run -p 8501:8501 mrwadams/attackgen
2. Open your browser at http://localhost:8501.
Using AttackGen
Standard Scenario Generation
1. Select your preferred model provider (e.g., OpenAI, Google AI).
2. Enter your API key or deployment details for Azure OpenAI Service if applicable.
3. Choose your organization’s industry and size from dropdown menus.
4. Navigate to the "Threat Group Scenarios" page.
5. Select a Threat Actor Group to simulate.
6. Click "Generate Scenario" to create an incident response scenario.
Custom Scenario Generation
1. Follow steps 1–3 above.
2. Navigate to the "Custom Scenario" page.
3. Use the multi-select box to choose relevant ATT&CK techniques.
4. Click "Generate Scenario" to create a tailored incident response scenario.
Note: You can provide feedback using 👍 or 👎 buttons if LangChain is configured with an API key.
Contributing
Contributions are welcome! Submit issues or pull requests on GitHub to help improve AttackGen.
License
AttackGen is licensed under GNU GPLv3, ensuring it remains free and open-source for community use.
With its robust feature set and flexibility, AttackGen is an essential tool for organizations looking to enhance their cybersecurity preparedness through realistic incident response testing scenarios tailored to their unique needs! You can learn more about AttackGen and download it on GitHub.