Power-up – Data Quality Assessment Tool for Penetration Testers

Power-up is a tool to assess data quality, built on top of the OSSEM project. Power-up uses the OSSEM Detection Data Model (DDM) as the basis for its data quality assessment, because the DDM provides a structured way to correlate ATT&CK data sources, Common Information Model (CIM) entities and data dictionaries (events) with one another.
For those unfamiliar with the DDM structure, here is a sample:

| ATT&CK Data Source | Sub Data Source     | Source Data Object | Relationship | Destination Data Object | EventID |
|--------------------|---------------------|--------------------|--------------|-------------------------|---------|
| Process monitoring | process creation    | process            | created      | process                 | 4688    |
| Process monitoring | process creation    | process            | created      | process                 | 1       |
| Process monitoring | process termination | process            | terminated   |                         | 4689    |
| Process monitoring | process termination | process            | terminated   |                         | 5       |

As you can see, each entry in the DDM defines a sub data source (scope) using abstract entities such as process, user, file, etc. Each entry also carries the event ID to which the scope applies. You can read more about these entities in the OSSEM CIM documentation.
In a nutshell, DDM entries remove much of the complexity of raw events by providing a scope that defines how a log source (data channel) can be consumed.

Data Quality Dimensions
Power-up rates data quality along five distinct dimensions:

| Dimension   | Type         | Description                                                            |
|-------------|--------------|------------------------------------------------------------------------|
| Coverage    | Data channel | How many devices or network segments are covered by the data channel   |
| Timeliness  | Data channel | How long it takes for an event to become available                     |
| Retention   | Data channel | How long the event remains available                                   |
| Structure   | Event        | How complete the event is, i.e. whether the relevant fields can be found |
| Consistency | Event        | How standard the event fields are, i.e. whether they have been normalized |

Every dimension is rated with a score from 0 (none) to 5 (wonderful).

Coverage, Timeliness and Retention
These dimensions are tied to data channels and propagate to all events provided by them.
Because of their nature, these dimensions have to be rated manually, according to the specifics of each data channel in your environment.
Power-up uses resources/dcs.yml to define data channels and rate them:

data channel: sysmon
description: sysmon monitoring
coverage: 2
timeliness: 5
retention: 2
---
data channel: security
description: windows security auditing
coverage: 5
timeliness: 5
retention: 2

Structure
To calculate how complete the event structure is, power-up compares the standard names in the data dictionary with the fields of the CIM entities referenced by the DDM entry (source and destination).
Because not all entity fields are relevant (relevance depends on the context), power-up uses the concept of profiles to select which fields have to match a data dictionary standard name. For example:

# OSSEM CIM Profile
process:
    - process_name
    - process_path
    - process_command_line

Note: There is an example profile in profiles/default.yml for you to play with.

The structure score is calculated with the following formula:
SCORE_PERCENT = (MATCHED_FIELDS / TOTAL_RELEVANT_FIELDS) * 100
For clarity, take the Sysmon Event ID 1 data dictionary as an example of how the structure score is calculated.

Note: Because the Sysmon Event ID 1 data dictionary matches 100% of the relevant entity fields, its structure score is rated 5 (wonderful).

The structure score is translated to the 0-5 scale as follows:

| Percentage | Score |
|------------|-------|
| 0          | 0     |
| 1 to 25    | 1     |
| 26 to 50   | 2     |
| 51 to 75   | 3     |
| 76 to 99   | 4     |
| 100        | 5     |

Note: Depending on the use case (SIEM, threat hunting, forensics), you may define different profiles in order to rate your logs differently.

Consistency
To calculate consistency, power-up simply computes the share of fields in a data dictionary that have a standard name. Data dictionaries with a high proportion of fields mapped to a standard name are more likely to correlate with CIM entities.
The consistency score is calculated with the following formula:
SCORE_PERCENT = (STANDARD_NAME_FIELDS / TOTAL_FIELDS) * 100
The consistency score is translated to the 0-5 scale as follows:

| Percentage | Score |
|------------|-------|
| 0          | 0     |
| 1 to 50    | 1     |
| 51 to 99   | 3     |
| 100        | 5     |
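The two event-level scores above (structure and consistency), together with the propagation of the three channel-level scores, worked through in code. This is an added example, not power-up's own code: the CIM profile, data channel ratings, data dictionaries and DDM entries are constructed (the field-to-standard-name mappings are abbreviated and partly invented for illustration), and the percentage-to-scale functions follow the two tables above.

```python
"""Structure and consistency scoring as described in the text above.

Added example; this is not power-up's own code. The CIM profile, channel
ratings, data dictionaries and DDM entries below are constructed and
trimmed for illustration.
"""

# Constructed profile: the entity fields that must be present for an event
# to be considered complete (same shape as profiles/default.yml).
PROFILE = {
    "process": ["process_name", "process_path", "process_command_line"],
}

# Constructed data channel ratings (same shape as resources/dcs.yml).
DATA_CHANNELS = {
    "sysmon": {"coverage": 2, "timeliness": 5, "retention": 2},
    "security": {"coverage": 5, "timeliness": 5, "retention": 2},
}

# Constructed data dictionaries: raw field name -> OSSEM standard name,
# or None when the field has not been normalized (no standard name).
DATA_DICTIONARIES = {
    ("sysmon", 1): {
        "UtcTime": "event_date_creation",
        "ProcessId": "process_id",
        "Image": "process_path",
        "OriginalFileName": "process_name",  # constructed mapping
        "CommandLine": "process_command_line",
    },
    ("security", 4688): {
        "NewProcessId": "process_id",
        "NewProcessName": "process_path",
        "CommandLine": "process_command_line",
        "TokenElevationType": None,
        "MandatoryLabel": None,
    },
}

# Constructed DDM entries: (channel, event id, source entity, destination entity).
DDM = [
    ("sysmon", 1, "process", "process"),
    ("security", 4688, "process", "process"),
]


def percent(matched, total):
    """Percentage guarded against division by zero (0 when nothing is relevant)."""
    return 0.0 if total == 0 else 100.0 * matched / total


def structure_scale(pct):
    """Translate a structure percentage to the 0-5 scale (table above)."""
    if pct <= 0:
        return 0
    if pct >= 100:
        return 5
    if pct <= 25:
        return 1
    if pct <= 50:
        return 2
    if pct <= 75:
        return 3
    return 4


def consistency_scale(pct):
    """Translate a consistency percentage to the 0-5 scale (table above)."""
    if pct <= 0:
        return 0
    if pct >= 100:
        return 5
    if pct <= 50:
        return 1
    return 3


def structure_percent(dictionary, entities, profile=PROFILE):
    """MATCHED_FIELDS / TOTAL_RELEVANT_FIELDS over the profile fields of the
    entities referenced by the DDM entry (source and destination)."""
    relevant = set()
    for entity in entities:
        relevant.update(profile.get(entity, []))  # empty destination adds nothing
    standard_names = {name for name in dictionary.values() if name}
    return percent(len(relevant & standard_names), len(relevant))


def consistency_percent(dictionary):
    """STANDARD_NAME_FIELDS / TOTAL_FIELDS for one data dictionary."""
    standard = sum(1 for name in dictionary.values() if name)
    return percent(standard, len(dictionary))


def rate_entry(channel, event_id, source, destination):
    """All five dimensions for one DDM entry: the three channel dimensions are
    inherited from the data channel, the two event dimensions are computed."""
    dictionary = DATA_DICTIONARIES[(channel, event_id)]
    scores = dict(DATA_CHANNELS[channel])
    scores["structure"] = structure_scale(
        structure_percent(dictionary, (source, destination)))
    scores["consistency"] = consistency_scale(consistency_percent(dictionary))
    return scores


if __name__ == "__main__":
    for entry in DDM:
        print(entry, rate_entry(*entry))
```

With these constructed inputs the Sysmon Event ID 1 row scores 5/5 on both event dimensions, while Security 4688 matches only two of the three relevant process fields (66.7%, score 3) and has two fields without a standard name (60%, score 3). Note that a DDM entry whose entities have no profile fields at all gets 0% rather than a division error.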

How to use

Before you start

  • Power-up is a Python script; make sure you run pip install -r requirements.txt
  • Make sure you have a local copy of the OSSEM repository

Running power-up

> python3 powerup.py --help

As the help output shows, power-up can consume OSSEM data in two different formats:

  • OSSEM markdown – the native format of OSSEM when you clone it from git.
  • OSSEM yaml – a summarized format of OSSEM containing only the data fields and some metadata. You can use power-up to transform OSSEM markdown to yaml.

Currently, power-up exports OSSEM output to:

  • Yaml – creates OSSEM structures in yaml in the output/ folder
  • Excel – creates an OSSEM DDM table, enriched with the data quality scores, in the output/ folder
  • Elastic – creates the OSSEM structure in Elasticsearch; the indices are as follows:
    • ossem.ddm – OSSEM DDM table, enriched with the data quality scores
    • ossem.cim – OSSEM CIM entries
    • ossem.dds – OSSEM data dictionaries
    • ossem.dcs – OSSEM data channels

Note: if no profile file path is specified, power-up falls back to profiles/default.yml.

Exporting to YAML

> python3 powerup.py -o ../OSSEM --yaml 

The aim of exporting to and importing from YAML is to facilitate OSSEM customization. Chances are the first thing you will do is create your own data dictionaries and then add new DDM entries, so YAML makes those updates easier.

Note 1: modify resources/config.yml to tell power-up the file names of the respective structures. Then you only need to put them in a folder and pass that folder as the OSSEM_YAML argument.

Note 2: power-up does not parse the whole OSSEM objects to YAML, only the data fields and some metadata (e.g. description). The reason is that I wanted to keep the YAML object as lean as possible, with just the data you need to assess data quality.

Exporting to EXCEL

> python3 powerup.py -o ../OSSEM --excel 

When exporting to Excel, power-up creates an eye-candy DDM spreadsheet with the respective data quality dimensions for each entry.

Exporting to ELASTIC

> python3 powerup.py -o ../OSSEM --elastic

When exporting to Elastic, power-up stores all OSSEM data in Elasticsearch. Because the DDM is enriched with the respective data quality dimensions, you can build dashboards on top of those scores.

Exporting to ATT&CK Navigator

> python3 powerup.py -o ../OSSEM --layer 

When exporting to a layer, power-up creates an ATT&CK Navigator layer JSON file with a data quality score for each technique.

Note: technique scores are derived from the average scores of the technique's data sources in the DDM.
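How a technique score can be derived from averaged DDM scores and written into a Navigator layer, as an added example rather than power-up's own code. The rated DDM rows and the technique-to-data-source mapping are constructed (the real mapping comes from the ATT&CK knowledge base), averaging each DDM entry across its five dimensions before averaging per data source is an assumed aggregation, and the layer format fields (version string, gradient) are assumptions about the Navigator layer spec, not taken from the page.

```python
"""Build an ATT&CK Navigator layer whose technique scores are averages of the
DDM data source scores.

Added example; not power-up's own code. RATED_DDM and TECHNIQUE_DATA_SOURCES
are constructed, and the layer "version"/"gradient" fields are assumptions
about the Navigator layer format.
"""
import json

# Constructed, already-rated DDM rows: data source plus the five dimension
# scores (0-5) that power-up attaches to each entry.
RATED_DDM = [
    {"data_source": "Process monitoring", "event_id": 1,
     "coverage": 2, "timeliness": 5, "retention": 2, "structure": 5, "consistency": 5},
    {"data_source": "Process monitoring", "event_id": 4688,
     "coverage": 5, "timeliness": 5, "retention": 2, "structure": 3, "consistency": 3},
    {"data_source": "Process command-line parameters", "event_id": 4688,
     "coverage": 5, "timeliness": 5, "retention": 2, "structure": 3, "consistency": 3},
]

# Constructed subset of technique -> ATT&CK data sources; illustrative only.
TECHNIQUE_DATA_SOURCES = {
    "T1059": ["Process monitoring", "Process command-line parameters"],
    "T1053": ["Process monitoring", "File monitoring"],  # no DDM rows for File monitoring
}

DIMENSIONS = ("coverage", "timeliness", "retention", "structure", "consistency")


def entry_score(row):
    """Average of the five dimension scores for one DDM row (assumed aggregation)."""
    return sum(row[d] for d in DIMENSIONS) / len(DIMENSIONS)


def data_source_scores(rows):
    """Average DDM entry score per ATT&CK data source."""
    totals = {}
    for row in rows:
        totals.setdefault(row["data_source"], []).append(entry_score(row))
    return {ds: sum(v) / len(v) for ds, v in totals.items()}


def technique_scores(rows, mapping):
    """Average the scores of a technique's data sources. A data source with no
    DDM rows counts as 0, so missing telemetry lowers the technique score
    instead of silently disappearing from the average."""
    per_source = data_source_scores(rows)
    return {
        tid: sum(per_source.get(ds, 0.0) for ds in sources) / len(sources)
        for tid, sources in mapping.items() if sources
    }


def build_layer(rows, mapping, name="OSSEM data quality"):
    """Navigator layer dict: one entry per technique with a numeric score and
    a red-to-green gradient over the 0-5 range. Field names follow the public
    Navigator layer format; the version string is an assumption."""
    scores = technique_scores(rows, mapping)
    return {
        "name": name,
        "version": "3.0",
        "domain": "mitre-enterprise",
        "description": "Technique score = average data quality of mapped data sources",
        "techniques": [
            {"techniqueID": tid, "score": round(score, 2),
             "comment": "data sources: " + ", ".join(mapping[tid])}
            for tid, score in sorted(scores.items())
        ],
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": 5},
    }


if __name__ == "__main__":
    print(json.dumps(build_layer(RATED_DDM, TECHNIQUE_DATA_SOURCES), indent=2))
```

With the constructed rows, Process monitoring averages 3.7 and Process command-line parameters 3.6, so T1059 scores 3.65 while T1053 drops to 1.85 because one of its two data sources has no DDM coverage at all. Whether an unmapped data source should count as 0 or be skipped is a policy choice; counting it as 0 is the conservative option for a coverage assessment.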
