DeTT&CT v1.3 released: Detect Tactics, Techniques & Combat Threats
DeTT&CT aims to assist blue teams using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage, and threat actor behaviors, all of which can help, in different ways, to become more resilient against attacks targeting your organization. The DeTT&CT framework consists of a Python tool, YAML administration files and scoring tables for the different aspects.
DeTT&CT provides the following functionality:
- Administrate and score the quality of your data sources.
- Get insight into the visibility you have on, for example, endpoints.
- Map your detection coverage.
- Map threat actor behaviors.
- Compare visibility, detections and threat actor behaviors to uncover possible improvements in detection and visibility. This can help you to prioritize your blue teaming efforts.
The colored visualizations are created with the help of MITRE’s ATT&CK™ Navigator.
The Cyber Threat Intelligence Repository of MITRE ATT&CK™ contains loads of valuable information on:
- TTPs (Tactics, Techniques and Procedures)
- Groups (threat actors)
- Software (software used by threat actors)
- Data sources (visibility required for detection)
The relationship between these types of information can be visualized using the following diagram:
You can map the information you have within your organization on the entities available in ATT&CK. DeTT&CT delivers a framework which does exactly that, and it will help you to administrate your blue team’s data sources (including data quality), visibility and detection. It will also provide you with means to administrate threat intelligence that you get from your intelligence team or a third-party provider. This can then also be compared to your current detection or visibility coverage.
DeTT&CT administrates all this information within different YAML files, and a scoring table is provided to have a standardized way of scoring your data quality, visibility, and detection. A Python tool (dettect.py) is used to generate all kinds of output:
- ATT&CK Navigator layer files
- Excel files
For example, DeTT&CT can generate a layer file for the ATT&CK Navigator, which shows you your visibility and detection coverage, or techniques and software used by certain threat actors.
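As an added example (not DeTT&CT's own code), the following Python sketch shows the kind of bookkeeping behind such output: constructed data source records that reuse DeTT&CT-style key names, an availability rule and a quality average that are this example's own assumptions rather than DeTT&CT's scoring table, a case-insensitive platform lookup, and a minimal ATT&CK Navigator layer whose per-technique score counts the available data sources.

```python
import json
from statistics import mean

# Constructed records mirroring DeTT&CT data source YAML key names. The
# availability rule and quality average below are this example's assumptions.
DATA_SOURCES = [
    {"data_source_name": "Process monitoring", "date_connected": "2019-03-01",
     "products": ["Sysmon"], "available_for_data_analytics": True,
     "data_quality": {"device_completeness": 4, "data_field_completeness": 5,
                      "timeliness": 4, "consistency": 5, "retention": 3}},
    {"data_source_name": "Netflow/Enclave netflow", "date_connected": None,
     "products": [], "available_for_data_analytics": False,
     "data_quality": {"device_completeness": 0, "data_field_completeness": 0,
                      "timeliness": 0, "consistency": 0, "retention": 0}},
]
# Constructed placeholder mapping of technique IDs to observing data sources
# (not taken from the ATT&CK knowledge base).
TECHNIQUE_SOURCES = {
    "T1059": ["Process monitoring"],
    "T1071": ["Netflow/Enclave netflow", "Process monitoring"],
}
PLATFORMS = {"windows": "Windows", "linux": "Linux", "macos": "macOS"}


def normalize_platform(value):
    """Accept 'windows', 'WINDOWS' or 'Windows' alike instead of failing on case."""
    key = value.strip().lower()
    if key not in PLATFORMS:
        raise ValueError(f"unknown platform: {value!r}")
    return PLATFORMS[key]


def is_available(ds):
    """Available only when connected to a product and usable for analytics."""
    return bool(ds["date_connected"]) and bool(ds["products"]) \
        and ds["available_for_data_analytics"] is True


def quality_score(ds):
    """Average of the five data quality dimensions, each scored 0-5."""
    return round(mean(ds["data_quality"].values()), 2)


def build_layer(name, data_sources, technique_sources):
    """Navigator layer: score per technique = number of available data sources."""
    available = {ds["data_source_name"] for ds in data_sources if is_available(ds)}
    techniques = [{"techniqueID": tid,
                   "score": sum(1 for s in sources if s in available),
                   "comment": ", ".join(s for s in sources if s in available)}
                  for tid, sources in sorted(technique_sources.items())]
    return {"name": name, "domain": "enterprise-attack", "techniques": techniques}


if __name__ == "__main__":
    print(json.dumps(build_layer("visibility", DATA_SOURCES, TECHNIQUE_SOURCES), indent=2))
```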
- YAML files can now be edited by loading them into the DeTT&CT Editor. It’s no longer necessary to edit YAML files using a text editor!
- All code in the Editor runs within the browser. Therefore, the content of your YAML file is not sent to a server.
- The Editor is hosted on GitHub and can be found here. The Editor can also be run locally using the following command:
python dettect.py editor
- With a few exceptions, all key-value pairs within a data source, technique or group YAML file can be edited. More info can be found here.
- Please note that YAML comments are not kept when a file is edited in the Editor. If you want to keep a comment, add it as a key-value pair, for example:
my-comment-1: your comment goes here.
- @rcfontana contributed as a beta tester. Thanks!
- Bug fixes:
- The logic to determine whether a data source was available or not contained several errors.
- Using a lowercase value for the key-value pair platform in a data source YAML file resulted in an error.