DeTTECT/README.md

<img src="https://github.com/rabobank-cdc/Blue-ATTACK/wiki/images/logo.png" alt="Blue ATT&CK" width=20% height=20%>

# Blue ATT&CK
#### Mapping your blue team to ATT&CK

To get started with Blue ATT&CK, check out the
[Wiki](https://github.com/rabobank-cdc/Blue-ATTACK/wiki/Getting-started).

Blue ATT&CK will help blue teams in scoring and comparing data source quality, visibility coverage, detection coverage and threat actor behaviours. The Blue ATT&CK framework consists of a Python tool, YAML administration files and [scoring tables](https://github.com/rabobank-cdc/Blue-ATTACK/raw/master/scoring_table.xlsx) for the different aspects.

Blue ATT&CK will help you to:

- Administrate and score the quality of your data sources.
- Get insight on the visibility you have on for example endpoints.
- Map your detection coverage.
- Map threat actor behaviours.
- Compare visibility, detections and threat actor behaviours in order to uncover possible improvements in detection and visibility. This can help you to prioritise your blue teaming efforts.

## Authors and contribution
This project is developed and maintained by [Marcus Bakker](https://github.com/marcusbakker) (Twitter: [@bakker3m](https://twitter.com/bakk3rm)) and [Ruben Bouman](https://github.com/rubinatorz) (Twitter: [@rubenb_2](https://twitter.com/rubenb_2/)). Feel free to contact, DMs are open.

We welcome contributions! Contributions can be both in code, as well as in ideas you might have for further development, usability improvements, etc.

### Work of others
Some functionality within Blue ATT&CK was inspired by work of
others:
- Roberto Rodriguez's work on data quality and scoring of ATT&CK techniques ([How Hot Is Your Hunt Team?](https://cyberwardog.blogspot.com/2017/07/how-hot-is-your-hunt-team.html), [Ready to hunt? First, Show me your data!](https://cyberwardog.blogspot.com/2017/12/ready-to-hunt-first-show-me-your-data.html)).
- The MITRE ATT&CK Mapping project on GitHub:
  https://github.com/siriussecurity/mitre-attack-mapping.

## Example

YAML files are used for administrating scores and relevant metadata. All
of which can be visualised by loading JSON layer files into the [ATT&CK Navigator](https://github.com/mitre-attack/attack-navigator) (some types of scores and metadata can also be written to Excel).

See below an example of mapping your data sources to ATT&CK which gives you a rough overview of your visibility coverage:

<img src="https://github.com/rabobank-cdc/Blue-ATTACK/wiki/images/example_data_sources.png" alt="Blue ATT&CK"><br>


## Installation and requirements

See our GitHub Wiki: [Installation and requirements](https://github.com/rabobank-cdc/Blue-ATTACK/wiki/Installation-and-requirements).

## Future developments

-  Add more graphs:
   - [ ]  Detections: improvement based on newly added detections and improvements on the level/score of existing detections. Possibly with a changelog with support for comments.
   - [ ]  Visibility: improvement in the quality of an existing data source.
- Groups:
  - [ ]   Have groups YAML file type that contains a count on how popular a certain technique is. This can be very useful to map things such as Red Canary's [Threat Detection Report 2019](https://redcanary.com/resources/guides/threat-detection-report/).
- Excel output for:
   - [ ]  Techniques administration YAML file: visibility coverage
   - [ ]  Techniques administration YAML file: detection coverage
- Data quality Excel sheet:
  - [ ]  Add colors to the data quality scores in the Excel sheet.
- YAML files:
  - [ ]  Create an option within the tool to migrate an old administration YAML file version to a new version (such as adding specific key-value pairs).
- MITRE ATT&CK updates
  - [ ]  Have a smart way of knowing what to update in your data source and technique administration files once MITRE releases updates.
  - [ ]  Data sources: check for missing data sources in data sources administration files.
- Minimal visibility
  - [ ]  Integrate information into the framework on what a minimal set of visibility for a technique should be, before you can say to have useful visibility (e.g. technique X requires at least to have visibility on process monitoring, process command line monitoring and DLL monitoring.)

## License: GPL-3.0
[Blue ATT&CK's GNU General Public License v3.0](https://github.com/rabobank-cdc/Blue-ATTACK/blob/master/LICENSE)
initial commit 2019-03-29 14:26:25 +00:00			`<img src="https://github.com/rabobank-cdc/Blue-ATTACK/wiki/images/logo.png" alt="Blue ATT&CK" width=20% height=20%>`

			`# Blue ATT&CK`
			`#### Mapping your blue team to ATT&CK`

			`To get started with Blue ATT&CK, check out the`
			`[Wiki](https://github.com/rabobank-cdc/Blue-ATTACK/wiki/Getting-started).`

			`Blue ATT&CK will help blue teams in scoring and comparing data source quality, visibility coverage, detection coverage and threat actor behaviours. The Blue ATT&CK framework consists of a Python tool, YAML administration files and [scoring tables](https://github.com/rabobank-cdc/Blue-ATTACK/raw/master/scoring_table.xlsx) for the different aspects.`

			`Blue ATT&CK will help you to:`

			`- Administrate and score the quality of your data sources.`
			`- Get insight on the visibility you have on for example endpoints.`
			`- Map your detection coverage.`
			`- Map threat actor behaviours.`
			`- Compare visibility, detections and threat actor behaviours in order to uncover possible improvements in detection and visibility. This can help you to prioritise your blue teaming efforts.`

			`## Authors and contribution`
			`This project is developed and maintained by [Marcus Bakker](https://github.com/marcusbakker) (Twitter: [@bakker3m](https://twitter.com/bakk3rm)) and [Ruben Bouman](https://github.com/rubinatorz) (Twitter: [@rubenb_2](https://twitter.com/rubenb_2/)). Feel free to contact, DMs are open.`

			`We welcome contributions! Contributions can be both in code, as well as in ideas you might have for further development, usability improvements, etc.`

			`### Work of others`
			`Some functionality within Blue ATT&CK was inspired by work of`
			`others:`
			`- Roberto Rodriguez's work on data quality and scoring of ATT&CK techniques ([How Hot Is Your Hunt Team?](https://cyberwardog.blogspot.com/2017/07/how-hot-is-your-hunt-team.html), [Ready to hunt? First, Show me your data!](https://cyberwardog.blogspot.com/2017/12/ready-to-hunt-first-show-me-your-data.html)).`
			`- The MITRE ATT&CK Mapping project on GitHub:`
			`https://github.com/siriussecurity/mitre-attack-mapping.`

			`## Example`

			`YAML files are used for administrating scores and relevant metadata. All`
			`of which can be visualised by loading JSON layer files into the [ATT&CK Navigator](https://github.com/mitre-attack/attack-navigator) (some types of scores and metadata can also be written to Excel).`

			`See below an example of mapping your data sources to ATT&CK which gives you a rough overview of your visibility coverage:`

			`<img src="https://github.com/rabobank-cdc/Blue-ATTACK/wiki/images/example_data_sources.png" alt="Blue ATT&CK"><br>`


			`## Installation and requirements`

			`See our GitHub Wiki: [Installation and requirements](https://github.com/rabobank-cdc/Blue-ATTACK/wiki/Installation-and-requirements).`

			`## Future developments`

			`- Add more graphs:`
			`- [ ] Detections: improvement based on newly added detections and improvements on the level/score of existing detections. Possibly with a changelog with support for comments.`
			`- [ ] Visibility: improvement in the quality of an existing data source.`
			`- Groups:`
			`- [ ] Have groups YAML file type that contains a count on how popular a certain technique is. This can be very useful to map things such as Red Canary's [Threat Detection Report 2019](https://redcanary.com/resources/guides/threat-detection-report/).`
			`- Excel output for:`
			`- [ ] Techniques administration YAML file: visibility coverage`
			`- [ ] Techniques administration YAML file: detection coverage`
			`- Data quality Excel sheet:`
			`- [ ] Add colors to the data quality scores in the Excel sheet.`
			`- YAML files:`
			`- [ ] Create an option within the tool to migrate an old administration YAML file version to a new version (such as adding specific key-value pairs).`
			`- MITRE ATT&CK updates`
			`- [ ] Have a smart way of knowing what to update in your data source and technique administration files once MITRE releases updates.`
			`- [ ] Data sources: check for missing data sources in data sources administration files.`
			`- Minimal visibility`
			`- [ ] Integrate information into the framework on what a minimal set of visibility for a technique should be, before you can say to have useful visibility (e.g. technique X requires at least to have visibility on process monitoring, process command line monitoring and DLL monitoring.)`

			`## License: GPL-3.0`
			`[Blue ATT&CK's GNU General Public License v3.0](https://github.com/rabobank-cdc/Blue-ATTACK/blob/master/LICENSE)`