Rename to DeTT&CT

master
Marcus Bakker 2019-04-08 07:24:38 +02:00
parent be6fab4af5
commit a90e03b2ea
3 changed files with 19 additions and 19 deletions

@ -1,14 +1,14 @@
<img src="https://github.com/rabobank-cdc/Blue-ATTACK/wiki/images/logo.png" alt="Blue ATT&CK" width=20% height=20%> <img src="https://github.com/rabobank-cdc/DeTTACT/wiki/images/logo.png" alt="DeTT&CT" width=20% height=20%>
# Blue ATT&CK # DeTT&CT
#### Mapping your blue team to ATT&CK #### Detect Tactics, Techniques & Combat Threats
To get started with Blue ATT&CK, check out the To get started with DeTT&CT, check out the
[Wiki](https://github.com/rabobank-cdc/Blue-ATTACK/wiki/Getting-started). [Wiki](https://github.com/rabobank-cdc/DeTTACT/wiki/Getting-started).
Blue ATT&CK will help blue teams in scoring and comparing data source quality, visibility coverage, detection coverage and threat actor behaviours. The Blue ATT&CK framework consists of a Python tool, YAML administration files and [scoring tables](https://github.com/rabobank-cdc/Blue-ATTACK/raw/master/scoring_table.xlsx) for the different aspects. DeTT&CT will help blue teams in scoring and comparing data source quality, visibility coverage, detection coverage and threat actor behaviours. The DeTT&CT framework consists of a Python tool, YAML administration files and [scoring tables](https://github.com/rabobank-cdc/DeTTACT/raw/master/scoring_table.xlsx) for the different aspects.
Blue ATT&CK will help you to: DeTT&CT will help you to:
- Administrate and score the quality of your data sources. - Administrate and score the quality of your data sources.
- Get insight on the visibility you have on for example endpoints. - Get insight on the visibility you have on for example endpoints.
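Review bot: every link in this hunk (the logo `<img src>` on the first line, the Wiki link and the `scoring_table.xlsx` raw link) now points at `rabobank-cdc/DeTTACT`, so this change only works once the repository itself has been renamed; until then these URLs 404. The wiki image path deserves a separate check after the rename, because a GitHub wiki is served from its own git repository and its image URLs do not necessarily follow the main repository's redirect. Worth confirming that the `Getting-started` wiki page still resolves under the new name.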
@ -16,7 +16,7 @@ Blue ATT&CK will help you to:
- Map threat actor behaviours. - Map threat actor behaviours.
- Compare visibility, detections and threat actor behaviours in order to uncover possible improvements in detection and visibility. This can help you to prioritise your blue teaming efforts. - Compare visibility, detections and threat actor behaviours in order to uncover possible improvements in detection and visibility. This can help you to prioritise your blue teaming efforts.
The colored visualisations are created with the help of MITRE's [ATT&CK Navigator](https://github.com/mitre-attack/attack-navigator). The coloured visualisations are created with the help of MITRE's [ATT&CK Navigator](https://github.com/mitre-attack/attack-navigator).
## Authors and contribution ## Authors and contribution
This project is developed and maintained by [Marcus Bakker](https://github.com/marcusbakker) (Twitter: [@bakker3m](https://twitter.com/bakk3rm)) and [Ruben Bouman](https://github.com/rubinatorz) (Twitter: [@rubenb_2](https://twitter.com/rubenb_2/)). Feel free to contact, DMs are open. This project is developed and maintained by [Marcus Bakker](https://github.com/marcusbakker) (Twitter: [@bakker3m](https://twitter.com/bakk3rm)) and [Ruben Bouman](https://github.com/rubinatorz) (Twitter: [@rubenb_2](https://twitter.com/rubenb_2/)). Feel free to contact, DMs are open.
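Review bot: the unchanged author line in this hunk links the display text `@bakker3m` to `https://twitter.com/bakk3rm`; the handle in the text and the handle in the URL do not match, so one of them is a typo, and since this commit already touches the README it is a good moment to make them consistent. The `colored` to `coloured` change is fine and matches the British spelling used elsewhere in the file (`visualisations`, `behaviours`, `prioritise`).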
@ -24,9 +24,9 @@ This project is developed and maintained by [Marcus Bakker](https://github.com/m
We welcome contributions! Contributions can be both in code, as well as in ideas you might have for further development, usability improvements, etc. We welcome contributions! Contributions can be both in code, as well as in ideas you might have for further development, usability improvements, etc.
### Work of others ### Work of others
Some functionality within Blue ATT&CK was inspired by work of Some functionality within DeTT&CT was inspired by work of
others: others:
- Roberto Rodriguez's work on data quality and scoring of ATT&CK techniques ([How Hot Is Your Hunt Team?](https://cyberwardog.blogspot.com/2017/07/how-hot-is-your-hunt-team.html), [Ready to hunt? First, Show me your data!](https://cyberwardog.blogspot.com/2017/12/ready-to-hunt-first-show-me-your-data.html)). - Roberto Rodriguez's work on data quality and scoring of MITRE ATT&CK techniques ([How Hot Is Your Hunt Team?](https://cyberwardog.blogspot.com/2017/07/how-hot-is-your-hunt-team.html), [Ready to hunt? First, Show me your data!](https://cyberwardog.blogspot.com/2017/12/ready-to-hunt-first-show-me-your-data.html)).
- The MITRE ATT&CK Mapping project on GitHub: - The MITRE ATT&CK Mapping project on GitHub:
https://github.com/siriussecurity/mitre-attack-mapping. https://github.com/siriussecurity/mitre-attack-mapping.
@ -37,12 +37,12 @@ of which can be visualised by loading JSON layer files into the [ATT&CK Navigato
See below an example of mapping your data sources to ATT&CK which gives you a rough overview of your visibility coverage: See below an example of mapping your data sources to ATT&CK which gives you a rough overview of your visibility coverage:
<img src="https://github.com/rabobank-cdc/Blue-ATTACK/wiki/images/example_data_sources.png" alt="Blue ATT&CK"><br> <img src="https://github.com/rabobank-cdc/DeTTACT/wiki/images/example_data_sources.png" alt="DeTT&CT"><br>
## Installation and requirements ## Installation and requirements
See our GitHub Wiki: [Installation and requirements](https://github.com/rabobank-cdc/Blue-ATTACK/wiki/Installation-and-requirements). See our GitHub Wiki: [Installation and requirements](https://github.com/rabobank-cdc/DeTTACT/wiki/Installation-and-requirements).
## Future developments ## Future developments
@ -55,7 +55,7 @@ See our GitHub Wiki: [Installation and requirements](https://github.com/rabobank
- [ ] Techniques administration YAML file: visibility coverage. - [ ] Techniques administration YAML file: visibility coverage.
- [ ] Techniques administration YAML file: detection coverage. - [ ] Techniques administration YAML file: detection coverage.
- Data quality Excel sheet: - Data quality Excel sheet:
- [ ] Add colors to the data quality scores in the Excel sheet. - [ ] Add colours to the data quality scores in the Excel sheet.
- YAML files: - YAML files:
- [ ] Create an option within the tool to migrate an old administration YAML file version to a new version (such as adding specific key-value pairs). - [ ] Create an option within the tool to migrate an old administration YAML file version to a new version (such as adding specific key-value pairs).
- MITRE ATT&CK updates - MITRE ATT&CK updates
@ -65,5 +65,5 @@ See our GitHub Wiki: [Installation and requirements](https://github.com/rabobank
- [ ] Integrate information into the framework on what a minimal set of visibility for a technique should be, before you can say to have useful visibility (e.g. technique X requires at least to have visibility on process monitoring, process command line monitoring and DLL monitoring). - [ ] Integrate information into the framework on what a minimal set of visibility for a technique should be, before you can say to have useful visibility (e.g. technique X requires at least to have visibility on process monitoring, process command line monitoring and DLL monitoring).
## License: GPL-3.0 ## License: GPL-3.0
[Blue ATT&CK's GNU General Public License v3.0](https://github.com/rabobank-cdc/Blue-ATTACK/blob/master/LICENSE) [DeTT&CT's GNU General Public License v3.0](https://github.com/rabobank-cdc/DeTTACT/blob/master/LICENSE)

@ -9,8 +9,8 @@ def init_menu():
Initialise the command line parameter menu. Initialise the command line parameter menu.
:return: :return:
""" """
menu_parser = argparse.ArgumentParser(description='Create MITRE ATT&CK layers for visibility, detection and groups.', menu_parser = argparse.ArgumentParser(description='Detect Tactics, Techniques & Combat Threats',
epilog='Source: https://github.com/rabobank-cdc/Blue-ATTACK') epilog='Source: https://github.com/rabobank-cdc/DeTTACT')
menu_parser.add_argument('--version', action='version', version='%(prog)s ' + VERSION) menu_parser.add_argument('--version', action='version', version='%(prog)s ' + VERSION)
menu_parser.add_argument('-i', '--interactive', help='launch the interactive menu, which has support for all modes', menu_parser.add_argument('-i', '--interactive', help='launch the interactive menu, which has support for all modes',
action='store_true') action='store_true')
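Review bot: the new `description=` drops the only sentence that told a user what the tool does (`Create MITRE ATT&CK layers for visibility, detection and groups.`) and replaces it with the project tagline, so `--help` output becomes less informative. Consider keeping a functional description and carrying the tagline alongside it, e.g. `description='DeTT&CT: create MITRE ATT&CK layers for visibility, detection and groups.'`. The same tagline literal is also introduced as `APP_DESC` in the constants change of this commit; `VERSION` is already referenced on the `--version` line here, so using `APP_DESC` from the same import instead of a second copy of the string would keep the two from drifting apart.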

@ -2,10 +2,10 @@ import os
import pickle import pickle
from datetime import datetime as dt from datetime import datetime as dt
import yaml import yaml
# Import for attackcti is because of performance reasons in the function that uses this library. # Due to performance reasons the import of attackcti is within the function that makes use of this library.
APP_NAME = 'Blue ATT&CK' APP_NAME = 'DeTT&CT'
APP_DESC = 'Mapping your blue team to ATT&CK' APP_DESC = 'Detect Tactics, Techniques & Combat Threats'
VERSION = '1.0' VERSION = '1.0'
EXPIRE_TIME = 60*60*24 EXPIRE_TIME = 60*60*24
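Review bot: the reworded comment on the `attackcti` line reads awkwardly; `For performance reasons, attackcti is imported inside the function that uses it` says the same thing more directly. Minor: `VERSION` stays at `'1.0'` across the rename, so if anything has already been published under the old `Blue ATT&CK` name, bumping it here would let `--version` output distinguish the two.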