DeTTECT

Detect Tactics, Techniques & Combat Threats

Go to file

Marcus Bakker 70a33fc018 update on text		2019-05-23 09:43:07 +02:00
sample-data	fixed a typo in T1171	2019-05-22 10:00:27 +02:00
threat-actor-data	Renamed the .yaml file and created Navigator layers.	2019-05-16 13:30:42 +02:00
LICENSE	initial commit	2019-03-29 15:26:25 +01:00
README.md	update on text	2019-05-23 09:43:07 +02:00
constants.py	Created 3 constants for overlay_type	2019-05-02 20:15:43 +02:00
data_source_mapping.py	Added support for multiple detections and visibility per technique in the technique administration YAML file.	2019-05-02 13:21:01 +02:00
dettact.py	Fixt a small bug causing an exception in the data source menu	2019-05-23 09:36:03 +02:00
generic.py	removed an unnecessary print statement	2019-05-23 09:37:08 +02:00
group_mapping.py	- The health function now checks for very similar values within the key-value pair 'applicable_to'. E.g. 'server' and 'servers'.	2019-05-19 14:10:25 +02:00
interactive_menu.py	fixed a typo	2019-05-20 14:54:16 +02:00
requirements.txt	initial commit	2019-03-29 15:26:25 +01:00
scoring_table.xlsx	Corrections/improvements on the data quality, visibility and detection scores.	2019-04-02 12:33:16 +02:00
technique_mapping.py	fixed a typo	2019-05-20 14:54:16 +02:00
upgrade.py	Hide some functions	2019-04-23 14:19:25 +02:00

README.md

Detect Tactics, Techniques & Combat Threats

Latest version: 1.1.1

To get started with DeTT&CT, check out the Wiki.

DeTT&CT aims to assist blue teams using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours. All of which can help, in different ways, to get more resilient against attacks targeting your organisation. The DeTT&CT framework consists of a Python tool, YAML administration files and scoring tables for the different aspects.

DeTT&CT provides the following functionality:

Administrate and score the quality of your data sources.
Get insight on the visibility you have on for example endpoints.
Map your detection coverage.
Map threat actor behaviours.
Compare visibility, detections and threat actor behaviours in order to uncover possible improvements in detection and visibility. This can help you to prioritise your blue teaming efforts.

The coloured visualisations are created with the help of MITRE's ATT&CK™ Navigator.

Authors and contribution

This project is developed and maintained by Marcus Bakker (Twitter: @bakker3m) and Ruben Bouman (Twitter: @rubenb_2). Feel free to contact, DMs are open.

We welcome contributions! Contributions can be both in code, as well as in ideas you might have for further development, usability improvements, etc.

Work of others

Some functionality within DeTT&CT was inspired by work of others:

Roberto Rodriguez's work on data quality and scoring of MITRE ATT&CK™ techniques (How Hot Is Your Hunt Team?, Ready to hunt? First, Show me your data!).
The MITRE ATT&CK Mapping project on GitHub: https://github.com/siriussecurity/mitre-attack-mapping.

Example

YAML files are used for administrating scores and relevant metadata. All of which can be visualised by loading JSON layer files into the ATT&CK Navigator (some types of scores and metadata can also be written to Excel).

See below an example of mapping your data sources to ATT&CK which gives you a rough overview of your visibility coverage:

Installation and requirements

See our GitHub Wiki: Installation and requirements.

License: GPL-3.0

DeTT&CT's GNU General Public License v3.0