Detect Tactics, Techniques & Combat Threats
 
 
 
 
 
 
Go to file
Marcus Bakker 965ecc2a5b Added intel from Cisco Talos 2020-09-10 20:07:41 +02:00
.github/workflows Switched Actions to another branch 2020-07-23 13:49:32 +02:00
editor Moved the ATT&CK refresh script to a better location 2020-07-21 08:10:24 +02:00
mitre-data Updated to the newest version from MITRE. T1059.007 was missing. 2020-07-17 08:57:48 +02:00
sample-data Added techniques in the ransomware campaign 2020-09-10 20:05:18 +02:00
threat-actor-data Added intel from Cisco Talos 2020-09-10 20:07:41 +02:00
.dockerignore Added .github/ 2020-07-16 21:55:35 +02:00
.gitignore Added multiple entries for the DeTT&CT Editor 2020-03-17 14:38:05 +01:00
Dockerfile Bumped the version number to 1.4.0 2020-06-25 21:54:35 +02:00
LICENSE initial commit 2019-03-29 15:26:25 +01:00
README.md Bumped the version number to 1.4.0 2020-06-25 21:54:35 +02:00
constants.py Modified some regexes to support sub-techniques and bumped the version to 1.4 2020-06-25 20:48:51 +02:00
data_source_mapping.py Bugfix for crash on null date in visibility score_logbook while updating techniques file based on data source file. 2020-07-16 12:34:48 +02:00
dettect.py Fixed a typo 2020-07-10 08:14:51 +02:00
editor.py editor rename, print message when running editor.py 2020-03-10 08:48:03 +01:00
eql_yaml.py Made the date kv-pairs compatible with the YAML GUI 2020-02-10 21:57:35 +01:00
generic.py Removed tactic level (not necessary), fixed bug for showing data sources in metadata of visibility layer, fixed bug for setting showSubtechniques 2020-07-13 12:21:23 +02:00
group_mapping.py Bugfix for not showing all groups in groups layer metadata 2020-07-13 14:31:23 +02:00
health.py Bugfix that caused a crash when having an empty 'location' kv-pair. 2020-05-29 09:55:47 +02:00
interactive_menu.py Removed several unnecessary statements 2020-06-19 09:22:54 +02:00
requirements.txt Updated the packages to their latest version 2020-05-29 09:20:08 +02:00
scoring_table.xlsx Changed the colour for detection score 0 (forensics) 2020-06-18 08:57:03 +02:00
technique_mapping.py Removed tactic level (not necessary), fixed bug for showing data sources in metadata of visibility layer, fixed bug for setting showSubtechniques 2020-07-13 12:21:23 +02:00
upgrade.py Only show message about sub-techniques added when there's a detection score and visibility score is not auto_generated 2020-07-10 12:27:26 +02:00

README.md

DeTT&CT

Detect Tactics, Techniques & Combat Threats

Latest version: 1.4.0

To get started with DeTT&CT, check out this page, our talk at hack.lu 2019 and our blog on:

DeTT&CT aims to assist blue teams using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours. All of which can help, in different ways, to get more resilient against attacks targeting your organisation. The DeTT&CT framework consists of a Python tool, YAML administration files, the DeTT&CT Editor and scoring tables for the different aspects.

DeTT&CT provides the following functionality:

  • Administrate and score the quality of your data sources.
  • Get insight on the visibility you have on for example endpoints.
  • Map your detection coverage.
  • Map threat actor behaviours.
  • Compare visibility, detections and threat actor behaviours to uncover possible improvements in detection and visibility. This can help you to prioritise your blue teaming efforts.

The coloured visualisations are created with the help of MITRE's ATT&CK™ Navigator.

Authors and contributions

This project is developed and maintained by Marcus Bakker (Twitter: @bakk3rm) and Ruben Bouman (Twitter: @rubenb_2). Feel free to contact, DMs are open.

We welcome contributions! Contributions can be both in code, as well as in ideas you might have for further development, usability improvements, etc.

Work of others

Some functionality within DeTT&CT was inspired by the work of others:

Example

YAML files are used for administrating scores and relevant metadata. All of which can be visualised by loading JSON layer files into the ATT&CK Navigator (some types of scores and metadata can also be written to Excel).

See below an example of mapping your data sources to ATT&CK, which gives you a rough overview of your visibility coverage:

DeTT&CT - Data quality

Installation and requirements

See our GitHub Wiki: Installation and requirements.

License: GPL-3.0

DeTT&CT's GNU General Public License v3.0