DeTTECT

Detect Tactics, Techniques & Combat Threats

Go to file

GitHub Action c78e6b35a2 New build of the Editor		2021-03-01 18:00:58 +00:00
.github/workflows	Added new action for auto-update of the Wiki Help-texts.md	2020-11-01 10:59:37 +01:00
editor	New build of the Editor	2021-03-01 18:00:58 +00:00
mitre-data	Updated to the newest version from MITRE. T1059.007 was missing.	2020-07-17 08:57:48 +02:00
sample-data	Added new data sources	2020-10-31 11:14:02 +01:00
threat-actor-data	Added intel from Cisco Talos	2020-09-10 20:07:41 +02:00
.dockerignore	Added .github/	2020-07-16 21:55:35 +02:00
.gitignore	Added multiple entries for the DeTT&CT Editor	2020-03-17 14:38:05 +01:00
Dockerfile	Bumped the version number	2020-10-30 21:16:51 +01:00
LICENSE	initial commit	2019-03-29 15:26:25 +01:00
README.md	Update on the text	2021-02-25 17:56:22 +01:00
constants.py	Bumped the version number	2020-10-30 21:16:51 +01:00
data_source_mapping.py	Removed support for PRE-ATT&CK from the Group mode	2020-10-31 21:01:09 +01:00
dettect.py	Removed support for PRE-ATT&CK from the Group mode	2020-10-31 21:01:09 +01:00
editor.py	editor rename, print message when running editor.py	2020-03-10 08:48:03 +01:00
eql_yaml.py	Moved the function _traverse_dict to generic.py	2020-10-12 12:04:21 +02:00
generic.py	Improved exception handling for MITRE's CTI TAXII server connection problems	2021-02-13 13:27:51 +01:00
group_mapping.py	bugfix for issue #40	2020-12-21 15:23:21 +01:00
health.py	Fixed a bug regarding the 'platform' kv-pair value 'all'	2020-10-31 11:13:30 +01:00
interactive_menu.py	bugfix for issue #40	2020-12-21 15:23:21 +01:00
requirements.txt	Updated the dependencies	2020-11-04 11:09:53 +01:00
scoring_table.xlsx	Changed the colour for detection score 0 (forensics)	2020-06-18 08:57:03 +02:00
technique_mapping.py	Added support for Navigator 4.1 and the metada divider	2020-12-21 16:52:56 +01:00
upgrade.py	Only show message about sub-techniques added when there's a detection score and visibility score is not auto_generated	2020-07-10 12:27:26 +02:00

README.md

Detect Tactics, Techniques & Combat Threats

Latest version: 1.4.2

To get started with DeTT&CT, check out one of these resources:

This page on the Wiki.
Our talk at hack.lu 2019.
Blog: mbsecure.nl/blog/2019/5/dettact-mapping-your-blue-team-to-mitre-attack or
Blog: siriussecurity.nl/blog/2019/5/8/mapping-your-blue-team-to-mitre-attack.
The video from Justin Henderson on data source visibility and mapping.

DeTT&CT aims to assist blue teams using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours. All of which can help, in different ways, to get more resilient against attacks targeting your organisation. The DeTT&CT framework consists of a Python tool, YAML administration files, the DeTT&CT Editor and scoring tables for the different aspects.

DeTT&CT provides the following functionality:

Administrate and score the quality of your data sources.
Get insight on the visibility you have on for example endpoints.
Map your detection coverage.
Map threat actor behaviours.
Compare visibility, detections and threat actor behaviours to uncover possible improvements in detection and visibility. This can help you to prioritise your blue teaming efforts.

The coloured visualisations are created with the help of MITRE's ATT&CK™ Navigator.

Authors and contributions

This project is developed and maintained by Marcus Bakker (Twitter: @bakk3rm) and Ruben Bouman (Twitter: @rubenb_2). Feel free to contact, DMs are open.

We welcome contributions! Contributions can be both in code, as well as in ideas you might have for further development, usability improvements, etc.

Work of others

Some functionality within DeTT&CT was inspired by the work of others:

Roberto Rodriguez's work on data quality and scoring of MITRE ATT&CK™ techniques (How Hot Is Your Hunt Team?, Ready to hunt? First, Show me your data!).
The MITRE ATT&CK Mapping project on GitHub: https://github.com/siriussecurity/mitre-attack-mapping.

Example

YAML files are used for administrating scores and relevant metadata. All of which can be visualised by loading JSON layer files into the ATT&CK Navigator (some types of scores and metadata can also be written to Excel).

See below an example of mapping your data sources to ATT&CK, which gives you a rough overview of your visibility coverage:

Installation and requirements

See our GitHub Wiki: Installation and requirements.

License: GPL-3.0

DeTT&CT's GNU General Public License v3.0