Detect Tactics, Techniques & Combat Threats
 
 
 
 
 
 
Go to file
Marcus Bakker e55e597e34 Updated to version 1.1 2019-04-23 13:51:46 +02:00
sample-data Updated to version 1.1 2019-04-23 13:51:46 +02:00
LICENSE initial commit 2019-03-29 15:26:25 +01:00
README.md Rename to DeTT&CT 2019-04-08 07:35:12 +02:00
constants.py Moved all constants to its own file 2019-04-23 13:13:07 +02:00
data_source_mapping.py Added support for tech. admin. file version 1.1 2019-04-23 13:22:03 +02:00
dettact.py Added applicable_to parameter in command line arguments and interactive menu, to filter on this field while generating a layer file. 2019-04-18 15:32:35 +02:00
generic.py Added functionality to migrate technique administration YAML files with version 1.0 to version 1.1 2019-04-23 13:19:29 +02:00
group_mapping.py Fixed a bug that would cause a crash when doing a software-group using a visibility or detection overlay 2019-04-23 13:21:27 +02:00
interactive_menu.py Added functionality to migrate technique administration YAML files with version 1.0 to version 1.1 2019-04-23 13:19:29 +02:00
requirements.txt initial commit 2019-03-29 15:26:25 +01:00
scoring_table.xlsx Corrections/improvements on the data quality, visibility and detection scores. 2019-04-02 12:33:16 +02:00
technique_mapping.py Fixed a bug that would cause a crash when the 'score' key-value pair had not value assigned 2019-04-23 13:29:27 +02:00
upgrade.py Added functionality to migrate technique administration YAML files with version 1.0 to version 1.1 2019-04-23 13:19:29 +02:00

README.md

DeTT&CT

Detect Tactics, Techniques & Combat Threats

To get started with DeTT&CT, check out the Wiki.

DeTT&CT will help blue teams in scoring and comparing data source quality, visibility coverage, detection coverage and threat actor behaviours. The DeTT&CT framework consists of a Python tool, YAML administration files and scoring tables for the different aspects.

DeTT&CT will help you to:

  • Administrate and score the quality of your data sources.
  • Get insight on the visibility you have on for example endpoints.
  • Map your detection coverage.
  • Map threat actor behaviours.
  • Compare visibility, detections and threat actor behaviours in order to uncover possible improvements in detection and visibility. This can help you to prioritise your blue teaming efforts.

The coloured visualisations are created with the help of MITRE's ATT&CK™ Navigator.

Authors and contribution

This project is developed and maintained by Marcus Bakker (Twitter: @bakker3m) and Ruben Bouman (Twitter: @rubenb_2). Feel free to contact, DMs are open.

We welcome contributions! Contributions can be both in code, as well as in ideas you might have for further development, usability improvements, etc.

Work of others

Some functionality within DeTT&CT was inspired by work of others:

Example

YAML files are used for administrating scores and relevant metadata. All of which can be visualised by loading JSON layer files into the ATT&CK Navigator (some types of scores and metadata can also be written to Excel).

See below an example of mapping your data sources to ATT&CK which gives you a rough overview of your visibility coverage:

DeTT&CT

Installation and requirements

See our GitHub Wiki: Installation and requirements.

Future developments

  • Add more graphs:
    • Detections: improvement based on newly added detections and improvements on the level/score of existing detections. Possibly with a changelog.
    • Visibility: improvement in the quality of an existing data source.
  • Groups:
    • Have a group YAML file type that contains a count on how popular a certain technique is. This can be very useful to map things such as Red Canary's Threat Detection Report 2019.
  • Excel output for:
    • Techniques administration YAML file: visibility coverage.
    • Techniques administration YAML file: detection coverage.
  • Data quality Excel sheet:
    • Add colours to the data quality scores in the Excel sheet.
  • YAML files:
    • Create an option within the tool to migrate an old administration YAML file version to a new version (such as adding specific key-value pairs).
  • MITRE ATT&CK updates
    • Have a smart way of knowing what to update in your data source and technique administration files once MITRE publishes updates.
    • Data sources: check for missing data sources in data sources administration files.
  • Minimal visibility
    • Integrate information into the framework on what a minimal set of visibility for a technique should be, before you can say to have useful visibility (e.g. technique X requires at least to have visibility on process monitoring, process command line monitoring and DLL monitoring).

License: GPL-3.0

DeTT&CT's GNU General Public License v3.0