Skip to content

Getting started

Jump to bottom
Marcus Bakker edited this page Apr 9, 2019 · 38 revisions

At this section you will find instructions on how to start using the framework: How to use the framework

The Python tool supports two modes:

Command line

Besides a few optional arguments, DeTT&CT has five modes which are described in the help text below. Please note that each mode has a dedicated help function. For example, the help function for group can be shown using the following command: python dettact.py group -h

usage: dettact.py [-h] [--version] [-i]  ...

Detect Tactics, Techniques & Combat Threats

optional arguments:
  -h, --help         show this help message and exit
  --version          show program's version number and exit
  -i, --interactive  launch the interactive menu, which has support for all
                     modes

MODE:
  Select the mode to use. Every mode has its own arguments and help info
  displayed using: {visibility, detection, group, generic} --help


    datasource (ds)  data source mapping and quality
    visibility (v)   visibility coverage mapping based on techniques and data
                     sources
    detection (d)    detection coverage mapping based on techniques
    group (g)        threat actor group mapping
    generic (ge)     includes: statistics on ATT&CK data source and updates on
                     techniques, groups and software

Interactive menu

When using the interactive mode, a menu will be shown that allows you to browse through all functionality interactively.

                  -= DeTT&CT =-
-- Detect Tactics, Techniques & Combat Threats --
                   version 1.0

Select a mode:
1. Data source mapping
2. Visibility coverage mapping
3. Detection coverage mapping
4. Threat actor group mapping
5. Updates
6. Statistics
9. Quit
 >>

How to use the framework

Below are some examples to further explain how to use the framework. A general comment we would like to make: use the tool in the way it works best for you. For example, scoring every single technique within the ATT&CK Matrix can be a lot of work. You therefore may only score what you know at that time and what you want to communicate to others or want to verify/compare.

Score data quality

Start with scoring the quality of your data sources. This will later on be very useful in scoring visibility. More on scoring data quality can be found here: Data sources.

You can generate an Excel sheet containing all your data sources, attributes, notes and data quality scores:

python dettact.py ds -f sample-data/data-sources-endpoints.yaml -e

Map data sources

Generate an ATT&CK Navigator layer file based on data sources defined in the YAML file. Based on the amount of data sources, techniques are mapped and visualised in the layer file. This gives you a rough overview on your visibility coverage. Often, this is the first step in getting an overview on your actual visibility coverage.

python dettact.py ds -f sample-data/data-sources-endpoints.yaml -l

Score visibility

A next step can be to determine the exact visibility per technique. To help you with this, you can generate a techniques administration YAML file based on your data sources administration:

python dettact.py ds -f sample-data/data-sources-endpoints.yaml -y

Within this YAML file, you can score visibility per technique based on expert knowledge and the previously defined quality of your data sources (in this same YAML file you can also score detection). There are several reasons why manual scoring is required. For example:

  • You may have 1 data source available from the total 3 data sources mentioned within a particular ATT&CK technique. However, in some cases that single data source could not be sufficient for detection on that technique. And hence the visibility score based on number of data sources needs to be adjusted.
  • The quality of a particular data source is considered too low to be useful for visibility.
  • You do have a certain level of visibility on a technique. But this is based on a data source currently not mentioned within MITRE ATT&CK for that particular technique.

Visibility scores are rated from 0 to 4. The explanation on the scores can be found here: visibility scoring. Use the score that fits best.

Visibility coverage

Generate an ATT&CK Navigator layer file based on the technique administration in the YAML file. The visibility scores defined in the YAML file are also used to colour the techniques in the layer file. This gives you an overview of your visibility coverage:

python dettact.py v -ft sample-data/techniques-administration-endpoints.yaml -fd sample-data/data-sources-endpoints.yaml -l

Detection coverage

Generate an ATT&CK Navigator layer file based on the technique administration defined in the YAML file. The detection scores in the YAML file are also used to colour the techniques in the layer file. This gives you an overview of your detection coverage:

python dettact.py d -ft sample-data/techniques-administration-endpoints.yaml -l

Threat actor group heat map

Generate an ATT&CK Navigator layer file based on threat actor group data in ATT&CK. Or your own threat actor data stored in a YAML file. Please note that like all data there is bias. As very well explained by MITRE: Building an ATT&CK Sightings Ecosystem.

The below generated layer file contains a heat map based on all threat actor data within ATT&CK. The darker the colour in the heat map, the more often the technique is being used among groups:

python dettact.py g

It is also possible to create a heat map based on a subset of groups present in ATT&CK:

  • python dettact.py g -g 'fin7, cobalt group'

Or based on threat actor data you store in a YAML group administration file:

  • python dettact.py g -g sample-data/groups.yaml


Read the help for group on all available functionality. Including how threat actor groups can be compared: python dettact.py g -h

Compare visibility and detection coverage

It is possible to compare your visibility and detection coverage in one ATT&CK Navigator layer file. This will give you insight in where you have visibility, detection and both.

python dettact.py d -ft sample-data/techniques-administration-endpoints.yaml -fd sample-data/data-sources-endpoints.yaml -o

# or:

python dettact.py v -ft sample-data/techniques-administration-endpoints.yaml -fd sample-data/data-sources-endpoints.yaml -o

Compare group or red team exercise with detection/visibility coverage

A groups YAML file with either data on a red team exercise or a specific threat actor group can be compared with your detection or visibility. DeTT&CT can generate an ATT&CK Navigator layer file in which the differences are visually shown with a legend explaining the colours.

python dettact.py g -g sample-data/groups.yaml -o sample-data/techniques-administration-endpoints.yaml -t detection

Overview

  1. Home
  2. Introduction
  3. Installation and requirements
  4. Getting started / How to
  5. Changelog
  6. Future developments
  7. ICS - Inconsistencies

Data sources

  1. Introduction
  2. DeTT&CT data sources
  3. Data sources per platform
  4. Data quality
  5. Scoring data quality
  6. Improvement graph

Visibility Coverage

  1. Introduction
  2. Scoring visibility
  3. Improvement graph

Detection coverage

  1. Introduction
  2. Scoring detection
  3. Improvement graph

Threat actor group mapping

  1. Introduction

YAML administration files

  1. Introduction
  2. Data sources
  3. Techniques
  4. Groups
  5. DeTT&CT Editor

Clone this wiki locally