
Visibility coverage

ruben edited this page Nov 1, 2023 · 13 revisions

Blue teams need a good understanding of where they have visibility, how much visibility they have, and where they lack it. Using the YAML techniques administration file you can record the level of visibility you have on each ATT&CK technique.

Use DeTT&CT in the way that works best for you. Scoring every single technique in the ATT&CK Matrix for visibility can be a lot of work. You can therefore score only what you know at that time, and only what you want to communicate to others or want to verify/compare.

Getting started

A starting point to score your visibility could be to create a YAML techniques administration file based on your data sources, as explained in: How to use the framework: Score visibility. Of course, other approaches are possible.

It is also possible to automatically update your rough visibility scores when your data source administration YAML file changes (e.g. when you have added a new data source). For more info on this, see: Auto-update visibility scores and the use of the score_logbook.

What information can be recorded

You can record the following in the YAML techniques administration file:

  • The type of system(s) the visibility applies to (e.g. Windows endpoints, Windows servers, Linux servers, crown jewel x, etc.).
    • You can have multiple visibility objects per technique in the YAML file to allow detailed scoring of your visibility. This can be achieved using the applicable_to property.
    • We recommend using the same applicable_to values between your technique and your data source administration file.
  • A possible comment.
    • If you want a multiline comment in the Excel output, we recommend using the YAML | block scalar. For more info have a look at: https://yaml-multiline.info/.
  • A visibility score. More on this can be found here.
  • You can add anything else you want to record by adding your own key-value pairs.
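The structure described above, as an added example that is not DeTT&CT's own code: it works on the parsed form of a constructed technique administration file, takes the newest score_logbook entry per visibility object, breaks visibility down per applicable_to value, and lists the techniques where a given system type has no visibility. The score_logbook/applicable_to layout and the 0-3 visibility scale are assumed from DeTT&CT's documentation; all values are made up.

```python
# Constructed in-memory form of a DeTT&CT technique administration YAML file after
# parsing (assumed layout): each technique holds a list of visibility objects, each
# scoped by applicable_to and carrying a score_logbook. Values are made up.
TECHNIQUES_ADMIN = {
    "file_type": "technique-administration",
    "name": "endpoints-example",
    "techniques": [
        {"technique_id": "T1059", "technique_name": "Command and Scripting Interpreter",
         "visibility": [
             {"applicable_to": ["windows-endpoints"], "comment": "Process creation incl. command line.",
              "score_logbook": [{"date": "2023-01-10", "score": 1, "auto_generated": True},
                                {"date": "2023-09-01", "score": 3, "auto_generated": False}]},
             {"applicable_to": ["linux-servers"], "comment": "",
              "score_logbook": [{"date": "2023-09-01", "score": 0, "auto_generated": True}]}]},
        {"technique_id": "T1003", "technique_name": "OS Credential Dumping",
         "visibility": [
             {"applicable_to": ["windows-endpoints"], "comment": "",
              "score_logbook": [{"date": "2023-03-02", "score": 2, "auto_generated": True}]}]},
        {"technique_id": "T1110", "technique_name": "Brute Force",
         "visibility": [
             {"applicable_to": ["windows-endpoints", "linux-servers"], "comment": "Auth logs.",
              "score_logbook": [{"date": "2023-05-20", "score": 2, "auto_generated": False}]}]},
    ],
}


def latest_score(visibility_obj):
    """Score of the newest score_logbook entry (None if the logbook is empty)."""
    logbook = visibility_obj.get("score_logbook") or []
    if not logbook:
        return None
    # ISO date strings sort chronologically, so max() picks the newest entry.
    return max(logbook, key=lambda entry: str(entry["date"]))["score"]


def visibility_per_system(admin):
    """Map each applicable_to value to {technique_id: latest visibility score}."""
    result = {}
    for tech in admin["techniques"]:
        for vis in tech.get("visibility", []):
            for system in vis["applicable_to"]:
                result.setdefault(system, {})[tech["technique_id"]] = latest_score(vis)
    return result


def visibility_gaps(admin, system):
    """Techniques in the file where `system` has no visibility object or a score of 0."""
    scores = visibility_per_system(admin).get(system, {})
    return sorted(t["technique_id"] for t in admin["techniques"]
                  if scores.get(t["technique_id"]) is None or scores[t["technique_id"]] <= 0)
```

Running visibility_gaps on a real administration file per applicable_to value gives you the list of techniques to score next, or to feed into the auto-update of rough scores once a data source is added.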

Visualise in the ATT&CK Navigator

To generate a layer file for the ATT&CK Navigator based on the technique administration file you can run the following command:

python dettect.py v -ft sample-data/techniques-administration-endpoints.yaml -l

[Screenshot: DeTT&CT - Visibility coverage]

Excel output

You can generate an Excel sheet containing all information within the YAML file on your visibility:

python dettect.py v -ft sample-data/techniques-administration-endpoints.yaml --excel

[Screenshot: DeTT&CT - Visibility Excel output]