Visibility coverage
Blue teams need to have a good understanding of where they have visibility, the level of visibility and where they lack visibility. Using the YAML techniques administration file you can administrate the level of visibility you have on ATT&CK techniques.
Use DeTT&CT in the way it works best for you. Scoring every single technique for visibility within the ATT&CK Matrix can be a lot of work. Therefore you may only score what you know at that time and what you want to communicate with others or want to verify/compare.
A starting point to score your visibility could be to create a YAML techniques administration file based on your data sources, as explained in: How to use the framework: Score visibility. Of course, other approaches are possible.
Automatically updating your rough visibility scores when there are changes within your data source administration YAML file (e.g. you have added a new data source) is also possible. For more info on the latter see: Auto-update visibility scores and the use of the score_logbook.
You can record the following in the YAML techniques administration file:
- The type of system(s) the visibility applies to (e.g. Windows endpoints, Windows servers, Linux servers, crown jewel x, etc.).
  - You can have multiple visibility objects per technique in the YAML file to allow detailed scoring of your visibility. This can be achieved using the `applicable_to` property.
  - We recommend using the same `applicable_to` values between your technique and your data source administration file.
- A possible comment.
  - If you want to have a multiline comment in the Excel output, we recommend making use of `|`. For more info have a look at: https://yaml-multiline.info/.
- A visibility score. More on this can be found here.
  - You can keep track of changes in the score by having multiple `score` objects within a `score_logbook`. See for example ATT&CK technique T1568 in the sample technique administration file.
- You can add anything else you want to record by adding your own key-value pairs.
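As an added example (not DeTT&CT's own code), the following reads the visibility objects described above, takes the newest `score` from each `score_logbook` per `applicable_to` value, and lists `applicable_to` values that the data source administration file does not use. The sample data is constructed; the `technique_id` and `date` keys are assumptions about the file layout, the rest follows the fields named on this page.

```python
# Added example, not DeTT&CT's own code: per technique and applicable_to value,
# take the newest score in the visibility score_logbook, and flag applicable_to
# values that the data source administration file does not use.
from datetime import date

# Constructed sample mirroring the YAML layout described above, as yaml.safe_load
# would return it; technique_id and date keys are assumptions, the rest is from the page.
TECHNIQUES_ADMIN = {"techniques": [
    {"technique_id": "T1568", "visibility": [
        {"applicable_to": ["Windows endpoints"],
         "comment": "Proxy logs only.\nNo DNS logging yet.\n",  # written with '|' in YAML
         "score_logbook": [{"date": date(2019, 1, 1), "score": 1},
                           {"date": date(2020, 6, 15), "score": 2}]}]},
    {"technique_id": "T1059", "visibility": [
        {"applicable_to": ["Windows endpoints"], "comment": "",
         "score_logbook": [{"date": date(2020, 1, 1), "score": 3}]},
        {"applicable_to": ["Linux servers"], "comment": "",
         "score_logbook": [{"date": date(2020, 1, 1), "score": 1}]}]},
]}

# applicable_to values used in the (constructed) data source administration file
DATA_SOURCE_APPLICABLE_TO = {"Windows endpoints", "Windows servers"}


def latest_visibility_scores(admin):
    """Return {(technique_id, applicable_to): score} from each logbook's newest entry."""
    result = {}
    for tech in admin["techniques"]:
        for vis in tech.get("visibility", []):
            newest = max(vis["score_logbook"], key=lambda entry: entry["date"])
            for target in vis["applicable_to"]:
                result[(tech["technique_id"], target)] = newest["score"]
    return result


def applicable_to_mismatches(admin, known):
    """applicable_to values used for visibility that the data source file lacks."""
    used = {t for tech in admin["techniques"]
            for vis in tech.get("visibility", []) for t in vis["applicable_to"]}
    return sorted(used - known)


if __name__ == "__main__":
    for key, score in sorted(latest_visibility_scores(TECHNIQUES_ADMIN).items()):
        print(key, score)
    print("applicable_to not in data source file:",
          applicable_to_mismatches(TECHNIQUES_ADMIN, DATA_SOURCE_APPLICABLE_TO))
```

A mismatch reported by the second function usually means a visibility object will not line up with the data sources that should back it, which is the reason the page recommends shared `applicable_to` values.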
To generate a layer file for the ATT&CK Navigator based on the technique administration file you can run the following command:
python dettect.py v -ft sample-data/techniques-administration-endpoints.yaml -l
You can generate an Excel sheet containing all information within the YAML file on your visibility:
python dettect.py v -ft sample-data/techniques-administration-endpoints.yaml --excel