DeTT&CT data sources

Marcus Bakker edited this page Dec 20, 2021 · 1 revision

DeTT&CT extends the native ATT&CK data sources with four additional ones, which we call the DeTT&CT data sources: Web, Email, Internal DNS and DHCP. These data sources significantly improve the automatic calculation of rough visibility, which is based on the number of data sources available per technique. In addition, they make it possible to score and administrate these important data sources separately.

Why custom data sources?

We introduced these data sources to have more specific data sources available for the ATT&CK data component Network Traffic Content. Network Traffic Content covers all kinds of protocols, such as DHCP, DNS, FTP, HTTP and SMTP. However, given how data sources are used in DeTT&CT, this breadth creates a challenge.

For example, when scoring Network Traffic Content in DeTT&CT, you may score it from the perspective of web proxy logs. Because Network Traffic Content also covers email (among many other things), this results in an inaccurate rough visibility overview when you do not have email logs at your disposal.

Therefore, we concluded that it's very desirable to have custom data sources for the most common and most used network-related data sources: Web, Email, Internal DNS and DHCP. The advantages are:

  • The capability to score and administrate these important data sources separately (instead of all being part of Network Traffic Content).
  • A far more accurate rough visibility overview (based on the number of data sources you have available per technique).

How are DeTT&CT data sources mapped to Techniques?

For every (sub-)technique with Network Traffic Content as a data component, we manually determine whether it needs to be supplemented with one or more DeTT&CT data sources. A technique can therefore have both DeTT&CT data sources and Network Traffic Content. An example is T1572/Protocol Tunneling, which lists Web (HTTP), Internal DNS and Network Traffic Content as data sources. Network Traffic Content is kept because Protocol Tunneling can also be performed using protocols other than DNS and HTTP.

This process of mapping DeTT&CT data sources to (sub-)techniques could also result in Network Traffic Content no longer being part of a technique. That is because some techniques belong specifically to one or multiple DeTT&CT data sources. For example, T1071.001/Web Protocols has only Web as a data source. Network Traffic Content is not included because Web suffices, and adding it would give a less accurate rough visibility score.

You can find the result of this exercise within this Excel file (which is automatically translated to a JSON file so that it can easily be consumed by the DeTT&CT CLI).
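The effect described above (a web-proxy-only organisation over-estimating its visibility on email-related techniques) can be made concrete with a small calculation. This is an added illustration, not DeTT&CT's own code: the technique-to-data-source mapping is a constructed excerpt (T1572 and T1071.001 follow the text above; the Email mapping for T1071.003 is assumed), and the scoring rule (fraction of required data sources available) is a simplified stand-in for DeTT&CT's actual rough visibility calculation.

```python
"""Compare a rough visibility estimate with and without the DeTT&CT data sources.

Assumptions (not from the DeTT&CT project):
- MAPPING_NATIVE / MAPPING_DETTECT are a constructed excerpt of the mapping.
- rough_visibility() uses a simplified rule: fraction of a technique's
  required data sources that are available.
"""

# Data sources per technique as ATT&CK lists them (constructed excerpt).
MAPPING_NATIVE = {
    "T1071.001": {"Network Traffic Content"},                          # Web Protocols
    "T1071.003": {"Network Traffic Content"},                          # Mail Protocols
    "T1572": {"Network Traffic Content", "Network Traffic Flow"},      # Protocol Tunneling
}

# The same techniques after supplementing with DeTT&CT data sources.
# T1071.001 -> Web and T1572 -> Web + Internal DNS + NTC follow the wiki text;
# T1071.003 -> Email is an assumed example of the same mapping exercise.
MAPPING_DETTECT = {
    "T1071.001": {"Web"},
    "T1071.003": {"Email"},
    "T1572": {"Web", "Internal DNS", "Network Traffic Content", "Network Traffic Flow"},
}


def rough_visibility(required, available):
    """Simplified score: share of the technique's required data sources
    that the organisation has available (0.0 .. 1.0)."""
    if not required:
        return 0.0
    return len(required & available) / len(required)


def compare(available):
    """Return {technique: (native score, DeTT&CT score)} for the available set."""
    return {
        tid: (
            rough_visibility(MAPPING_NATIVE[tid], available),
            rough_visibility(MAPPING_DETTECT[tid], available),
        )
        for tid in MAPPING_NATIVE
    }


if __name__ == "__main__":
    # An organisation with only web proxy logs that scored Network Traffic
    # Content from that perspective: Mail Protocols looks fully covered in the
    # native view, but drops to 0.0 once Email is a separate data source.
    proxy_only = {"Network Traffic Content", "Web"}
    for tid, (native, dettect) in compare(proxy_only).items():
        print(f"{tid}: native={native:.2f} dettect={dettect:.2f}")
```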

DeTT&CT data sources

Web

This data source refers to log data on outgoing HTTP traffic (including the responses) originating from a web proxy or another capability that produces event logs on outgoing HTTP traffic. For a proxy, this includes the different kinds: transparent, non-transparent, and with or without TLS interception.

This data source does not cover a reverse web proxy as commonly seen in front of web applications and APIs.

Email

Log data on incoming and outgoing email messages as provided by a SaaS email provider or an on-prem hosted email solution.

The log data can include, for example, the SMTP envelope and message headers such as MAIL FROM, Received, To, From, Subject and message body or critical parts like URLs and metadata on attachments. Security-related event data from post-processing events regarding spam, phishing and malware detection are also part of this data source.

Actions that change the configuration of the email server and/or email client are not part of this data source. For example, the creation of an email forwarding rule (T1114.003) belongs to the ATT&CK data component Application Log Content.

Internal DNS

This data source consists of log data on executed DNS queries (requests and responses) handled by your internal DNS resolver(s), in other words, the DNS resolver that your endpoints send their DNS requests to and that answers them. This includes queries for both internal and external domains, so the resolver facilitates the DNS protocol across your IT landscape.

We chose to prefix this data source with "Internal" to bring it in line with the ATT&CK data components of the Domain Name data source, as listed here.

DHCP

Log data on received and sent DHCP messages (DISCOVER, OFFER, etc.) from the context of the DHCP server(s).

Exceptions

We found some techniques that are not mapped to Network Traffic Content or not mapped to a data source at all. To improve the visibility score for those techniques, we've mapped them to DeTT&CT data sources:

  • T1200/Hardware Additions: has no data sources in ATT&CK. We've mapped this technique to the DeTT&CT data source DHCP while our contribution to ATT&CK (Network Traffic, Drive, Application Log) is pending.
  • T1568.002/DGA domains: only has Network Traffic Creation and Network Traffic Flow as data components in ATT&CK. We decided to also include the DeTT&CT data sources Web and Internal DNS.