Getting started
At this section you will find instructions on how to start using the framework.
The Python tool supports two modes:
Besides a few optional arguments, DeTT&CT has five modes which are described in the help text below. Please note that each mode has a dedicated help function. For example, the help function for group can be shown using the following command: python dettect.py group -h. An overview of all help texts can be found here.
usage: dettect.py [-h] [--version] [-i] ...
Detect Tactics, Techniques & Combat Threats
optional arguments:
-h, --help show this help message and exit
--version show program's version number and exit
-i, --interactive launch the interactive menu, which has support for all
modes
MODE:
Select the mode to use. Every mode has its own arguments and help info
displayed using: {visibility, detection, group, generic} --help
datasource (ds) data source mapping and quality
visibility (v) visibility coverage mapping based on techniques and data
sources
detection (d) detection coverage mapping based on techniques
group (g) threat actor group mapping
generic (ge) includes: statistics on ATT&CK data source and updates on
techniques, groups and software
When using the interactive mode, a menu will be shown that allows you to browse through all functionality interactively.
-= DeTT&CT =-
-- Detect Tactics, Techniques & Combat Threats --
version 1.1.2
Select a mode:
1. Data source mapping
2. Visibility coverage mapping
3. Detection coverage mapping
4. Threat actor group mapping
5. Updates
6. Statistics
9. Quit
>>
Below are some examples to further explain how to use the framework. Two general comments we would like to make:
- Use the tool in the way it works best for you. For example, scoring every single technique within the ATT&CK Matrix can be a lot of work. Therefore you may only score what you know at that time and what you want to communicate with others or want to verify/compare.
- It is recommended to periodically have a good look at your data source and techniques administration to see if anything has changed during the recent time, and therefore need to be updated. It can be useful to draw up a checklist for this, which you can then repeated after X time has passed.
Contents:
- Score data quality
- Map data sources
- Score visibility
- Visibility coverage
- Determine your detection coverage
- Threat actor group heat map
- Compare group or red team exercise with detection/visibility coverage
- Compare visibility and detection coverage
- Which data source are covering the most techniques?
Start with scoring the quality of your data sources within a data source administration YAML file. This will later on be very useful in scoring visibility. More on scoring data quality can be found here: Data sources.
Based on the YAML file you can generate an Excel sheet containing all your data sources, attributes, notes and data quality scores:
python dettect.py ds -f sample-data/data-sources-endpoints.yaml -e
Generate an ATT&CK Navigator layer file based on data sources recorded in the YAML file. Based on the amount of data sources, techniques are mapped and visualised in the layer file. This gives you a rough overview of your visibility coverage. Often, this is the first step in getting an overview of your actual visibility coverage.
python dettect.py ds -f sample-data/data-sources-endpoints.yaml -l
A next step can be to determine the exact visibility per technique. To help you with this, you can generate a techniques administration YAML file based on your data sources administration:
python dettect.py ds -f sample-data/data-sources-endpoints.yaml -y
Within this YAML file, you can score visibility per technique based on expert knowledge and the previously defined quality of your data sources (in this same YAML file you can also score detection). There are several reasons why manual scoring is required. For example:
- You may have 1 data source available from the total 3 data sources mentioned within a particular ATT&CK technique. However, in some cases that single data source could not be sufficient for detection on that technique. And hence the visibility score based on the number of data sources needs to be adjusted.
- The quality of a particular data source is considered too low to be useful for visibility.
- You do have a certain level of visibility on a technique. But this is based on a data source currently not mentioned within MITRE ATT&CK for that particular technique.
Visibility scores are rated from 0 to 4. The explanation on the scores can be found here: visibility scoring. Use the score that fits best.
Generate an ATT&CK Navigator layer file based on the technique administration in the YAML file. The visibility scores defined in the YAML file are also used to colour the techniques in the layer file. This gives you an overview of your visibility coverage:
python dettect.py v -ft sample-data/techniques-administration-endpoints.yaml -fd sample-data/data-sources-endpoints.yaml -l
Generate an ATT&CK Navigator layer file based on detection scores you have determined per technique in the YAML administration file. The detection scores in the YAML file are also used to colour the techniques in the layer file. This gives you an overview of your detection coverage:
python dettect.py d -ft sample-data/techniques-administration-endpoints.yaml -l
Generate an ATT&CK Navigator layer file based on threat actor group data in ATT&CK. Or your own threat actor data stored in a YAML file. Please note that like all data, there is bias. As very well explained by MITRE: Building an ATT&CK Sightings Ecosystem.
The below-generated layer file contains a heat map based on all threat actor data within ATT&CK. The darker the colour in the heat map, the more often the technique is being used among groups:
python dettect.py g
It is also possible to create a heat map based on a subset of groups present in ATT&CK:
python dettect.py g -g 'fin7, cobalt group'
Or based on threat actor data you store in a YAML group administration file:
python dettect.py g -g sample-data/groups.yaml
Read the help for group on all available functionality. Including how threat actor groups can be compared: python dettect.py g -h
A groups YAML file with either data on a red team exercise or a specific threat actor group can be compared with your detection or visibility. DeTT&CT can generate an ATT&CK Navigator layer file in which the differences are visually shown with a legend explaining the colours.
python dettect.py g -g sample-data/groups.yaml -o sample-data/techniques-administration-endpoints.yaml -t detection
It is possible to compare your visibility and detection coverage in one ATT&CK Navigator layer file. This will give you insight in where you have visibility, detection and both.
python dettect.py d -ft sample-data/techniques-administration-endpoints.yaml -fd sample-data/data-sources-endpoints.yaml -o
# or:
python dettect.py v -ft sample-data/techniques-administration-endpoints.yaml -fd sample-data/data-sources-endpoints.yaml -o
Using the command python dettect.py generic --statistics we can determine which data sources within ATT&CK are covering the most number of techniques:
Count Data Source
--------------------------------------------------
169 Process monitoring
97 Process command-line parameters
97 File monitoring
43 API monitoring
39 Process use of network
36 Packet capture
36 Windows Registry
28 Authentication logs
27 Netflow/Enclave netflow
22 Network protocol analysis
22 Windows event logs
18 DLL monitoring
18 Binary file metadata
13 Loaded DLLs
9 SSL/TLS inspection
9 Network intrusion detection system
9 System calls
9 Malware reverse engineering
8 Network device logs
7 Kernel drivers
7 Anti-virus
6 Application logs
6 Data loss prevention
4 Web logs
4 Services
4 PowerShell logs
4 Email gateway
4 Web proxy
4 Windows Error Reporting
4 User interface
4 Host network interface
3 Web application firewall logs
3 BIOS
3 MBR
3 Third-party application logs
2 Sensor health and status
2 Component firmware
2 DNS records
2 Detonation chamber
2 Mail server
2 Environment variable
1 Asset management
1 Browser extensions
1 Access tokens
1 Digital certificate logs
1 Disk forensics
1 WMI Objects
1 VBR
1 Named Pipes
1 EFI