DeTT&CT

Detect Tactics, Techniques & Combat Threats

Latest version: 1.4.3

To get started with DeTT&CT, check out one of these resources:

DeTT&CT aims to assist blue teams in using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours, all of which can help, in different ways, to make your organisation more resilient against attacks that target it. The DeTT&CT framework consists of a Python tool, YAML administration files, the DeTT&CT Editor and scoring tables for the different aspects.

DeTT&CT provides the following functionality:

  • Administrate and score the quality of your data sources.
  • Get insight into the visibility you have on, for example, endpoints.
  • Map your detection coverage.
  • Map threat actor behaviours.
  • Compare visibility, detection coverage and threat actor behaviours to uncover possible improvements in detection and visibility (visibility being based on your available data sources). This can help you prioritise your blue teaming efforts.

The coloured visualisations are created with the help of MITRE's ATT&CK™ Navigator.

Authors and contributions

This project is developed and maintained by Marcus Bakker (Twitter: @bakk3rm) and Ruben Bouman (Twitter: @rubenb_2). Feel free to contact us; DMs are open. We would appreciate it if you ask any questions on how to use DeTT&CT by opening a GitHub issue, as having the questions and answers there will greatly help others with similar questions and challenges.

We welcome contributions! Contributions can be both in code and in ideas you might have for further development, usability improvements, etc.

Work of others

The work of others inspired some functionality within DeTT&CT:

Example

YAML files are used for administrating scores and relevant properties, all of which can be visualised by loading JSON layer files into the ATT&CK Navigator (some types of scores and properties can also be exported to Excel).

See below an example of mapping your data sources to ATT&CK, which gives you a rough overview of your visibility coverage:

DeTT&CT - Data quality
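As an added illustration of that data flow (not code from the DeTT&CT project), the script below takes a constructed data-source administration, shaped loosely after the tool's YAML but held as a Python dict, scores data quality per source, applies an assumed visibility rule per technique, and emits an ATT&CK Navigator layer. The technique-to-data-source table is constructed for the example; the real tool takes those relationships from ATT&CK.

```python
import json

# Constructed sample, modelled after (not copied from) a DeTT&CT data-source
# administration YAML: five data quality dimensions, each scored 0 (none) to 5.
DATA_SOURCES = {
    "Process Creation": {"device_completeness": 4, "data_field_completeness": 3,
                         "timeliness": 4, "consistency": 3, "retention": 2},
    "Network Traffic Content": {"device_completeness": 1, "data_field_completeness": 2,
                                "timeliness": 2, "consistency": 1, "retention": 1},
    "Windows Registry Key Modification": {"device_completeness": 0, "data_field_completeness": 0,
                                          "timeliness": 0, "consistency": 0, "retention": 0},
}

# Constructed technique -> data source relationships, standing in for the ATT&CK
# data the real tool uses so that this example runs offline.
TECHNIQUE_DATA_SOURCES = {
    "T1059": ["Process Creation"],
    "T1071": ["Network Traffic Content"],
    "T1547": ["Windows Registry Key Modification", "Process Creation"],
}

def data_quality(name):
    """Average of the five dimensions (0.0-5.0); an unknown source scores 0.0."""
    dq = DATA_SOURCES.get(name)
    if not dq:
        return 0.0
    return round(sum(dq.values()) / len(dq), 2)

def technique_visibility(tid):
    """Assumed rule: share of the technique's data sources that are collected
    at all (quality > 0), scaled to 0-100 as a Navigator score."""
    sources = TECHNIQUE_DATA_SOURCES[tid]
    collected = [s for s in sources if data_quality(s) > 0]
    return int(100 * len(collected) / len(sources))

def build_layer(name="Data sources - visibility"):
    """Build an ATT&CK Navigator layer: one entry per technique with a score
    and a comment listing the data sources behind it and their quality."""
    techniques = []
    for tid, sources in sorted(TECHNIQUE_DATA_SOURCES.items()):
        detail = ", ".join(f"{s} (DQ {data_quality(s)})" for s in sources)
        techniques.append({"techniqueID": tid, "score": technique_visibility(tid),
                           "comment": detail})
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.5"},  # assumed layer format version
            "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 100},
            "techniques": techniques}

if __name__ == "__main__":
    print(json.dumps(build_layer(), indent=2))  # paste into the Navigator as a layer
```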

Installation and requirements

See our GitHub Wiki: Installation and requirements.

License: GPL-3.0

DeTT&CT's GNU General Public License v3.0
