Skip to content
/ DeTTECT Public
forked from rabobank-cdc/DeTTECT

Detect Tactics, Techniques & Combat Threats

License

GPL-3.0 license
0 stars 334 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

rcobb-scwx/DeTTECT

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

272 Commits
binder
binder
 
 
editor
editor
 
 
sample-data
sample-data
 
 
threat-actor-data
threat-actor-data
 
 
.dockerignore
.dockerignore
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
constants.py
constants.py
 
 
data-sources.ipynb
data-sources.ipynb
 
 
data_source_mapping.py
data_source_mapping.py
 
 
dettect.py
dettect.py
 
 
editor.py
editor.py
 
 
eql_yaml.py
eql_yaml.py
 
 
generic.py
generic.py
 
 
group_mapping.py
group_mapping.py
 
 
health.py
health.py
 
 
interactive_menu.py
interactive_menu.py
 
 
requirements.txt
requirements.txt
 
 
scoring_table.xlsx
scoring_table.xlsx
 
 
technique_mapping.py
technique_mapping.py
 
 
upgrade.py
upgrade.py
 
 
visibility.ipynb
visibility.ipynb
 
 

Repository files navigation

DeTT&CT

Threat Hunting Training Version

Binder

Detect Tactics, Techniques & Combat Threats

Latest version: 1.3

To get started with DeTT&CT, check out this page, our talk at hack.lu 2019 and our blog on:

DeTT&CT aims to assist blue teams using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours. All of which can help, in different ways, to get more resilient against attacks targeting your organisation. The DeTT&CT framework consists of a Python tool, YAML administration files, the DeTT&CT Editor and scoring tables for the different aspects.

DeTT&CT provides the following functionality:

  • Administrate and score the quality of your data sources.
  • Get insight on the visibility you have on for example endpoints.
  • Map your detection coverage.
  • Map threat actor behaviours.
  • Compare visibility, detections and threat actor behaviours to uncover possible improvements in detection and visibility. This can help you to prioritise your blue teaming efforts.

The coloured visualisations are created with the help of MITRE's ATT&CK™ Navigator.

Authors and contributions

This project is developed and maintained by Marcus Bakker (Twitter: @bakk3rm) and Ruben Bouman (Twitter: @rubenb_2). Feel free to contact, DMs are open.

We welcome contributions! Contributions can be both in code, as well as in ideas you might have for further development, usability improvements, etc.

Work of others

Some functionality within DeTT&CT was inspired by the work of others:

Example

YAML files are used for administrating scores and relevant metadata. All of which can be visualised by loading JSON layer files into the ATT&CK Navigator (some types of scores and metadata can also be written to Excel).

See below an example of mapping your data sources to ATT&CK, which gives you a rough overview of your visibility coverage:

DeTT&CT - Data quality

Installation and requirements

See our GitHub Wiki: Installation and requirements.

License: GPL-3.0

DeTT&CT's GNU General Public License v3.0

About

Detect Tactics, Techniques & Combat Threats

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

2 forks
Report repository

Releases

13 tags

Packages

No packages published

Languages

  • Python 28.6%
  • Jupyter Notebook 23.5%
  • CSS 22.6%
  • Vue 21.9%
  • JavaScript 3.1%
  • HTML 0.2%
  • Dockerfile 0.1%