v1.2.0

@marcusbakker marcusbakker released this 22 Aug 06:30
  • Visibility/Detection score logbook
    It is now possible to keep track of changes in the visibility and detection score of a particular ATT&CK technique. We have therefore introduced version 1.2 of the technique administration YAML file:

    • Visibility and detection scores are now stored as score objects inside a score_logbook object. As a result, visibility scores now also carry a date key-value pair.
    • The date_registered key-value pair of the detection score has been removed. A detection now has a single date key-value pair named date. During the upgrade from v1.1 to v1.2 you can choose to keep date_registered, even though DeTT&CT no longer uses it.

    For an example of score_logbook with multiple score objects (for both visibility and detection) see technique T1189 in the sample file: techniques-administration-endpoints.yaml

To allow an easy transition, older versions of the technique administration YAML file are automatically upgraded to this new version. DeTT&CT prompts you before doing so.

  • Automatic update of visibility scores
    The datasource mode has a new option (-u, --update) that automatically updates the rough visibility scores in your technique administration YAML file. Changes in your data source administration YAML file (e.g. a newly added data source) can change your visibility scores, and these can now be auto-updated. Another use case for the auto-update is when MITRE ATT&CK introduces new techniques, changes the data sources listed for a technique, or adds new data sources.

    For more information see: Getting started / How to - Auto-update visibility scores and the use of the score_logbook.

  • Exclude/include objects from a YAML file using EQL
    We have integrated Endgame's Event Query Language (EQL) into DeTT&CT. This gives you powerful options to exclude or include certain objects (detections, visibility or data sources) from your YAML administration files. Some examples of what you can do:

    • Once you have built up a history of detection/visibility score changes in the score_logbook, you can visualise those changes in an ATT&CK Navigator layer file using an EQL query. Even without much history, the same can be done purely based on when you added new detections or visibility.
    • You can control, based on the characteristics you have administrated for them, which data sources are included in or excluded from the rough overview of your visibility coverage.

    Be aware that the option '-a, --applicable' has been removed and is now replaced by an EQL query. For example, to only include 'client endpoints' the EQL query for that is:

    --search-detection "techniques where arrayContains(detection.applicable_to, 'client endpoints')"

    More information on how to use EQL within DeTT&CT is provided here.
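The following is an added example, not DeTT&CT project code, and it does not use the eql library. It works on a constructed sample in the shape of a v1.2 technique administration file after loading (the technique_name key and treating detection/visibility as lists of objects are assumptions; only technique_id, applicable_to, score_logbook, score, date and comment are named above). It shows what the score_logbook buys you: the current score is the latest-dated entry, the "what changed since" selection behind a change-over-time Navigator layer can be computed from the logbook, and the applicable_to selection that replaced -a, --applicable is reproduced in plain Python so you can check what the EQL query above would pick out.

```python
"""Added example (not DeTT&CT project code): work with the v1.2 score_logbook
and reproduce in plain Python what the page's EQL selection picks out."""

# Constructed sample in the shape of a loaded v1.2 technique administration
# file. technique_name and detection/visibility being lists of objects are
# assumptions. Dates are ISO-8601 strings, which sort correctly as strings
# (ruamel.yaml would load unquoted YAML dates as datetime.date; those sort too).
TECHNIQUES = [
    {
        "technique_id": "T1189",
        "technique_name": "Drive-by Compromise",
        "detection": [{
            "applicable_to": ["client endpoints"],
            "score_logbook": [  # deliberately not in date order
                {"date": "2019-08-01", "score": 3, "comment": "new proxy rule"},
                {"date": "2019-03-01", "score": 1, "comment": "initial"},
            ],
        }],
        "visibility": [{
            "applicable_to": ["all"],
            "score_logbook": [{"date": "2019-03-01", "score": 2, "comment": ""}],
        }],
    },
    {
        "technique_id": "T1003",
        "technique_name": "Credential Dumping",
        "detection": [{
            "applicable_to": ["servers"],
            "score_logbook": [{"date": "2019-01-15", "score": 2, "comment": ""}],
        }],
        "visibility": [{
            "applicable_to": ["all"],
            "score_logbook": [{"date": "2019-07-20", "score": 4, "comment": "Sysmon rolled out"}],
        }],
    },
    {
        "technique_id": "T1059",
        "technique_name": "Command-Line Interface",
        "detection": [{
            "applicable_to": ["client endpoints", "servers"],
            "score_logbook": [],  # administrated, but no detection score yet
        }],
        "visibility": [{
            "applicable_to": ["all"],
            "score_logbook": [{"date": "2018-12-01", "score": 1, "comment": ""}],
        }],
    },
]


def current_score(logbook):
    """Score of the most recent logbook entry; 0 when there is none.
    Selecting by date rather than list position tolerates unsorted logbooks."""
    if not logbook:
        return 0
    return max(logbook, key=lambda entry: entry["date"])["score"]


def where_applicable_to(techniques, kind, value):
    """Plain-Python counterpart of the EQL query
    techniques where arrayContains(<kind>.applicable_to, '<value>')"""
    return [t["technique_id"] for t in techniques
            if any(value in obj["applicable_to"] for obj in t[kind])]


def score_changes(techniques, kind, since):
    """Techniques whose <kind> score has a logbook entry dated on or after
    `since`, mapped to (score before, score now): the selection a
    'what changed' Navigator layer built from the logbook would colour."""
    changes = {}
    for t in techniques:
        for obj in t[kind]:
            before = [e for e in obj["score_logbook"] if e["date"] < since]
            after = [e for e in obj["score_logbook"] if e["date"] >= since]
            if after:
                changes[t["technique_id"]] = (current_score(before),
                                              current_score(before + after))
    return changes


def coverage_table(techniques):
    """Current detection and visibility score per technique."""
    return {t["technique_id"]: {kind: max((current_score(obj["score_logbook"])
                                           for obj in t[kind]), default=0)
                                for kind in ("detection", "visibility")}
            for t in techniques}


if __name__ == "__main__":
    for tid, scores in coverage_table(TECHNIQUES).items():
        print(tid, scores)
    print("client endpoints:", where_applicable_to(TECHNIQUES, "detection", "client endpoints"))
    print("detection changes since 2019-06-01:",
          score_changes(TECHNIQUES, "detection", "2019-06-01"))
```

Run as-is to see the per-technique scores, the techniques the 'client endpoints' query selects, and the detection scores that changed in the second half of 2019. The "before" score for a technique with no entry before the cut-off is 0, which is exactly the case of a newly added detection or visibility mentioned above.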

  • Several smaller improvements

    • New statistics in the generic mode give a sorted count of how many ATT&CK Enterprise or Mobile techniques are covered by each Mitigation (python dettect.py generic -m {enterprise,mobile}).
    • The Python library PyYAML has been replaced by ruamel.yaml, which allows existing YAML files to be modified while preserving comments, block style and key ordering.
    • The health check performed on a technique administration file now checks for a few more errors and is noticeably faster.
    • A health check has been added for the data source administration YAML file.
    • A graph can be generated of the number of visibility objects added over time.
    • Output files (layers, graphs, Excel, YAML) are no longer overwritten. Instead, a number is added as a suffix to the filename.
    • Numerous other small improvements.
  • Other changes

    • Updated the Python package attackcti to version 0.2.7.
    • The Python package eql version 0.7 is added to requirements.txt.
  • Bug fix

    • A red colour was shown in a visibility Navigator JSON layer file when the visibility score was equal to 0 (this fix had already been pushed to the master branch earlier).