Releases: rabobank-cdc/DeTTECT
v1.2.0
Visibility/Detection score logbook
It is now possible to keep track of changes in the visibility and detection score for a particular ATT&CK technique. We have therefore introduced version 1.2 of the technique administration YAML file:
- Visibility and detection scores are now part of a `score` object in the YAML file within a `score_logbook` object. Due to this change, visibility scores now also have a `date` key-value pair.
- The key-value pair `date_registered` for the detection score is removed. A detection now has a single date key-value pair named `date`. You can decide, in the upgrade from v1.1 to v1.2, to keep this key-value pair even though DeTT&CT no longer makes use of it.
For an example of `score_logbook` with multiple `score` objects (for both visibility and detection) see technique T1189 in the sample file: techniques-administration-endpoints.yaml
To allow an easy transition, older technique administration YAML file versions are automatically upgraded to this new version. DeTT&CT will automatically prompt you on this.
Automatic update of visibility scores
The `datasource` mode has a new option (`-u, --update`) that helps you to automatically update your rough visibility scores within your technique administration YAML file. So, when you have made changes within your data source administration YAML file (e.g. you have added a new data source), this could result in changes to your visibility scores, which you can now auto-update. Another use case for the auto-update is when MITRE ATT&CK introduces new techniques, changes the data sources listed for a technique or adds new data sources. For more information see: Getting started / How to - Auto-update visibility scores and the use of the `score_logbook`.
Exclude/include objects from a YAML file using EQL
We have integrated Endgame's Event Query Language (EQL) into DeTT&CT. This provides you with powerful options to exclude or include certain objects (detections, visibility or data sources) from your YAML administration files. Some examples of what you can do:
- Once you have built up a history of when detection/visibility scores changed (within the `score_logbook`), you can visualise this change within an ATT&CK Navigator layer file using an EQL query. Of course, also without much history, this can be done purely based on when you added new detections or visibility.
- You can influence how data sources (based on the characteristics you have administrated) are excluded or included in the process to draft a rough overview of your visibility coverage.
Be aware that the option `-a, --applicable` has been removed and is now replaced by an EQL query. For example, to only include 'client endpoints' the EQL query for that is:
--search-detection "techniques where arrayContains(detection.applicable_to, 'client endpoints')"
More information on how to use EQL within DeTT&CT is provided here.
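The v1.2 `score_logbook` structure and the selection that the EQL queries above express, as an added example in Python. This is not DeTT&CT's own code: the project reads the YAML with ruamel.yaml and evaluates queries with the eql library, neither of which this stand-alone version needs. The dict layout follows the release note's description of the YAML; `date_implemented` as the other v1.1 detection date, the upgrade-day date given to migrated visibility scores, the sample entry and all function names are assumptions made for this example.

```python
"""Added example, not DeTT&CT's own code.

Models the v1.1 -> v1.2 change to a technique administration entry (flat
'score' plus detection dates becoming a 'score_logbook') and the selection
that the release note's EQL queries express. The dict layout mirrors the
YAML described in the release note; the v1.1 'date_implemented' key and the
date used for migrated visibility scores are assumptions, not the project's
schema."""
from copy import deepcopy
from datetime import date

# Constructed v1.1-style entry: one detection and one visibility object.
V11_TECHNIQUE = {
    "technique_id": "T1189",
    "technique_name": "Drive-by Compromise",
    "detection": [
        {"applicable_to": ["client endpoints"],
         "location": ["EDR"],
         "date_registered": date(2019, 3, 1),    # no longer used by v1.2
         "date_implemented": date(2019, 3, 10),  # assumed v1.1 key
         "score": 3,
         "comment": "EDR rule in place"},
    ],
    "visibility": [
        {"applicable_to": ["all"], "score": 2, "comment": ""},
    ],
}


def _as_date(value):
    """Accept datetime.date (what a YAML loader returns) or an ISO string."""
    return value if isinstance(value, date) else date.fromisoformat(str(value))


def upgrade_v11_to_v12(technique, upgrade_date, keep_date_registered=False):
    """Return a v1.2-shaped copy: every flat 'score' moves into a score_logbook.

    Detection: the v1.1 implementation date becomes the single logbook 'date';
    date_registered is dropped unless the user chose to keep it, as the
    release note allows. Visibility had no date in v1.1, so the day of the
    upgrade is recorded (assumption). The input is not mutated."""
    upgrade_date = _as_date(upgrade_date)
    t = deepcopy(technique)
    for obj in t.get("detection", []):
        entry_date = obj.pop("date_implemented", None) or upgrade_date
        if not keep_date_registered:
            obj.pop("date_registered", None)
        obj["score_logbook"] = [{"date": _as_date(entry_date),
                                 "score": obj.pop("score"),
                                 "comment": obj.get("comment", "")}]
    for obj in t.get("visibility", []):
        obj["score_logbook"] = [{"date": upgrade_date,
                                 "score": obj.pop("score"),
                                 "comment": obj.get("comment", "")}]
    return t


def add_score(obj, new_score, on, comment=""):
    """Record a new score as a logbook entry instead of overwriting the old one."""
    obj.setdefault("score_logbook", []).append(
        {"date": _as_date(on), "score": new_score, "comment": comment})


def current_score(obj):
    """The score that counts is the most recent entry. Sort by date rather than
    trusting file order: a hand-edited logbook may be out of order."""
    logbook = obj.get("score_logbook") or []
    if not logbook:
        return None
    return max(logbook, key=lambda e: _as_date(e["date"]))["score"]


def applicable_to_filter(techniques, system, key="detection"):
    """Python equivalent of the EQL replacement for -a/--applicable:
    techniques where arrayContains(detection.applicable_to, 'client endpoints')
    It is a literal membership test: an object tagged ['all'] does NOT match
    'client endpoints', which is easy to overlook when porting old -a usage."""
    return [t["technique_id"] for t in techniques
            if any(system in obj.get("applicable_to", []) for obj in t.get(key, []))]


def changed_since(techniques, since, key="detection"):
    """Technique IDs with a score_logbook entry dated on or after `since`: the
    selection behind a 'what changed since date X' Navigator layer."""
    since = _as_date(since)
    return [t["technique_id"] for t in techniques
            if any(_as_date(e["date"]) >= since
                   for obj in t.get(key, [])
                   for e in obj.get("score_logbook", []))]


if __name__ == "__main__":
    upgraded = upgrade_v11_to_v12(V11_TECHNIQUE, upgrade_date="2019-10-01")
    add_score(upgraded["detection"][0], 4, on="2020-01-15", comment="tuned rule")
    print("detection score now:", current_score(upgraded["detection"][0]))
    print("client endpoints:", applicable_to_filter([upgraded], "client endpoints"))
    print("changed since 2020:", changed_since([upgraded], "2020-01-01"))
```

The two filters are plain Python stand-ins for what `--search-detection` evaluates, written so the semantics can be checked offline; they do not replace the EQL engine. Note that the `applicable_to` test is literal, so an object tagged `['all']` is not returned for `'client endpoints'`; check that before porting old `-a` invocations to EQL.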
Several smaller improvements
- New statistics within the `generic` mode to get a sorted count on how many ATT&CK Enterprise or Mobile techniques are covered by a Mitigation (`python dettect.py generic -m {enterprise,mobile}`)
- The Python library `PyYAML` has been replaced by `ruamel.yaml` to allow better modification of existing YAML files (preserving comments, block style and key ordering).
- The health check performed on a technique administration file now checks for a few more errors and has a notable increase in performance.
- A health check has been added for the data source administration YAML file.
- A graph can be generated for the number of visibility objects added through time.
- Output files (layers, graphs, Excel, YAML) are no longer overwritten. Instead, a number is added as a suffix to the filename.
- Numerous other small improvements.
Other changes
- Updated the Python package `attackcti` to version 0.2.7.
- The Python package `eql` version 0.7 is added to `requirements.txt`.
Bug fix
- A red colour was shown when the visibility score was equal to 0 in a visibility Navigator JSON layer file (this fix had already been pushed to the master branch).
v1.1.2
- Made compatible with the latest version of `attackcti` (v0.2.6), resulting in the use of ATT&CK STIX objects instead of a custom schema.
- Upgraded all used Python packages to their latest version.
- Fixed a bug that caused the campaign name part of a Group YAML file not to be displayed.
v1.1.1
- Added a new option `--health` to check a technique administration YAML file for possible errors.
- Added the possibility to have a group YAML file type that contains a count of how popular a certain technique is.
- An example has been added to the directory `threat-actor-data` for Red Canary's Threat Detection Report 2019 (1st edition).
- Added both the detection and visibility score in the metadata when doing an overlay of detection/visibility on a group.
v1.1
Technique administration YAML file version 1.1
New version (1.1) of the technique administration YAML file introducing the following improvements:
- A technique can now have multiple `detection` and `visibility` objects. This allows you to have more detailed scores for different types of systems by making use of the new key-value pair `applicable_to`.
- Added the key-value pair `applicable_to` to the `detection` and `visibility` object. This allows you to specify a list of the type of system(s) to which it applies. For example: crown jewel X, endpoints, etc. You can use the value `['all']` to have the detection or visibility be applicable to all types of systems.
- Added the key-value pair `technique_name`, containing the technique's name (e.g. "Process Injection"), to every technique ID.
Older technique administration files can be automatically upgraded to this new version. DeTT&CT will prompt you on this if an upgrade is available.
Excel output
It is now possible to export your technique administration for visibility and detections to Excel:
python dettect.py d -ft sample-data/techniques-administration-endpoints.yaml -fd sample-data/data-sources-endpoints.yaml --excel
File written: output/techniques.xlsx
- Several smaller improvements
- The detection and visibility layer file contains a score to allow sorting within the ATT&CK Navigator.
- Added a score for detection/visibility when overlaid with a group to improve the visual comparison.
- The ATT&CK Navigator's legend is improved when overlaying detection or visibility on a group.
- Added colours to the Excel output to visualise the scores for data source quality, visibility and detections.
- Remember the selected path for a YAML administration file in the interactive menu.
- Added a more detailed error message for invalid YAML files.
- Constants have been moved to their own file `constants.py`.
- Bug fixes
- Fixed a bug reported by @tuckner (issue #3: product list not appending for visibility ATT&CK layer).
- Fixed a bug that would cause a crash when doing a software-group using a visibility or detection overlay.
- Fixed a bug that would cause a crash when the YAML 'score' key-value pair had no value assigned.
v1.0
The initial release of DeTT&CT.