Releases: rabobank-cdc/DeTTECT

v1.2.0

22 Aug 06:30
  • Visibility/Detection score logbook
    It is now possible to keep track of changes in the visibility and detection score for a particular ATT&CK technique. We have therefore introduced version 1.2 of the techniques administration YAML file:

    • Visibility and detection scores are now part of a score object in the YAML file within a score_logbook object. Due to this change, visibility scores now also have a date key-value pair.
    • The key-value pair date_registered for the detection score is removed. A detection now has a single date key-value pair named date. During the upgrade from v1.1 to v1.2 you can decide to keep this key-value pair, even though DeTT&CT no longer makes use of it.

    For an example of score_logbook with multiple score objects (for both visibility and detection) see technique T1189 in the sample file: techniques-administration-endpoints.yaml

    To allow an easy transition, older technique administration YAML file versions are automatically upgraded to this new version. DeTT&CT will prompt you on this.

  • Automatic update of visibility scores
    The datasource mode has a new option (-u, --update) that automatically updates the rough visibility scores within your technique administration YAML file. So, when you have made changes within your data source administration YAML file (e.g. you have added a new data source), this could result in changes to your visibility scores, which you can now auto-update. Another use-case for the auto-update is when MITRE ATT&CK introduces new techniques, changes the data sources listed for a technique or adds new data sources.

    For more information see: Getting started / How to - Auto-update visibility scores and the use of the score_logbook.

  • Exclude/include objects from a YAML file using EQL
    We have integrated Endgame's Event Query Language (EQL) into DeTT&CT. This provides you with powerful options to exclude or include certain objects (detections, visibility or data sources) from your YAML administration files. Some examples of what you can do:

    • Once you have built up a history of when detection/visibility scores changed (within the score_logbook), you can visualise these changes within an ATT&CK Navigator layer file using an EQL query. Even without much history, this can be done purely based on when you added new detections or visibility.
    • You can influence how data sources (based on the characteristics you have administrated) are excluded from or included in the process of drafting a rough overview of your visibility coverage.

    Be aware that the option '-a, --applicable' has been removed and is now replaced by an EQL query. For example, to only include 'client endpoints' the EQL query for that is:

    --search-detection "techniques where arrayContains(detection.applicable_to, 'client endpoints')"

    More information on how to use EQL within DeTT&CT is provided here.
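    As an added illustration (not part of the DeTT&CT release or its code base) of the two features described above, the v1.2 score_logbook and EQL-style filtering on applicable_to, the Python below walks a constructed in-memory copy of a technique administration file, derives the current score of each detection/visibility object from its logbook, lists techniques whose score changed after a given date, and applies the same arrayContains(detection.applicable_to, ...) filter the EQL example expresses. The key names follow the release notes, but the exact v1.2 schema is an assumption here.

```python
from datetime import date

# Constructed sample: the structure a YAML loader would return for a small
# v1.2 technique administration file. Key names follow the release notes
# (score_logbook, date, score, applicable_to); the exact schema is assumed.
TECHNIQUES = [
    {"technique_id": "T1189", "technique_name": "Drive-by Compromise",
     "detection": [{"applicable_to": ["client endpoints"],
                    "score_logbook": [{"date": date(2019, 5, 1), "score": 1},
                                      {"date": date(2019, 8, 1), "score": 3}]}],
     "visibility": [{"applicable_to": ["all"],
                     "score_logbook": [{"date": date(2019, 5, 1), "score": 2}]}]},
    {"technique_id": "T1055", "technique_name": "Process Injection",
     "detection": [{"applicable_to": ["servers"],
                    "score_logbook": [{"date": date(2019, 6, 1), "score": 2}]}],
     "visibility": [{"applicable_to": ["all"], "score_logbook": []}]},
]


def latest_score(obj):
    """Current score of a detection/visibility object: its newest logbook entry.
    The logbook is not assumed to be sorted; an empty logbook yields None."""
    logbook = obj.get("score_logbook") or []
    return max(logbook, key=lambda e: e["date"])["score"] if logbook else None


def current_scores(techniques, kind):
    """Map technique_id -> highest current score over its <kind> objects."""
    result = {}
    for t in techniques:
        scores = [s for s in (latest_score(o) for o in t.get(kind, [])) if s is not None]
        result[t["technique_id"]] = max(scores) if scores else None
    return result


def changed_since(techniques, kind, since):
    """Technique IDs whose <kind> score got a logbook entry on or after `since`:
    the 'visualise score changes in a Navigator layer' use-case from the notes."""
    return sorted(t["technique_id"] for t in techniques
                  if any(e["date"] >= since for o in t.get(kind, [])
                         for e in (o.get("score_logbook") or [])))


def applicable_to(techniques, kind, system):
    """Technique IDs having a <kind> object whose applicable_to contains `system`.
    Same semantics as the EQL
      techniques where arrayContains(detection.applicable_to, 'client endpoints')
    i.e. an exact element match; 'all' is not treated as a wildcard here."""
    return sorted(t["technique_id"] for t in techniques
                  if any(system in o.get("applicable_to", []) for o in t.get(kind, [])))
```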

  • Several smaller improvements

    • New statistics within the generic mode to get a sorted count on how many ATT&CK Enterprise or Mobile techniques are covered by a Mitigation (python dettect.py generic -m {enterprise,mobile})
    • The Python library PyYAML has been replaced by ruamel.yaml to allow better modification of existing YAML files (to preserve comments and block style and key ordering).
    • The health check performed on a technique administration file now checks for a few more errors and has a notable increase in performance.
    • A health check has been added for the data source administration YAML file.
    • A graph can be generated for the number of visibility objects added through time.
    • Output files (layers, graphs, Excel, YAML) are no longer overwritten. Instead, a number is added as a suffix to the filename.
    • Numerous other small improvements.
  • Other changes

    • Updated the Python package attackcti to version 0.2.7.
    • The Python package eql version 0.7 is added to requirements.txt.
  • Bug fix

    • A red colour was shown when the visibility score was equal to 0 in a visibility Navigator JSON layer file (this fix has previously already been pushed to the master branch).

v1.1.2

16 Jul 08:08
f0f15ff
  • Made compatible with the latest version of attackcti (v0.2.6) resulting in the use of ATT&CK STIX objects instead of a custom schema.
  • Upgraded all used Python packages to their latest version.
  • Fixed a bug that caused the campaign name part of a Group YAML file not to be displayed.

v1.1.1

23 May 08:08
75c4fa6
  • Added a new option '--health' to check a technique administration YAML file on possible errors.
  • Added the possibility to have a group YAML file type that contains a count on how popular a certain technique is.
  • Added both the detection and visibility score in the metadata when doing an overlay of detection/visibility on a group.

v1.1

08 May 08:29
4277bc1
  • Technique administration YAML file version 1.1

    New version (1.1) of the technique administration YAML file introducing the following improvements:

    • A technique can now have multiple detection and visibility objects. This allows you to have more detailed scores for different types of systems by making use of the new key-value pair applicable_to.
    • Added the key-value pair applicable_to to the detection and visibility object. This allows you to specify a list of the type of system(s) to which it applies. For example: crown jewel X, endpoints, etc. You can use the value ['all'] to have the detection or visibility be applicable to all types of systems.
    • Added the key-value pair technique_name, containing the technique's name (e.g. "Process Injection"), to every technique ID.

    Older technique administration files can be automatically upgraded to this new version. DeTT&CT will prompt you on this if an upgrade is available.

  • Excel output

    It is now possible to export your technique administration for visibility and detections to Excel:

python dettect.py d -ft sample-data/techniques-administration-endpoints.yaml -fd sample-data/data-sources-endpoints.yaml --excel
File written: output/techniques.xlsx
  • Several smaller improvements
    • The detection and visibility layer file contains a score to allow sorting within the ATT&CK Navigator.
    • Added a score for detection/visibility when overlaid with a group to improve the visual comparison.
    • The ATT&CK Navigator's legend is improved when overlaying detection or visibility on a group.
    • Added colours to the Excel output to visualise the scores for data source quality, visibility and detections.
    • Remember the selected path for a YAML administration file in the interactive menu.
    • Added a more detailed error message for invalid YAML files.
    • Constants have been moved to their own file constants.py.
  • Bug fixes
    • Fixed a bug reported by @tuckner (issue #3: product list not appending for visibility ATT&CK layer).
    • Fixed a bug that would cause a crash when doing a software-group using a visibility or detection overlay.
    • Fixed a bug that would cause a crash when the YAML 'score' key-value pair had no value assigned.

v1.0

02 May 07:45

The initial release of DeTT&CT.