MITRE DeTTECT - Data Source Visibility and Mapping

  • Published 5 Feb 2025
  • This video shows how to use MITRE DeTTECT (DeTT&CT) to map data source coverage to MITRE ATT&CK. DeTT&CT is an open-source project that makes data source mapping and coverage assessment easy. In this video you will learn how to track the data sources your organization currently collects, as well as build out potential future data sources. The result is a MITRE ATT&CK Navigator layer that can be used to communicate the need to add data sources.
    1:38 MITRE DeTTECT - Tool for mapping data sources
    3:52 Installing MITRE DeTTECT
    6:45 Running Web Editor
    7:13 Demo - Setting current data source coverage
    10:42 Convert YAML file to JSON for consumption in MITRE Navigator
    11:25 Load visibility map into MITRE Navigator
    12:04 Create more demo data for comparison
    14:14 Compare various data source coverage against each other
    dettect.py commands run in the video:
    Run web editor
    python dettect.py editor &
    Convert YAML to JSON
    python dettect.py ds -fd /mnt/c/Users/JustinHenderson/Downloads/data-sources-new.yaml -l
    List coverage by data source
    python dettect.py generic -ds
    Links:
    MITRE Navigator
    mitre-attack.g...
    MITRE ATT&CK Enterprise Matrix
    attack.mitre.o...
    MITRE DeTT&CT (Local instance)
    localhost:8080/dettect-editor/
    MITRE DeTT&CT (Remote instance)
    rabobank-cdc.g...
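    The last two chapters of the video (converting the YAML to a Navigator layer and comparing several coverage layers against each other) are easier to reason about with the layer files in hand. The script below is an added example, not code from the video or from the DeTT&CT project: it takes two ATT&CK Navigator layer JSON documents, checks the declared layer version (the 1.2-versus-4.4 warning reported in the comments comes from exactly this field), folds sub-technique scores into their parent technique, and reports which techniques gain, lose or change visibility between the two layers. The three layers are constructed inline with realistic Navigator layer shapes so that it runs offline; the technique IDs, scores and version strings are sample values, not output of DeTT&CT.

```python
"""Diff two ATT&CK Navigator layers (e.g. current vs. planned data source coverage).

Added example; not part of the video or the DeTT&CT project. In practice you would
json.load() the layer files written by `python dettect.py ds -fd <yaml> -l` instead
of the constructed layers below.
"""
import json

# Layer version the Navigator build in the comment thread expected (assumption taken
# from the warning quoted there; adjust to what your Navigator instance reports).
EXPECTED_LAYER_VERSION = "4.4"

# Constructed sample layers. Scores stand in for DeTT&CT visibility scores.
CURRENT_LAYER_JSON = json.dumps({
    "name": "current data sources",
    "versions": {"attack": "12", "navigator": "4.8", "layer": "4.4"},
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1059", "score": 2},
        {"techniqueID": "T1003", "score": 1},
        {"techniqueID": "T1021", "score": 3},
    ],
})

FUTURE_LAYER_JSON = json.dumps({
    "name": "with planned data sources",
    "versions": {"attack": "12", "navigator": "4.8", "layer": "4.4"},
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1059", "score": 3},
        {"techniqueID": "T1021", "score": 1},
        {"techniqueID": "T1021.001", "score": 3},
        {"techniqueID": "T1547", "score": 2},
    ],
})

# What an online YAML-to-JSON converter produces: DeTT&CT's own file version, not a
# Navigator layer version, so Navigator warns and renders nothing useful.
OLD_FORMAT_LAYER_JSON = json.dumps({
    "name": "converted with an online YAML-to-JSON tool",
    "version": "1.2",
    "techniques": [],
})


def load_layer(text):
    """Parse a layer document and insist on the one key every Navigator layer has."""
    layer = json.loads(text)
    if "techniques" not in layer:
        raise ValueError("not a Navigator layer: missing 'techniques'")
    return layer


def layer_version(layer):
    """Declared layer version: modern layers nest it under 'versions',
    older ones carry a top-level 'version' string."""
    return layer.get("versions", {}).get("layer") or layer.get("version")


def layer_version_matches(layer, expected=EXPECTED_LAYER_VERSION):
    """False when Navigator would show the 'layer version does not match' warning."""
    return layer_version(layer) == expected


def technique_scores(layer):
    """Map parent techniqueID -> score. Sub-techniques (T1021.001) are folded
    into their parent at the highest score seen; missing scores count as 0."""
    scores = {}
    for t in layer["techniques"]:
        parent = t["techniqueID"].split(".")[0]
        scores[parent] = max(scores.get(parent, 0), t.get("score", 0))
    return scores


def diff_layers(before, after):
    """Techniques that gain, lose or change visibility between two layers."""
    a, b = technique_scores(before), technique_scores(after)
    gained = sorted(t for t in b if t not in a)
    lost = sorted(t for t in a if t not in b)
    changed = {t: (a[t], b[t]) for t in sorted(a) if t in b and a[t] != b[t]}
    return {"gained": gained, "lost": lost, "changed": changed}


if __name__ == "__main__":
    for text in (CURRENT_LAYER_JSON, FUTURE_LAYER_JSON, OLD_FORMAT_LAYER_JSON):
        layer = load_layer(text)
        state = "ok" if layer_version_matches(layer) else "MISMATCH"
        print(f"{layer['name']}: layer version {layer_version(layer)} [{state}]")
    result = diff_layers(load_layer(CURRENT_LAYER_JSON), load_layer(FUTURE_LAYER_JSON))
    print("gained visibility:", result["gained"])
    print("lost visibility:  ", result["lost"])
    print("score changed:    ", result["changed"])
```

Folding sub-techniques into the parent is a deliberate simplification for a coverage-gap conversation; keep them separate if you are scoring detections per sub-technique.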

COMMENTS • 29

  • @billyjasonbulaclac1161
    @billyjasonbulaclac1161 3 years ago +1

    I love DeTT&CT. I wish I had had this video 4 years ago so that I could have avoided those days of scratching my head trying to figure it out. But at that time they didn't have the built-in web interface and other features. Good job to the DeTT&CT team for improving this feature throughout the years.

  • @chirurico
    @chirurico 3 years ago +2

    Excellent video, with a lot of explanation on how to use DeTT&CT from a practical perspective. I've been doing my own investigations, but this video is really very good at helping shape the detection profile in a company based on MITRE ATT&CK techniques and tactics. Really good stuff.

  • @sfarovski-michelfaro4420
    @sfarovski-michelfaro4420 1 year ago +1

    Hi. I'm trying to convert the YAML file to JSON. It gives me an error: KeyError: 'PRE'.
    Then I used an online YAML-->JSON converter, but ATT&CK Navigator says: WARNING: Uploaded layer version (1.2) does not match Navigator's layer version (4.4). The layer configuration may not be fully restored.
    When I click continue, I get the empty matrix with no colouring or values. Is there someone who could help me with this?

  • @williamnorment2496
    @williamnorment2496 3 years ago

    This is an excellent vid! Thank you!

  • @shanmukhanandn
    @shanmukhanandn 4 years ago +1

    Hi Justin, I was one of your students in the SEC 555 class in 2018; you probably don't remember me, lol, as you must have had thousands of students. I have one question on this video. Around 12:45 in the video, you talked about EDR vs monitoring process event logs in SIEM. You mentioned that having only alert logs in SIEM and trusting the vendor vs having process monitoring logs in SIEM are different and not the same thing. Can you please shed more light on it? If we only trust the EDR vendor, what are we missing in terms of detection, and what security risks are accepted?

    • @TellaroCyberResilience
      @TellaroCyberResilience 4 years ago +6

      That's a great question. I'll try my best to clarify.
      If an organization only has EDR and they are not sending the logs to a SIEM, then they are, in effect, trusting the EDR vendor to have signatures, ML, or detection capabilities to identify attacks. The assumption is that the individual vendors know what to look for, so you do not have to.
      Yet, vendors are not infallible. They do not know everything and cannot detect all the things. First, it's possible there's a known attack that they have log visibility of but do not have a signature or detection technique to alert you. Second, EDR logs are some of the best logs for completing the "know thyself" directive. By collecting those logs, organizations can implement baselines and anomalies of their own. A simple example would be someone using PowerShell remoting from a domain controller to a backup server. It seems normal, but if you never do that in your environment, the EDR logs could be used to create a custom alert specific to your organization. Third, the data can be rolled into other tools (open-source or commercial) such as machine learning, etc.
      I probably could go on and on, but hopefully the above makes sense.

    • @shanmukhanandn
      @shanmukhanandn 4 years ago +2

      @@TellaroCyberResilience Makes sense.
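The reply above makes the case for collecting raw EDR/endpoint telemetry rather than only vendor alerts: with the raw events you can baseline what is normal for your own environment and alert on deviations, such as PowerShell remoting from a domain controller to a backup server when nobody ever does that. The script below is an added example to illustrate that idea; it is not code from the video, the commenter, or DeTT&CT. The log lines are constructed inline (host-to-host remoting events with a source host, destination host, service and user); a real deployment would put a small parser for your EDR or Sysmon network-connection events in front of `build_baseline`.

```python
"""Baseline-and-anomaly check over endpoint remoting telemetry.

Added example; not from the video or the comment thread. Learns the
(source, destination, service) paths seen during a quiet learning window and
flags new events that use a path never seen before.
"""
from collections import Counter

# Constructed sample telemetry for the learning window (not real EDR output).
HISTORY_LOG = """\
2025-01-06T08:01:10 src=admin-ws01 dst=dc01 service=winrm user=ops.admin
2025-01-06T09:14:55 src=admin-ws01 dst=backup01 service=winrm user=ops.admin
2025-01-07T08:03:42 src=admin-ws01 dst=dc01 service=winrm user=ops.admin
2025-01-07T22:00:03 src=dc01 dst=dc02 service=smb user=svc.repl
2025-01-08T08:00:17 src=admin-ws01 dst=dc01 service=winrm user=ops.admin
2025-01-08T22:00:05 src=dc01 dst=dc02 service=smb user=svc.repl
2025-01-09T09:30:01 src=admin-ws01 dst=backup01 service=winrm user=ops.admin
"""

# Constructed sample telemetry for the day being reviewed. The second and third
# lines are the kind of path the reply describes: a DC remoting into a backup
# server, something this environment has never done before.
NEW_LOG = """\
2025-02-03T08:02:11 src=admin-ws01 dst=dc01 service=winrm user=ops.admin
2025-02-03T13:47:29 src=dc01 dst=backup01 service=winrm user=svc.backup
2025-02-03T13:49:02 src=backup01 dst=fs01 service=smb user=svc.backup
"""


def parse_line(line):
    """'<ts> key=value key=value ...' -> dict with the timestamp under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = ts
    return event


def parse_log(text):
    """Parse every non-empty line of a log blob."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def path_key(event):
    """The dimension we baseline on: who talks to whom over which service."""
    return (event["src"], event["dst"], event["service"])


def build_baseline(events):
    """Count how often each path occurred during the learning window."""
    return Counter(path_key(e) for e in events)


def find_anomalies(baseline, events):
    """Return the events whose path never appeared in the baseline, with a reason."""
    hits = []
    for e in events:
        if baseline[path_key(e)] == 0:
            hits.append({**e, "reason": "path never seen in baseline window"})
    return hits


if __name__ == "__main__":
    baseline = build_baseline(parse_log(HISTORY_LOG))
    print(f"baseline: {len(baseline)} known paths")
    for hit in find_anomalies(baseline, parse_log(NEW_LOG)):
        print(f"ALERT {hit['ts']} {hit['src']} -> {hit['dst']} via {hit['service']} "
              f"as {hit['user']}: {hit['reason']}")
```

A vendor signature cannot know that `dc01 -> backup01` over WinRM is unusual for this organization; the baseline can, which is the "know thyself" point in the reply. In practice you would rebuild the baseline on a rolling window and add the user as a dimension once the path set is stable.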

  • @cowbe0x004
    @cowbe0x004 3 years ago

    When you were comparing two layers @14:32, does something popup to input score value? Mine has nothing when I select annotated.

    • @TellaroCyberResilience
      @TellaroCyberResilience 3 years ago

      After clicking select annotated, you'll need to click the icon in the top right corner for scoring. It's a little icon on the menu bar.

  • @FlimFlamBougelets
    @FlimFlamBougelets 1 year ago

    Could this tool take a threat model --- and map to Mitre controls?

  • @TheLeiLife
    @TheLeiLife 3 years ago

    Hi Justin, I just got DeTT&CT set up, but I don't have the same data sources that you show in the video, like Windows event logs for instance. When I type in "windows", I only get Windows Registry options. Any help would be appreciated. Thanks

    • @TellaroCyberResilience
      @TellaroCyberResilience 3 years ago +1

      The data sources have changed since the video, as it pulls them using a TAXII service to get the latest mappings.

    • @mathijsvermaat
      @mathijsvermaat 3 years ago

      @@TellaroCyberResilience Curious how to map the standard Windows logging based on the current mappings within the tool. Any insights on that?

  • @robheald9364
    @robheald9364 3 years ago

    DeTT&CT is not a MITRE product. I believe it is written by sharp folks at Rabobank in the EU who use ATT&CK as inspiration for data and threat modeling. Really good stuff.

    • @TellaroCyberResilience
      @TellaroCyberResilience 3 years ago +1

      You are correct. I believe I mention that it's not an official MITRE product in the beginning, although I wish it was. The folks who maintain this tool are amazing.

  • @KA-NV
    @KA-NV 2 years ago

    This video is great.
    I am currently trying to get a list of the logs in my company using DeTT&CT, but the data sources the tool shows are not the same as the ones presented in the video.
    Can you tell me how I can get to see data sources like Windows event logs, PowerShell, etc.?
    Thanks

    • @iandavies2868
      @iandavies2868 1 year ago

      A long shot over a year later, but did you get to the bottom of this? I am having a similar issue.

    • @KA-NV
      @KA-NV 1 year ago

      @@iandavies2868 No answers from the creator of the video. Sorry.

  • @newtons7479
    @newtons7479 3 years ago

    Thanks for this video Justin. This is very helpful. But I am stuck with a problem. After I upload the converted JSON data sources file into MITRE Navigator, the corresponding techniques get highlighted, but when I navigate through them, under available data sources it just says {{metada.value. Even for products and ATT&CK data sources, it's the same. I think I am missing something. Could you help me with this?

    • @TellaroCyberResilience
      @TellaroCyberResilience 3 years ago

      What I'm wondering is whether the version of DeTT&CT didn't match MITRE Navigator. MITRE constantly updates Navigator. It's possible (totally guessing here) that MITRE updated Navigator at the time you ran DeTT&CT. If you try it again, do you get the same thing? Both Navigator and DeTT&CT have updated since this post.

  • @mahendraa2118
    @mahendraa2118 3 years ago

    [!] Cannot connect to MITRE's CTI TAXII server

    • @TellaroCyberResilience
      @TellaroCyberResilience 3 years ago

      When I see this, it's usually caused by TLS inspection at your workplace. DeTT&CT queries MITRE's TAXII servers when run. Both URL filtering and SSL/TLS inspection can cause issues with it.

    • @soumyakumari9423
      @soumyakumari9423 3 years ago

      @@TellaroCyberResilience I disabled all the TLS inspection on my Windows 10 machine and am still getting this error. I am using the latest version of DeTT&CT. I have also used their Docker image, and there I am getting the same error too.

    • @soumyakumari9423
      @soumyakumari9423 3 years ago

      @@TellaroCyberResilience Even the command "python dettect.py generic -ds" is giving me the same error.

    • @TellaroCyberResilience
      @TellaroCyberResilience 3 years ago

      @@soumyakumari9423 Are you getting any errors when you run it? It sounds like there's something blocking access to the CTI TAXII servers. You may even have to fall back to running something like Wireshark when testing DeTTECT to see why it's not able to pull the required information over the internet.

    • @soumyakumari9423
      @soumyakumari9423 3 years ago

      @@TellaroCyberResilience No, I'm not getting any error. Also, 3 of my colleagues have tried doing it on their systems, and none of them are able to do it.