question about the techniques administration file about dettect HOT 3 CLOSED

Hi Sriram,

We have put a short instruction on the Wiki on how to get started with the docker instance :-).

When you refer to "the detection map", you are referring to this picture? The command python3 dettect.py ds -f sample-data/data-sources-endpoints.yaml -y will provide you with a YAML technique administration file. In this file, detections are left blank. Only visibility is filled in based on your data sources (data-sources-endpoints.yaml). The result is YAML file with a rough overview of your visibility coverage. In the file techniques-administration-endpoints.yaml we choose the manually score the visibility of some of the techniques. If I understand you correctly, that will explain the difference in the score of the visibility.

Regarding the relation between visibility and detection. These are two separate things. Visibility tells you something about what you could potentially detect. When you want to use DeTT&CT for your Linux fleet it can be a good idea to:

• start with creating a data source administration file
• use that file to draft a tech. admin. YAML file
• the visibility scores within this file a rough estimation
• manually start scoring your detection per technique in this tech. admin. YAML file
• where it makes sense or where it is of value, you can then manually score the visibility of a technique. There can be multiple reasons why this is necessary. See: Score visibility.
• have a look at the scoring tables to help you. Use the score that fits best.

Does the above answer your questions and helps you to get started?

Regards,
Marcus

from dettect.

Thanks Marcus, I think I see your perspective on this now.

However, I'm presuming you have also explored the concept of how Organisational protection policies implemented on these technologies may map against the MITRE ATT&CK f/w. Prima facie, it would have to be a sub set of the feature set advertised by a vendor product. How did that experience go, if I may ask?

from dettect.

Yes, we have. That part is not, yet, integrated with DeTT&CT (it is on the list for Future Developments). Besides having preventive or protective measures provided by a vendor as a subset of the features they offer or being their primary functionality. We could of course also have taken for example measures within an OS (like enabling credential guard in Windows).

from dettect.