
Comments (5)

beerMT commented on August 25, 2024

I appreciate you all being open to feedback. Cheers!

from dettect.

rubinatorz commented on August 25, 2024

Hi @beerMT! It took some time, but we finally implemented your idea! We were working on the change for ATT&CK Campaigns and that was a good moment to also include your idea. Note from the release notes:

We added a new option to the Group mode: --include-software. Thanks to beerMT. He came up with the idea to include software techniques in the scores of the heat map when a threat actor uses specific software. Until now we only had the option to show what software is used (--software-group), but that option did not influence the score.

Check out the new version:
https://github.com/rabobank-cdc/DeTTECT/wiki/Changelog#version-180

rubinatorz commented on August 25, 2024

Hi @beerMT,

DeTT&CT uses the information on threat actors documented in ATT&CK (also available in their STIX/TAXII feed):
https://attack.mitre.org/groups/

MITRE ATT&CK has based their information on a bunch of open source intelligence reports. So the documented (sub) techniques are techniques that have been seen and reported on.

The DeTT&CT group mode will show exactly those techniques that are documented in ATT&CK. Those will get a score, so that you can see which techniques are used the most. Our thought was: when a group uses a piece of software, it also has the capability to use techniques that are covered within that software but which they didn't use before (at least, that's what we know based on the intel reports mentioned above). You can say: this is the potential of the TA, because they are using specific software. And that's what we want to show with the --software-group option. It doesn't influence the score, because based on what we know from the intel available in ATT&CK the TA didn't use the technique before, but it's capable of using it.

beerMT commented on August 25, 2024

Interesting interpretation. Please allow me to offer up some counters. This is only to help further the project and its TA coverage and should not be viewed as nitpicking. My understanding is the following:

Let's look at TA505 (G0092) or FIN6 (G0037). These TAs are commonly associated with the Software they have developed in order to achieve their objectives. TA505 frequently leverages Trickbot and it would be remiss not to track the associated Trickbot techniques along with TA505's overall Techniques used. This example holds true for FIN6 (and many others) as they have been found to use Maze Software. No other group is attributed to the Maze Software. Therefore, it seems more appropriate to track both FIN6's known Techniques and Software used (which maps to techniques) to represent a more complete scope of what Techniques the TA actually will use against a target.

From the MITRE Software page, it seems fairly clear that if a Group is associated with a Software it is because there is publicly available information to support the use.

My suggestion is that the Software used by a Group gets populated and scored along with the Techniques used by a group, since there is evidence of the Group leveraging that Software in attacks. In much the same fashion that MITRE includes Techniques used by a group, it is not a guarantee that the TA will use these techniques every time, it is just a representation of what they have used in the past and provides insight into their behaviors.

Hopefully the feedback is useful. I have had to repurpose parts of attackcti and DeTT&CT in order to achieve this desired behavior of tracking "all" Techniques known to be used by a group, so this isn't an ask that I need to be built. It is more of a discussion, as I think there is more fidelity to be achieved in tracking what techniques a TA is actually leveraging against their targets.

Cheers! And as always, thank you for this wonderful contribution to the InfoSec community.
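To make the two scoring behaviours discussed above concrete, here is an added example that is not DeTT&CT's own code. It models a group's directly documented techniques, the software the group uses, and the techniques each piece of software implements, then computes heat-map style technique counts both with and without the software techniques merged in. All group, software and technique identifiers and relationships below are constructed toy data, not values taken from ATT&CK; the `include_software` flag is an assumed name standing in for the behaviour the thread proposes.

```python
"""Technique counting for a set of threat-actor groups, with and without the
techniques contributed by the software those groups use.

Added example; not code from DeTT&CT or attackcti. All data is constructed.
"""
from collections import Counter

# Constructed sample: group -> techniques directly documented for the group.
GROUP_TECHNIQUES = {
    "G-EXAMPLE-1": {"T1059", "T1566", "T1105"},
    "G-EXAMPLE-2": {"T1566", "T1027"},
}

# Constructed sample: group -> software the group is documented to use.
GROUP_SOFTWARE = {
    "G-EXAMPLE-1": {"S-EXAMPLE-A"},
    "G-EXAMPLE-2": {"S-EXAMPLE-A", "S-EXAMPLE-B"},
}

# Constructed sample: software -> techniques that software implements.
SOFTWARE_TECHNIQUES = {
    "S-EXAMPLE-A": {"T1105", "T1071", "T1027"},
    "S-EXAMPLE-B": {"T1003"},
}


def techniques_for_group(group_id, include_software=False):
    """Return the set of technique ids attributed to one group.

    With include_software=False only the group's directly documented
    techniques count (the original group-mode behaviour). With
    include_software=True the techniques of every piece of software the
    group uses are merged in (the behaviour proposed in the thread).
    """
    techniques = set(GROUP_TECHNIQUES.get(group_id, set()))
    if include_software:
        for software_id in GROUP_SOFTWARE.get(group_id, set()):
            techniques |= SOFTWARE_TECHNIQUES.get(software_id, set())
    return techniques


def technique_scores(group_ids, include_software=False):
    """Count, per technique, how many of the selected groups are associated
    with it. This is the quantity a heat map would colour: a higher count
    means more of the selected groups use the technique."""
    counter = Counter()
    for group_id in group_ids:
        counter.update(techniques_for_group(group_id, include_software))
    return dict(counter)


def software_only_techniques(group_id):
    """Techniques a group is associated with only through its software, i.e.
    the 'potential' the maintainers describe: capabilities the software
    provides that are not (yet) documented as used by the group itself."""
    return (techniques_for_group(group_id, include_software=True)
            - techniques_for_group(group_id, include_software=False))


if __name__ == "__main__":
    selected = ["G-EXAMPLE-1", "G-EXAMPLE-2"]
    for flag in (False, True):
        print(f"include_software={flag}: {technique_scores(selected, flag)}")
    print("software-only potential for G-EXAMPLE-1:",
          sorted(software_only_techniques("G-EXAMPLE-1")))
```

Run as a script it prints the counts for both modes; the difference between them is exactly the set of techniques that the software relationships add, which is what separates "what the group has been observed doing" from "what the group is capable of given its tooling". Keeping the two modes as a flag rather than a hard-coded choice is what lets an analyst decide which view fits a given detection-coverage question.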

marcusbakker commented on August 25, 2024

Hi Brad,

Ruben and I have just discussed this and believe you have a valid point. We are thus also of the opinion that changing the default behaviour to include the software techniques in the counting will improve the TA functionality of DeTT&CT.

We have put this improvement on our backlog and are considering providing the user with several options to influence the TA technique count behaviour.

Thanks Brad for bringing this to our attention! 😄

Regards,
Marcus
