DeTT&CT: Mapping Blue Team to ATT&CK

Description

Building detection is a complex task, especially with a constantly increasing amount of data sources. Keeping track of these data sources and their appropriate detection rules or avoiding duplicate detection rules covering the same techniques can give a hard time to detection engineers.

For a SOC, it is crucial to have an good overview and a clear understanding of its actual visibility and detection coverage in order to identify gaps, prioritize the development of new detection rules or onboard new data sources.

DeTT&CT stands for Detect Tactics, Techniques & Combat Threats. This framework has been created at the Cyber Defence Center of Rabobank and is developed and at the time of writing maintained by Marcus Bakker and Ruben Bouman.

The purpose of DeTT&CT is to assist blue teams using MITRE ATT&CK to score and compare data log source quality, visibility coverage and detection coverage. By using this framework, blue teams can quickly detect gaps in the detection or visibility coverage and prioritize the ingest of new log sources.

DeTT&CT delivers a framework than can map the information you have on the entities available in ATT&CK and help you manage your blue teams data, visibility, and detection coverage.

Data Sources:

Data sources are the raw logs or events generated by systems, e.g., security appliances, network devices, and endpoints. ATT&CK has over 30 different data sources which are further divided into over 90 data components. All those data components are included in this framework. These data sources are administered within the data source administration YAML file. For each data source, among others, the data quality can be scored. Within ATT&CK, these data sources are listed within the techniques themselves (e.g. T1003 in the Detection section).

TAKE THIS COURSE