Releases: rabobank-cdc/DeTTECT

v2.0.0

22 Nov 14:45

Please note: if you use the --local-stix-path command-line option, please use the new STIX repository:
https://github.com/mitre-attack/attack-stix-data

v1.9.0

11 May 18:45
  • DeTT&CT now supports Mobile data sources, which were introduced in MITRE ATT&CK version 13.

v1.8.0

21 Dec 18:54
998187b
  • DeTT&CT now supports ATT&CK Campaigns. It's included within the Group mode of the DeTT&CT CLI that allows you to make heat maps and overlays for both groups and campaigns. Because of this, we changed the --software-group option to --software to also support campaigns.
  • We added a new option to the Group mode: --include-software. Thanks to beerMT, who came up with the idea to include software techniques in the scores of the heat map when a threat actor uses specific software. Until now we only had the option to show which software is used (--software-group), but that option did not influence the score.
  • We extended the cache expiry period for ATT&CK information from 24 hours to 7 days.

v1.7.0

04 Oct 14:53
  • With the financial sponsorship of the Dutch National Police, we added support for ATT&CK Mobile to DeTT&CT.
  • Due to overlapping STIX IDs for threat actor groups in multiple ATT&CK matrices, some groups could not be found. This issue is now solved.
  • Due to inconsistent name and alias lists for threat actor groups in the ATT&CK STIX data, some groups could not be found. This issue is now solved.
  • Within the Editor, DeTT&CT data sources (having platform=all) were shown for ICS, although they are not applicable to ICS.

v1.6.0

08 Mar 14:22

CLI

  • With the financial sponsorship of the Cyber Security Sharing & Analytics (CSSA), we added support for ATT&CK ICS to DeTT&CT.
    • In the current ATT&CK release of ICS, there are inconsistencies between the data on the ICS wiki and the STIX objects. Be aware that for DeTT&CT the ICS data from STIX is leading, not the wiki, because the wiki cannot be accessed via an API. For more information see this page: 7. ICS - Inconsistencies.
  • Improved the data source statistics (python3 dettect.py ge -ds) by adding:
    • The option to only include data sources for selected platforms.
    • The corresponding ATT&CK platforms per data source in the output.
  • Removed the interactive menu. We have decided to do this for the following reasons:
    • Our list of improvements and new features for DeTT&CT is long. Therefore, we want to spend as much time as possible on improving the core of DeTT&CT and less on maintaining functionality that is already provided differently.
    • The interactive menu has not been kept up to date with the latest features and thus lacks features that are available from the command-line interface.
  • Removed the functionality to update the technique administration YAML file to ATT&CK with sub-techniques.
  • Numerous small improvements.
  • Updated all Python dependencies.
    • Due to Pandas being updated to version 1.4.0, the minimal required Python version is now 3.8.

v1.5.0

20 Dec 09:15

Generic

  • We've added multiple custom data sources (Web, Email, Internal DNS and DHCP) as an extension to the native ATT&CK data sources. We call these custom data sources: DeTT&CT data sources. These data sources will significantly improve the automatic calculation of your rough visibility based on the number of available data sources. In addition, it provides the capability to score and administrate these important data sources separately. You can find more information here.
    • Please note that your rough visibility score will be lower for some of the techniques because we've added DeTT&CT data sources.
  • Sample-data: the technique administration is now in sync again with the data source administration.

CLI

Data sources - Applicable to / type of System

Similar to the technique administration file, we added support for applicable to within the data source administration. The CLI automatically upgrades version 1.0 data source administration files to data format v1.1.

This upgrade only ensures that the data format is in line with v1.1; it cannot account for how you have recorded information on your data sources. It's therefore advised to put some manual work into the data source administration file after this upgrade, for example to:

  • Assign data sources to the correct type of Systems (which are furthermore linked to ATT&CK platforms).
  • As we recommend and explain here, have matching Systems/applicable to between your technique and data source administration YAML file.
  • Merge multiple data source files into one single file when you had multiple data source files per ATT&CK platform, type of system, environment, etc. The new v1.1 data format supports combining all of that within the same data source YAML file using the new Systems object.

You can find further information on this new applicable to/type of System functionality here.

Other CLI Changes

  • Within the datasource mode, the platform filter argument (-p/--platform) has been replaced by an option to filter on applicable to value (-a/--applicable_to).
  • Added a graceful exit of DeTT&CT when MITRE's CTI server could not be reached.
  • The following functionality has been removed:
    • Upgrading a technique administration file from version 1.0 to 1.1 and from version 1.1 to 1.2.

    • Letting you know that you are missing specific data sources within your data source administration file. This was implemented in the health check and Excel output.
      We noticed that this check could be bothersome when you already knew that a data source was missing. We have implemented new features within the Editor to inform you about relevant data sources.

  • Support for DeTT&CT data sources: Web, Email, Internal DNS and DHCP. You can find more information here.
  • Updated all Python dependencies.
  • Numerous small improvements.

Editor

  • Data sources
    • Added support for the data source schema version 1.1, including support for:
      • Editing the Systems object with its applicable to values and corresponding ATT&CK platforms.
      • A drop-down menu to link a data source to one or more Systems/applicable to values.
    • Improved the autofill dropdown for data sources to only show data sources which are not yet administrated and apply to the included ATT&CK platforms.
    • Added a new button to add all data sources at once for the ATT&CK platforms in scope.
      Source of the idea: @SecurePeacock
  • Techniques
    • Auto suggest list for applicable to values.
  • UI improvement: collapsible file details section (will close on scroll).
    This behaviour can be prevented by using the lock icon.
  • Support for DeTT&CT data sources: Web, Email, Internal DNS and DHCP. You can find more information here.
  • Updated all JavaScript dependencies. (already published before the release of 1.5.0)
  • Numerous small improvements and bug fixes.

v1.4.4

22 Oct 19:00
3c9ecc3

CLI

  • Added support for the ATT&CK v10 data sources.
  • Navigator layer files now have better default settings for the score aggregation. (already published before the release of 1.4.4)
  • Numerous minor bug fixes. (already published before the release of 1.4.4)

Editor

  • Added support for the ATT&CK v10 data sources.
  • Numerous minor bug fixes. (already published before the release of 1.4.4)
  • Numerous small improvements. (already published before the release of 1.4.4)

v1.4.3

30 Apr 18:19

CLI

  • Added support for the revamped data sources introduced with ATT&CK v9. Please note that this version of DeTT&CT no longer supports the old data source names as they are simply no longer part of the most recent version of ATT&CK. Using them is still possible with version 1.4.2 and a local copy of ATT&CK v8 provided to DeTT&CT with the argument --local-stix-path.
    • You can find more information on ATT&CK v9 and the new data sources on this blog post from MITRE, the data source YAML files (also from MITRE) and on this page on the Wiki.
    • We currently do not yet support data source to technique mapping (to calculate the rough visibility score per technique) for the PRE platform. Support will be added once MITRE has, in a future release of ATT&CK, defined the data sources for this platform.
  • Added support for the ATT&CK Navigator version 4.3 and layer version 4.2.
  • Bugfix:
    • Issue #40 reported by @sherlon1. A crash could occur in the interactive menu when doing a group overlay. (already pushed to master before the release of 1.4.3)

Editor

  • Added support for the revamped data sources introduced with ATT&CK v9.
  • Multiple UI improvements. (already published before the release of 1.4.3)
  • Updated all JavaScript dependencies. (already published one time before the release of 1.4.3, and for a second time with this release)

Generic

  • The sample data source YAML files have not been updated yet to reflect the new data sources of ATT&CK v9. We chose to postpone this to a later time to allow a quicker release of v1.4.3.

v1.4.2

04 Nov 11:20

CLI

  • Added support for the new platforms PRE and Network.
  • Updated the data sources per platform mapping.
  • Added support for the ATT&CK Navigator version 4.0.
  • Removed support for PRE-ATT&CK from the Group menu (PRE-ATT&CK has been replaced by the new platform PRE).
  • Bug fixes:
    • The value all for the argument -p/--platform, meant to include all ATT&CK platforms, was broken.
    • Issue #36 reported by @sherlon1. A crash could occur when retrieving data sources for a technique, in ATT&CK CTI, which had no data sources.
    • Two small bug fixes in the data source and technique administration health check.
  • Updated all Python dependencies.

Editor

  • Added support for the new platforms PRE and Network.
  • Updated all JavaScript dependencies.

v1.4.1

24 Oct 10:46

CLI

  • Added a new argument (-p/--platform) to the data source, detection and visibility menu that allows you to overwrite, when generating a Navigator layer, the platform value(s) as specified in the YAML file.
    • This also improves the group menu, as this now allows you to specify multiple ATT&CK platforms by providing extra -p/--platform arguments.
  • Changed how ATT&CK Groups are specified within the group menu. No longer are multiple Groups provided using a double-quoted string in which Groups are separated by commas. Instead, multiple Groups can be provided by additional -g/--group arguments.
  • Updated all Python packages.
  • Bug fixes:
    • Crash on updating a techniques file based on a data source when having null values in the date key-value pair in the visibility score_logbook. (already pushed to master before the release of 1.4.1)
    • Issue #36 reported by @driesbuyck. DeTT&CT crashed when generating a detection or visibility layer file when having a technique administration file with different Python date formats. (already pushed to master before the release of 1.4.1)
    • Detections with a score of -1, or visibility items with a score of 0 were included in the graph showing the progression of added detection/visibility over time. (already pushed to master before the release of 1.4.1)
    • Within particular circumstances the update of visibility scores, based on updated data sources, would not write the updated technique YAML file to disk.
    • Techniques with a detection score of 0 and a visibility score of 0 were coloured white within a detection/visibility overlay instead of purple.

Editor

  • Moved the maximise icon within text fields more to the left to improve the user experience for browsers running on Windows.
  • The list editor for the detection's locations no longer shows empty values. This improves the user experience.
  • Removed the service worker module to solve a caching problem that could prevent a new version of the Editor from being loaded in the browser.
  • Updated all JavaScript dependencies.
  • Bug fixes:
    • The detection score slider was missing the score 0 (already pushed to master before the release of 1.4.1)
    • A very long group name would run off the page.

Generic

  • Added threat intelligence data from Cisco Talos: 20200901-Cisco-Talos.yaml (already pushed to master before the release of 1.4.1)