Defensible Architecture: Starting with Navigator and DeTT&CT

Intro

Documentation space for the docker containers and other tools used to build a defensible architecture, with the goal of moving toward a zero-trust environment. The level of detail captured will be bare initially and will likely be built out over time.

Starting Point

Identify Crown Jewels

The first step is to gain an understanding of both your company's crown jewels and of the attackers who would covet said jewels. Once you have identified what makes your company excel and what type of attack would destroy the company, you'll have identified what it is you need to protect. So if you're in the retail biz, perhaps your crown jewels are a secret sauce (intellectual property) that makes it bomb-diggity. How well-protected is that recipe? What tactics, techniques, and procedures do attackers of I.P. tend to use?

Identify Adversaries

Using MITRE ATT&CK's search function and typing in 'intellectual property' gives an idea of what we are up against. In this example, Cinnamon Tempest and FIN13 look to be threats to our business.

MITRE ATT&CK Navigator

The following command spins up a docker container for the MITRE ATT&CK Navigator tool. This lets us do our research locally, with the tool served on port 4200 of the host machine.

docker run -p 4200:4200 --rm --name navigator aboutsecurity/attack_navigator:latest
Once the container is running, open localhost:4200 in your browser to bring up the Navigator tool.

Create new layer

What is the significance of each version? If you switch versions, what are the considerations? Do you have to use the same version for Navigator as DeTT&CT? What would be the advantages/disadvantages?
In the new-layer dialog, choose the domain (Enterprise) and the ATT&CK version to create the layer from.

Now we can add the TTP information about Cinnamon Tempest to this layer. Since we'll be housing APT-specific details in this layer, renaming it is useful. Do this by clicking the "layer information" icon, then double-clicking the default name of "layer." Clicking the magnifying glass opens a search bar on the right where you can search for the threat group by name and then click "select." After that, click the magnifying glass again to close the search function. To harness the power of the tool and incorporate multiple layers, we will want to add scoring to this layer. Generally, a score of 1 is appropriate.

Additional layers can be added for other APTs or threat groups (or really any other TTP-related data that you want to be able to integrate at times but keep isolated at other times). After adding additional layers, you can combine them into one layer using the option "Create layer from other layers."

Summary

1) Create a layer
2) Name it
3) Select the threat group's info you want
4) Add scoring
5) Repeat the steps for any additional APTs
6) Add a layer that combines the previous layers and adjusts the coloring of techniques based on the scores for each technique (if more than one APT employs the same technique, it will have a higher score)
7)

DeTT&CT

Get the latest docker image for DeTT&CT:

docker pull rabobankcdc/dettect:latest
Run the container with a bash shell, mounting specific host directories into the container's input, output and threat-actor-data paths:
docker run --rm -p 8080:8080 -v host/machine/path/to/output:/opt/DeTTECT/output -v host/machine/path/to/input:/opt/DeTTECT/input -v host/machine/path/to/threat-actor-data:/opt/DeTTECT/threat-actor-data --name dettect -it rabobankcdc/dettect:latest /bin/bash 
Or, without mounting any host directories:
docker run --rm -p 8080:8080 --name dettect -it rabobankcdc/dettect:latest /bin/bash
Once in the container, spin up the web server to use the DeTT&CT editor:
python dettect.py editor &
Now you can use localhost:8080 to access the tool in your browser. This is where you'll use the "Data Sources" section to upload the YAML files you mounted from your host machine.

The data-source YAML file can also be used (as-is, or after improving its quality) to create a Navigator layer JSON file:

python dettect.py ds -fd input/data-sources-traditional.yaml -l --local-stix-path input/cti-att-ck-v.latest -of data-sources-traditional.json
Running this command results in the JSON file being written to the container's output folder, which is mounted from the host's output directory.

Using DeTT&CT output for Navigator

Now you can pull up a new tab of the localhost:4200 Navigator tool and upload the JSON file as a layer using the "Open Existing Layer" option. This output gives insight into which techniques the company currently has visibility into.

If we add the threat groups to this layer, it will show where we have gaps in visibility, since it only colorizes the TTPs where visibility is present.
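The layer-building, score-combining and gap-finding steps from the Summary and from the paragraph above, as an added Python example (not code from this page or from the Navigator or DeTT&CT projects): it builds minimal Navigator-style layer JSON, sums scores across APT layers the way "Create layer from other layers" does, and lists adversary techniques that the visibility layer leaves unscored. The technique IDs per group and the visibility scores are constructed sample data, and the version strings are assumed placeholders.

```python
import json

# Constructed sample data: these technique IDs are illustrative and are
# NOT taken from the ATT&CK entries for Cinnamon Tempest or FIN13.
THREAT_GROUPS = {
    "Cinnamon Tempest": ["T1190", "T1059.001", "T1021.002", "T1486"],
    "FIN13": ["T1190", "T1059.001", "T1078", "T1041"],
}
# Constructed stand-in for a DeTT&CT data-source layer: score > 0 means
# at least one data source gives visibility into the technique.
VISIBILITY = {"T1190": 2, "T1059.001": 1, "T1078": 1, "T1486": 0}


def build_layer(name, scores, domain="enterprise-attack"):
    """Minimal Navigator layer: one entry per technique with its score.
    The version strings are assumed placeholders; set them for your install."""
    return {
        "name": name,
        "domain": domain,
        "versions": {"layer": "4.5", "attack": "14", "navigator": "4.9"},
        "techniques": [{"techniqueID": t, "score": s} for t, s in scores.items()],
    }


def scores_of(layer):
    """Map techniqueID -> score for a layer."""
    return {e["techniqueID"]: e["score"] for e in layer["techniques"]}


def combine_layers(layers, name="Combined APTs"):
    """Sum scores per technique across layers, as 'Create layer from other
    layers' does; a technique shared by several APTs ends up with a higher score."""
    totals = {}
    for layer in layers:
        for t, s in scores_of(layer).items():
            totals[t] = totals.get(t, 0) + s
    return build_layer(name, dict(sorted(totals.items())))


def visibility_gaps(threat_layer, visibility_layer):
    """Adversary techniques with no data-source visibility (score 0 or absent)."""
    visible = {t for t, s in scores_of(visibility_layer).items() if s > 0}
    return sorted(t for t in scores_of(threat_layer) if t not in visible)


def run_example():
    """Score each APT layer at 1, combine them, then find visibility gaps."""
    apt_layers = [build_layer(g, {t: 1 for t in ttps}) for g, ttps in THREAT_GROUPS.items()]
    combined = combine_layers(apt_layers)
    gaps = visibility_gaps(combined, build_layer("DeTT&CT visibility", VISIBILITY))
    return scores_of(combined), gaps


if __name__ == "__main__":
    combined_scores, gaps = run_example()
    print(json.dumps(combined_scores, indent=2))
    print("Techniques used by adversaries but lacking visibility:", gaps)
```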

Heatmaps can also be created.