# Covering Your Attack Surface

Detection gap analysis is self-explanatory. However, the process for doing so is not. It's an open ocean of possibilities, and it can be hard to find what to prioritize or even get the lay of the land. It's best to depend on a general framework, such as those from MITRE, for a systematic approach.

# DeTT&CT Overview

DeTT&CT is a tool where you can bring all of your knowledge of data/intel/event/log sources and analyze your coverage in regards to the MITRE ATT&CK taxonomy. This gap analysis is done qualitatively by grading your data source quality, endpoint visibility, and detection coverage, and ultimately mapping it to threat actor behavior.

> "Data sources are the raw logs or events generated by systems, security appliances, network devices, etc. ATT&CK has over 30 different data sources, which are further divided into over 90 data components."

> "Visibility is used within DeTT&CT to indicate if you have sufficient data sources with sufficient quality available to be able to see traces of ATT&CK techniques. Visibility is necessary to perform incident response, execute hunting investigations and build [detections](https://github.com/rabobank-cdc/DeTTECT/wiki/How-to-use-the-framework#detection). Within DeTT&CT you can score the visibility coverage per ATT&CK technique."

> "When you have the right data sources with sufficient data quality and available to you for data analytics, your visibility can be used to create new detections for ATT&CK techniques."

Check out this blog or the GitHub repo for more info:

- [DeTT&CT : Mapping detection to MITRE ATT&CK – NVISO Labs](https://blog.nviso.eu/2022/03/09/dettct-mapping-detection-to-mitre-attck/)
- [Getting started · rabobank-cdc/DeTTECT Wiki](https://github.com/rabobank-cdc/DeTTECT/wiki/Getting-started)

# DeTT&CT Setup

- DeTT&CT is a completely local or client-side tool, so we don't need a server. You can run this locally using Python or use a container from Docker Hub. In this case, we are using the container they provide along with Podman (arguably better for running containers than Docker).

## If you don't want to run it yourself

- It's free online here: [DeTT&CT Editor](https://rabobank-cdc.github.io/dettect-editor/#/home)

## Self-Hosting DeTT&CT Editor

1. Download the desktop app from [Podman](https://podman.io/)
2. Follow the instructions in the app to set up WSL2
   1. You shouldn't need BIOS setup; you only really have to enable the Virtual Machine Platform
   2. If you get errors (like 1603) when installing WSL2, just do a power cycle or restart and try again

![](__attachments/Detection%20Engineering/IMG-Detection%20Gap%20Analysis%20Using%20DeTT&CT-2024063021.png)

### If using a container (haven't gotten working yet)

3. Go to Docker Hub to get the DeTT&CT container link
   1. https://hub.docker.com/r/rabobankcdc/dettect
      1. `rabobankcdc/dettect`
   2. If you get weird errors like the one below, then try building the image yourself instead
      1. https://github.com/rabobank-cdc/DeTTECT/wiki/Installation-and-requirements#building-the-image-yourself
      2. ![](__attachments/Detection%20Engineering/IMG-Detection%20Gap%20Analysis%20Using%20DeTT&CT-2024063021-1.png)
   3. To build:
      1. Run in cmd: `git clone https://github.com/rabobank-cdc/DeTTECT`
      2. ![](__attachments/Detection%20Engineering/IMG-Detection%20Gap%20Analysis%20Using%20DeTT&CT-2024063021-2.png)
      3. Got the same errors with registry name resolution as before...weird

### Running Locally with Python instead

- Easy:
  - https://packaging.python.org/en/latest/guides/installing-using-pip-and-virtual-environments/
  - `git clone https://github.com/rabobank-cdc/DeTTECT`
  - cd into your cloned folder
  - `py -m venv .venv`
  - `.venv\Scripts\activate`
  - `where python`
  - `pip install -r requirements.txt`
  - `.venv\Scripts\python`
  - To deactivate the virtual environment: `deactivate`
  - `py -m pip install --upgrade pip`
  - `py -m pip --version`
  - `py -m pip install -r requirements.txt`
- Was almost easy:
  - You'll likely get a pandas error because of some weird 32-bit-specific issue with the library
  - ![](__attachments/Detection%20Engineering/IMG-Detection%20Gap%20Analysis%20Using%20DeTT&CT-2024063021-3.png)
  - Run `python -m pip install pandas`
  - Change `requirements.txt` so it does not pin a specific version of pandas
  - ![](__attachments/Detection%20Engineering/IMG-Detection%20Gap%20Analysis%20Using%20DeTT&CT-2024063021-4.png)
  - Then run the command below again
    - `py -m pip install -r requirements.txt`
  - Run the editor locally
  - ![](__attachments/Detection%20Engineering/IMG-Detection%20Gap%20Analysis%20Using%20DeTT&CT-2024063021-5.png)
  - ![](__attachments/Detection%20Engineering/IMG-Detection%20Gap%20Analysis%20Using%20DeTT&CT-2024063021-6.png)

# Using DeTT&CT For Gap Analysis

The Dettectinator tool is a great example of how one can document and analyze threat detection capability.

![](__attachments/Detection%20Engineering/IMG-OL%20Threat%20Detection%20Landscape%20&%20Gaps-2024063021-4.png)

The gist:

- Initially, the team gathers examples, files, configs, and other general knowledge or information about all the systems used for threat detection.
  - Notice there is no standard for these data sources. This is all subjective.
- This information can then be put into a DeTT&CT YAML via both...
  - The DeTT&CT Editor
  - Dettectinator, which automatically generates items from various detection system config files (Splunk, etc.)
- The detection engineer, threat intel analyst, or security professional goes through it with the DeTT&CT Editor and then grades items, adds APTs, etc.
- The organization can use various threat intel sources to find APTs that apply to their company or vertical
- Lastly, this information is loaded into the ATT&CK Navigator as a layer, and this can be used to find detection gaps
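To make the grading and Navigator steps of the gist concrete, here is an added example (not DeTT&CT's, Dettectinator's or MITRE's own code) that scores technique visibility from a data-source inventory graded on DeTT&CT's five data-quality dimensions and turns the result into a Navigator layer. The inventory, the technique-to-data-component map, the 0-4 scoring rule and the Navigator layer field names are assumptions constructed for illustration; the real mapping comes from ATT&CK and the real scoring from the DeTT&CT Editor.

```python
# Added example (not DeTT&CT's or MITRE's own code): score ATT&CK technique visibility
# from a data-source inventory and emit an ATT&CK Navigator layer. The inventory,
# technique->data-component map and the 0-4 scoring rule are constructed/assumed.
import json
# Constructed inventory: data component -> the five DeTT&CT data-quality dimensions (0-5).
DATA_SOURCES = {
    "Process Creation":     {"device_completeness": 4, "data_field_completeness": 4,
                             "timeliness": 5, "consistency": 4, "retention": 3},
    "Command Execution":    {"device_completeness": 2, "data_field_completeness": 3,
                             "timeliness": 4, "consistency": 3, "retention": 2},
    "Network Traffic Flow": {"device_completeness": 1, "data_field_completeness": 1,
                             "timeliness": 2, "consistency": 1, "retention": 1},
}
# Constructed technique -> data components needed to see it (not the full ATT&CK mapping).
TECHNIQUE_COMPONENTS = {
    "T1059": ["Process Creation", "Command Execution"],
    "T1071": ["Network Traffic Flow", "Network Traffic Content"],
    "T1053": ["Process Creation", "Scheduled Job Creation"],
}

def quality_score(component):
    """Mean of the quality dimensions; a component we do not collect at all scores 0."""
    dims = DATA_SOURCES.get(component)
    return sum(dims.values()) / len(dims) if dims else 0.0

def visibility_score(technique):
    """Assumed 0-4 scale (0 none, 1 minimal, 2 medium, 3 good, 4 excellent)."""
    components = TECHNIQUE_COMPONENTS[technique]
    # Components with quality below 2 are too weak to give usable visibility.
    usable = [s for s in map(quality_score, components) if s >= 2]
    if not usable:
        return 0
    coverage = len(usable) / len(components)
    avg = sum(usable) / len(usable)
    if coverage == 1.0:
        return 4 if avg >= 4 else 3 if avg >= 3 else 2
    return 2 if coverage >= 0.5 else 1

def gaps(threshold=2):
    """Techniques below the threshold: the list a detection engineer works from."""
    return sorted(t for t in TECHNIQUE_COMPONENTS if visibility_score(t) < threshold)

def navigator_layer(name="Visibility (example)"):
    """Build an ATT&CK Navigator layer dict (field names assumed from the layer format)."""
    techniques = [{"techniqueID": t, "score": visibility_score(t)} for t in TECHNIQUE_COMPONENTS]
    return {"name": name, "domain": "enterprise-attack", "versions": {"layer": "4.5"},
            "gradient": {"colors": ["#ffffff", "#1f77b4"], "minValue": 0, "maxValue": 4},
            "techniques": techniques}

if __name__ == "__main__":
    print(json.dumps(navigator_layer(), indent=2))
    print("gaps:", gaps())
```

Running it prints the layer JSON, which can be pasted into the Navigator's "Open Existing Layer" upload, and the list of techniques that fall below the visibility threshold.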