rabobank-cdc / DeTTECT

Detect Tactics, Techniques & Combat Threats


Old versions of DeTTECT

palevelmode opened this issue · comments

Is there a way to install old versions of DeTTECT? I can't find a download link to an old version. I am overwhelmed by this new version of the Mitre ATT&CK framework. But since there's a possibility to use the attack navigator up to old version 4, I'd like to start mapping our datasources/visibility using DeTTECT with the old Mitre ATT&CK version, just to start simpler using a previous DeTTECT version.

@palevelmode

Sure, you can find all releases on the release page: https://github.com/rabobank-cdc/DeTTECT/releases

Sorry, I'm not sure if this can be resolved or not. Seems like an error reaching the Mitre API?

[image: old detek]

@palevelmode That's an issue with the MITRE server indeed, but I think due to version mismatch. So you can't run that DeTT&CT version against the current MITRE TAXII version. We have a possibility to use a local STIX collection, but that option is introduced in version 1.4.3 and that's the version that includes revamped data sources which you are trying to avoid. So I think you'd better try to adopt the new data sources :-)

Thanks, I guess there's no other option then. I really like the old version of the Mitre ATT&CK framework as it is much simpler than the convoluted new version.

By any chance, do you guys here in DeTTECT have documentation available regarding what kind of security devices, Linux logs, Windows logs, etc. are going to produce particular Mitre data sources?

For example:

Perimeter FW = What kind of data source can produce?

  1. Where can I find data sources or tactics/techniques for network devices such as:
    - intrusion detection/intrusion prevention systems
    - network/perimeter firewall (e.g fortinet, palo alto, checkpoint, etc)
    - web application firewall like Imperva
    - Anti DDoS like akamai

Does DeTTECT have this kind of documents/resource available?

Thank you for kind reply, I really appreciate it.

hi @palevelmode

I'm not aware of documentation that maps logs of security devices to ATT&CK data sources. That's very specific and vendor dependent. However, when looking at Windows Event Logs, Syslog, Defender for Endpoint, you can have a look at the OSSEM project at https://github.com/OTRF/OSSEM. There you'll find a mapping between event IDs and ATT&CK data sources.
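The mapping the maintainer points to (event ID to ATT&CK data source component) is the piece that turns raw logs into a visibility picture. The script below is an added example, not code from the DeTT&CT project, OSSEM or this thread: it reads a few constructed Windows Security log lines, looks each event ID up in a small hand-written table of widely documented IDs (an assumption, not an official or exhaustive mapping; a real deployment would take it from OSSEM), counts which data source components are actually observed, and reports which of a required set are missing. The `REQUIRED_COMPONENTS` set is likewise a constructed illustration rather than a quote of any ATT&CK technique page.

```python
"""
Added example: infer observed ATT&CK data source components from Windows
Security event IDs. Not part of DeTT&CT or OSSEM; the mapping table and
the sample log lines are constructed for illustration.
"""
import re
from collections import Counter

# Assumed mapping of Windows Security event IDs to ATT&CK data source
# components ("Data Source: Component"). Only a handful of well-known
# IDs are included; extend it from OSSEM for real use.
EVENT_ID_MAP = {
    4688: "Process: Process Creation",
    4689: "Process: Process Termination",
    4624: "Logon Session: Logon Session Creation",
    4625: "Logon Session: Logon Session Creation",
    4697: "Service: Service Creation",
    4698: "Scheduled Job: Scheduled Job Creation",
    4720: "User Account: User Account Creation",
    4663: "File: File Access",
    5156: "Network Traffic: Network Connection Creation",
}

# Constructed sample log lines in a simple key=value export format.
SAMPLE_LOG = [
    "2024-05-01T08:00:01Z WS01 EventID=4624 LogonType=2 User=alice",
    "2024-05-01T08:00:05Z WS01 EventID=4688 NewProcessName=C:\\Windows\\System32\\cmd.exe",
    "2024-05-01T08:00:06Z WS01 EventID=4688 NewProcessName=C:\\Windows\\System32\\whoami.exe",
    "2024-05-01T08:01:00Z WS01 EventID=4625 LogonType=3 User=bob",
    "2024-05-01T08:02:00Z WS01 EventID=4698 TaskName=\\Updater",
    "2024-05-01T08:03:00Z WS01 EventID=4616 Message=system time changed",
]

# Constructed set of components one might require to cover a technique
# involving a scheduled task; purely illustrative.
REQUIRED_COMPONENTS = {
    "Command: Command Execution",
    "Process: Process Creation",
    "Scheduled Job: Scheduled Job Creation",
}

EVENT_ID_RE = re.compile(r"\bEventID=(\d+)\b")


def parse_event_id(line):
    """Extract the numeric EventID from a log line, or None if absent."""
    m = EVENT_ID_RE.search(line)
    return int(m.group(1)) if m else None


def observed_components(lines, mapping=EVENT_ID_MAP):
    """Count events per mapped component; also count unmapped event IDs."""
    counts = Counter()
    unmapped = Counter()
    for line in lines:
        eid = parse_event_id(line)
        if eid is None:
            continue
        component = mapping.get(eid)
        if component is None:
            unmapped[eid] += 1
        else:
            counts[component] += 1
    return counts, unmapped


def coverage_gaps(observed, required):
    """Return the required components with no observed events, sorted."""
    return sorted(c for c in required if observed.get(c, 0) == 0)


def main():
    counts, unmapped = observed_components(SAMPLE_LOG)
    for component, n in sorted(counts.items()):
        print(f"{component}: {n} event(s)")
    for eid, n in sorted(unmapped.items()):
        print(f"unmapped EventID {eid}: {n} event(s)")
    print("missing:", coverage_gaps(counts, REQUIRED_COMPONENTS))


if __name__ == "__main__":
    main()
```

Note that process creation events alone do not give "Command: Command Execution" in this mapping; that gap is exactly the kind of thing a visibility assessment should surface before it is scored in DeTT&CT.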