Decider User Guide

Introduction

About

Decider is a web application that assists network defenders, analysts, and researchers in the process of mapping adversary behaviors to the MITRE ATT&CK® framework.

Produced For
Department of Homeland Security

Produced By
Homeland Security Systems Engineering and Development Institute (HSSEDI™)

Code: Decider’s GitHub Repo

Notice: This project makes use of MITRE ATT&CK® - ATT&CK Terms of Use

What is the ‘Kiosk’?

Decider Kiosk is a loginless version of Decider meant to be hosted as a publicly-accessible website.
User accounts, database-saved carts, and content authoring have all been removed from the application.
The frontend was also cleaned up - to improve accessibility and responsiveness.
The UI works on phones without issue.

Key Features

Decider has 3 key features:

Question Tree
Full Technique Search
Shopping Cart

Question Tree Summary

(structured progression through ATT&CK)

Decider’s homepage is the root of a question tree (matrix level).
The answer cards on this page are Tactics (adversary goals).
Clicking one progresses you along.

You descend down the hierarchy as such:
Matrix > Tactic > Technique > SubTechnique

Once you reach a (Sub)Technique, you can view a detailed page about it.
Should the description align with the adversary behavior you observed - you can add the Technique to your shopping cart.

Answer cards can be:

filtered by relevant Platforms / Data Sources
- knowing what systems a behavior occurred against / what data sources the behavior can be detected from reduces the amount of options to deal with
re-ordered by a keyword search
- providing key terms allows progressing through cards in a more optimal order

Full Technique Search Summary

(ability to search and filter all Techniques at once)

Search Technique IDs / names / descriptions using:

prefix matching
boolean expressions
phrase matching

Filter Techniques by relevant:

Tactics
Platforms
Data Sources

Shopping Cart Summary

(a place to store your mappings, add context, and export to files)

The ‘CTI Shopping Cart’ is a place where your mappings are stored.

Cart entries have a text box where you can place mapping content / rationale / evidence
Carts can be saved-to and loaded-from JSON files
Carts can be exported to a(n)
- ATT&CK Navigator layer
  - (to visualize the attack heatmap in relation to defenses / existing adversary heatmaps)
- Microsoft Word Doc
  - (creates a table of mapped Techniques + mapping context that can be embedded in a report)

Support / Troubleshooting

Please create an issue / discussion on Decider’s GitHub.

Does Decider Compete with the ATT&CK Website?

No, Decider complements the ATT&CK website.

Decider does not contain all of the information that is available on the ATT&CK website.
It primarily contains information on Tactics, Techniques, and the Platforms / Data Sources related to Techniques.

The goal of Decider is to aid in mapping threat reporting / adversary behaviors.
Once one has mappings - they can leverage the ATT&CK website for further insights / next steps (i.e. detections, mitigations).

Proposed Workflow

Go to the question tree homepage (click Decider (Tree Home) in the top left)
Identify the goal of the adversary’s actions (Tactic) - click this card
Identify what Platform(s) the adversary’s actions occurred on/against and set these filters
- (optionally set Data Sources their behavior could be detected by)
Follow the remaining prompts to end up on a (Sub)Technique Success Page
Read the Technique’s description
- A. if it matches the observed behavior, then add it to your cart
  - Before adding to your cart
    - If the Mismappings section is present
      - double check that the Other Potential Technique(s) do not apply instead
  - After adding to your cart
    - If the Frequently Appears With section is present
      - skim the suggested Techniques, as the adversary may have leveraged them too
- B. if it does not match the observed behavior, backtrack
  - a different SubTechnique may apply
  - (or) the ‘Base’ Technique may apply instead of one of its SubTechniques
  - (or) a different Technique may apply
  - (or) a different Tactic may apply even

CISA Best Practices for MITRE ATT&CK Mapping

The mapping steps below follow those identified in CISA’s ATT&CK Mapping Guide. Analysts may choose their own starting point based on their familiarity with ATT&CK and the technical details / context available in the report.

Identify Tactics – Comb through the report to identify the adversary’s tactics and the flow of the attack. To identify the tactics (the adversary’s goals), focus on what the adversary was trying to accomplish and why. Review the tactic definitions to determine how the identified behaviors might translate into a specific tactic. Each tactic includes a finite number of actions an adversary can take to implement their goal. Understanding the flow of the attack can help identify the techniques or sub-techniques that an adversary may have employed.
Identify Techniques – After identifying the tactics, review the technical details associated with how the adversary tried to achieve their goals. Note: if you have insufficient detail to identify an applicable technique, you will be limited to mapping to the tactic level, which alone is not actionable information for detection purposes. Compare the behavior in the report with the description of the ATT&CK techniques listed under the identified tactic. If one of them matches, then it may be an appropriate technique. Be aware that multiple techniques may apply concurrently to the same behavior.
Identify Sub-Techniques – Review sub-technique descriptions to see if they match the information in the report. A match here may be an appropriate sub-technique. Read sub-technique descriptions carefully to understand the differences between them. In cases where the parent of a sub-technique aligns to multiple tactics, make sure to choose the appropriate tactic. Note: map solely to the parent technique only if there is not enough context to identify a sub-technique.

Consider techniques and sub-techniques as elements of an adversary’s playbook, rather than as isolated activities. Adversaries often use information they obtain from each activity in an operation to determine what additional techniques they will use next in the attack cycle. Because of this, techniques and sub-techniques are often linked in the attack chain.

Navigating Decider

Question Tree (Home) + Navbar

The Question Tree allows you to locate which Technique occurred by answering questions that narrow from Tactic to Technique, and optionally, SubTechnique.
The Navbar allows you to quickly access key parts of the app: the start of the question tree, the full search page, the CTI shopping cart, and app documentation.

Question Tree on Matrix to Tactics Page (Home). Read the Usage section just below this for a long description

Usage

Answer the Question (8) by clicking one of the Answer Cards (11).
Optionally reduce the amount of cards to sift through by settings Filters (9).
Optionally order the answer cards by keyword relevance using Search Answers (10).

CISA Logo - Links to CISA.gov
Decider Tree Home - Takes you to this page (the question tree home)
Version Picker - Lets you to change what version of ATT&CK data you’re viewing
Mini Technique Search - Lets you quickly jump to a Technique’s page by its name or ID
Docs - Opens this user guide
Full Technique Search - Opens the Full Technique Search page, which supports searching/filtering all Techniques at once
CTI Shopping Cart - Opens the CTI Shopping Cart, where your mappings can be viewed, edited, saved, or exported
Question - You select the Answer Card (11) that best answers this prompt
Filters - These allows hiding Answer Cards (11) that do not match the specified criteria
- Filter Types
  - Platforms are the system types that the behavior occurred on/against
  - Data Sources are means by which behavior could have been detected
- Filtering Advice
  - Ignore on the homepage, there are only 14 Tactics to pick from, no need to filter here
    - Also, Tactics have all Platforms / Data Sources of the Techniques under them. Setting a Platform filter + a Data Source filter may show a Tactic that has no Techniques under it fulfilling that filter combo
  - Be generous, an answer card is shown if it matches any of the filters (of a given type)
    - Accidentally hiding the correct answer card by mis-selecting would be detrimental
    - The goal of filters is to generally narrow how many answer card you need to look at (Defense Evasion has 42 ‘Base’ Techniques as of v13)
Search Answers - This re-orders the Answer Cards (11) by relevance to the keywords you’ve entered
- Search Functionality
  - On Matrix → Tactics Homepage
    - There are only 14 Tactics, this is a basic keyword search
  - On Deeper Pages
    - Advanced search functionality is supported here
    - Typed words are OR’d together by default
    - & (ampersand) requires both terms to be present
    - | (pipe) requires either term to be present
    - ~ (tilde) requires a term to be absent
    - () (parentheses) can be used to order AND/OR/NOT operators
    - * (asterisk) is used for prefix matching (proc* → proc, process, procedure)
    - "" (double quotes) specify that each word in a phrase must be present (non a-z0-9 characters are stripped)
Answer Cards - You pick the answer that best answers the Question (8).
- These represent Tactics, the Techniques, and finally SubTechniques as you progress through the ATT&CK hierarchy structure.
- Clicking the card progresses you through the tree (same as clicking ‘Select Card’).
- Clicking ‘ATT&CK Page’ opens the ATT&CK page for the given Tactic/Technique

Navbar > Mini Technique Search

The mini search allows you to quickly reach a Technique’s Success Page by its name or ID.

Usage

Use to quickly jump to a Technique’s Success Page.
Or to start a Full Technique Search.

Searching - Techniques can be searched by Name or ID here
Keyboard Navigation is supported as well (in addition to mouse, touchscreen, etc)
- [up] and [down] to select options
- [enter] to open the selected entry
  - If a selection has not yet been made, a Full Technique Search is performed by default

Question Tree > Tactic

A Tactic card was clicked to reach this page. This page allows picking which Technique under the current Tactic applies.

Question Tree on Tactic to Techniques Page. Read the Usage section just below this for a long description

Usage

Breadcrumb Bar - This shows your progress through the question tree
- You can click crumbs to navigate back up the tree
Page Select - These buttons allow you to flip through the available answer card pages
- 5 answer cards are shows per page

Question Tree > Technique

A Tactic card and then a Technique card were clicked to reach this page. This page allows picking which SubTechnique under the current Technique applies (to view its Success Page). Or, if no SubTechnique applies, allows picking the base Technique to view its Success Page.

Question Tree on Technique to SubTechniques Page. Read the Usage section just below this for a long description

Usage

Base Technique Card - Notice that this answer card has the same ID as the question page we’re on. This is because the ‘Base’ Technique still applies even if we did not find behavior specific to any of the SubTechniques. (This card’s heading matches the current page breadcrumb that is above the question).

Question Tree > Technique Success Page

This Technique page is reachable through either the Question Tree, Full Search, Mini Search, or CTI Shopping Cart. It provides information about the Technique.

Technique Success Page. Read the Usage section just below this for a long description

Usage

Technique Name / ID - The ID is also a link to the Technique’s ATT&CK page
Technique Description - This is the same description as on the Technique’s ATT&CK page
Map Technique Under Tactic + Add to Cart
- ‘Technique Success Pages’ can be reached through the Question Tree or through the Full Technique Search
  - The Question Tree already gives you the Tactic context you’re working with (dropdown is pre-selected)
  - Whereas getting to a Success Page via Search will require you to select a Tactic before the Add-to-Cart button works
- Clicking Add-to-Cart places an entry for the selected Technique+Tactic combo in your mapping cart
Tactics - Goals this behavior can achieve
Platforms - Systems this Technique can be leveraged against/on
Tech and Subs - Success Page links for the Base Technique and its Sub Techniques
Mismappings - Techniques listed here may have occurred instead of the Technique on this page
- That is, this table records knowledge of previously incorrectly mapped Techniques (user editable)
- Decider does not provide any mismappings out of the box
- Mismappings can be added via JSON during the build process
  - (or) a Decider 2.x.y instance can be pointed at the same database used by Kiosk (Decider 3.x.y) in order to edit these
- (This section is hidden if the Technique has no mismappings)
Frequently Appears With - Techniques here are likely to have occurred with the current Technique being viewed
- Skim the Technique descriptions to see if any match the observed adversary behaviors
- The table shows a slightly randomized subset of suggested Techniques - this is to help prevent availability bias in mapping
  - Checking Show All will list all suggestions
- This dataset comes from Andy Applebaum’s work - Medium Article
  - In short: Techniques that frequently appear together in CTI reports, may appear together in future adversary behavior too
- (This section is hidden if the Technique has no cooccurrences)
Usage Examples - These are examples of the Technique being used by Campaigns, Groups, Software, and Tools.
- Reports covering / mapping the observation are linked too
- (This section is hidden if the Technique has no usage examples)

CTI Shopping Cart

The cart allows you to record Techniques for observed behaviors, along with rationales for mapping them. Carts can be saved, loaded, and exported to Word Docs or ATT&CK Navigator sheets.

Shopping Cart Pane. Read the Usage section just below this for a long description

Usage

Close Cart Panel - Closes the cart panel
Edit Name - Allows naming the cart (changes name of exported files + saved / loaded cart)
Save to .json File - Saves the contents of the cart as a JSON file
Load from .json File - Loads a prior-saved JSON cart file
Export to Docx Table - Creates a Microsoft Word DOCX file containing a table of the Tactics / Techniques mapped and their mapping rationales
Export to ATT&CK Navigator Layer - Creates a MITRE ATT&CK® Navigator layer with cart entries highlighted. The mapping rationales are also added to the Navigator layer in the form of comments
View Suggested Techniques - A cart-wide variant of the Technique Success Page > Frequently Appears With listing
Empty Cart (has confirmation screen) - Deletes the cart. Make sure you saved to a JSON before clicking this - otherwise the cart is irrecoverable
Cart Entry - A mapped Technique + Tactic combo
- App Success Page - Takes you to the Technique Success Page for this entry
- Delete - Removes this entry from your cart
- Mapping Rationale - An area for you to record context / rationale / evidence as to why this entry was mapped. A good place for notes too

Cart-Wide Frequently Appears With

This page suggests other Techniques that may have occurred, based upon the contents of your cart.

Cart-Wide Frequently Appears With Page. Read the Usage section just below this for a long description

Usage

A cart-wide variant of Technique Success Page > Frequently Appears With
Suggests Techniques that may have occurred based upon the contents of your cart

Skim the Technique descriptions to see if any match the observed adversary behaviors.
Read the full description to confirm a mapping before adding it to your cart.

Full Technique Search

The full search page allows you to locate Techniques by searching their names, IDs, and descriptions and by filtering on the Tactics, Platforms, and Data Sources that apply to them.

Usage

Filters - Only Techniques that match at least 1 filter (per each type) are shown. (a filter is ignored if 0 are set)
- Filter Types
  - Tactics: goals of the adversary’s behaviors
  - Platforms: systems that the Technique was performed on/against
  - Data Sources: sources that can be used to detect the behavior
- Filtering Advice
  - Be generous, it’s better to accidentally include slightly more results than to miss the correct Technique by over-constraining
Search Techniques - Your search goes here
- Searched Fields
  - IDs
  - Names
  - Descriptions
- Usage
  - Basic Search
    - By default, terms are AND’d together here
    - So, typing more terms will constrain further
    - You can use | (pipe) between terms to OR them together for a simple keyword search
  - Advanced Search
    - Advanced search functionality is supported here
    - Typed words are AND’d together by default
    - & (ampersand) requires both terms to be present
    - | (pipe) requires either term to be present
    - ~ (tilde) requires a term to be absent
    - () (parentheses) can be used to order AND/OR/NOT operators
    - * (asterisk) is used for prefix matching (proc* → proc, process, procedure)
    - "" (double quotes) specify that each word in a phrase must be present (non a-z0-9 characters are stripped)
Search Status - Provides feedback on your search
- Warns if the search query is malformed / invalid
- (otherwise) Indicates how the search query was interpreted
Technique Cards - The Technique results from your search
- Clicking a card opens its Technique Success Page (same as clicking ‘Select Card’)
- Clicking ‘ATT&CK Page’ opens the Technique’s ATT&CK Page

Introduction

About

What is the ‘Kiosk’?

Key Features

Question Tree Summary

Full Technique Search Summary

Shopping Cart Summary

Support / Troubleshooting

Does Decider Compete with the ATT&CK Website?

Proposed Workflow

CISA Best Practices for MITRE ATT&CK Mapping

Navigating Decider

Question Tree (Home) + Navbar

Usage

Navbar > Version Picker

Usage

Navbar > Mini Technique Search

Usage

Question Tree > Tactic

Usage

Question Tree > Technique

Usage

Question Tree > Technique Success Page

Usage

CTI Shopping Cart

Usage

Cart-Wide Frequently Appears With

Usage

Full Technique Search

Usage