CISA Releases Decider Tool to Help with MITRE ATT&CK Mapping
CISA released Decider, a free tool to help the cybersecurity community map threat actor behavior to the MITRE ATT&CK framework. Created in partnership with the Homeland Security Systems Engineering and Development Institute™ (HSSEDI) and MITRE, Decider helps make mapping quick and accurate through guided questions, a powerful search and filter function, and a cart functionality that lets users export results to commonly used formats.
Network defenders, analysts, and researchers can see CISA’s video, fact sheet, and blog to get started with Decider. CISA encourages the community to use the tool in conjunction with the recently updated Best Practices for MITRE ATT&CK® Mapping guide.
A web application that assists network defenders, analysts, and researchers in the process of mapping adversary behaviors to the MITRE ATT&CK® framework.
Before developing, please set up a virtualenv and install the pre-commit git hook scripts.
Decider uses Black and Flake8 with a line length of 119.
Please ensure you are using Python 3.8.10.
To do this, after cloning the repository, run:
```sh
sudo apt install -y python3-pip
python3 -m venv venv/
source venv/bin/activate
pip3 install wheel==0.37.1
pip3 install -r requirements.txt
pip3 install -r requirements_dev.txt
pre-commit install
```
Decider is a tool to help analysts map adversary behavior to the MITRE ATT&CK framework. Decider makes creating ATT&CK mappings easier to get right by walking users through the mapping process. It does so by asking a series of guided questions about adversary activity to help them arrive at the correct tactic, technique, or subtechnique. Decider has a powerful search and filter functionality that enables users to focus on the parts of ATT&CK that are relevant to their analysis. Decider also has a cart functionality that lets users export results to commonly used formats, such as tables and ATT&CK Navigator™ heatmaps.
There are 3 different components to Decider: the PostgreSQL database, the web server (uWSGI), and the Decider application. Decider and its components are tested on Ubuntu 20.04 / CentOS 7. Installation and management should be done on either of these platforms.
This is documented inside of Decider’s Admin Guide.
- The database will need a new login made. This login will be used by Decider to make queries. There is no default login for security purposes.
- You can create a login by running the `initial_setup.py` script:
- The Database Setup section of the Decider Admin Guide has a detailed set of steps to follow.
- This script will prompt the user to create two logins and an encryption key (basically a password).
- One login is the account Decider will use to query the database.
- The other login is the initial admin account to be made. Users will use this to log in to the Decider app website itself. From there, they can use the user management feature to add more users.
- The encryption key is used by Decider to encrypt carts that are stored in the database.
Decider is configured by two files:
- `.env`: Holds secrets; specifically, a PostgreSQL login used by Decider to query the database, and an encryption key that encrypts carts stored in the database.
- All fields in `.env.example` must exist/be defined in either `.env` or the environment itself for Decider to launch/run build scripts.
- Run `initial_setup.py` to create this file. The script will ask for the creation of two logins and an encryption key.
- Users only need to run this if they are setting up a new database.
- More information is available in the Database Setup section of the Decider Admin Guide.
- Holds more general configuration options.
- There is a set of config classes; one can be chosen when launching the application / building the database.
- The fields used in creation of the `SQLALCHEMY_DATABASE_URI` variable can be tweaked:
  - `port`: specifies the PostgreSQL server endpoint location.
  - `database`: specifies which DB on the server to use.
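The two rules above (every key in `.env.example` must be defined in `.env` or the environment, and the database URI is assembled from separate fields) are easy to get subtly wrong: a missing secret, or a password containing `@` or `/`, produces a connection string that fails or, worse, points somewhere unexpected. The following is an added example, not code from the Decider project, that performs the check and builds the URI from the merged settings. The variable names (`DB_USERNAME`, `DB_PASSWORD`, `DB_HOSTNAME`, `DB_PORT`, `DB_DATABASE`, `CART_ENC_KEY`) and the two sample files are constructed for illustration; Decider's real key names may differ.

```python
"""Check a Decider-style .env against .env.example and build the database URI.

Added example, not part of the Decider project. It assumes .env files are
KEY=VALUE lines and uses made-up variable names (DB_USERNAME, DB_PASSWORD,
DB_HOSTNAME, DB_PORT, DB_DATABASE, CART_ENC_KEY); Decider's real names may differ.
"""
import os
from urllib.parse import quote_plus

# Constructed sample files: the template lists every required key, some with defaults.
EXAMPLE_TEXT = """# .env.example (constructed)
DB_USERNAME=
DB_PASSWORD=
DB_HOSTNAME=localhost
DB_PORT=5432
DB_DATABASE=decider
CART_ENC_KEY=
"""
ENV_TEXT = """DB_USERNAME=decider_app
DB_PASSWORD="p@ss/w0rd"
DB_DATABASE=decider
"""


def parse_dotenv(text):
    """Parse KEY=VALUE lines; skips blanks and comments, strips 'export ' and matching quotes."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if not sep:
            continue  # no '=': malformed line, ignore it
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def effective_config(example_text, env_text, environ=None):
    """Merge .env.example defaults < .env values < process environment, for the template's keys only."""
    environ = os.environ if environ is None else environ
    required = parse_dotenv(example_text)
    provided = parse_dotenv(env_text)
    return {key: environ.get(key, provided.get(key, default)) for key, default in required.items()}


def missing_keys(example_text, env_text, environ=None):
    """Keys from .env.example that are still empty after merging: the app should refuse to launch."""
    cfg = effective_config(example_text, env_text, environ)
    return sorted(k for k, v in cfg.items() if v == "")


def build_db_uri(cfg):
    """Assemble the SQLAlchemy URI; user and password are URL-encoded so '@', '/' or ':' cannot corrupt it."""
    user = quote_plus(cfg["DB_USERNAME"])
    password = quote_plus(cfg["DB_PASSWORD"])
    port = int(cfg["DB_PORT"])  # fail loudly on a non-numeric port rather than emit a bad URI
    return f"postgresql://{user}:{password}@{cfg['DB_HOSTNAME']}:{port}/{cfg['DB_DATABASE']}"


def redact_uri(uri):
    """Mask the password so the URI can be logged or printed without leaking the secret."""
    scheme, sep, rest = uri.partition("://")
    if not sep or "@" not in rest:
        return uri
    creds, _, hostpart = rest.rpartition("@")
    user, colon, _ = creds.partition(":")
    return f"{scheme}://{user}{':***' if colon else ''}@{hostpart}"


if __name__ == "__main__":
    missing = missing_keys(EXAMPLE_TEXT, ENV_TEXT, environ={})
    if missing:
        print("undefined settings (define them in .env or the environment):", ", ".join(missing))
    cfg = effective_config(EXAMPLE_TEXT, ENV_TEXT, environ={})
    print("database URI:", redact_uri(build_db_uri(cfg)))
```

Two design points: the environment wins over `.env`, so a deployment can keep secrets out of files entirely, and the URI is only ever printed through `redact_uri`, so the password never reaches a log.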
- Decider can be launched by running the command below.
```sh
python3 decider.py --config CONFIG
```
- Note: this is not to be used in production. Decider uses uWSGI in production because the Flask development server is not recommended for that; it works fine for development and testing, however.
- To run Decider in production mode on a server, consult the Decider Admin Guide.
(from the root decider_tool/ directory)
```sh
python -m app.utils.db.actions.full_build [--config CONF]   # /jsons/source → DB
```
Postgres Backup and Restore
```sh
# dump the database (tar format) to a file
pg_dump -U DB_USER -W -F t -h HOSTNAME DB_NAME > decider.sql
# restore that dump into an existing database
pg_restore -U DB_USER -W -h localhost -d DB_NAME < app/utils/decider.sql
```