Defending with CISA’s Decider
I’ve decided to review the new Decider tool from the US Cybersecurity and Infrastructure Security Agency (CISA), which was released on March 1, 2023. Decider is designed to give security analysts guided assistance in mapping adversary behaviours (tactics, techniques, and procedures, or TTPs) to the MITRE ATT&CK Enterprise matrix. In this post, I’ll provide a brief overview of Decider’s capabilities and how it can augment your existing security operations capabilities.
Decider is an open-source web app developed by CISA and is hosted on GitHub here: https://github.com/cisagov/decider. The repository includes documentation to help you install the web app and get started as either an administrator or a user. The app is written in Python and is in the process of being Dockerized. The components that deliver the app are a PostgreSQL database that houses the TTPs and the decision trees used for mapping, a web server (uWSGI), and the web app itself (Flask, Jinja, JS). Requests from the browser pass through the web server to the Flask backend, which reads from or writes to the database as needed.
For further information on getting started, check out the Admin Guide on the GitHub repo.
Once you’ve set up Decider and logged into the web app, you’ll be prompted with the starting question – “What is the adversary trying to do?” You can answer this question by selecting the adversary’s goal (i.e. a Tactic), or you can enter keywords in the search bar to filter TTPs. Using this method, you can select either a single TTP or a full chain of TTPs to represent the lifecycle of an attack. You continue answering the prompting questions until you reach a Technique (success) page. If you want to go deeper, you can use the advanced search functionality to enter keywords and boolean operators and move all the way down to a Sub-technique.
If the Technique or Sub-technique seems relevant to the adversary’s behaviour, review the mismappings listed on its page (techniques it is commonly confused with) to ensure you’re not mapping it incorrectly. If the context still seems appropriate, you can add the Technique/Sub-technique to the “Cart,” which records your mappings and supports import/export of the mapped data (to/from the PostgreSQL database, out to a Word document, or out as a JSON layer for the MITRE ATT&CK Navigator). For each mapped TTP (i.e. each TTP in the “Cart”), you can leave a comment to provide additional context.
Decider also offers solid search and filtering capabilities. Searching is fuzzy, with automatic word-stemming, and results can be filtered by tactic, platform, and data source.
Another cool feature in Decider is the “Frequently Appears With” tab on each Technique page, which shows which techniques commonly occur alongside the selected Technique (i.e. co-occurrence of techniques, derived from analysis of threat reports). This lets analysts identify related techniques that ordinary analysis may have missed.
For additional information on navigating the Decider app, check out the User Guide on the GitHub repo.
Leveraging Decider in workflows:
Decider’s capabilities support analysts in identifying investigative, response, and corrective actions during an incident or during a post-incident review (PIR). By analysing either a live attack or the record of a previous incident, you can use Decider to determine the techniques an adversary likely used, is using, or will use, and identify actions to either block the TTP(s) or reduce the likelihood of recurrence. The co-occurrence feature means you may pick up TTPs you would otherwise have missed, since certain technique pairs occur together in threat reports far more often than others.
Finally, the export features of the “Cart” enable visualisation of attack paths in the MITRE ATT&CK Navigator, and the resulting layer can be overlaid on the detection-coverage layers produced by the open-source DeTT&CT framework to see which of the mapped techniques your detections actually cover.
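The Cart-to-Navigator step mentioned here and earlier in the post, shown as an added example of my own rather than Decider’s export code: a list of mapped techniques with analyst comments is validated and turned into an ATT&CK Navigator layer. The cart entries are constructed for the example and their field names are an assumption; the layer fields used (name, versions, domain, description, techniques with techniqueID, tactic, score, color, comment, enabled) are the standard Navigator layer format, while the ATT&CK and Navigator version strings are placeholders you should set to match your own Navigator instance.

```python
"""
Build an ATT&CK Navigator layer from a "Cart" of mapped techniques.

Added example, not Decider's own code. SAMPLE_CART is a constructed cart whose
record shape ({technique_id, tactic, comment}) is an assumption of this example.
"""
import json
import re

# ATT&CK technique IDs: "T" plus four digits, optionally ".NNN" for a sub-technique.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed cart (not real incident data): what an analyst might record during a PIR.
SAMPLE_CART = [
    {"technique_id": "T1566.001", "tactic": "initial-access",
     "comment": "Macro-laden invoice attachment delivered to finance mailbox"},
    {"technique_id": "T1204.002", "tactic": "execution",
     "comment": "User opened the attachment and enabled content"},
    {"technique_id": "T1059.001", "tactic": "execution",
     "comment": "Encoded PowerShell spawned by WINWORD.EXE"},
    {"technique_id": "T1105", "tactic": "command-and-control",
     "comment": "Second-stage payload pulled over HTTPS"},
]


def invalid_ids(cart):
    """Return the technique IDs in the cart that are not well-formed ATT&CK IDs."""
    return [e["technique_id"] for e in cart if not TECHNIQUE_ID.match(e["technique_id"])]


def build_navigator_layer(cart, name, description="",
                          attack_version="12", navigator_version="4.8.1"):
    """Turn cart entries into a Navigator layer dict.

    Every technique gets score 1 so the layer can be summed with other layers
    (for example a DeTT&CT detection-coverage layer) and carries the analyst's
    comment. Malformed IDs fail loudly rather than being silently dropped; a
    technique mapped twice under the same tactic is kept once (first comment wins).
    The version strings are placeholders: set them to match your Navigator."""
    bad = invalid_ids(cart)
    if bad:
        raise ValueError(f"malformed technique IDs in cart: {bad}")
    techniques, seen = [], set()
    for entry in cart:
        key = (entry["technique_id"], entry.get("tactic"))
        if key in seen:
            continue
        seen.add(key)
        tech = {
            "techniqueID": entry["technique_id"],
            "score": 1,
            "color": "#fd8d3c",
            "comment": entry.get("comment", ""),
            "enabled": True,
        }
        if entry.get("tactic"):  # without a tactic, Navigator highlights every cell for the ID
            tech["tactic"] = entry["tactic"]
        techniques.append(tech)
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": navigator_version, "layer": "4.4"},
        "domain": "enterprise-attack",
        "description": description,
        "techniques": techniques,
    }


def layer_json(layer):
    """Serialise the layer as the JSON file Navigator loads from local disk."""
    return json.dumps(layer, indent=2)


def parent_technique(technique_id):
    """T1566.001 -> T1566; handy when comparing against tooling that scores parents only."""
    return technique_id.split(".")[0]


if __name__ == "__main__":
    layer = build_navigator_layer(SAMPLE_CART, "Constructed PIR mapping",
                                  description="Example cart export; not real incident data")
    print(layer_json(layer))
```

Saving the printed JSON to a file and opening it in Navigator draws the four mapped cells with their comments; loading a DeTT&CT detection layer alongside it and using Navigator’s layer-combination feature then shows which of the adversary’s techniques had no detection coverage.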
Overall, the Decider app is a valuable addition to the growing set of tools that build on the capabilities of the MITRE ATT&CK framework. It offers a variety of useful features for defenders conducting PIRs or live response. If you have any feedback or know of any other MITRE ATT&CK-based tools that are interesting or exciting, please let me know in the comments.
Thank you for reading, and I hope you find this post helpful.