
Decider : Process Of Mapping Adversary Behaviors To The MITRE ATT&CK Framework

Decider is a web application that assists network defenders, analysts, and researchers in the process of mapping adversary behaviors to the MITRE ATT&CK framework.

Notifications

  • Manual installation for Ubuntu & CentOS is much nicer.
    • Scroll down to Manual Install for details!
  • Will be adding information about hardware requirements soon

What is it?

The Short

A web application that assists network defenders, analysts, and researchers in the process of mapping adversary behaviors to the MITRE ATT&CK® framework.

The Long

Decider is a tool to help analysts map adversary behavior to the MITRE ATT&CK framework. Decider makes creating ATT&CK mappings easier to get right by walking users through the mapping process. It does so by asking a series of guided questions about adversary activity to help users arrive at the correct tactic, technique, or sub-technique. Decider has a powerful search and filter functionality that enables users to focus on the parts of ATT&CK that are relevant to their analysis. Decider also has a cart functionality that lets users export results to commonly used formats, such as tables and ATT&CK Navigator™ heatmaps.

The Screenshots

Decider’s Question Tree

(you are here) [Matrix > Tactic] > Technique > SubTechnique

Decider’s Full Technique Search

Boolean expressions, prefix-matching, and stemming included.

The Notice

This project makes use of MITRE ATT&CK (see the ATT&CK Terms of Use).

Usage

Read the User Guide

Installation

Docker

Best option for 99% of people

git clone https://github.com/cisagov/decider.git
cd decider
cp .env.docker .env

# if you want HTTPS instead of HTTP
# - edit .env
#   + WEB_HTTPS_ON='yes'
# - populate cert / key files
#   + /app/utils/certs/decider.key
#   + /app/utils/certs/decider.crt

[sudo] docker compose up
# sudo for Linux only

It is ready when the line Starting uWSGI appears in the container output.

Default Endpoint: http://localhost:8001/

Default Login:

Endpoint Determination (.env vars):

  • WEB_HTTPS_ON='' -> http://WEB_IP:WEB_PORT/
  • WEB_HTTPS_ON='anything' -> https://WEB_IP:WEB_PORT/

HTTPS Cert Location:

  • Write these two files before running docker compose up to use your own TLS certificate
    • /app/utils/certs/decider.key
    • /app/utils/certs/decider.crt
  • If either file is missing, a self-signed cert is generated and used instead

DB Persistence Note: Postgres stores its data in a Docker volume to persist the database.

Linux tested on:

  • Ubuntu Jammy 22.04.2 LTS
  • Docker Engine
    • Not Docker Desktop (couldn’t get nested-virt in my VM)

Windows tested on:

  • Windows 11 Home, version 22H2, build 22621.1344
  • Home doesn’t support HyperV

macOS (M1) tested on:

  • macOS Ventura 13.2.1 (22D68)
  • Mac M1 Processor
  • On Docker Desktop installed via .dmg

Manual Install

Ubuntu 22.04

Ubuntu Install Guide

CentOS 7

CentOS Install Guide

Other OSes

Read the Ubuntu & CentOS guides and recreate actions according to your platform.

Windows

open() in Python uses the system’s default text encoding

  • This is utf-8 on macOS and Linux
  • This is windows-1252 on Windows
    • This causes issues in reading the jsons for the database build process
    • Adding encoding='utf-8' as an arg in each open() may allow Windows deployment
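As an added illustration (not part of the Decider project or this post), the constructed Python example below shows what the Windows note means in practice: the same UTF-8 JSON read with a bare open() on a windows-1252 system decodes without an error but comes out as mojibake, while pinning encoding='utf-8' reads it correctly. The sample technique record is constructed for the demo.

```python
import json
import os
import tempfile

# Constructed sample record in the style of ATT&CK technique JSON. Real
# ATT&CK data is UTF-8 and contains characters outside ASCII, such as the
# en dash and the registered sign used in DESCRIPTION below.
DESCRIPTION = "Adversaries may abuse PowerShell \u2013 part of MITRE ATT&CK\u00ae."
SAMPLE_TECHNIQUE = {"external_id": "T1059.001", "name": "PowerShell",
                    "description": DESCRIPTION}


def write_sample(path):
    """Write the sample as UTF-8 JSON, the encoding the ATT&CK data ships in."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(SAMPLE_TECHNIQUE, f, ensure_ascii=False)


def load_technique(path, encoding=None):
    """Load a JSON file. encoding=None is a bare open(): Python then picks the
    platform default (utf-8 on Linux and macOS, windows-1252 on most Windows
    installs), which is the problem the note above describes."""
    with open(path, "r", encoding=encoding) as f:
        return json.load(f)


def load_technique_portable(path):
    """The fix the note suggests: pin encoding='utf-8' so the database build
    reads the same text on every platform."""
    return load_technique(path, encoding="utf-8")


def compare_decodings():
    """Return the description as read with the Windows default and with the
    pinned encoding. cp1252 is passed explicitly so the demo reproduces the
    Windows behaviour on any OS: the UTF-8 bytes decode without raising but
    become mojibake, so garbage would silently reach the database."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "technique.json")
        write_sample(path)
        windows_default = load_technique(path, encoding="cp1252")["description"]
        pinned = load_technique_portable(path)["description"]
    return windows_default, pinned


if __name__ == "__main__":
    wrong, right = compare_decodings()
    print("cp1252 :", wrong)
    print("utf-8  :", right)
```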

macOS

On macOS (M1 users at least), make sure to (1) install Postgres before (2) installing the pip requirements:

  1. brew install postgresql
  2. pip install -r requirements.txt


R K
