It is currently compatible with Enterprise ATT&CK versions 11.0 and 12.0 and is a web application that needs to be hosted before being used.
A free and open source tool was made available by the U.S. Cybersecurity & Infrastructure Security Agency (CISA) to assist defenders in mapping adversary behaviour to the MITRE ATT&CK architecture.
Decider is a tool that streamlines the mapping process by assisting users in selecting the appropriate tactics, techniques, or subtechniques by asking them guided questions about opponent action in plain English.
The ATT&CK framework is a publicly available knowledge base and model that details the strategies and procedures used by attackers in real-world situations. It classifies various adversary strategies and describes them so that defenders can create sensible detection and mitigation plans in response.
While mapping ATT&CK is complex and “essential to get right but easy to get wrong,” CISA found that it is being employed for enterprise cybersecurity. “Many stakeholders communicated that they either did not know how to start mapping to ATT&CK, or they were unsure if they were accurately mapping adversary behavior,” said CISA.
Decider uses a decision tree-style series of guided questions as part of its main workflow. Until a mapping is finished, the answers to these questions will direct users into tactics, techniques, and subtechniques.
If no applicable subtechnique is found, the Decider will keep asking pertinent questions until users reach a technique. If the main workflow fails to display the appropriate technique or the user has previously recognised the method utilised, the tool’s search function additionally enables users to directly access a technique and subtechnique.
The open tooling like Decider, according to John Bambenek, chief threat hunter at Netenrich, brings the industry closer to “the promised land of normalised attack information.”
The tool, which was created in collaboration with MITRE and the Homeland Security System Engineering and Development Institute, is currently downloadable via CISA’s GitHub repository.