
Installation and requirements

Marcus Bakker edited this page Jul 8, 2019 · 12 revisions

The DeTT&CT framework consists of a Python tool, YAML administration files and a description of how to administer and score the different aspects.

We provide a Docker image and file for DeTT&CT, or it can be installed locally.

Docker

First, make sure to have Docker available on your system.

You can choose to get the DeTT&CT docker image from Docker Hub or build it yourself.

Image

Get your image from Docker Hub

  • Download the image: docker pull rabobankcdc/dettect:latest

Building the image yourself

  1. Clone the GitHub repository: git clone https://github.com/rabobank-cdc/DeTTECT
  2. Go into the DeTT&CT directory: cd DeTTECT
  3. Build the Docker image: docker build -t dettect . (this can take a while)

Run the DeTT&CT image and interact with your container

The following two directories are essential when using DeTT&CT with Docker. They are shared between your Docker container and the host system to allow easy exchange of files:

  • input
    Within this directory, you can put your data source, technique and group YAML administration files.
  • output
    Within this directory, the output files from DeTT&CT are written, such as ATT&CK Navigator layer files.

Run/start the image

  • Execute the appropriate command to run the image and mount the input and output directories. The -v flag should create the "input" and "output" directories on the host if they do not yet exist. If it does not, you have to create them manually. Make sure to remove the namespace "rabobankcdc" from the image name when you have built the image yourself.

    • Linux and MacOS: docker run -v $(pwd)/output:/opt/DeTTECT/output -v $(pwd)/input:/opt/DeTTECT/input --name dettect -it rabobankcdc/dettect:latest /bin/bash
    • Windows (cmd.exe): docker run -v %cd%/output:/opt/DeTTECT/output -v %cd%/input:/opt/DeTTECT/input --name dettect -it rabobankcdc/dettect:latest /bin/bash
    • PowerShell: docker run -v ${PWD}/output:/opt/DeTTECT/output -v ${PWD}/input:/opt/DeTTECT/input --name dettect -it rabobankcdc/dettect:latest /bin/bash
  • Start the container when it is no longer running: docker start -i dettect (this should bring you straight back into the container with an interactive Bash shell)

Local installation

Requirements

  • Python 3.6 or higher
  • The following Python packages, each in its appropriate version: attackcti, simplejson, PyYAML, plotly, pandas and xlsxwriter. See below for how to install them using the requirements.txt file.

Installation

  1. git clone https://github.com/rabobank-cdc/DeTTECT
  2. pip install -r requirements.txt