CISA Decider tool helps to map adversary behavior against MITRE ATT&CK framework

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Homeland Security Systems Engineering and Development Institute (HSSEDI), published the Decider tool on Wednesday. Decider makes ATT&CK mapping more accessible by walking users through a series of guided questions about observed adversary activity, leading them to the tactic, technique, or sub-technique that best fits the behavior.

Decider is a web application that must be hosted to be used; CISA does not offer access to a running instance. Organizations can host Decider internally, and each install keeps its own saved mappings, customized questions and answers, and users. Decider is currently compatible with Enterprise ATT&CK versions 11.0 and 12.0.

Since CISA published its initial edition of Best Practices for MITRE ATT&CK Mapping nearly two years ago, the ATT&CK framework has evolved and expanded, and its usefulness now extends well beyond cyber threat intelligence. To keep pace with these changes, the agency recently published a second edition of the mapping guide and introduced Decider as a companion to it.

Beyond mapping adversary behavior to the MITRE ATT&CK framework, the tool is meant to make mappings easier to get right for network defenders, analysts, and researchers by guiding them through the mapping process. Many stakeholders told CISA that they either did not know how to start mapping to ATT&CK or were unsure whether they were mapping adversary behavior accurately.

With these concerns in mind, CISA partnered with HSSEDI, which worked with the MITRE ATT&CK team, to develop a tool that is easy to understand, uses minimal technical language, and guides users through the steps of the framework.

“Decider has a powerful search and filter functionality that enables users to focus on the parts of ATT&CK that are relevant to their analysis. Decider also has a cart functionality that lets users export results to commonly used formats, such as tables and ATT&CK Navigator heatmaps,” according to a CISA GitHub post. Decider has three components: a PostgreSQL database, the uWSGI web server, and the Decider application itself. The components are tested on Ubuntu 20.04 and CentOS 7, and installation and management should be done on one of those platforms.
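The cart export CISA describes produces ATT&CK Navigator heatmap layers. As an added example, not Decider's own code (which this page does not show), the Python below takes a constructed list of technique/tactic mappings of the kind an analyst accumulates while mapping one report, rejects any ID that does not match the ATT&CK technique ID pattern, and aggregates the rest into a Navigator layer object whose per-technique score is how often that technique was mapped. The layer and Navigator version numbers, the gradient, and the tactic shortnames are assumptions about the Navigator layer format, not details from the page.

```python
"""Build an ATT&CK Navigator heatmap layer from a list of technique mappings.

Added example: this is not Decider's code. The Navigator layer field names and
version numbers used here are assumptions about the Navigator layer format.
"""
import json
import re
from collections import Counter

# Enterprise ATT&CK IDs: T1059 (technique) or T1059.001 (sub-technique).
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed sample of (technique ID, tactic shortname) pairs, the kind of
# result set an analyst accumulates while mapping one intrusion report.
SAMPLE_MAPPINGS = [
    ("T1566.001", "initial-access"),     # Spearphishing Attachment
    ("T1204.002", "execution"),          # User Execution: Malicious File
    ("T1059.001", "execution"),          # PowerShell
    ("T1059.001", "execution"),          # PowerShell, seen again later in the report
    ("T1003.001", "credential-access"),  # OS Credential Dumping: LSASS Memory
    ("T1021.002", "lateral-movement"),   # SMB/Windows Admin Shares
]


def validate_mappings(mappings):
    """Split mappings into (valid, rejected) by the ATT&CK ID pattern.

    A mistyped ID such as "T10591" or "t1059" is rejected rather than
    silently exported, since Navigator would just ignore it.
    """
    valid, rejected = [], []
    for tid, tactic in mappings:
        (valid if TECHNIQUE_ID.match(tid) else rejected).append((tid, tactic))
    return valid, rejected


def build_navigator_layer(mappings, name="Mapped report", attack_version="12"):
    """Aggregate mappings into a Navigator layer dict.

    The score of each technique is the number of times it was mapped, which
    is what Navigator colors as a heatmap. Returns (layer, rejected).
    """
    valid, rejected = validate_mappings(mappings)
    counts = Counter(valid)
    techniques = [
        {"techniqueID": tid, "tactic": tactic, "score": n,
         "comment": f"mapped {n} time(s)"}
        for (tid, tactic), n in sorted(counts.items())
    ]
    top = max((t["score"] for t in techniques), default=1)
    layer = {
        "name": name,
        # Assumed: layer format 4.4 is what Navigator 4.8.x reads; the
        # "attack" version must match the ATT&CK release mapped against
        # (Decider supports Enterprise ATT&CK 11.0 and 12.0).
        "versions": {"attack": attack_version, "navigator": "4.8.0", "layer": "4.4"},
        "domain": "enterprise-attack",
        "description": "Technique frequency from one mapped report",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": top},
    }
    return layer, rejected


def to_json(layer):
    """Serialize the layer as the pretty-printed JSON that Navigator imports."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    layer, rejected = build_navigator_layer(SAMPLE_MAPPINGS + [("T10591", "execution")])
    if rejected:
        print("rejected (not ATT&CK IDs):", rejected)
    print(to_json(layer))
```

Validating IDs before export is the practical point: a typo in a technique ID does not fail loudly in Navigator, it simply leaves a cell uncolored, so the mistake is easier to catch at the export step than on the heatmap.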

“The ATT&CK Framework is a proven approach to help organizations more effectively prioritize cybersecurity controls and mitigations that actively reduce the prevalence and impact of intrusions,” Eric Goldstein, executive assistant director for cybersecurity, CISA, said in a media statement. “We are excited to continue our partnership with HSSEDI and MITRE in offering the Decider tool to better guide ATT&CK mapping and help the cybersecurity community accurately understand adversary activities and make well-informed decisions that raise our collective defense.”

“We are proud to partner with CISA to help cyber defenders take a more adversary-informed approach to protecting their networks,” Yosry Barsoum, vice president and director of the Center for Securing the Homeland at MITRE, said. “With Decider, the greater cyber community will be better equipped to use ATT&CK.”

Decider is a companion to the recently updated Best Practices for MITRE ATT&CK Mapping guide. CISA and other organizations in the cybersecurity community use the MITRE ATT&CK framework to identify and analyze threat actor behavior. The resulting mappings are used to develop adversary profiles, conduct activity trend analyses, and detect, respond to, and mitigate threats.

The updated guide, produced by CISA with HSSEDI, incorporates the significant changes made to MITRE ATT&CK from version 9 through version 12. These include expanded macOS and Linux coverage, increased equity between the industrial control systems (ICS), mobile, and enterprise matrices, the addition of adversary campaigns, and redefined data sources and detections.

CISA also noted that almost every cybersecurity advisory and risk and vulnerability assessment report it releases presents adversary behavior mapped to MITRE ATT&CK. “Our intent is to help more cybersecurity partners, whether novice or seasoned cyber defenders, get in the routine practice of using MITRE ATT&CK—a common lexicon does make a difference for the organization and broader community. When correctly applied, the ATT&CK framework allows users to identify defensive gaps, assess security tool capabilities, organize detections, hunt for threats, engage in red team activities, and validate mitigation controls,” the agency added.

As cyber adversaries evolve, run malicious campaigns, and seek to disrupt, destroy, or disable the systems of U.S. and international critical infrastructure and governments, CISA says it will continue to work closely with like-minded domestic and international partners to ensure its resources, tools, and advisories are timely, accurate, and useful.

Last month, MITRE released its 2023 ATT&CK roadmap, with key efforts planned for the year ranging from ICS (industrial control systems) assets to expanded Linux coverage and ATT&CKcon 4.0. In 2023 the focus will be on targeted growth and integration: MITRE plans to maintain framework stability while building out content and structure and expanding the scope of some of ATT&CK’s current platforms.
