Detection Navigator

Madhav Bhatt
Apr 20, 2021

In my previous article, I discussed how to build a Detection Chart using the MITRE ATT&CK Framework. However, as I mentioned at the very end of that article, to sustain this long term, working with the Detection Chart should be seamless, and spreadsheets are anything but seamless.

Thus I built Detection Navigator (long live the Django Framework!), which makes it much easier to build a Detection Chart. The web server is available as both a Docker image and an .ova file. If you know how to set up a Django web server behind Apache, you can also just download the code and set it up yourself.

In this article, we will discuss how to set up Detection Navigator, how to use it, and potential use cases.

Setting Up Detection Navigator

1. Docker

The steps to set up the Docker container are as follows.

You have to start Apache and MySQL manually after the container starts.

Detection Navigator v2.2 deliberately ships with a slightly older ATT&CK version and a sample Detection Chart. Click the Update Database or Reset Database function to move to the latest ATT&CK Framework.

v2.2

$ docker pull desijarvis/detectionnavigator:v2.2
$ docker run -p 127.0.0.1:8443:443 -it desijarvis/detectionnavigator:v2.2
< This will drop you into an interactive container shell >
root@<containerID># service apache2 start
root@<containerID># service mysql start
root@<containerID># netstat -antp

v1.2

$ docker pull desijarvis/detectionnavigator:v1.2
$ docker run -p 127.0.0.1:8443:443 -it desijarvis/detectionnavigator:v1.2
< This will drop you into an interactive container shell >
root@<containerID># service apache2 start
root@<containerID># service mysql start
root@<containerID># netstat -antp

The netstat call is only a check that Apache (port 443 inside the container, published on the host as 127.0.0.1:8443) and MySQL are listening before you open the browser.

Credentials

username : detectionchartadmin
password : detectionchartpassword1

These credentials are the same in every copy of the image, which is one more reason to keep the published port bound to 127.0.0.1 as shown.

Once you have followed these steps, go to https://127.0.0.1:8443 to access Detection Navigator.
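The same procedure as a non-interactive script, added here as an example; it is not code from the original post or from the Detection Navigator project. It assumes docker and curl are on PATH, uses the image tag and the 127.0.0.1:8443:443 mapping from the steps above, and picks the container name detectionnav itself. The loopback check encodes the article's advice that the container should only be reachable locally; the readiness poll replaces looking at netstat by hand.

```shell
#!/bin/sh
# Added example (not code from the original post or the Detection Navigator
# project): a non-interactive wrapper around the Docker steps above.
# Assumptions: docker and curl are on PATH; the image tag and the
# 127.0.0.1:8443:443 port mapping are the ones the article uses; the
# container name "detectionnav" is chosen here.
IMAGE="desijarvis/detectionnavigator:v2.2"
PUBLISH="127.0.0.1:8443:443"
NAME="detectionnav"
URL="https://127.0.0.1:8443"

# Return 0 only when a -p mapping binds to a 127.x.x.x address. The article
# says the container should only be reachable locally; "8443:443" or
# "0.0.0.0:8443:443" would publish it on every interface of the host.
is_loopback_binding() {
    case "$1" in
        127.*:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Poll the HTTPS endpoint until something answers. -k is used because a
# certificate presented for 127.0.0.1 will not validate against the host
# name; any HTTP status counts as "up" for this check.
wait_for_https() {
    url="$1"; tries="$2"
    while [ "$tries" -gt 0 ]; do
        if curl -k -s -o /dev/null "$url"; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    echo "timed out waiting for $url" >&2
    return 1
}

start_navigator() {
    if ! is_loopback_binding "$PUBLISH"; then
        echo "refusing to publish on a non-loopback address: $PUBLISH" >&2
        return 1
    fi
    docker pull "$IMAGE"
    # -dit instead of -it: the image's interactive shell stays alive in the
    # background and the services are started with docker exec instead of
    # by hand (assumes the image still drops into a shell by default).
    docker run -dit --name "$NAME" -p "$PUBLISH" "$IMAGE"
    docker exec "$NAME" service apache2 start
    docker exec "$NAME" service mysql start
    docker exec "$NAME" netstat -antp
    wait_for_https "$URL" 30
    echo "Detection Navigator is up at $URL"
}

case "${1:-}" in
    up)   start_navigator ;;
    down) docker rm -f "$NAME" ;;
    *)    : ;;  # no argument: only define the functions (e.g. when sourced)
esac
```

Run it as `sh detnav.sh up` to pull, start and wait for the service, and `sh detnav.sh down` to remove the container. Changing PUBLISH to `8443:443` makes the script refuse to start, which is the intended guard rail.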

2. Virtual Machine

If you want to use a VM instead of Docker to set up Detection Navigator, you can download the .ova file for VirtualBox from here. It is an Ubuntu 20.04 server with Django and Apache already set up. The username and password for the VM are as follows.

username : detectionnav
password : detectionnavpassword1!

The VM is no longer maintained. It uses the older version 1.2.

You may have to change some of the VM settings. For example, if you get a network interface error, that is probably because your host's network interface is named differently; change the network settings to your preference. Change the USB setting from USB 2.0 to USB 1.1/1.0 if you see a USB 2.0 error.

Once you have the IP of the VM, go to https://<IP> to reach Detection Navigator.

Navigating Detection Navigator

Detection Navigator is very simple to use. It has a five-colour scheme and a handful of features. To change the colour of a TTP's box, you just click on that TTP.

Each click cycles the colour Red -> Orange -> Green -> Grey -> White.

Detection Chart v2.2

The colours mean the following.

  • Red means the TTP is not detected at all.
  • Orange means the TTP is detected but not its variations.
    For example, bitsadmin is detected but not certutil.
  • Green means the TTP and all its known variations are detected.
  • Grey means the TTP is irrelevant for this environment.
    For example, T1197 (BITS Jobs) when there is not a single Windows machine to worry about.
  • White means no detection score has been assigned.

The features are as follows.

Download

This feature exports the detection chart to MS Excel so you can pass it along.

Backup Database

This feature manually backs up the database. It is helpful if the DB ever gets corrupted.

A database backed up with the "Backup Database" function follows the naming convention "manual-backup-alldatabases-<%datetime%>.sql".

A database backed up by the "Update Database" or "Reset Database" function follows the naming convention "automatic-backup-alldatabases-<%datetime%>.sql".

If your database ever gets corrupted, restore it from the most recent backup in the folder /var/www/DetectionNavigator/BackupDBs/. Log in to the Docker container and follow these steps (--one-database applies only the statements belonging to the detectionnav schema from the all-databases dump):

root@<containerID># cd /var/www/DetectionNavigator/BackupDBs/
root@<containerID># mysql --one-database detectionnav < manual-backup-alldatabases-<%datetime%>.sql
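A restore helper that picks the newest dump and sanity-checks it before feeding it to mysql, added here as an example rather than taken from the post or the project. It assumes it runs inside the container (mysql on PATH, the backup folder named above) and that the dumps are mysqldump all-databases output, in which the schema name appears in backticks; the BACKUP_DIR override and the `restore` argument are this script's own conventions.

```shell
#!/bin/sh
# Added example (not code from the original post or the Detection Navigator
# project): restore the detectionnav database from the most recent dump.
# Assumptions: runs inside the container with mysql on PATH; dumps are
# mysqldump --all-databases output (schema names appear in backticks);
# the BACKUP_DIR variable and the "restore" argument are chosen here.
BACKUP_DIR="${BACKUP_DIR:-/var/www/DetectionNavigator/BackupDBs}"
DB_NAME="detectionnav"

# Print the newest backup by modification time. Both naming conventions
# from the article end in "-backup-alldatabases-<%datetime%>.sql", so the
# glob matches the manual and the automatic dumps alike.
latest_backup() {
    dir="$1"
    # ls -t is acceptable here: the dump file names contain no whitespace.
    ls -t "$dir"/*-backup-alldatabases-*.sql 2>/dev/null | head -n 1
}

# Refuse a dump that is empty or never mentions the target schema: a
# truncated or foreign file would otherwise be applied silently.
dump_mentions_db() {
    file="$1"; db="$2"
    [ -s "$file" ] && grep -q "\`$db\`" "$file"
}

restore_latest() {
    file="$(latest_backup "$BACKUP_DIR")"
    if [ -z "$file" ]; then
        echo "no backups found in $BACKUP_DIR" >&2
        return 1
    fi
    if ! dump_mentions_db "$file" "$DB_NAME"; then
        echo "$file does not contain the $DB_NAME schema, not restoring" >&2
        return 1
    fi
    echo "restoring $DB_NAME from $file"
    # --one-database: from the all-databases dump, apply only the statements
    # that run while detectionnav is the default database; skip the rest.
    mysql --one-database "$DB_NAME" < "$file"
}

case "${1:-}" in
    restore) restore_latest ;;
    *)       : ;;  # no argument: only define the functions (e.g. when sourced)
esac
```

Inside the container, `sh restore.sh restore` picks the latest manual or automatic backup and restores it; set BACKUP_DIR to point at a copy of the folder if you keep backups elsewhere.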

Update Database

This feature is for when a new tactic, technique or sub-technique is added to MITRE ATT&CK. It keeps your current Detection Scores and adds the new TTPs to the framework.

This function automatically backs up the database first.

Reset Database

This feature resets the entire database, removing all detection score associations. It also pulls in new tactics, techniques or sub-techniques if new TTPs have been added.

This function automatically backs up the database first.

Atomic Tests

This includes Python scripts for some of the macOS / Linux atomic tests; they require Python 3.

Use Cases

The use cases of Detection Navigator include the following situations.

Managing Detection Chart(s)

Detection Navigator is a seamless way to create and manage a Detection Chart. The tool lets you quickly create, maintain, update (beta) and reset the detection chart.

Post Red Team Operation(s)

After executing a red team operation, you can quickly whip up a detection chart with this tool, export it to Excel and pass it to your blue team.

Driving Content Creation as well as Purple Team Exercise(s)

Once you have a sense of the visibility and detection gaps in your environment, you can feed them into content creation for your adversary detection pipeline, and unit test the blind spots via purple team exercises.

Caveats

If you use the VM, keep its network interface behind NAT; if you use the Docker container, publish the port on 127.0.0.1 only, as in the commands above. Both ship with the default credentials listed earlier, so neither should be reachable from the network.

This is meant to be a quick and dirty way to maintain Detection Scorecards locally. If you have to share one, export it to Excel.

In Summary

Detection Navigator helps you quickly whip up a Detection Chart, maintain it and share it. This is very powerful for red team operators, who can provide more value to the blue team by quickly creating a Detection Scorecard from their engagements. It is equally useful to the blue team, who can use it to track current blind spots and drive content creation.

CREDITS

Special thanks to Brad Richardson for working with me on the Download feature.
