Detection Navigator

Setting Up Detection Navigator

1. Docker

The steps to set up the docker container are as follows.

v2.2

$ docker pull desijarvis/detectionnavigator:v2.2
$ docker run -p 127.0.0.1:8443:443 -it desijarvis/detectionnavigator:v2.2
< This will drop you into the interactive container shell >
root@<containerID># service apache2 start
root@<containerID># service mysql start
root@<containerID># netstat -antp

v1.2

$ docker pull desijarvis/detectionnavigator:v1.2
$ docker run -p 127.0.0.1:8443:443 -it desijarvis/detectionnavigator:v1.2
< This will drop you into the interactive container shell >
root@<containerID># service apache2 start
root@<containerID># service mysql start
root@<containerID># netstat -antp

Credentials

username : detectionchartadmin
password : detectionchartpassword1

2. Virtual Machine

If you want to use a VM instead of docker to set up Detection Navigator, you can download the OVA file for VirtualBox from here. It is an Ubuntu 20.04 server with Django and Apache already set up. The username and password for the VM are as follows.

username : detectionnav
password : detectionnavpassword1!

Navigating Detection Navigator

Detection Navigator is very simple to use. It has 4 color schemes and 3 features. To choose a color for the box of a TTP, you just click on that TTP.

Detection Chart v2.2

The color schemes are as follows.

  • Red means the TTP is not detected at all.
  • Orange means the TTP is detected but not its variations.
    For example, bitsadmin is detected but not certutil.
  • Green means the TTP and all its known variations are detected.
  • Grey means T1197 is irrelevant for this environment.
    For example, there is not a single Windows machine, so there is no need to worry about it.
  • White means no detection score is associated.

The features include:

Download

This feature allows you to export the detection chart to MS Excel and pass it along.
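The color scheme above is effectively a scoring model, and the Download feature exists so the scored chart can be handed to someone else. The following added example (my own code, not Detection Navigator's) models the five scores, computes a per-tactic coverage figure that leaves grey (out of scope) and white (unscored) rows out of the denominator, lists the techniques that still need detection content, and exports the chart. The chart rows are constructed sample data (the ATT&CK IDs are real, the scores are made up), the half-weight given to orange is a choice made for this example, and CSV stands in for the tool's Excel export because it needs only the standard library.

```python
"""Model of the Detection Navigator colour scheme with a coverage summary and export.

Added example, not Detection Navigator's own code. SAMPLE_CHART is constructed
sample data; the tool's real schema and its Excel export are not reproduced.
"""
import csv
import io
from collections import defaultdict
from enum import Enum


class Score(Enum):
    """Detection score colours as described in the article."""
    RED = "not detected"
    ORANGE = "detected, but not its variations"
    GREEN = "TTP and all known variations detected"
    GREY = "irrelevant for this environment"
    WHITE = "no detection score associated"


# Constructed sample chart: (tactic, technique id, technique name, score).
# The IDs and names are real ATT&CK techniques; the scores are invented.
SAMPLE_CHART = [
    ("Defense Evasion", "T1197", "BITS Jobs", Score.ORANGE),
    ("Defense Evasion", "T1070", "Indicator Removal", Score.RED),
    ("Execution", "T1059", "Command and Scripting Interpreter", Score.GREEN),
    ("Execution", "T1204", "User Execution", Score.WHITE),
    ("Persistence", "T1547", "Boot or Logon Autostart Execution", Score.GREY),
    ("Persistence", "T1053", "Scheduled Task/Job", Score.ORANGE),
]


def coverage_by_tactic(chart):
    """Per tactic: counts per colour plus a coverage ratio.

    Grey (out of scope) and white (unscored) rows are excluded from the
    denominator. Green counts as full coverage and orange as half; that
    weighting is chosen for this example, not defined by the tool.
    """
    counts = defaultdict(lambda: {s: 0 for s in Score})
    for tactic, _tid, _name, score in chart:
        counts[tactic][score] += 1
    summary = {}
    for tactic, c in counts.items():
        scored = c[Score.RED] + c[Score.ORANGE] + c[Score.GREEN]
        weighted = c[Score.GREEN] + 0.5 * c[Score.ORANGE]
        summary[tactic] = {
            "scored": scored,
            "coverage": round(weighted / scored, 2) if scored else None,
            **{s.name.lower(): c[s] for s in Score},
        }
    return summary


def gaps(chart):
    """Techniques that need detection content: red first, then orange, by ID."""
    order = {Score.RED: 0, Score.ORANGE: 1}
    rows = [r for r in chart if r[3] in order]
    rows.sort(key=lambda r: (order[r[3]], r[1]))
    return [(tid, name, score.name) for _t, tid, name, score in rows]


def export_csv(chart):
    """Render the chart as CSV text with the colour meaning spelled out."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["tactic", "technique_id", "technique", "score", "meaning"])
    for tactic, tid, name, score in chart:
        writer.writerow([tactic, tid, name, score.name, score.value])
    return buf.getvalue()


if __name__ == "__main__":
    for tactic, s in coverage_by_tactic(SAMPLE_CHART).items():
        print(f"{tactic}: coverage={s['coverage']} red={s['red']} "
              f"orange={s['orange']} green={s['green']}")
    for tid, name, score in gaps(SAMPLE_CHART):
        print(f"gap: {tid} {name} ({score})")
    print(export_csv(SAMPLE_CHART))
```

The `gaps` list is the piece a blue team actually acts on: red rows are missing detections, orange rows are variations (the bitsadmin versus certutil case from the color scheme) that still need content.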

Backup Database

This feature can be used to manually back up the database. This is helpful if the DB ever gets corrupted. You can simply log in to the docker container and follow these steps.

root@<containerID># cd /var/www/DetectionNavigator/BackupDBs/
root@<containerID># mysql --one-database detectionnav < manual-backup-alldatabases-<%datetime%>.sql
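Restoring with `mysql < file` will silently leave the database half-loaded if the chosen dump is empty or truncated, so it pays to check the file before feeding it in. The following added example (my own code, not part of Detection Navigator) picks the newest manual backup from the directory shown above, skips any file that does not look like mysqldump output, and only then builds the restore command from the article. It assumes the backup directory, the `manual-backup-alldatabases-<datetime>.sql` naming and the `detectionnav` database name shown above; because the datetime format inside the filename is not documented, files are ordered by modification time rather than by parsing the name. `demo()` exercises the helpers on constructed files in a temporary directory and never touches a real database.

```python
"""Pick the newest Detection Navigator backup and sanity-check it before restoring.

Added example, not part of the tool. Paths, naming and database name follow the
article; the files created in demo() are constructed test data.
"""
import os
import subprocess
import tempfile
import time
from pathlib import Path

BACKUP_DIR = Path("/var/www/DetectionNavigator/BackupDBs")   # from the article
DB_NAME = "detectionnav"                                      # from the article
PREFIX = "manual-backup-alldatabases-"                        # from the article


def backups_newest_first(backup_dir=BACKUP_DIR):
    """All manual backups in the directory, most recently modified first."""
    found = [p for p in Path(backup_dir).glob(PREFIX + "*.sql") if p.is_file()]
    return sorted(found, key=lambda p: p.stat().st_mtime, reverse=True)


def looks_like_mysqldump(path):
    """Cheap check that the file is non-empty mysqldump output.

    Refuses anything that has neither the mysqldump header nor a CREATE TABLE
    statement, which catches empty and badly truncated dumps.
    """
    p = Path(path)
    if not p.is_file() or p.stat().st_size == 0:
        return False
    text = p.read_text(errors="replace")
    return text.startswith("-- MySQL dump") or "CREATE TABLE" in text


def pick_restorable(backup_dir=BACKUP_DIR):
    """Newest backup that passes the sanity check, or None if none does."""
    for p in backups_newest_first(backup_dir):
        if looks_like_mysqldump(p):
            return p
    return None


def restore_command(db_name=DB_NAME):
    """argv for the restore step from the article; the dump is supplied on stdin."""
    return ["mysql", "--one-database", db_name]


def restore(path, db_name=DB_NAME, run=subprocess.run):
    """Validate, then run `mysql --one-database <db> < path`.

    `run` is injectable so the flow can be exercised without a real MySQL.
    """
    if not looks_like_mysqldump(path):
        raise ValueError(f"refusing to restore from {path}: not a mysqldump file")
    with open(path, "rb") as fh:
        return run(restore_command(db_name), stdin=fh, check=True)


def demo():
    """Run the helpers against constructed dump files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        old = root / (PREFIX + "20230101-000000.sql")    # constructed names
        good = root / (PREFIX + "20230102-000000.sql")
        empty = root / (PREFIX + "20230103-000000.sql")
        old.write_text("-- MySQL dump 10.13\nCREATE TABLE old (id int);\n")
        good.write_text("-- MySQL dump 10.13\nCREATE TABLE good (id int);\n")
        empty.write_text("")                               # the failure mode
        now = time.time()
        os.utime(old, (now - 200, now - 200))
        os.utime(good, (now - 100, now - 100))
        os.utime(empty, (now, now))                        # newest, but unusable
        calls = []

        def fake_run(argv, stdin=None, check=False):
            calls.append(argv)
            return "ok"

        result = {
            "newest": backups_newest_first(root)[0].name,
            "restorable": pick_restorable(root).name,
            "valid_empty": looks_like_mysqldump(empty),
            "restore": restore(pick_restorable(root), run=fake_run),
            "argv": calls[0],
        }
        try:
            restore(empty, run=fake_run)
            result["empty_refused"] = False
        except ValueError:
            result["empty_refused"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the demo the newest file by timestamp is the empty one, so `pick_restorable` falls back to the previous good dump and `restore` refuses the empty file outright; with a real database you would call `restore(pick_restorable())` inside the container.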

Update Database

This feature can be used when a new tactic, technique or sub-technique is added to MITRE ATT&CK. It retains your current Detection Score data while updating the framework with the new TTPs.

Reset Database

This feature can be used to reset the entire database, which removes all the detection score associations. It will also pull new tactics, techniques or sub-techniques if new TTPs have been added.

Atomic Tests

It includes Python scripts for some of the OSX / Linux atomic tests. They require a Python 3 installation.

Use Cases

The use cases of Detection Navigator include the following situations.

Managing Detection Chart(s)

Detection Navigator is a seamless way to create and manage a Detection Chart. This tool quickly allows you to create, maintain, update (beta) and reset the detection chart.

Post Red Team Operation(s)

After executing a red team operation, you can quickly whip out a detection chart using this tool, export it to Excel and pass it over to your blue team.

Driving Content Creation as well as Purple Team Exercise(s)

Once you have a sense of the visibility and detection gaps in your environment, you can use it to feed content creation into your adversary detection pipeline as well as unit test the blind spots via Purple Team Exercises.

Caveats

If you use the VM, it is recommended that its interface be behind NAT; if you use the docker container, only allow it to accept local connections (the docker run command in the setup section maps the port to 127.0.0.1 only).
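Two things on this page already tell you whether the container is only reachable locally: the `-p` mapping given to `docker run` and the `netstat -antp` step from the setup section. The following added example (my own code, not part of Detection Navigator) parses both. `publish_binds_loopback` checks that a `-p` spec carries a loopback host address, and `exposed_listeners` reads `netstat -antp` output and reports LISTEN sockets bound to anything other than loopback. The netstat text is constructed sample output, not captured from a real system. Run the listener check against netstat on the docker host: inside the container a 0.0.0.0 listener such as MySQL is only reachable from outside if it has been published.

```python
"""Check that the Detection Navigator listener is reachable only locally.

Added example, not part of the tool. SAMPLE_NETSTAT is constructed sample
output in the layout of `netstat -antp`, the command used in the setup steps.
"""
import ipaddress

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      2210/docker-proxy
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      412/mysqld
tcp6       0      0 :::443                  :::*                    LISTEN      388/apache2
tcp        0      0 127.0.0.1:8443          127.0.0.1:51234         ESTABLISHED 2210/docker-proxy
"""


def split_host_port(addr):
    """'127.0.0.1:8443' -> ('127.0.0.1', 8443); ':::443' -> ('::', 443)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def is_loopback(host):
    """True for 127.0.0.0/8 and ::1. Wildcards ('0.0.0.0', '::', '*') are not loopback."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False


def exposed_listeners(netstat_text):
    """LISTEN sockets whose local address is not loopback, as (host, port, program)."""
    exposed = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # Skip headers, non-TCP rows and anything that is not a listener.
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue
        host, port = split_host_port(parts[3])
        program = parts[6] if len(parts) > 6 else "-"
        if not is_loopback(host):
            exposed.append((host, port, program))
    return exposed


def publish_binds_loopback(port_spec):
    """True if a `docker run -p` spec such as '127.0.0.1:8443:443' binds a loopback
    host address. 'HOST:CONTAINER' with no host IP publishes on all interfaces."""
    parts = port_spec.split(":")
    if len(parts) < 3:
        return False
    host = ":".join(parts[:-2])     # an IPv6 host such as [::1] contains ':' itself
    return is_loopback(host)


if __name__ == "__main__":
    for host, port, program in exposed_listeners(SAMPLE_NETSTAT):
        print(f"exposed listener: {host}:{port} ({program})")
    for spec in ("127.0.0.1:8443:443", "8443:443", "0.0.0.0:8443:443"):
        print(f"-p {spec}: loopback only = {publish_binds_loopback(spec)}")
```

With the sample data the docker-proxy listener on 127.0.0.1:8443 is accepted, while the 0.0.0.0:3306 and :::443 rows are reported; the second of those is what you would see if the `-p` spec had been written without the `127.0.0.1` prefix.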

In Summary

Detection Navigator helps you quickly whip out a Detection Chart as well as maintain it and share it. This is very powerful for Red Team Operators, as they can provide more value to the blue team by quickly creating a Detection Scorecard from their engagements. It is definitely useful to the blue team as well, as they can use it to track current blind spots and drive content creation.

CREDITS

Special Thanks to Brad Richardson for working with me on the Download feature.

Madhav Bhatt

Effective collaboration between red and blue can produce offensive defense, a.k.a. the blue team quickly detecting, responding to and disrupting attackers' activities.