rabobank-cdc / DeTTECT

Detect Tactics, Techniques & Combat Threats
GNU General Public License v3.0

How do data sources relate to techniques #34

Closed rubinatorz closed 4 years ago

rubinatorz commented 4 years ago

After looking at the documentation for DETT&CT, I see that there are detection and visibility scores for techniques and data quality scores for data sources, but am unsure how they relate to each other. I looked at the sample YAML files and am still unclear on how data sources and techniques are correlated. Would you mind explaining this or showing me where I can find an explanation?

-Tim

rubinatorz commented 4 years ago

Hi Tim,

If you look up a technique on the MITRE ATT&CK website, you'll find a list of data sources for that specific technique:

https://attack.mitre.org/techniques/T1055/

For example for T1055 Process Injection you'll find the following data sources:

API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring

This means that traces of process injection can be found in these data sources.

In DeTT&CT you can administrate your data sources, and DeTT&CT will then map those data sources to the techniques in ATT&CK. This will give you a rough overview of your visibility coverage.

Hope this answers your question.

Regards, Ruben
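To make the mapping described in the reply concrete, here is an added example (not DeTT&CT's own code) that takes the data sources ATT&CK lists for T1055, as quoted above, and a set of administered data sources, and derives the kind of rough visibility coverage Ruben mentions. The administered data sources and their quality scores are constructed for this example, and the single 0-5 quality score per source is a simplification rather than the field layout of a real DeTT&CT data source YAML file.

```python
"""Rough visibility coverage from administered data sources.

Added example, not DeTT&CT's own code. The idea from the thread: a
technique is visible to the extent that the data sources ATT&CK lists for
it are actually collected at a usable quality. The T1055 mapping is the one
quoted in the issue; the administered data sources, their scores and the
single 0-5 quality score are constructed assumptions for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Data sources ATT&CK listed for T1055 Process Injection (quoted in the issue).
TECHNIQUE_DATA_SOURCES: dict[str, list[str]] = {
    "T1055": [
        "API monitoring",
        "DLL monitoring",
        "File monitoring",
        "Named Pipes",
        "Process monitoring",
    ],
}

# Constructed example of an organisation's administered data sources.
# Quality is one 0-5 score here; a real DeTT&CT file splits quality into
# several dimensions (simplification made for this example).
ADMINISTERED_DATA_SOURCES: dict[str, int] = {
    "Process monitoring": 4,
    "File monitoring": 3,
    "API monitoring": 1,  # collected, but too poorly to count on
}

# A source scored below this threshold does not count as visibility.
MIN_QUALITY = 2


@dataclass
class VisibilityResult:
    technique: str
    covered: list[str]
    missing: list[str]

    @property
    def score(self) -> float:
        """Fraction of the technique's listed data sources that are covered."""
        total = len(self.covered) + len(self.missing)
        return len(self.covered) / total if total else 0.0


def visibility_for_technique(
    technique: str,
    administered: dict[str, int],
    mapping: dict[str, list[str]] = TECHNIQUE_DATA_SOURCES,
    min_quality: int = MIN_QUALITY,
) -> VisibilityResult:
    """Split a technique's ATT&CK data sources into those collected at or
    above min_quality (covered) and those absent or too poor (missing)."""
    covered: list[str] = []
    missing: list[str] = []
    for source in mapping[technique]:
        if administered.get(source, 0) >= min_quality:
            covered.append(source)
        else:
            missing.append(source)
    return VisibilityResult(technique, covered, missing)


def visibility_overview(
    administered: dict[str, int],
    mapping: dict[str, list[str]] = TECHNIQUE_DATA_SOURCES,
    min_quality: int = MIN_QUALITY,
) -> dict[str, VisibilityResult]:
    """Compute the rough visibility picture for every mapped technique."""
    return {
        technique: visibility_for_technique(technique, administered, mapping, min_quality)
        for technique in mapping
    }


if __name__ == "__main__":
    for result in visibility_overview(ADMINISTERED_DATA_SOURCES).values():
        print(f"{result.technique}: {result.score:.0%} of listed data sources covered")
        print("  covered:", ", ".join(result.covered) or "-")
        print("  missing:", ", ".join(result.missing) or "-")
```

Lowering `min_quality` to 1 lets the poorly collected API monitoring count, which is why a quality threshold matters: a source that exists on paper but is barely usable inflates the coverage picture.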