Decider User Guide
Decider is a web application that assists network defenders, analysts, and researchers in the process of mapping adversary behaviors to the MITRE ATT&CK® framework.
Produced For
Department of Homeland Security
Produced By
Homeland Security Systems Engineering and Development Institute (HSSEDI™)
Code: Decider's GitHub Repo
Notice: This project makes use of MITRE ATT&CK® - ATT&CK Terms of Use
Decider Kiosk is a loginless version of Decider meant to be hosted as a publicly-accessible website.
User accounts, database-saved carts, and content authoring have all been removed from the application.
The frontend was also cleaned up - to improve accessibility and responsiveness.
The UI works on phones without issue.
Decider has 3 key features:
- Question Tree
- Full Technique Search
- Shopping Cart
Question Tree (structured progression through ATT&CK)
Decider's homepage is the root of a question tree (matrix level).
The answer cards on this page are Tactics (adversary goals).
Clicking one progresses you along.
You descend down the hierarchy as such:
Matrix > Tactic > Technique > SubTechnique
Once you reach a (Sub)Technique, you can view a detailed page about it.
Should the description align with the adversary behavior you observed - you can add the Technique to your shopping cart.
Answer cards can be:
- filtered by relevant Platforms / Data Sources
  - knowing what systems a behavior occurred against / what data sources the behavior can be detected from reduces the amount of options to deal with
- re-ordered by a keyword search
  - providing key terms allows progressing through cards in a more optimal order
Full Technique Search (ability to search and filter all Techniques at once)
Search Technique IDs / names / descriptions using:
- prefix matching
- boolean expressions
- phrase matching
Filter Techniques by relevant:
- Tactics
- Platforms
- Data Sources
Shopping Cart (a place to store your mappings, add context, and export to files)
The 'CTI Shopping Cart' is a place where your mappings are stored.
- Cart entries have a text box where you can place mapping content / rationale / evidence
- Carts can be saved-to and loaded-from JSON files
- Carts can be exported to a(n)
  - ATT&CK Navigator layer
    - (to visualize the attack heatmap in relation to defenses / existing adversary heatmaps)
  - Microsoft Word Doc
    - (creates a table of mapped Techniques + mapping context that can be embedded in a report)
Please create an issue / discussion on Decider's GitHub.
No, Decider complements the ATT&CK website.
Decider does not contain all of the information that is available on the ATT&CK website.
It primarily contains information on Tactics, Techniques, and the Platforms / Data Sources related to Techniques.
The goal of Decider is to aid in mapping threat reporting / adversary behaviors.
Once you have mappings, you can leverage the ATT&CK website for further insights and next steps (e.g. detections, mitigations).
- Go to the question tree homepage (click Decider (Tree Home) in the top left)
- Identify the goal of the adversary's actions (Tactic) - click this card
- Identify what Platform(s) the adversary's actions occurred on/against and set these filters
  - (optionally set Data Sources their behavior could be detected by)
- Follow the remaining prompts to end up on a (Sub)Technique Success Page
- Read the Technique's description
  - A. if it matches the observed behavior, then add it to your cart
    - Before adding to your cart
      - If the Mismappings section is present, double check that the Other Potential Technique(s) do not apply instead
    - After adding to your cart
      - If the Frequently Appears With section is present, skim the suggested Techniques, as the adversary may have leveraged them too
  - B. if it does not match the observed behavior, backtrack
    - a different SubTechnique may apply
    - (or) the 'Base' Technique may apply instead of one of its SubTechniques
    - (or) a different Technique may apply
    - (or) a different Tactic may apply even
The mapping steps below follow those identified in CISA's ATT&CK Mapping Guide. Analysts may choose their own starting point based on their familiarity with ATT&CK and the technical details / context available in the report.
- Identify Tactics – Comb through the report to identify the adversary’s tactics and the flow of the attack. To identify the tactics (the adversary’s goals), focus on what the adversary was trying to accomplish and why. Review the tactic definitions to determine how the identified behaviors might translate into a specific tactic. Each tactic includes a finite number of actions an adversary can take to implement their goal. Understanding the flow of the attack can help identify the techniques or sub-techniques that an adversary may have employed.
- Identify Techniques – After identifying the tactics, review the technical details associated with how the adversary tried to achieve their goals. Note: if you have insufficient detail to identify an applicable technique, you will be limited to mapping to the tactic level, which alone is not actionable information for detection purposes. Compare the behavior in the report with the description of the ATT&CK techniques listed under the identified tactic. If one of them matches, then it may be an appropriate technique. Be aware that multiple techniques may apply concurrently to the same behavior.
- Identify Sub-Techniques – Review sub-technique descriptions to see if they match the information in the report. A match here may be an appropriate sub-technique. Read sub-technique descriptions carefully to understand the differences between them. In cases where the parent of a sub-technique aligns to multiple tactics, make sure to choose the appropriate tactic. Note: map solely to the parent technique only if there is not enough context to identify a sub-technique.
Consider techniques and sub-techniques as elements of an adversary’s playbook, rather than as isolated activities. Adversaries often use information they obtain from each activity in an operation to determine what additional techniques they will use next in the attack cycle. Because of this, techniques and sub-techniques are often linked in the attack chain.
The Question Tree allows you to locate which Technique occurred by answering questions that narrow from Tactic to Technique, and optionally, SubTechnique.
The Navbar allows you to quickly access key parts of the app: the start of the question tree, the full search page, the CTI shopping cart, and app documentation.
Answer the Question (8) by clicking one of the Answer Cards (11).
Optionally reduce the amount of cards to sift through by setting Filters (9).
Optionally order the answer cards by keyword relevance using Search Answers (10).
- CISA Logo - Links to CISA.gov
- Decider Tree Home - Takes you to this page (the question tree home)
- Version Picker - Lets you change what version of ATT&CK data you're viewing
- Mini Technique Search - Lets you quickly jump to a Technique's page by its name or ID
- Docs - Opens this user guide
- Full Technique Search - Opens the Full Technique Search page, which supports searching/filtering all Techniques at once
- CTI Shopping Cart - Opens the CTI Shopping Cart, where your mappings can be viewed, edited, saved, or exported
- Question - You select the Answer Card (11) that best answers this prompt
- Filters - These allow hiding Answer Cards (11) that do not match the specified criteria
  - Filter Types
    - Platforms are the system types that the behavior occurred on/against
    - Data Sources are means by which behavior could have been detected
  - Filtering Advice
    - Ignore on the homepage: there are only 14 Tactics to pick from, so there is no need to filter here
      - Also, Tactics have all Platforms / Data Sources of the Techniques under them. Setting a Platform filter + a Data Source filter may show a Tactic that has no Techniques under it fulfilling that filter combo
    - Be generous: an answer card is shown if it matches any of the filters (of a given type)
      - Accidentally hiding the correct answer card by mis-selecting would be detrimental
      - The goal of filters is to generally narrow how many answer cards you need to look at (Defense Evasion has 42 'Base' Techniques as of v13)
- Search Answers - This re-orders the Answer Cards (11) by relevance to the keywords you've entered
  - Search Functionality
    - On Matrix → Tactics Homepage
      - There are only 14 Tactics, so this is a basic keyword search
    - On Deeper Pages
      - Advanced search functionality is supported here
      - Typed words are OR'd together by default
      - & (ampersand) requires both terms to be present
      - | (pipe) requires either term to be present
      - ~ (tilde) requires a term to be absent
      - () (parentheses) can be used to order AND/OR/NOT operators
      - * (asterisk) is used for prefix matching (proc* → proc, process, procedure)
      - "" (double quotes) specify that each word in a phrase must be present (non a-z0-9 characters are stripped)
- Answer Cards - You pick the answer that best answers the Question (8).
  - These represent Tactics, then Techniques, and finally SubTechniques as you progress through the ATT&CK hierarchy.
  - Clicking the card progresses you through the tree (same as clicking 'Select Card').
  - Clicking 'ATT&CK Page' opens the ATT&CK page for the given Tactic/Technique
The version picker allows you to change what ATT&CK version the app is showing content for. Currently, only the Enterprise domain is supported.
- Current Version - This shows the current ATT&CK version the app is showing content for. Clicking this reveals Other Versions (2)
- Other Versions - This shows as a dropdown of available versions, each prefaced with '(change to)'
The mini search allows you to quickly reach a Technique's Success Page by its name or ID, or to start a Full Technique Search.
- Searching - Techniques can be searched by Name or ID here
- Keyboard Navigation is supported as well (in addition to mouse, touchscreen, etc.)
  - [up] and [down] to select options
  - [enter] to open the selected entry
    - If a selection has not yet been made, a Full Technique Search is performed by default
A Tactic card was clicked to reach this page. This page allows picking which Technique under the current Tactic applies.
- Breadcrumb Bar - This shows your progress through the question tree
  - You can click crumbs to navigate back up the tree
- Page Select - These buttons allow you to flip through the available answer card pages
  - 5 answer cards are shown per page
A Tactic card and then a Technique card were clicked to reach this page. This page allows picking which SubTechnique under the current Technique applies (to view its Success Page). Or, if no SubTechnique applies, allows picking the base Technique to view its Success Page.
- Base Technique Card - Notice that this answer card has the same ID as the question page we're on. This is because the 'Base' Technique still applies even if we did not find behavior specific to any of the SubTechniques. (This card's heading matches the current page breadcrumb that is above the question).
This Technique page is reachable through either the Question Tree, Full Search, Mini Search, or CTI Shopping Cart. It provides information about the Technique.
- Technique Name / ID - The ID is also a link to the Technique's ATT&CK page
- Technique Description - This is the same description as on the Technique's ATT&CK page
- Map Technique Under Tactic + Add to Cart
  - 'Technique Success Pages' can be reached through the Question Tree or through the Full Technique Search
    - The Question Tree already gives you the Tactic context you're working with (dropdown is pre-selected)
    - Whereas getting to a Success Page via Search will require you to select a Tactic before the Add-to-Cart button works
  - Clicking Add-to-Cart places an entry for the selected Technique+Tactic combo in your mapping cart
- Tactics - Goals this behavior can achieve
- Platforms - Systems this Technique can be leveraged against/on
- Tech and Subs - Success Page links for the Base Technique and its Sub Techniques
- Mismappings - Techniques listed here may have occurred instead of the Technique on this page
  - That is, this table records knowledge of previously incorrectly mapped Techniques (user editable)
  - Decider does not provide any mismappings out of the box
    - Mismappings can be added via JSON during the build process
    - (or) a Decider 2.x.y instance can be pointed at the same database used by Kiosk (Decider 3.x.y) in order to edit these
  - (This section is hidden if the Technique has no mismappings)
- Frequently Appears With - Techniques here are likely to have occurred with the current Technique being viewed
  - Skim the Technique descriptions to see if any match the observed adversary behaviors
  - The table shows a slightly randomized subset of suggested Techniques - this is to help prevent availability bias in mapping
    - Checking Show All will list all suggestions
  - This dataset comes from Andy Applebaum's work - Medium Article
    - In short: Techniques that frequently appear together in CTI reports may appear together in future adversary behavior too
  - (This section is hidden if the Technique has no cooccurrences)
- Usage Examples - These are examples of the Technique being used by Campaigns, Groups, Software, and Tools.
  - Reports covering / mapping the observation are linked too
  - (This section is hidden if the Technique has no usage examples)
The cart allows you to record Techniques for observed behaviors, along with rationales for mapping them. Carts can be saved, loaded, and exported to Word Docs or ATT&CK Navigator layers.
- Close Cart Panel - Closes the cart panel
- Edit Name - Allows naming the cart (changes name of exported files + saved / loaded cart)
- Save to .json File - Saves the contents of the cart as a JSON file
- Load from .json File - Loads a prior-saved JSON cart file
- Export to Docx Table - Creates a Microsoft Word DOCX file containing a table of the Tactics / Techniques mapped and their mapping rationales
- Export to ATT&CK Navigator Layer - Creates a MITRE ATT&CK® Navigator layer with cart entries highlighted. The mapping rationales are also added to the Navigator layer in the form of comments
- View Suggested Techniques - A cart-wide variant of the Technique Success Page > Frequently Appears With listing
- Empty Cart (has confirmation screen) - Deletes the cart. Make sure you saved to a JSON before clicking this - otherwise the cart is irrecoverable
- Cart Entry - A mapped Technique + Tactic combo
  - App Success Page - Takes you to the Technique Success Page for this entry
  - Delete - Removes this entry from your cart
  - Mapping Rationale - An area for you to record context / rationale / evidence as to why this entry was mapped. A good place for notes too
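The save/load and Navigator-export controls above describe a round trip through JSON: a cart is written to a file, read back, and turned into a layer whose highlighted cells carry the mapping rationale as comments. The following is an added example (not Decider's own code) that shows what that looks like in practice. The cart file layout (`name`, `attack_version`, `entries` with `technique_id` / `tactic` / `rationale`) is an assumption made for this example, not Decider's actual format; the Navigator layer fields (`techniqueID`, `tactic`, `color`, `comment`, `enabled`, `score`, `showSubtechniques`) are the real ones from Navigator's layer format. Because a loaded cart file is untrusted input, the loader validates Technique IDs and Tactic names before anything reaches an export, and it keeps a single entry per Technique+Tactic combo.

```python
import json
import re

TECHNIQUE_ID_RE = re.compile(r"^T\d{4}(\.\d{3})?$")
# Enterprise Tactic names mapped to the short names Navigator layers use in their "tactic" field
TACTIC_SHORTNAMES = {
    "Reconnaissance": "reconnaissance", "Resource Development": "resource-development",
    "Initial Access": "initial-access", "Execution": "execution", "Persistence": "persistence",
    "Privilege Escalation": "privilege-escalation", "Defense Evasion": "defense-evasion",
    "Credential Access": "credential-access", "Discovery": "discovery",
    "Lateral Movement": "lateral-movement", "Collection": "collection",
    "Command and Control": "command-and-control", "Exfiltration": "exfiltration", "Impact": "impact",
}

# Constructed cart file; this JSON shape is an assumption of the example, not Decider's own format
SAMPLE_CART_JSON = json.dumps({
    "name": "Example incident",
    "attack_version": "13",
    "entries": [
        {"technique_id": "T1059.001", "tactic": "Execution",
         "rationale": "Office macro spawned an encoded PowerShell command (EDR process telemetry)"},
        {"technique_id": "T1053.005", "tactic": "Persistence",
         "rationale": "Scheduled task created under SYSTEM that re-launches the loader at logon"},
        {"technique_id": "T1053.005", "tactic": "Persistence",
         "rationale": "Duplicate Technique+Tactic combo, kept to show de-duplication on load"},
        {"technique_id": "T1021.001", "tactic": "Lateral Movement",
         "rationale": "RDP logons from the patient-zero host to two file servers"},
    ],
})


def load_cart(text):
    """Parse and validate a saved cart. A loaded file is untrusted input, so bad IDs/Tactics are
    rejected rather than passed through into exports, and one entry is kept per Technique+Tactic."""
    cart = json.loads(text)
    seen, entries = set(), []
    for e in cart.get("entries", []):
        tid, tactic = str(e.get("technique_id", "")), str(e.get("tactic", ""))
        if not TECHNIQUE_ID_RE.match(tid):
            raise ValueError(f"invalid technique ID {tid!r}")
        if tactic not in TACTIC_SHORTNAMES:
            raise ValueError(f"unknown tactic {tactic!r}")
        if (tid, tactic) in seen:
            continue
        seen.add((tid, tactic))
        entries.append({"technique_id": tid, "tactic": tactic, "rationale": str(e.get("rationale", ""))})
    return {"name": str(cart.get("name", "Untitled cart")),
            "attack_version": str(cart.get("attack_version", "")), "entries": entries}


def cart_to_navigator_layer(cart):
    """Build an ATT&CK Navigator layer (layer format 4.4) with each cart entry highlighted
    and its mapping rationale carried in the entry's "comment" field."""
    cells = {}  # (techniqueID, tactic shortname) -> Navigator technique object, in cart order
    for e in cart["entries"]:
        key = (e["technique_id"], TACTIC_SHORTNAMES[e["tactic"]])
        cells[key] = {"techniqueID": key[0], "tactic": key[1], "color": "#fd8d3c",
                      "comment": e["rationale"], "enabled": True, "score": 1}
    # Navigator collapses sub-techniques by default; expand the parent of every mapped sub-technique
    for tid, tactic in list(cells):
        if "." in tid:
            parent_id = tid.split(".")[0]
            parent = cells.setdefault((parent_id, tactic), {"techniqueID": parent_id, "tactic": tactic})
            parent["showSubtechniques"] = True
    return {
        "name": cart["name"],
        "versions": {"attack": cart["attack_version"], "navigator": "4.8.2", "layer": "4.4"},
        "domain": "enterprise-attack",
        "description": "Exported from a mapping cart; comments hold the mapping rationale",
        "techniques": list(cells.values()),
    }


def layer_to_json(layer):
    """Serialize the layer as the JSON file Navigator's 'Open Existing Layer' reads."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    print(layer_to_json(cart_to_navigator_layer(load_cart(SAMPLE_CART_JSON))))
```

The parent expansion is the detail most often missed when writing layers by hand: a layer that only lists `T1053.005` renders as an empty cell under `T1053` until the user expands it, so setting `showSubtechniques` on the parent makes the highlighted sub-technique visible as soon as the layer opens.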
This page suggests other Techniques that may have occurred, based upon the contents of your cart.
- A cart-wide variant of Technique Success Page > Frequently Appears With
- Suggests Techniques that may have occurred based upon the contents of your cart
Skim the Technique descriptions to see if any match the observed adversary behaviors.
Read the full description to confirm a mapping before adding it to your cart.
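The Frequently Appears With table and this cart-wide Suggested Techniques page both rest on the same idea: Techniques that were mapped together in past CTI reports are candidates for having occurred together again. The following is an added example, not Decider's code and not Andy Applebaum's dataset or method; it builds a co-occurrence table from a small constructed corpus of report-to-Technique mappings, ranks the Techniques that are not yet in the cart by how often they co-occur with the cart's entries, and shows one way to present a slightly randomized subset (with a Show All escape hatch) so that the same handful of suggestions is not surfaced every time. The corpus, the scoring rule (sum of pairwise counts over cart entries) and the "random pick from the top 2k" presentation are all choices made for this example.

```python
import random
from collections import Counter, defaultdict

# Constructed mini corpus: report name -> Techniques mapped in that report. This stands in for a
# real co-occurrence dataset only to show the idea; the counts it yields are not real statistics.
SAMPLE_REPORTS = {
    "report-a": {"T1566.001", "T1059.001", "T1053.005", "T1021.001"},
    "report-b": {"T1566.001", "T1059.001", "T1003.001"},
    "report-c": {"T1059.001", "T1053.005", "T1003.001", "T1021.001"},
    "report-d": {"T1190", "T1505.003", "T1003.001"},
    "report-e": {"T1566.001", "T1204.002", "T1059.001"},
}


def cooccurrence_counts(reports):
    """counts[a][b] = number of reports in which Techniques a and b were both mapped."""
    counts = defaultdict(Counter)
    for techniques in reports.values():
        for a in techniques:
            for b in techniques:
                if a != b:
                    counts[a][b] += 1
    return counts


def suggest_techniques(cart_ids, counts):
    """Rank Techniques not already in the cart by how often they co-occur with the cart's entries
    (summed over entries). Ties are broken by ID so the ranking is deterministic."""
    cart, scores = set(cart_ids), Counter()
    for tid in cart:
        for other, n in counts.get(tid, {}).items():
            if other not in cart:
                scores[other] += n
    return [tid for tid, _ in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))]


def suggested_subset(ranked, show_all=False, k=3, seed=None):
    """Return all suggestions when show_all is set; otherwise a random pick of k from the top 2k,
    shown in rank order, so repeated visits do not always surface the same few Techniques."""
    if show_all or len(ranked) <= k:
        return list(ranked)
    chosen = random.Random(seed).sample(range(min(len(ranked), 2 * k)), k)
    return [ranked[i] for i in sorted(chosen)]


if __name__ == "__main__":
    table = cooccurrence_counts(SAMPLE_REPORTS)
    ranked = suggest_techniques(["T1059.001", "T1053.005"], table)
    print("all suggestions:", ranked)
    print("shown subset:   ", suggested_subset(ranked, k=2))
```

As the guide says, a suggestion is only a prompt to go read the Technique's full description; nothing here should be added to a cart on the strength of a co-occurrence score alone.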
The full search page allows you to locate Techniques by searching their names, IDs, and descriptions and by filtering on the Tactics, Platforms, and Data Sources that apply to them.
- Filters - Only Techniques that match at least 1 filter (per each type) are shown (a filter type is ignored if none of its options are set)
  - Filter Types
    - Tactics: goals of the adversary's behaviors
    - Platforms: systems that the Technique was performed on/against
    - Data Sources: sources that can be used to detect the behavior
  - Filtering Advice
    - Be generous: it's better to accidentally include slightly more results than to miss the correct Technique by over-constraining
- Search Techniques - Your search goes here
  - Searched Fields
    - IDs
    - Names
    - Descriptions
  - Usage
    - Basic Search
      - By default, terms are AND'd together here
        - So, typing more terms will constrain further
      - You can use | (pipe) between terms to OR them together for a simple keyword search
    - Advanced Search
      - Advanced search functionality is supported here
      - Typed words are AND'd together by default
      - & (ampersand) requires both terms to be present
      - | (pipe) requires either term to be present
      - ~ (tilde) requires a term to be absent
      - () (parentheses) can be used to order AND/OR/NOT operators
      - * (asterisk) is used for prefix matching (proc* → proc, process, procedure)
      - "" (double quotes) specify that each word in a phrase must be present (non a-z0-9 characters are stripped)
- Search Status - Provides feedback on your search
  - Warns if the search query is malformed / invalid
  - (otherwise) Indicates how the search query was interpreted
- Technique Cards - The Technique results from your search
  - Clicking a card opens its Technique Success Page (same as clicking 'Select Card')
  - Clicking 'ATT&CK Page' opens the Technique's ATT&CK Page
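The query syntax listed under Advanced Search above (and the same operator set on the question tree's deeper pages, where words are OR'd rather than AND'd by default) is small enough to implement in full. The following is an added example, not Decider's search implementation: a tokenizer plus recursive-descent parser that compiles a query into a predicate over the a-z0-9 words of a Technique's ID, name and description, with `~` binding tightest, then `&`, then `|`, a trailing `*` giving prefix matching, and a quoted phrase requiring each of its words (non a-z0-9 characters stripped). The `default_op` switch is this example's way of modelling the two pages; a malformed query (unbalanced quote, dangling operator, missing parenthesis) raises `ValueError`, which is the condition the Search Status area reports. The five sample Techniques use real ATT&CK IDs and names, but their descriptions are short constructed paraphrases, not ATT&CK's text.

```python
import re

WORD_RE = re.compile(r"[a-z0-9]+")
# A query piece is a quoted phrase, a one-character operator, or a bare word (which may end in *)
QUERY_TOKEN_RE = re.compile(r'\s*(?:("[^"]*")|([&|~()])|([^\s&|~()"]+))')


def tokenize_text(text):
    """Lower-case a Technique's ID/name/description and keep only its a-z0-9 words."""
    return set(WORD_RE.findall(text.lower()))


def tokenize_query(query):
    """Split a query into ('word', str), ('phrase', [words]) and ('op', char) tokens."""
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = QUERY_TOKEN_RE.match(query, pos)
        if m is None:  # e.g. an unterminated double quote
            raise ValueError(f"malformed query at position {pos}")
        pos = m.end()
        phrase, op, word = m.groups()
        if phrase is not None:  # non a-z0-9 characters inside the quotes are stripped
            words = WORD_RE.findall(phrase.lower())
            if not words:
                raise ValueError("empty phrase")
            tokens.append(("phrase", words))
        else:
            tokens.append(("op", op) if op is not None else ("word", word.lower()))
    return tokens


def term_predicate(raw):
    """Bare word: each a-z0-9 piece must be present; a trailing * makes the last piece a prefix."""
    prefix, pieces = raw.endswith("*"), WORD_RE.findall(raw)
    if not pieces:
        raise ValueError(f"term {raw!r} has no searchable characters")
    *head, last = pieces

    def pred(doc):
        if not all(p in doc for p in head):
            return False
        return any(t.startswith(last) for t in doc) if prefix else last in doc

    return pred


def compile_query(query, default_op="and"):
    """Parse a query into a predicate over a token set. ~ binds tightest, then &, then |; terms
    written side by side are joined with default_op ('and' on full search, 'or' on tree pages)."""
    toks, pos = tokenize_query(query), [0]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take():
        pos[0] += 1
        return toks[pos[0] - 1]

    def starts_operand():
        t = peek()
        return t is not None and (t[0] != "op" or t[1] in "(~")

    def parse_or():
        parts = [parse_and()]
        while peek() == ("op", "|") or (default_op == "or" and starts_operand()):
            if peek() == ("op", "|"):
                take()
            parts.append(parse_and())
        return lambda doc: any(p(doc) for p in parts)

    def parse_and():
        parts = [parse_unary()]
        while peek() == ("op", "&") or (default_op == "and" and starts_operand()):
            if peek() == ("op", "&"):
                take()
            parts.append(parse_unary())
        return lambda doc: all(p(doc) for p in parts)

    def parse_unary():
        if peek() is None:
            raise ValueError("query ended where a term was expected")
        t = take()
        if t == ("op", "~"):
            inner = parse_unary()
            return lambda doc: not inner(doc)
        if t == ("op", "("):
            inner = parse_or()
            if peek() != ("op", ")"):
                raise ValueError("missing closing parenthesis")
            take()
            return inner
        if t[0] == "word":
            return term_predicate(t[1])
        if t[0] == "phrase":
            return lambda doc: all(w in doc for w in t[1])
        raise ValueError(f"unexpected operator {t[1]!r}")

    pred = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected {peek()[1]!r}")
    return pred


def search(query, techniques, default_op="and"):
    """Return the IDs of Techniques whose ID, name or description satisfy the query."""
    pred = compile_query(query, default_op)
    return [tid for tid, name, desc in techniques if pred(tokenize_text(f"{tid} {name} {desc}"))]


# Constructed sample: real ATT&CK IDs and names with short paraphrased descriptions (not ATT&CK's text)
SAMPLE_TECHNIQUES = [
    ("T1059", "Command and Scripting Interpreter", "Abuse of command and script interpreters to execute commands, scripts, or binaries."),
    ("T1059.001", "PowerShell", "Abuse of PowerShell commands and scripts for execution on Windows hosts."),
    ("T1021.001", "Remote Desktop Protocol", "Use of valid accounts to log into a host over the Remote Desktop Protocol."),
    ("T1003", "OS Credential Dumping", "Dumping credentials to obtain account login material from the operating system."),
    ("T1053.005", "Scheduled Task", "Abuse of the Windows Task Scheduler for scheduling execution of malicious code."),
]
```

Running `search('windows task', SAMPLE_TECHNIQUES)` returns only the Scheduled Task entry, while the same query with `default_op="or"` also returns PowerShell, which is exactly the difference between the full search page and the deeper question-tree pages that the two syntax lists above describe.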