Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Homeland Security Systems Engineering and Development Institute™ (HSSEDI), released Decider, a tool for mapping adversary behavior to the MITRE ATT&CK® framework.
A companion to the recently updated Best Practices for MITRE ATT&CK® Mapping Guide, Decider helps network defenders, analysts, and researchers quickly and accurately map adversary tactics, techniques, and procedures (TTPs) to the ATT&CK framework. According to CISA, Decider makes ATT&CK mapping more accessible by walking users through a mapping process: it asks a series of guided questions about adversary activity to help them arrive at the correct tactic, technique, or sub-technique. That mapping then informs a range of important activities, such as sharing the findings, discovering mitigations, and detecting further techniques. Along with the tool, users are also provided with a fact sheet and a brief video that will familiarize them with the key features and capabilities of Decider.
When correctly applied, the ATT&CK framework allows users to identify defensive gaps, assess security tool capabilities, organize detections, hunt for threats, engage in red team activities, and validate mitigation controls. Read more about Decider at CISA and access the new tool here.