DeTT&CT for ICS
Target Audience: Defense and Industrial Cybersecurity
Short Abstract:
Detect Tactics, Techniques & Combat Threats for ICS environment
DeTT&CT for ICS is based on MITRE's ATT&CK for ICS framework and the DeTT&CT framework. It aims to assist ICS blue teams that use ATT&CK for ICS in scoring and comparing data (log) source quality, visibility coverage, detection coverage and threat actor behaviours. Each of these, in a different way, helps an organisation become more resilient against attacks that target it.
The DeTT&CT for ICS framework consists of a Python tool, YAML administration files and scoring tables for the different aspects.
DeTT&CT for ICS provides the following functionality:
- Administrate and score the quality of your data sources.
- Get insight into the visibility you have on, for example, endpoints and network segments.
- Map your detection coverage.
- Map threat actor behaviours.
- Compare visibility, detections and threat actor behaviours to uncover possible improvements in detection and visibility.
This can help you to prioritise your blue teaming efforts.
Detailed Explanation of Tool:
The DeTT&CT for ICS framework consists of a Python tool, YAML administration files and scoring tables for the different aspects.
The YAML files hold the scores and the relevant metadata. All of it can be visualised by generating JSON layer files and loading them into the ATT&CK Navigator (some types of scores and metadata can also be written to Excel).
As one of its outputs, it produces a graph that maps your data sources onto ATT&CK for ICS techniques, which gives you a rough overview of your visibility coverage.
MITRE's ATT&CK for ICS contains a wealth of valuable information on:
- TTPs (Tactics, Techniques and Procedures)
- Groups (threat actors)
- Software (software used by threat actors)
- Data sources (visibility required for detection)
You can map the information you have within your organisation on the entities available in ATT&CK for ICS. DeTT&CT for ICS delivers a framework which does exactly that, and it will help you to administrate your blue team's data sources (including data quality), visibility and detection. It will also provide you with means to administrate threat intelligence that you get from your intelligence team or a third-party provider. This can then also be compared to your current detection or visibility coverage.
DeTT&CT for ICS administrates all this information in different YAML files, and a scoring table is provided to give you a standardised way of scoring your data quality, visibility and detection. A Python tool (dettect.py) is used to generate all kinds of output:
- ATT&CK Navigator layer files
- Excel files
- Graphs
For example, DeTT&CT for ICS can generate a layer file for the ATT&CK Navigator that shows you your visibility and detection coverage, or the techniques and software used by certain threat actors. (An ATT&CK Navigator for ICS is not ready and not published yet by MITRE. Since MITRE's ATT&CK Navigator is missing the ICS matrix, I am also developing an ICS domain (matrix) and aiming to merge it with MITRE's ATT&CK Navigator project in order to use ATT&CK for ICS layers in the Navigator. I am working on it and will send a merge request to MITRE's original project once I complete it.)
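The following is an added, stand-alone illustration of the workflow described above (score data sources and techniques in administration files, compare visibility and detection against a threat actor's techniques, emit a Navigator layer). It is not code from DeTT&CT for ICS or from the original DeTT&CT project. The administration data is a constructed sample shown already parsed (the dicts PyYAML's safe_load would return), so the example runs without PyYAML; the field names follow the shape of DeTT&CT's administration files (dated score_logbook entries, five data quality dimensions), but the exact schema of the ICS fork, the gap thresholds, the Navigator layer version and the actor-to-technique mapping are assumptions for the example only. Technique IDs are ATT&CK for ICS IDs and should be checked against the current release of the knowledge base.

```python
"""Added example: compare visibility, detection and threat-actor behaviour for
ATT&CK for ICS techniques and build an ATT&CK Navigator layer from the result."""
import json
from datetime import date

# Constructed sample: one data source from a data-source-administration file.
# The five quality dimensions are the ones DeTT&CT scores (0-5 each); assumed
# to be unchanged in the ICS fork.
DATA_SOURCES = [
    {"data_source_name": "Network Traffic",
     "products": ["passive ICS network sensor"],   # illustrative product name
     "data_quality": {"device_completeness": 4, "data_field_completeness": 3,
                      "timeliness": 4, "consistency": 4, "retention": 2}},
]

# Constructed sample: the content of a technique-administration file. Each
# technique carries a dated score logbook for visibility and for detection.
TECHNIQUE_ADMIN = {
    "file_type": "technique-administration",
    "name": "plant-a",          # hypothetical site name
    "techniques": [
        {"technique_id": "T0859",
         "visibility": {"score_logbook": [{"date": date(2020, 1, 10), "score": 3},
                                          {"date": date(2019, 6, 1), "score": 1}]},
         "detection": {"score_logbook": [{"date": date(2020, 1, 10), "score": 2}]}},
        {"technique_id": "T0886",
         "visibility": {"score_logbook": [{"date": date(2020, 1, 10), "score": 2}]},
         "detection": {"score_logbook": [{"date": date(2020, 1, 10), "score": 0}]}},
        {"technique_id": "T0855",
         "visibility": {"score_logbook": [{"date": date(2020, 1, 10), "score": 1}]},
         "detection": {"score_logbook": []}},
    ],
}

# Constructed sample: techniques your CTI team attributes to an actor. This
# mapping is illustrative only, not a statement about any real group.
GROUP_TECHNIQUES = {"T0859", "T0886", "T0855", "T0866"}


def data_quality_score(data_source):
    """Overall quality of a data source: mean of its five dimension scores."""
    quality = data_source["data_quality"]
    return sum(quality.values()) / len(quality)


def latest_score(logbook):
    """The current score is the newest logbook entry; never scored counts as 0."""
    if not logbook:
        return 0
    return max(logbook, key=lambda entry: entry["date"])["score"]


def current_scores(admin):
    """Return {technique_id: (visibility, detection)} for an administration file."""
    scores = {}
    for technique in admin["techniques"]:
        vis = latest_score(technique.get("visibility", {}).get("score_logbook", []))
        det = latest_score(technique.get("detection", {}).get("score_logbook", []))
        scores[technique["technique_id"]] = (vis, det)
    return scores


def find_gaps(scores, group, min_visibility=2, min_detection=1):
    """Techniques the actor uses where we are (nearly) blind or detect nothing.
    Thresholds are assumptions; DeTT&CT scores visibility 0-4, detection 0-5.
    A technique the actor uses that was never administered scores (0, 0)."""
    gaps = []
    for tid in sorted(group):
        vis, det = scores.get(tid, (0, 0))
        reasons = []
        if vis < min_visibility:
            reasons.append(f"visibility {vis} < {min_visibility}")
        if det < min_detection:
            reasons.append(f"detection {det} < {min_detection}")
        if reasons:
            gaps.append((tid, reasons))
    return gaps


def navigator_layer(scores, group, name="visibility vs detection vs actor"):
    """Build an ATT&CK Navigator layer dict (4.x layer format, 'ics-attack'
    domain, both assumed). The numeric score is the detection score; techniques
    the actor uses that we do not detect at all are coloured red explicitly."""
    techniques = []
    for tid in sorted(set(scores) | group):
        vis, det = scores.get(tid, (0, 0))
        entry = {"techniqueID": tid, "score": det,
                 "comment": f"visibility={vis} detection={det}"}
        if tid in group and det == 0:
            entry["color"] = "#ff0000"
        techniques.append(entry)
    return {"name": name, "versions": {"layer": "4.2"}, "domain": "ics-attack",
            "techniques": techniques,
            "gradient": {"colors": ["#ffffff", "#00aa00"], "minValue": 0, "maxValue": 5}}


if __name__ == "__main__":
    for ds in DATA_SOURCES:
        print(ds["data_source_name"], "quality", data_quality_score(ds))
    scores = current_scores(TECHNIQUE_ADMIN)
    for tid, reasons in find_gaps(scores, GROUP_TECHNIQUES):
        print(tid, "; ".join(reasons))
    print(json.dumps(navigator_layer(scores, GROUP_TECHNIQUES), indent=2))
```

The gap list is the part worth reading before the layer: it surfaces T0866 (used by the actor, never administered, so silently scored 0/0) alongside techniques that were scored but scored low. Writing the layer dict to a .json file and opening it in the Navigator renders the same result on the matrix.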
Work of others:
DeTT&CT for ICS was inspired by the work of others. The original DeTT&CT project is developed and maintained by Marcus Bakker (Twitter: @bakk3rm) and Ruben Bouman (Twitter: @rubenb_2).
Roberto Rodriguez's work on data quality and scoring of MITRE ATT&CK techniques (How Hot Is Your Hunt Team?, Ready to hunt? First, Show me your data!).
The MITRE ATT&CK Mapping project on GitHub: https://github.com/siriussecurity/mitre-attack-mapping.
License: GPL-3.0 - https://github.com/can/DETTeCT-for-I...master/LICENSE
Short Developer Bio:
Can Kurnaz (Twitter: @0x43414e) works at Nixu Cybersecurity (CDC Benelux) as a Technical Security Consultant. He has over five years of professional experience in the cybersecurity field, focused on penetration testing/red teaming, ICS/SCADA security assessments, incident response and OT monitoring. Can has presented several times at leading cybersecurity conferences such as Black Hat and DEF CON, and he holds the GICSP, OSCP, OSWP and CEH certifications. Can is currently developing an open source side project, "DeTT&CT for ICS", based on MITRE's ATT&CK for ICS knowledge base and the DeTT&CT framework, which aims to assist ICS blue teams in scoring and comparing data (log) source quality, visibility coverage, detection coverage and threat actor behaviour.