Threat Intelligence, Content, Security Program Controls/Technologies, Endpoint/Device Security

CISA’s New “Decider” Tool Helps Security Defenders Map Adversary Movements to Mitre Att&ck Database

DHS Flag painted on a wall

The Cybersecurity and Infrastructure Security Agency (CISA) has unwrapped Decider, a new, free tool to help security practitioners, security analysts and researchers map adversary tactics, techniques and procedures (TTP) to the Att&ck knowledge base.

CISA and Homeland Security Collaborate

CISA said it created Decider in collaboration with the Department of Homeland Security’s Engineering and Development Institute and the Mitre Att&ck team. Decider is a web application that must be hosted to use.

Att&ck has been adopted by CISA and network defenders worldwide because it helps cyber threat intelligence analysts understand adversary cyberattackers' strategies and movements. Using the Att&ck database, however, can present challenges in that mapping different forms of observable data asks the user to understand both the behavior itself and how to use the library, CISA said.

“Since the original publication of the best practices guide in June 2021, CISA has found that while ATT&CK is a valuable tool for enterprise cybersecurity, there are many intricacies in creating ATT&CK mappings that are important to get right and easy to get wrong,” the agency said.

Decider's Advantages

Here are some of Decider’s benefits and features:

  • Decider makes creating Att&ck mappings easier to get right by walking users through the mapping process.
  • It does so by asking a series of guided questions about adversary activity to help users arrive at the correct tactic, technique or sub-technique.
  • Decider has a powerful search-and-filter functionality that enables users to focus on the parts of Att&ck that are relevant to their analysis.
  • Decider has a cart functionality that lets users export results to commonly used formats, such as tables and Att&ck Navigator heat maps.

According to a CISA fact sheet that accompanied Decider’s release, with Mitre Att&ck mapping reports users can move on to other Att&ck activities, including:

  • Visualizing the findings in Att&ck Navigator
  • Sharing the findings with others by publishing threat intelligence reports
  • Finding sensors and analytics to detect those techniques
  • Discovering mitigations that help prevent techniques from working in the first place
  • Compiling threat emulation plans to validate defenses

CISA said it welcomes feedback from the cybersecurity community, bug reports and feature suggestions.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.