‘Decider’, an open-source tool that helps generate MITRE ATT&CK mapping reports

Decider is a new, free tool launched today by CISA. It is designed to help the cybersecurity community map threat actor behavior to the MITRE ATT&CK framework. Through guided questions, a powerful search and filter function, and a cart feature that lets users export results to commonly used formats, Decider makes mapping both quick and accurate. It was developed in collaboration with the Homeland Security Systems Engineering and Development Institute (HSSEDI) and MITRE.

Network defenders, analysts, and researchers can get started with Decider by viewing the video, information sheet, and blog posted by CISA. CISA strongly recommends that users in the community apply the tool in tandem with the newly revised Best Practices for MITRE ATT&CK Mapping guidance. The MITRE ATT&CK framework is a lens that network defenders can use to analyze adversary behavior, and it directly supports “robust, contextual bi-directional sharing of information to help strengthen the security of our systems, networks, and data,” as CISA Executive Assistant Director Eric Goldstein noted in his June 2021 blog post on the framework. Because it offers a standardized vocabulary for evaluating threat actors, CISA strongly recommends that the cybersecurity community make use of the framework.

This revision of the best practices was produced in collaboration with the Homeland Security Systems Engineering and Development Institute (HSSEDI), a research and development center owned by the Department of Homeland Security and operated by MITRE. The update addresses the changes the MITRE ATT&CK team has made to the framework since CISA first released the best practices in June 2021. This version also covers common analytical biases, mapping pitfalls, and specific ATT&CK mapping guidance for industrial control systems (ICS).

The tool leads users through the mapping process by asking a series of guided questions about adversary behavior. The purpose of these questions is to help users identify the appropriate tactic, technique, or sub-technique. In addition to the application itself, users are given an information sheet and a short video that introduce the most important capabilities and features Decider offers.

Key features include guided questions about adversary activity, posed in plain language to help users confirm that they are mapping correctly, and a powerful search and filter function that lets users concentrate on what is most relevant to their analysis. Both of these features are essential.
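To make the guided-question workflow and the export step concrete, here is an added illustration that is not code from Decider, CISA, or MITRE. It models a toy yes/no question tree that terminates in a tactic and technique, a "cart" of mapping records with the analyst's evidence attached, and an export of that cart as an ATT&CK Navigator layer. The question tree, the helper names (`walk_tree`, `add_to_cart`, `export_navigator_layer`), the record layout and the sample incident are this example's own constructions; the technique IDs are real ATT&CK Enterprise IDs, and the layer keys follow the public Navigator layer format as assumed here.

```python
"""Constructed example: a tiny guided-question mapper that records an ATT&CK
mapping and exports it as an ATT&CK Navigator layer (JSON).

Assumptions (not from the Decider project): the question tree, the helper names
and the record structure are this example's own; the technique IDs are real
ATT&CK Enterprise IDs; the layer keys follow the public Navigator layer format.
"""
import json
import re

# ATT&CK IDs: a technique is T + 4 digits; a sub-technique appends ".NNN".
ATTACK_ID_RE = re.compile(r"^T\d{4}(\.\d{3})?$")

# Constructed question tree: each node is either a question with yes/no branches
# or a leaf naming the tactic and technique reached. None marks a dead end.
QUESTION_TREE = {
    "question": "Did the activity give the adversary a first foothold (initial access)?",
    "yes": {
        "question": "Did it arrive as an email attachment that the user opened?",
        "yes": {"tactic": "initial-access", "technique": "T1566.001",
                "name": "Phishing: Spearphishing Attachment"},
        "no": {"tactic": "initial-access", "technique": "T1190",
               "name": "Exploit Public-Facing Application"},
    },
    "no": {
        "question": "Did the adversary run commands through a scripting interpreter?",
        "yes": {
            "question": "Was the interpreter PowerShell?",
            "yes": {"tactic": "execution", "technique": "T1059.001",
                    "name": "Command and Scripting Interpreter: PowerShell"},
            "no": {"tactic": "execution", "technique": "T1059",
                   "name": "Command and Scripting Interpreter"},
        },
        "no": None,  # nothing mappable from this toy tree
    },
}


def walk_tree(tree, answers):
    """Follow yes/no answers down the tree; return the leaf dict or None.

    `answers` is a list of booleans consumed in order. Running out of answers
    before reaching a leaf, or hitting a dead end, yields None so the analyst
    knows the mapping is incomplete rather than silently picking a technique.
    """
    node = tree
    for answer in answers:
        if node is None or "question" not in node:
            break
        node = node["yes"] if answer else node["no"]
    if node is None or "question" in node:
        return None
    return node


def add_to_cart(cart, leaf, evidence):
    """Append one mapping record (technique plus the analyst's evidence) to the cart."""
    if leaf is None:
        raise ValueError("no technique reached; refine the answers")
    if not ATTACK_ID_RE.match(leaf["technique"]):
        raise ValueError(f"malformed ATT&CK ID: {leaf['technique']}")
    record = {"techniqueID": leaf["technique"], "tactic": leaf["tactic"],
              "name": leaf["name"], "comment": evidence}
    if record not in cart:  # keep the cart free of duplicate rows
        cart.append(record)
    return cart


def export_navigator_layer(cart, layer_name):
    """Render the cart as an ATT&CK Navigator layer (layer format assumed here)."""
    layer = {
        "name": layer_name,
        "versions": {"layer": "4.4"},
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": r["techniqueID"], "tactic": r["tactic"],
             "score": 1, "comment": r["comment"]}
            for r in cart
        ],
    }
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    cart = []
    # Constructed incident: a malicious attachment, then PowerShell execution.
    add_to_cart(cart, walk_tree(QUESTION_TREE, [True, True]),
                "user opened a macro-enabled attachment from a phishing email")
    add_to_cart(cart, walk_tree(QUESTION_TREE, [False, True, True]),
                "EDR logged powershell.exe spawned by WINWORD.EXE")
    print(export_navigator_layer(cart, "Constructed incident mapping"))
```

The point of the `None` handling is the one the guidance stresses: an unanswered or dead-end path should surface as "no mapping yet" rather than a guessed technique, and every exported row carries the evidence that justified it so a reviewer can check the mapping later.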

Why was Decider created in the first place?

A significant number of stakeholders said that they either did not know how to begin mapping to ATT&CK or were unsure whether they were mapping adversary activity correctly. CISA worked with the Homeland Security Systems Engineering and Development Institute (HSSEDI), which in turn worked with the MITRE ATT&CK team, to develop a tool that is easy to understand, uses minimal technical jargon, and helps users move through the framework steps quickly and accurately.