Decider a web application that assists network defenders, analysts, and researchers in the process of mapping adversary behaviors to the MITRE ATT&CK® framework.
Notifications
- Manual installation for Ubuntu & CentOS is much nicer.
- Scroll down to Manual Install for details!
- Will be adding information about hardware requirements soon
What is it?
Decider is a tool to help analysts map adversary behavior to the MITRE ATT&CK framework. Decider makes creating ATT&CK mappings easier to get right by walking users through the mapping process. It does so by asking a series of guided questions about adversary activity to help them arrive at the correct tactic, technique, or subtechnique. Decider has a powerful search and filter functionality that enables users to focus on the parts of ATT&CK that are relevant to their analysis. Decider also has a cart functionality that lets users export results to commonly used formats, such as tables and ATT&CK Navigator™ heatmaps.
The Screenshots
Decider’s Question Tree
(you are here)[Matrix > Tactic] > Technique > SubTechnique
Decider’s Full Technique Search
Boolean expressions, prefix-matching, and stemming included.
The Notice
This project makes use of MITRE ATT&CK – ATT&CK Terms of Use
Usage
Read the User Guide
Installation
Docker
Best option for 99% of people
git clone https://github.com/cisagov/decider.git
cd decider
cp .env.docker .env
# if you want HTTPS instead of HTTP
# - edit .env
# + WEB_HTTPS_ON='yes'
# - populate cert / key files
# + /app/utils/certs/decider.key
# + /app/utils/certs/decider.crt
[sudo] docker compose up
# sudo for Linux only
It is ready when Starting uWSGI appears
Default Endpoint: http://localhost:8001/
Default Login:
- Email: admin@admin.com
- Password: admin
Endpoint Determination (.env vars):
WEB_HTTPS_ON=''
-> http://WEB_IP
:WEB_PORT
/WEB_HTTPS_ON='anything'
-> https://WEB_IP
:WEB_PORT
/
HTTPS Cert Location:
- Write these 2 files before
docker compose up
to set your SSL cert up- /app/utils/certs/decider.key
- /app/utils/certs/decider.crt
- If either file is missing, a self-signed cert is generated and used instead
DB Persistence Note: Postgres stores its data in a Docker volume to persist the database.
Linux tested on:
- Ubuntu Jammy 22.04.2 LTS
- Docker Engine
- Not Docker Desktop (couldn’t get nested-virt in my VM)
Windows tested on:
- Windows 11 Home, version 22H2, build 22621.1344
- Home doesn’t support HyperV
- Thus tested on Docker Desktop via WSL backend
macOS (M1) tested on:
- macOS Ventura 13.2.1 (22D68)
- Mac M1 Processor
- On Docker Desktop installed via .dmg
Manual Install
Ubuntu 22.04
CentOS 7
Other OSes
Read the Ubuntu & CentOS guides and recreate actions according to your platform.
Windows
open()
in Python uses the system default text encoding
- This is
utf-8
on macOS and Linux - This is
windows-1252
on Windows- This causes issues in reading the jsons for the database build process
- Adding
encoding='utf-8'
as an arg in eachopen()
may allow Windows deployment
macOS
(M1 users at least) Make sure to (1) install Postgres before (2) installing the pip requirements
brew install postgresql
pip install -r requirements.txt