decider-2.0.1's Introduction

Decider

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

This project makes use of MITRE ATT&CK® - ATT&CK Terms of Use.

โ— Updates

Aug 4, 2023 - Enterprise v13 Content Added

v13 was back-burnered a bit due to other developments underway. However, we intend to align with the every-6-month cadence of ATT&CK releases.

Update instructions are included in Appendix A - please reach out if you have any difficulties with them. Regardless of environment, the goal is to copy/pull in the new co-occurrence/tree/attack jsons and then run the app.utils.db.actions.add_version module script.

🤔 What is it?

⏩ In-Short

A web application that assists network defenders, analysts, and researchers in the process of mapping adversary behaviors to the MITRE ATT&CK® Framework.

📕 In-Depth

Decider is a tool to help analysts map adversary behavior to the MITRE ATT&CK Framework. Decider makes ATT&CK mappings easier to get right by walking users through the mapping process: it asks them a series of guided questions about the adversary activity, leading them to the correct tactic, technique, or sub-technique. Decider has powerful search and filter functionality that lets users focus on the parts of ATT&CK relevant to their analysis. Decider also has a cart that lets users export results to commonly used formats, such as tables and ATT&CK Navigator heatmaps.

📖 User Guide

Over Here

๐Ÿ“ Intended Purpose

Decider ultimately tries to make mapping to ATT&CK easier.

It offers:

  • A question tree with pagination of results (structures your progress)
  • Technique search + filtering options
  • Suggestions of other techniques that may have occurred

Decider is not intended to replace the ATT&CK site; rather, it is a complementary tool that leads you there in the end. Only information that assists mapping is included.

💻 In-App Screenshots

🌳 Question Tree

(you are here) [Matrix > Tactic] > Technique > SubTechnique
(Screenshot: Decider's Question Tree Page)

Full Technique Search

Boolean expressions, prefix-matching, and stemming included.
(Screenshot: Decider's Full Technique Search Page)

Installation

๐Ÿณ Docker

Best option for 99% of people

git clone https://github.com/cisagov/decider.git
cd decider
cp .env.docker .env

# if you want HTTPS instead of HTTP
# - edit .env
#   + WEB_HTTPS_ON='yes'
# - populate cert / key files
#   + /app/utils/certs/decider.key
#   + /app/utils/certs/decider.crt

sudo docker compose up
# sudo for Linux only

It is ready when "Starting uWSGI" appears in the terminal output. (Screenshot: Decider on Docker Boot Terminal Output)

Default Endpoint: http://localhost:8001/

Default Login:

Endpoint Determination (.env vars):

  • WEB_HTTPS_ON='' -> http://WEB_IP:WEB_PORT/
  • WEB_HTTPS_ON='anything' -> https://WEB_IP:WEB_PORT/

HTTPS Cert Location:

  • Write these 2 files before docker compose up to set your SSL cert up
    • /app/utils/certs/decider.key
    • /app/utils/certs/decider.crt
  • If either file is missing, a self-signed cert is generated and used instead
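
The two rules above (endpoint from the .env variables, custom cert versus self-signed fallback) as a small pre-launch check. This is an added example, not code from the Decider project; the .env text is a constructed sample, and the cert directory default (app/utils/certs relative to the repo root) is an assumption.

```python
import re
from pathlib import Path

# Constructed .env text in the style of the repo's .env.docker (not the real file).
SAMPLE_ENV = """
# Decider web settings (constructed sample)
WEB_IP='localhost'
WEB_PORT='8001'
WEB_HTTPS_ON=''   # empty => plain HTTP; any other value => HTTPS
"""

ENV_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(text):
    """Minimal KEY=value reader for a .env file: skips blank and comment lines,
    unwraps one pair of quotes, and drops a trailing unquoted comment."""
    env = {}
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        key, value = m.groups()
        if value[:1] in ("'", '"'):
            end = value.find(value[0], 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            value = value.split("#", 1)[0].strip()
        env[key] = value
    return env


def endpoint(env):
    """README rule: WEB_HTTPS_ON='' gives http://, any non-empty value gives https://."""
    scheme = "https" if env.get("WEB_HTTPS_ON", "") != "" else "http"
    return f"{scheme}://{env.get('WEB_IP', 'localhost')}:{env.get('WEB_PORT', '8001')}/"


def cert_status(cert_dir):
    """Both decider.key and decider.crt present => your cert is served; if either
    is missing the container falls back to a generated self-signed cert."""
    missing = [n for n in ("decider.key", "decider.crt") if not (Path(cert_dir) / n).exists()]
    return "custom cert" if not missing else "self-signed fallback (missing: %s)" % ", ".join(missing)


def preflight(env_text, cert_dir="app/utils/certs"):
    """Summarise what `docker compose up` will expose for this .env and cert dir."""
    env = parse_env(env_text)
    url = endpoint(env)
    cert = cert_status(cert_dir) if url.startswith("https://") else "n/a (plain HTTP)"
    return {"endpoint": url, "cert": cert}
```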

DB Persistence Note: Postgres stores its data in a Docker volume to persist the database.

๐Ÿง‘โ€๐Ÿ’ป Manual Install

Ubuntu 22.04

Ubuntu Install Guide

CentOS 7

CentOS Install Guide

Pip Requirements Note

For Everyone

pip install -r requirements-pre.txt
pip install -r requirements.txt

For Developers

pip install -r requirements-dev.txt
pre-commit install

Other OSes

Read the Ubuntu & CentOS guides and recreate actions according to your platform.

Windows

open() in Python uses the system's default text encoding:

  • This is utf-8 on macOS and Linux
  • This is windows-1252 on Windows
    • This causes issues when reading the jsons during the database build process
    • Adding encoding='utf-8' as an argument to each open() may allow Windows deployment
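
What the encoding mismatch does to the ATT&CK jsons, shown on constructed sample objects rather than the project's real files; this is an added example, not Decider code. It writes UTF-8 json the way the ATT&CK data ships, then reads it back both with a platform default of windows-1252 (what a bare open() uses on Windows) and with the explicit encoding='utf-8' fix.

```python
import json
import locale
import tempfile
from pathlib import Path

# Constructed stand-ins for ATT&CK STIX objects like those under app/utils/jsons/
# source/enterprise-attack (not project data); descriptions hold non-ASCII text.
SAMPLES = {
    "registered-mark.json": "Maps behaviour to ATT&CK\u00ae",               # UTF-8: C2 AE
    "curly-quotes.json": "Uses \u201cquoted\u201d names \u2013 see notes",  # E2 80 9C, E2 80 9D, E2 80 93
}


def write_samples(directory):
    """Write each sample as UTF-8, the encoding the ATT&CK jsons ship in."""
    paths = {}
    for name, description in SAMPLES.items():
        path = Path(directory) / name
        obj = {"type": "attack-pattern", "name": name, "description": description}
        path.write_text(json.dumps(obj, ensure_ascii=False), encoding="utf-8")
        paths[name] = path
    return paths


def read_description(path, encoding):
    """Read a json the way a bare open() does under the given platform default; returns the
    description, or the decode error when the bytes are not valid in that encoding."""
    try:
        with open(path, encoding=encoding) as fh:
            return json.load(fh)["description"]
    except UnicodeDecodeError as exc:
        return "UnicodeDecodeError: " + exc.reason


def load_attack_json(path):
    """The fix from the note above: pass encoding='utf-8' explicitly."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def compare(default_encoding="windows-1252"):
    """Return {name: (text read with the platform default, text read as UTF-8)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, path in write_samples(tmp).items():
            results[name] = (read_description(path, default_encoding),
                             load_attack_json(path)["description"])
    return results


if __name__ == "__main__":
    print("locale default on this host:", locale.getpreferredencoding(False))
    for name, (platform_default, utf8) in compare().items():
        print(f"{name}: default -> {platform_default!r}, utf-8 -> {utf8!r}")
```

The first sample decodes without error but comes out as silent mojibake ("ATT&CKÂ®"), while the second hits a byte (0x9D) that windows-1252 does not define and aborts the read; the explicit UTF-8 path returns both descriptions intact.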

macOS

(At least on M1 Macs) install Postgres (step 1) before installing the pip requirements (steps 2 and 3):

  1. brew install postgresql
  2. pip install -r requirements-pre.txt
  3. pip install -r requirements.txt

โš™๏ธ Requirements

as of April 24th, 2023

Software

Docker

Exact required version(s) unspecified.

  • An up-to-date version of Docker and Docker Compose should be used.
  • docker compose should work, whereas docker-compose is outdated.

Manual

  • Operating System
    • CentOS 7+
    • Ubuntu 22.04.2+
    • Fedora 37+ works fine (earlier versions should work too)
  • Python 3.8.16
  • PostgreSQL 12+

Hardware

Suggested Specs

Decider has not yet been tested against many concurrent users. This is a rough suggestion.

  • 2-4 Cores
  • 4-8 GB Memory
  • 20 GB Disk Space

Requirements for a single user are quite minimal; scale up or down according to need.

Docker

Resource Usage
Disk Space

Determined using sudo docker system df -v

Note: This does not account for space used in installing Docker itself

Service       Image Space   Container Space   Volume Space
decider-web   1.17 GB       167 kB            x
decider-db    241.7 MB      63 B              109.4 MB (db_data)

Build Cache Space: 77.62 MB

Memory

Determined using sudo docker stats

Note:

  • uWSGI is only running 1 process in Docker by default
  • Memory usage increases with connected users and uWSGI processes

Service       Freshly Launched   After Some Browsing
decider-web   51.8 MiB           97.12 MiB
decider-db    17.09 MiB          40.92 MiB

Manual

Resource Usage
Disk Space

Note:

  • This does not account for space used in installing Postgres itself
  • This does not include the space used in installing / building Python

Fresh repo clone: 92 MB

  • du -h .

Postgres Database Usage: 30 MB

  • SELECT pg_size_pretty( pg_database_size('decider') );

Python Virtual Environment + Packages: 132 MB

  • du -h ./venv/

Memory

Note:

  • uWSGI is running 5 processes in manual deployment by default
  • Memory usage increases with connected users and uWSGI processes

๐Ÿง‘โ€โš–๏ธ ATT&CKยฎ Data Disclaimer

JSONs under app/utils/jsons/source/enterprise-attack are pulled from https://github.com/mitre-attack/attack-stix-data/tree/master/enterprise-attack

Appendix A: Updating ATT&CK Content

๐Ÿณ Docker Update Instructions

# (in repo root)

# pull v13 content
git pull

# remove containers (DB data is safe)
sudo docker compose down

# rebuild images (v13 files copy-over)
sudo docker compose up --build

# add version
sudo docker exec decider-web python -m app.utils.db.actions.add_version --config DefaultConfig --version v13.0

๐Ÿง‘โ€๐Ÿ’ป Manual Update Instructions

# (install root, same as repo root, contains app/ folder)
cd /opt/decider/1.0.0

# use decider app-user, with app venv, for add_version script
sudo -u decider -g decider /opt/decider/python3.8.10/bin/python3.8 -m app.utils.db.actions.add_version --config DefaultConfig --version v13.0
