10 Open-Source Tools for Threat-Informed Defense and MITRE ATT&CK
The MITRE ATT&CK framework has revolutionized how we approach threat-informed defense, enabling defenders to align their detection, response, and adversary emulation strategies with real-world tactics, techniques, and procedures (TTPs).
Over the past months, I’ve been actively developing 10 open-source tools designed to help security teams operationalize ATT&CK, improve detection engineering, and enhance adversary emulation. These tools are:
- PDF2ATTACK: Extracts TTPs from PDF reports and generates a MITRE ATT&CK navigation layer.
Link: https://github.com/chihebchebbi/PDF2ATTACK
- Automated Threat-Informed Defense Assessment Tool: Enables efficient assessment of detection and hunting coverage against specific threat actors or profiles.
Link: https://github.com/Intellisec-Solutions/Automated-Threat-Informed-Defense-Assessment-Tool
Demo: https://www.youtube.com/watch?v=APRsV7jHIYY&t=1s
- Sentinel 2 D3FEND: Retrieves Microsoft Sentinel rules mapped to MITRE ATT&CK and generates corresponding MITRE D3FEND defenses.
Link: https://github.com/Intellisec-Solutions/Sentinel2D3FEND
- Fusion: Automates the collection and merging of multiple MITRE ATT&CK navigation layers into a unified view.
Link: https://github.com/chihebchebbi/Fusion
- Sentinel2ATTACKv2: Automatically extracts and maps TTPs from Microsoft Sentinel alerts to relevant MITRE ATT&CK techniques.
Link: https://github.com/chihebchebbi/Sentinel2ATTACKv2/tree/main
- Sentinel 2 ATT&CK Flow: Integrates Microsoft Sentinel detection coverage with the MITRE ATT&CK Flow project, enabling real-time updates and visualization enhancements.
Link: https://github.com/chihebchebbi/Sentinel2ATTACKFlow/tree/main
- Microsoft Sentinel SOC Optimization TTP Aligner: Aligns Microsoft Sentinel SOC optimization recommendations with Sigma rules, Atomic Red Team tests, and ATT&CK Navigation Layers for comprehensive visualization.
Link: https://github.com/chihebchebbi/Microsoft-Sentinel-SOC-Optimization-TTP-Aligner
- Microsoft Defender XDR and CISA KEV Mapping Tool: Automates vulnerability checks against CISA's Known Exploited Vulnerabilities (KEV) catalog, providing detailed graph visualizations of the relationships and implications using the CTID framework.
Link: https://github.com/chihebchebbi/Microsoft-Defender-XDR-KEV-Mapper
- MITRE ATT&CK Microsoft Copilot Bot Development Guide: Provides comprehensive guidance for developing, integrating, and monitoring a MITRE ATT&CK-informed Microsoft Copilot bot within Teams and Sentinel.
Link: https://blueteams.academy/docs/microsoft%20sentinel/mitre%20attack%20microsoft%20copilot/
- Insider Threat TTP Knowledge Base - Microsoft Sentinel Coverage: Bridges the integration between Microsoft Sentinel SIEM and the MITRE ATT&CK Insider Threat TTP Knowledge Base v2 to enhance insider threat defense.
Link: https://github.com/chihebchebbi/Insider-Threat-TTP-Knowledge-Base--Sentinel-Coverage/tree/main