Alchemist edited this page Sep 26, 2017 · 7 revisions

Welcome to the Unfetter Analytic project. It is a reference implementation, inspired by The MITRE Corporation's CAR and ATT&CK™ frameworks, and supported by The MITRE Corporation and the National Security Agency (NSA).

ATT&CK™ stands for Adversarial Tactics, Techniques and Common Knowledge. It is a model and framework that describes the actions an adversary may take while attacking an enterprise network. ATT&CK™ specifically focuses on post-exploitation of Windows host systems. Think of it as a roadmap that lays out what an attacker COULD be doing on your network.

CAR (the Cyber Analytics Repository) is an effort to document and share analytic ideas and lessons learned. Each CAR analytic is framed by the ATT&CK™ behavior(s) it is trying to identify.

Unfetter is a project designed to help network defenders, cybersecurity professionals, and decision makers identify and analyze defensive gaps in a more scalable and repeatable way. By combining the groups[1] and techniques[2] of the ATT&CK™ model with the analytics, data model, and sensors of CAR, Unfetter offers the community an opportunity to come together and move beyond indicators toward a behavior-based methodology.

The first release is Unfetter Analytic, a reference implementation that provides a framework for collecting events from a client machine (Windows 7), supports building and testing analytics in the CAR model, and displays the resulting alerts mapped to the ATT&CK™ model. Unfetter Analytic is not designed to be a production intrusion detection system; it is an educational capability for analytic developers to try, explore, and learn the concepts discussed at http://mitre.github.io/unfetter.

Getting Started

Unfetter Analytic consists of a Windows system as the target machine and a set of Docker containers. Please see the Setup Instructions for more details.

The Architecture

For a deep dive into Unfetter Analytic, please see the Architecture page. To get started, go to our Unfetter Analytic page on GitHub.

Getting Involved

For bug reports or feature requests, please open an issue on GitHub.
