home.social

#opentide — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #opentide, aggregated by home.social.

  1. @timb_machine I kind of like your post about how you threat model for customers in Cisco, it would be cool if you then extended the service to provide #OpenTide mapped threat graphs mapped to detections for them, as (some unnamed consulting houses) are doing.

  2. @timb_machine One day when we read links like br0k3nlab.com/resources/axioms people will have read the #OpenTide white paper and realized how it changes the conversation about #detectioncoverage but this day was not today.

  3. Despite the promising title of this blog post by John Vester 'Why the MITRE ATT&CK Framework Actually Works', its a load of crock.

    You can't and shouldn't use MITRE #ATT&CK to prove any sort of detection coverage or 'strong points'. At best, you can prove total absence in certain subtechniques.

    If you want to do any sort of data driven #detectioncoverage you need #OpenTide -> there's no way around it.

    levelup.gitconnected.com/why-t

    ATT&CK is still ♥️ 😍 tho.

    #SOC #blueteam #detectionEngineering

  4. @merill drop a few links too please. Did you (they) consider releasing the work also in #OpenTide format to increase actionability? OpenTide recently released the OpenTide version of the ATRM -> threat vectors only for now. Having this alongside would be huge.

    Also have been praising your newsletter to regional MS folks, don’t know if any of that filtered back to you. If not, thank you!

  5. This #detection #SOC post #detectfyi is very good, and I agree fully up to a point. Where my opinion, and #OpenTIDE starts to diverge is for the final paragraph on coverage discussions and documentation. Its possible to do better than this now. And detection depth as a number of detection points along an attack path is....not bad, actually innovative compared to most who don't even use a graph view, it may just not be the optimal type of detections to deploy in this case detect.fyi/critical-asset-anal

  6. @lojikil @circl Can I be honest?

    I hope I can and will presume it. This framework is not bad at all, but its inferior to #OpenTIDE by a lot :).

  7. RE: infosec.exchange/@cR0w/1152311

    Don't you wish we could also collaborate defensively, become force multipliers for each other?

    We can. Check out #OpenTIDE

  8. #DetectionEngineering #OpenTIDE
    So #Cloudot will help you empirically map attack telemetry, create it and allow you to try to test your detections also

  9. Now Itay Gabbay releases Cloudot, a tool to help you with #DetectionEngineering in cloud.

    The tool looks like a serious chunk out of the #OpenTIDE backlog! #Cloudot

  10. @joshbressers you run the opensourcesecurity podcast then? Nice! Did you consider doing an episode on #OpenTIDE ?

  11. @nopatience Sounds great. Now, for detection logic, if this gets shared as #OpenTIDE format, then some extra benefits accrue.

  12. If you’re #purpleteam ’ing without #OpenTIDE, why don’t you want your work to be actionable for your #SOC #DetectionEngineering :P

  13. From @BSidesLV 2024 -> Ezz uses ML to cluster events without any performance impact on the SIEM and using Attack Flows to help identify the right elements to try to cluster:

    youtube.com/watch?v=7KOoLo7oyn

    This will work excellently for #OpenTIDE TVMs also

    #DetectionEngineering

  14. Please everyone interested in #SOC or #DetectionEngineering read this by @letswastetime its a fantastic post: dispatch.thorcollective.com/p/

    I can only think of one thing missing - which is the actual enumeration of threat vectors and how they chain together to allow you to proceed with a data-driven approach to building your detection in depth.

    There's only one #opensource framework that allows us to do the chaining as a community - and you know its #OpenTIDE

  15. @Regit @circl @suricata imagine how much better that export would be if it was in #OpenTIDE format as MISP OpenTIDE objects.

  16. This post by Jamie Williams on the THOR Dispatch collective dispatch.thorcollective.com/p/ See Evil, Thrunt Evil – Modelling Behaviors is a Critical Thrunting Prerequisite is very correct in that it says you need to not look at threat actor activities in isolation. Which is why #OpenTIDE allows you to chain threat vector models together, creating attack paths.

    Shame its on #substack Jamie/ThorCollective.

  17. According to new data, we’re really reaping the benefits of #OpenTIDE now in terms of exclusively release speed (#detectionengineering) and release quality. Not even talking about all the other advantages, but those 2 numbers alone are stunning now.

  18. @timb_machine My idea for the backlog #OpenTIDE implementation of this is a per-detection community feedback module where you can rate TVMs, CDMs and detection rule proposals on the fit with your vertical, company size, region, etc

  19. @cybersecdiva While that's definitely not a bad project, if you tried it, then please try #OpenTIDE after and let me know how you think they compare?

  20. My former team published the whitepaper for OpenTIDE (Open Threat Informed Detection Engineering), a next-generation Detection Engineering framework aimed at powering and interconnecting SOCs with common best practices and way of working. #OpenTIDE was incubated 2 years at the European Commission, where it was used as a catalyst to create a new Detection Engineering capacity.

    1/2

  21. Very proud to see Amine on the Google Cloud Security podcast with @Timothypeacock and @anton_chuvakin

    Go listen to episode 202 on SOCs, #DetectionEngineering and #OpenTIDE

  22. AND we have a John Lambert name drop for the famous blog post, which we of course also quote in the #OpenTIDE white paper github.com/JohnLaTwC/Shared/bl

    Nice to couple the #kubehound graph attack view with Lambert’s famous blog.

    Now now now-> how to detect this? Graph it out! In #OpenTIDE!

  23. At @hack_lu #hacklu2024 Jeroen Pinoy concludes that the #MITRE #ATTA&K framework doesn’t have sufficient granularity to enable researchers and defenders to tell cloaking from other events/threat vectors.

    Hint: You can model this in #OpenTIDE :)

  24. @magoo making CTI 'actionable' after all of which they still produce outputs that are decidedly not actionable for DE teams, leaving DE teams again stuck in duplication of effort, this time duplicating the efforts of CTI, or DFIR, or the RT to understand wtaf happened for a specific threat vector at the level of granularity that DE works at and needs to work at.

    And then you get tired. And if you're really smart, and follow me, then you find #OpenTIDE
    ♥️

  25. @cgoncalves oho-ho that sounds brilliant. You’re gonna love #OpenTIDE. Check out the slides and release blog and after that ping me for a private demo if you want, it honestly needs that.

  26. We submitted #OpenTIDE to the @defcon main conference. It’s, as some of you know, a defensive tool & the talk will therefore also be defensive, should the unlikely happen. Please, Wish us luck!! #DetectionEngineering #DetectionOps

  27. Hey if you’re one of the countless awesome folks spending your free time to understand and document threat actors or their TTPs - if you want to maximize making your work actionable for blue teams and repeatable/consistent over time, consider cloning #OpenTIDE and using it to publish your research as standardized objects! #BuildOnce

    #DetectionOps

  28. @inliniac I just asked the dev of our #DetectionOps platform #OpenTIDE to consider submitting, he built Suricata integration already a while back, iirc.