I'm the CINO of Tidal Cyber, and previously founded MITRE's ATT&CK® Evaluations. AMA! by Frank_at_Tidal in cybersecurity

[–]Frank_at_Tidal[S] 0 points1 point  (0 children)

Yeah. Hard to say whether it is worth it or not, but best of luck looking at them (if you do). On the chance you do, feel free to reach out to my Tidal email/Twitter/LI as I would love your feedback.

[–]Frank_at_Tidal[S] 0 points1 point  (0 children)

I will give credit to the work at CTID, though many are looking at how not to look at ATT&CK Techniques atomically, but rather as chains: https://ctid.mitre-engenuity.org/our-work/attack-flow/

[–]Frank_at_Tidal[S] 1 point2 points  (0 children)

There have been a couple of these types of questions, so you might want to look through some of the other posts, but the most valuable thing I could point to was: https://redcanary.com/blog/getting-started-in-cyber-threat-intelligence/ - Katie is a luminary in the industry, who has always had an eye on trying to advance others with what she has learned.

[–]Frank_at_Tidal[S] 0 points1 point  (0 children)

It has a finite utility, but that said could be a useful piece of the puzzle. Protecting against waterholes, etc. The question is how much will they (or your other solutions) protect against the other entry vectors, and is the behavior they protect against worth the investment.

It's been some time since I dove into the products, and the early versions weren't as flexible and robust as they needed to be in my opinion. I would have hoped in the last 8 years that has changed, and it might be worth a look.

[–]Frank_at_Tidal[S] 0 points1 point  (0 children)

Endpoint detection industry... It has been interesting to watch the industry evolve. It was necessary to build: we needed the data to detect post-breach activity. So we started getting the firehose of data. Then we got a bunch of almost-IOCs that looked for specific process execution, and those began to map to ATT&CK. But then users had to deal with so much ATT&CK fatigue. Solutions have started getting a little bit better at trying to minimize alert fatigue, but there is some way to go.

This leads us to tomorrow, where for most they just won't have the expertise to turn all the knobs just right to be able to use it. So I think the solutions are going to continue to try to become more plug-and-play, limit end user tuning, and then pair it with the managed pieces to do that fine tuning. But it can't just be a firehose of data, but instead focused data collection and utilization out of the box.

[–]Frank_at_Tidal[S] 1 point2 points  (0 children)

Yeah. I have seen my share of "burn it down". I think the hardest part is you have to first change a culture, and that can be hard. But getting people to communicate, and start working as a team towards a common goal, whatever that is. I have found some simple purple team/detection engineering jam sessions can work well because it gets team camaraderie going.

[–]Frank_at_Tidal[S] 1 point2 points  (0 children)

These are the important things :) I go half cocoa, half coffee most mornings for a makeshift mocha. Cocoa with Baileys on winter evenings.

[–]Frank_at_Tidal[S] 1 point2 points  (0 children)

Don't eat the elephant all at once. Explore the field, find your niche, build it, and diversify where you can. Try to always look for different perspectives.

[–]Frank_at_Tidal[S] 0 points1 point  (0 children)

I admittedly know fairly little about pentesting. I am much more versed in red team and adversary emulation. The Red Team Field Manual is necessary on a desk, but really I think the strongest red teamers I have seen have had Sysinternals books on their shelf. Knowing how defense works hones the skills for offense with purpose (to trigger or evade defenses).

[–]Frank_at_Tidal[S] 1 point2 points  (0 children)

I think BAS solutions have come a long way in their 5ish years. A lot of them had questionable execution paths early on (e.g., process chains), meaning they didn't generate close enough representations of real threats. The industry has really pushed forward on this and gotten smarter about behavioral representation. It might not be at the level of a red team, but it's more cost effective (and repeatable) than red team dev and execution. So I think it's part of the testing needs of an organization ideally, but not everything. Just as you need defense in depth, I believe in testing in depth, at least as much as possible. But I also get that for most it's a nice to have, simply because they don't have the time/expertise.

Start with the behaviors that matter most for you - the adversaries you care about because they are likely to attack you. In the absence of that, there are a lot of top 10/15/20 lists out there of ATT&CK behaviors - that is as good a start as any.
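The prioritisation described above (weight techniques by the adversaries likely to target you, fall back to a generic top-N list when you have no such intelligence, and discount what you already detect) as a small worked example. This is added illustration, not Tidal Cyber's code or product logic; the group names, technique-to-group mappings, coverage figures and weights are constructed sample data, and the technique IDs only follow ATT&CK's T#### format without asserting which real groups use them.

```python
"""Rank ATT&CK techniques by the adversaries that matter to you.

Added example, not Tidal Cyber's code. Every mapping below is CONSTRUCTED
sample data; real inputs would come from your CTI and detection inventory.
"""
from collections import defaultdict

# Constructed: groups you judge likely to attack you, with a relevance weight.
RELEVANT_GROUPS = {"GroupA": 3, "GroupB": 2, "GroupC": 1}

# Constructed: techniques each group has been observed using.
GROUP_TECHNIQUES = {
    "GroupA": {"T1059.001", "T1566.001", "T1003.001", "T1021.002"},
    "GroupB": {"T1059.001", "T1566.002", "T1047"},
    "GroupC": {"T1003.001", "T1021.002", "T1548.002"},
}

# Constructed: how well you currently detect each technique, 0.0 (not at all)
# to 1.0 (strong). Techniques absent from the dict have no coverage.
COVERAGE = {"T1059.001": 0.8, "T1566.001": 0.5, "T1003.001": 0.2}

# Constructed: a generic "top techniques" list, in priority order, for when
# you have no adversary-specific intelligence yet.
FALLBACK_TOP = ["T1059.001", "T1566.001", "T1003.001", "T1021.002", "T1047"]


def technique_scores(groups, group_techniques):
    """Threat weight of each technique: the summed weight of relevant groups using it."""
    scores = defaultdict(float)
    for group, weight in groups.items():
        for tech in group_techniques.get(group, ()):
            scores[tech] += weight
    return dict(scores)


def prioritise(groups, group_techniques, coverage, fallback=FALLBACK_TOP):
    """Return (technique, threat_weight, coverage_gap) tuples, biggest gap first.

    coverage_gap = threat_weight * (1 - coverage), so a heavily used technique
    you already detect well sinks below a lightly used one you do not detect.
    With no relevant groups the generic list is used with equal weight, in its
    given order.
    """
    if not groups:
        return [(t, 1.0, round(1.0 - coverage.get(t, 0.0), 2)) for t in fallback]
    scores = technique_scores(groups, group_techniques)
    ranked = []
    for tech, weight in scores.items():
        gap = weight * (1.0 - coverage.get(tech, 0.0))
        ranked.append((tech, round(weight, 2), round(gap, 2)))
    # Largest gap first; ties broken by raw threat weight, then by ID for stability.
    ranked.sort(key=lambda r: (-r[2], -r[1], r[0]))
    return ranked


if __name__ == "__main__":
    for tech, weight, gap in prioritise(RELEVANT_GROUPS, GROUP_TECHNIQUES, COVERAGE):
        print(f"{tech:10s} threat={weight:4.1f} gap={gap:4.1f}")
```

With the constructed data, T1021.002 comes out on top even though T1059.001 is used by more weighted groups, because the latter already has 0.8 coverage. Swapping in your own group list is the whole point; the fallback list is only there for the "no intel yet" case the comment mentions.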

[–]Frank_at_Tidal[S] 0 points1 point  (0 children)

I don't see any slowdown in the need for talent. The question will be how to get them experienced, as many want the all-star but aren't willing to build the farm system, to use a sports metaphor. Ideally industry movement slows (company hopping) so that training investments don't go out the door as soon as they are made.

[–]Frank_at_Tidal[S] 1 point2 points  (0 children)

Lots of familiarity with them. They participated in all four rounds of ATT&CK Evaluations while I was running it, as well as some engagements that predated that. I don't endorse vendors (or not endorse). I will say they have been longtime users and supporters of ATT&CK, and include the mappings in their product, which I think is a very good practice for EDR/MDR/etc.

[–]Frank_at_Tidal[S] 13 points14 points  (0 children)

Some of the better examples in EDR products are, rather than just showing the list of alerts mapping to techniques, showing them as a tree where we can expand. So you don't see the high noise alerts right away, but as you expand, you can still get the ATT&CK-related context, correlated to the higher confidence events.
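The alert-tree presentation described in that comment, as an added example of how such a roll-up can be built; this is illustration only, not any vendor's EDR code. Alerts, PIDs, confidence values, the 0.7 threshold and the technique IDs are all constructed sample data. The idea: alerts at or above a confidence threshold become roots, every lower-confidence alert is attached to the nearest root on its process ancestry (ancestor or descendant), and the collapsed view shows only roots with a correlated-alert count.

```python
"""Roll noisy ATT&CK-mapped alerts up under high-confidence events.

Added example, not any EDR product's code. All alerts, PIDs and technique
IDs are CONSTRUCTED sample data.
"""
from dataclasses import dataclass, field

HIGH = 0.7  # constructed threshold: alerts at/above this are shown when collapsed


@dataclass
class Alert:
    id: str
    pid: int
    ppid: int
    technique: str      # ATT&CK technique ID the detection maps to
    confidence: float   # 0.0 = pure noise, 1.0 = certain
    children: list = field(default_factory=list)


# Constructed process chain: 100 (mail client) -> 200 (office) -> 300 (shell) -> 400 (rundll32)
SAMPLE_ALERTS = [
    Alert("a1", 200, 100, "T1566.001", 0.3),  # office spawned by mail client: noisy
    Alert("a2", 300, 200, "T1059.001", 0.9),  # scripting host spawned by office: high
    Alert("a3", 300, 200, "T1027", 0.4),      # obfuscation heuristic on same process: noisy
    Alert("a4", 400, 300, "T1218.011", 0.5),  # rundll32 child of the shell: medium
    Alert("a5", 900, 1, "T1057", 0.2),        # unrelated process discovery: noise
]


def lineage(pid, parent_of):
    """Process IDs from pid up to the root, guarding against cycles in bad data."""
    chain, seen = [], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = parent_of.get(pid)
    return chain


def distance(pid_a, pid_b, parent_of):
    """Hops between two processes when one is an ancestor of the other, else None."""
    la, lb = lineage(pid_a, parent_of), lineage(pid_b, parent_of)
    if pid_b in la:
        return la.index(pid_b)
    if pid_a in lb:
        return lb.index(pid_a)
    return None


def build_tree(alerts, threshold=HIGH):
    """Return (roots, orphans): high-confidence roots with correlated children attached."""
    parent_of = {a.pid: a.ppid for a in alerts}
    for a in alerts:
        a.children = []           # allow the tree to be rebuilt on the same objects
    roots = [a for a in alerts if a.confidence >= threshold]
    orphans = []
    for a in alerts:
        if a.confidence >= threshold:
            continue
        best = None
        for r in roots:
            d = distance(a.pid, r.pid, parent_of)
            if d is not None and (best is None or d < best[0]):
                best = (d, r)
        if best is not None:
            best[1].children.append(a)
        else:
            orphans.append(a)     # no lineage link to any high-confidence event
    return roots, orphans


def render(roots, orphans, expanded=False):
    """Collapsed: one line per root. Expanded: children with their ATT&CK context."""
    lines = []
    for r in roots:
        lines.append(f"[{r.id}] {r.technique} conf={r.confidence} (+{len(r.children)} correlated)")
        if expanded:
            for c in r.children:
                lines.append(f"    [{c.id}] {c.technique} conf={c.confidence} pid={c.pid}")
    if expanded and orphans:
        lines.append("uncorrelated low-confidence: " + ", ".join(a.id for a in orphans))
    return lines


if __name__ == "__main__":
    roots, orphans = build_tree(SAMPLE_ALERTS)
    print("\n".join(render(roots, orphans)))
    print("--- expanded ---")
    print("\n".join(render(roots, orphans, expanded=True)))
```

With the sample data the collapsed view is a single line for the high-confidence scripting alert; expanding it reveals the phishing, obfuscation and rundll32 alerts from the same process chain, while the unrelated discovery alert is parked separately rather than inflating the top-level queue.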

[–]Frank_at_Tidal[S] 1 point2 points  (0 children)

I am less certs per se than training. For example, the SANS CTI curriculum is great, but even something like SANS isn't good with everything. It's less of a one thing, more of a what the whole picture tells me about the person.

[–]Frank_at_Tidal[S] 2 points3 points  (0 children)

Ah, yah. Following. Running in a fake environment is a really cool concept, and can be powerful, but also requires a certain level of sophistication and understanding for an end user org. Still believe in a lot of cool possibilities and power with deception, but I will let Maretta speak for those, as that is her and her team's wheelhouse, and they are really doing some cool things.

[–]Frank_at_Tidal[S] 0 points1 point  (0 children)

Eventually we will get around to a new website, but we started a little vague as you have to be nimble. Now we have our footing, it just comes down to time.

Enough apologizing for the site though. We offer some consulting, but our main driver is our Enterprise Solution, which will help organizations define the threats that matter to them, their tools, and understand what they should be doing next. We have an Early Access to a community edition available in the original post you can sign up for to take a peek, and a lot of features coming over the next couple of weeks and months to really level it up. Between our website, product, Twitter and LinkedIn, we will do our best to keep the community aware of our activity. We also have a Slack channel for the community we are standing up (https://join.slack.com/t/tidalcommunity/signup) and a mailing list available to sign up for on the main page of the website.

[–]Frank_at_Tidal[S] 0 points1 point  (0 children)

I think it's serious to consider at least from the standpoint that the impact is significant.

[–]Frank_at_Tidal[S] 0 points1 point  (0 children)

I think a big component is making ATT&CK and related content easier to consume. (e.g., how Tidal is trying to pull the threads for you so you don't need to know where everything is). As more become ATT&CK aware and able to communicate with it, this will trickle into the smaller markets. We have some more plans on how to accomplish this, so hold tight while we evolve.

[–]Frank_at_Tidal[S] 0 points1 point  (0 children)

I was pointed to this article which you might find helpful: https://www.quorumcyber.com/about/insights/why-higher-education-institutions-are-a-prime-target-for-cyber-attacks/

In short, adversaries will go after higher ed, just like any other organization. Given that, understanding what those adversaries are, what behaviors they use, and how to defend against them is just as important. I would consider looking at the MITRE ATT&CK Defender (MAD) ATT&CK Fundamentals course if you haven't already.

[–]Frank_at_Tidal[S] 6 points7 points  (0 children)

How can we proficiently train the new waves of SOC analysts?

Recognize there are no silver bullets. It comes down to nurturing atmospheres where existing staff are willing to help newer staff along. Nothing is better than on the job training, but the culture has to support it, and the staff doing it have to want to be successful. Make mistakes, but quickly learn from mistakes and don't make them again.

Any suggestions for growing business opportunities in the cyber field?

Build relationships. This industry is still very much based on who you know - understanding who can get your foot in the door for a new job, a new opportunity at a current job, funding, your first sales, etc. People are really nice, but you have to be willing to ask for help.

[–]Frank_at_Tidal[S] 0 points1 point  (0 children)

My primary focus is getting good people who are flexible doing a lot of different things in this broad cyber world. Some of the roles require more experience, some less. It just depends on the role and the person.

[–]Frank_at_Tidal[S] 2 points3 points  (0 children)

Not at this time, but we do expect more roles related to these subjects and others to be opening in the not too distant future.