@timb_machine I kind of like your post about how you threat model for customers in Cisco, it would be cool if you then extended the service to provide #OpenTide mapped threat graphs mapped to detections for them, as (some unnamed consulting houses) are doing.
@timb_machine One day when we read links like https://br0k3nlab.com/resources/axioms-of-security-and-rule-based-capabilities/ people will have read the #OpenTide white paper and realized how it changes the conversation about #detectioncoverage but this day was not today.
Axioms of Security and Rule-Based Capabilities

- Security efficacy has diminishing value, at some point, as rule quantity grows
- Rule count is not an absolute measure of successful coverage
- Coverage is not an absolute measure of security
- Alert count has an inverse relationship with their manageability
- Threats are not static
- Security posture is temporal and so only instantaneously representative

@infosecb thanks for adding #OpenTide to the awesome list!

Despite the promising title of this blog post by John Vester, 'Why the MITRE ATT&CK Framework Actually Works', it's a load of crock.

You can't and shouldn't use MITRE #ATT&CK to prove any sort of detection coverage or 'strong points'. At best, you can prove total absence in certain subtechniques.

If you want to do any sort of data driven #detectioncoverage you need #OpenTide -> there's no way around it.

https://levelup.gitconnected.com/why-the-mitre-att-ck-framework-actually-works-29ac26d2d20c

ATT&CK is still ♥️ 😍 tho.

#SOC #blueteam #detectionEngineering


@merill drop a few links too please. Did you (they) consider releasing the work also in #OpenTide format to increase actionability? OpenTide recently released the OpenTide version of the ATRM -> threat vectors only for now. Having this alongside would be huge.

Also have been praising your newsletter to regional MS folks, don’t know if any of that filtered back to you. If not, thank you!

This #detection #SOC post #detectfyi is very good, and I agree fully up to a point. Where my opinion, and #OpenTIDE, starts to diverge is the final paragraph on coverage discussions and documentation. It's possible to do better than this now. And detection depth as a number of detection points along an attack path is... not bad, actually innovative compared to most who don't even use a graph view; it may just not be the optimal type of detections to deploy in this case. https://detect.fyi/critical-asset-analysis-for-detection-engineering-72b8051df149
Critical Asset Analysis for Detection Engineering

Understanding what your detection team should work on

@lojikil @circl Can I be honest?

I hope I can and will presume it. This framework is not bad at all, but it's inferior to #OpenTIDE by a lot :).

Don't you wish we could also collaborate defensively, become force multipliers for each other?

We can. Check out #OpenTIDE

#DetectionEngineering #OpenTIDE

So #Cloudot will help you empirically map attack telemetry, create it, and allow you to try to test your detections also.

Now Itay Gabbay releases Cloudot, a tool to help you with #DetectionEngineering in cloud.

The tool looks like a serious chunk out of the #OpenTIDE backlog! #Cloudot