@claushoumann @infosystir Let me know if you have questions, it's very much a POC but we ripped through around 350 procedures thus far for our DE team to use
@armengar @infosystir for Moloch, now rebranded to TIDeMEC it’s going a bit slower than that, the learning curve got restarted a bit when we dug a bit deeper in TVM granularity to integrate attack path modeling by chaining TVMs. But the results are superb for IR contextualization and high quality detections. TVM granularity is now variable, you can basically expand/unfold any TVM into parts whenever you need to. Like inserting extra rows into a lattice
@claushoumann @infosystir nice! I think the attack path modeling is really key, I was also really interested in this idea of "chokepoint mapping" where you align the procedures in order and overlay them across groups or campaigns to identify the most impactful procedure to detect or mitigate to stop the most attacks
@armengar @infosystir yes that’s definitely part of it but also to be able to build complex detection objectives from same chain elements
@armengar @infosystir other changes: deep/full understanding of the APIs of Splunk, Sentinel, CBC, full modularity for others to contribute same for other platforms, and turn off visual representation of what you don’t use. And so much more :). But really need a community here soon
@claushoumann @infosystir can’t wait to see it! Watched the video from hack.lu - open source end of this year or early next right?
@armengar @infosystir yup! Will email you both something asap to look at
@armengar @infosystir but so much still not done. No server sync between different entities yet, no ingestion of fired triaged detections for OODA loops, no testing, no emulation integration yet, no community feedback module (this vertical or this size company found this detection objective useful, but this other vertical had too much noise with it etc), no Software and Software submodules models yet (Mimikatz as sw as example, mimikatz LSASS dumper as a
@armengar @infosystir submodule example. Still to do. And so much more! But what works: integration between your CTI, DE, Red team is spectacular. The automation is beautiful. The sharing progress between companies/entities in a knowledge sharing community is … great!