2024-10-23, Hollenfels
With OpenTIDE, the Threat-Informed Detection Engineering framework, Cyber Threat Intelligence and Detection Engineering teams can work together to model threat vectors (attack scenarios) as structured, actionable and automation-ready objects that sit at the centre of a knowledge graph. With that framework, Cyber Threat Intelligence teams can prioritise where to expand threat detection coverage, while Detection Engineering teams can measure and report on the current coverage.
Workshop objectives
This workshop introduces the open-source Threat-Informed Detection Engineering framework OpenTIDE and shows how it supports collaborative work between Cyber Threat Intelligence and Detection Engineering teams.
The workshop uses a repository on gitlab.com, and participants will have the opportunity to develop some models using Visual Studio Code.
Starting from example CTI reports and research, we will show how to develop chained Threat Vector Models (TVMs) that capture the key points of the procedure an attacker follows, at a granularity below the kill-chain stage and the ATT&CK (sub-)techniques. These models steer the work of the Detection Engineering team in defining the detection objectives that follow from the knowledge gained about the attacker.
The workshop should show in practice the benefit of structured, machine-ready models: the knowledge graph can be built automatically and used to maintain detection coverage (and threat coverage) over time.
In particular, we will demonstrate how to deduplicate the information received from threat intelligence reports, which often arrive as PDFs or blog posts.
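To make the three points above concrete (chained TVMs, a knowledge graph built from them, and deduplication of report content against existing models), here is a small added example. It is not OpenTIDE's code and does not use OpenTIDE's real schema: the TVM and detection fields (killchain, attack, preceded_by, covers), the identifiers TVM-000x and CDM-000x, and the sample attack chain are all constructed for illustration.

```python
# Added illustrative example: a minimal knowledge graph over structured
# threat vector models (TVMs) and the detections linked to them. The schema
# below is a simplified assumption for this example, not OpenTIDE's own.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TVM:
    """One step of an attacker procedure, modelled below the kill-chain stage."""
    id: str
    name: str
    killchain: str                      # kill-chain stage (assumed vocabulary)
    attack: tuple[str, ...]             # ATT&CK (sub-)technique IDs
    preceded_by: tuple[str, ...] = ()   # chaining: TVM ids that come before this one


@dataclass(frozen=True)
class Detection:
    """A detection model, linked to the TVM ids it is meant to detect."""
    id: str
    covers: tuple[str, ...]


# Constructed sample data for the example (generic procedure, not a real report).
TVMS = [
    TVM("TVM-0001", "Phishing email with ISO attachment", "delivery", ("T1566.001",)),
    TVM("TVM-0002", "LNK inside ISO launches mshta to fetch second stage",
        "exploitation", ("T1204.002", "T1218.005"), ("TVM-0001",)),
    TVM("TVM-0003", "Scheduled task persistence for the loader",
        "installation", ("T1053.005",), ("TVM-0002",)),
    TVM("TVM-0004", "Kerberoasting of service accounts",
        "actions on objectives", ("T1558.003",), ("TVM-0002",)),
]
DETECTIONS = [
    Detection("CDM-0001", ("TVM-0002",)),
    Detection("CDM-0002", ("TVM-0003",)),
]


def build_graph(tvms, detections):
    """Edges: TVM -> successor TVM (derived from preceded_by) and detection -> TVM."""
    edges = defaultdict(set)
    for t in tvms:
        edges.setdefault(t.id, set())
        for p in t.preceded_by:
            edges[p].add(t.id)
    for d in detections:
        edges[d.id].update(d.covers)
    return edges


def attack_paths(tvms, start):
    """Enumerate chained attacker paths from a starting TVM by following successor edges."""
    succ = build_graph(tvms, [])
    paths = []

    def walk(node, path):
        path = path + [node]
        if not succ.get(node):          # leaf: end of one chain
            paths.append(path)
            return
        for nxt in sorted(succ[node]):
            walk(nxt, path)

    walk(start, [])
    return paths


def coverage(tvms, detections):
    """Map each TVM id to the detections covering it; an empty list is a gap."""
    cov = {t.id: [] for t in tvms}
    for d in detections:
        for tid in d.covers:
            if tid in cov:
                cov[tid].append(d.id)
    return cov


def uncovered(tvms, detections):
    """TVMs with no detection, i.e. where Detection Engineering effort is needed."""
    return [tid for tid, dets in coverage(tvms, detections).items() if not dets]


def dedup_report_step(technique, tvms):
    """Deduplicate one step of an incoming report: existing TVM ids that already model
    this (sub-)technique. An empty result marks the step as a candidate new TVM."""
    return [t.id for t in tvms if technique in t.attack]


if __name__ == "__main__":
    print(attack_paths(TVMS, "TVM-0001"))
    print(uncovered(TVMS, DETECTIONS))
    print(dedup_report_step("T1053.005", TVMS), dedup_report_step("T1003.001", TVMS))
```

The chaining field is what turns a flat list of techniques into attack paths, and the detection-to-TVM links are what make coverage a query rather than a spreadsheet exercise. Matching a report step on the (sub-)technique alone is deliberately coarse: it is a first filter to surface existing models for the analyst to compare against, not a replacement for reading the report.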
Agenda
- Introduction to DetectionOps with OpenTIDE with Q&A
- Setup – see below
- From Intelligence to OpenTIDE – Drafting & Reviewing Threat Vector Models
- From TVMs to detection - Building and Deploying detections
- Wrap-Up
Preparation if you plan to attend the workshop
You are more than welcome to join this workshop. For a good experience, please read the following:
- We provide a private project on gitlab.com: Hack.lu OpenTIDE Workshop
- Create or prepare a free account on gitlab.com, which we will add to the project. Please mention your handle on this pad; it is public.
- Visual Studio Code is the main editor we will refer to and use during the workshop; any other IDE you are familiar with should work provided you can easily git clone, commit and push to the gitlab project.
- Interest in making CTI actionable / in Detection Engineering
- We will propose some CTI reports to turn into Threat Vector Models
- You are more than welcome to bring reports you would like to integrate into the OpenTIDE framework.
Resources
- Main OpenTIDE repository including presentations and other supporting documentation
- GitHub repository for active development on CoreTIDE, including raising issues and proposing pull requests.
I have worked in Cyber Security for 25 years. At the European Commission I lead the Threat Hunting and Detection Engineering team. I always apply the "Sharing is caring" principle and support and participate in several open source projects. OpenTIDE is the framework developed by the team to support our work and was open-sourced in March 2024.
I am a contractor dedicated to developing advanced Detection and Response Systems, Detection Engineering, Threat Intelligence and Hunting, SIEM/SOAR/EDR/CDR/XDR Systems Engineering and generally everything SOC Automation related. I am currently maintaining the OpenTIDE project, which condenses years of lessons learned on the floor of SOCs (internal and managed) into a streamlined Detection Engineering ecosystem for technical teams. My latest interests lie in the junction between Detection and Response Engineering, especially developing large-scale signal and entity aggregation systems.