Tidal Community Edition is a freely-available threat-informed defense platform that empowers cyber defenders to quickly and easily conduct research on cyber threats, develop threat profiles, and more. We take the "community" part of Tidal Community Edition seriously; Community Edition users have access to the Tidal Community Slack and are able to share out their work via email and social media.
Until March 31, 2023, all users who share either a matrix or technique set on social media will get a Tidal swag pack! Just tag @TidalCyber and use hashtag #SharedWithTidal and we'll reach out to get your shipping address. Sharing is caring!
As Tidal’s Cyber Threat Intelligence (“CTI”) Director, I routinely work with custom content built in the Community Edition, publishing new Technique Sets and Matrices to the Community Spotlight and using them to support analysis shared via our blogs, Community Slack, and social media channels (we post regularly, so be sure to follow us on LinkedIn, Twitter, and Mastodon).
Sharing custom content is as simple as saving a Technique Set or Matrix (make sure you’ve created your Community Edition account first!), then clicking the Share option from your My Work page (or straight from the matrix title itself).
While we’ve made it extremely easy to share your work, sometimes a little inspiration is useful for jumpstarting your next threat-informed defense project. Read on for five great ideas to help you get started, each of which includes links to examples shared by members of our enthusiastic user community. We look forward to seeing what you’ll share!
How does the threat profile look for the countries where your organization (or its partners or suppliers) operates?
The Groups page enriches adversary Groups from the ATT&CK knowledge base with structured metadata, including Group Motivation and Suspected Attribution and Victim Observed Country and Industry. These are all great starting points for building a threat profile – a structured set of threats most relevant to your particular organization. Filtering on Group metadata allows you to generate inputs to your own profile with as few as two clicks (see our recent webinar for deeper profiling guidance). The Community Spotlight contains this fantastic profile from Community Edition user infosecninja, which includes 18 advanced persistent threat (“APT”) groups with observed victims in Indonesia.
How are the capabilities in your security stack distributed across the MITRE ATT&CK matrix?
Tidal Community Edition unlocks the full power of MITRE ATT&CK by unifying both adversary behaviors and a wide array of defensive (and offensive security) capabilities in one intuitive user interface. Immediately jump into defensive content by browsing Tidal’s public Product Registry for the tools used today in your organization’s security technology stack, and visualize the distribution of those capabilities across the ATT&CK matrix for a given vendor or product with one click of the pill buttons (watch a live walkthrough here). Community user HariCharan expertly took this workflow a step further with his overlay matrix depicting mappings for two popular SIEM tools and top healthcare actors’ techniques. This matrix also demonstrates how custom Technique Sets support tailored representations of your capabilities – for more on Technique Sets, keep reading!
What are the latest and emerging threats that you’re tracking, and how are their TTPs represented in ATT&CK?
This is one of my favorite Community Edition workflows. Technique Sets allow users to create collections of techniques related to any subject, a great way to visualize and unlock pivot opportunities around techniques covered in recent threat reporting from government agencies, industry groups, or threat intel vendors. As more public reporting continues to come pre-mapped to ATT&CK, building these custom objects becomes even easier (we walked through a real example around Cuba Ransomware in the recording here). Layer multiple Technique Sets and/or ATT&CK knowledge base objects into a single matrix, like our Ransomware and Data Extortion Landscape matrix, one of the Community Spotlight resources shared most often on social media that includes Technique Sets for 25 groups & families not yet included in the ATT&CK knowledge base.
Which log sources can be used to give visibility into the adversary techniques I care about?
While not typically discussed as often as ATT&CK resources like adversary Groups or Software, ATT&CK’s Data Sources (and child Data Components) are powerful elements of the knowledge base, and Community Edition offers helpful ways to make use of them. Viewing a Technique Preview from the matrix or a Technique Details page (like the one for LSASS Memory) provides an instant summary of the number of ATT&CK Data Sources that align with that technique, or users can easily visualize Data Sources of their choice from a complete, filterable list. Community Edition user Simone Kraus highlighted alignment of Data Sources (and offensive & defensive capabilities) with multiple notable crimeware threats in a single Community Edition matrix in her Medium blog here (which offers many practical tips for threat-informed workflows generally).
How do I visualize and operationalize the “top techniques” reported by various intelligence vendors? How do top techniques compare or differ from year to year?
Many security and threat intelligence vendors’ research teams now publish annual lists of the top ATT&CK techniques they have observed in their tools’ telemetry, extracted from analyzed malware samples, and/or incident investigations they’ve conducted. Pivoting to associated capabilities, Data Sources, and more in Community Edition makes it easy start operationalizing this great intelligence. My colleague Ian Davila (advemuian in Community Edition) has shared several roundups of these lists in the Community Spotlight, such as this example that compares five years’ worth of annual reports from Red Canary. Annual report season is back in full swing – why not pick one (or multiple) recent reports to use as the foundation for your #SharedWithTidal submission?