Unleashing the power of purple teaming with OpenTIDE
10-23, 16:15–17:45 (Europe/Luxembourg), Hollenfels

With OpenTIDE, the Threat-Informed Detection Engineering framework, Cyber Threat Intelligence and Detection Engineering teams can work together to model threat vectors (aka attack scenarios) as structured, actionable and automation-ready objects that sit at the centre of a knowledge graph. With that framework, Cyber Threat Intelligence teams can prioritise the expansion of threat detection coverage, while Detection Engineering teams can measure and report on the current threat coverage.

This workshop will introduce the open-source Threat-Informed Detection Engineering framework OpenTIDE and show how it can support collaborative work between Cyber Threat Intelligence and Detection Engineering teams.
The workshop will use a repository on gitlab.com, and participants will have the opportunity to develop some models using Visual Studio Code.

From example CTI reports and research, we will show how to develop chained Threat Vector Models (TVMs) that capture the key points of the procedure an attacker follows to conduct the attack, at a granularity finer than the kill chain stage and the ATT&CK (sub-)techniques, and how those models steer the Detection Engineering team in defining the detection objectives that result from the knowledge gained about the attacker.

The workshop should show in practice the benefit of having structured, machine-ready models from which the knowledge graph is built automatically, so that detection coverage (and threat coverage as well) can be maintained over time.
In particular, we will demonstrate how to deduplicate the information received from TI reports, often in PDF, or blog posts.
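To make the idea of chained, machine-ready threat vector models concrete, here is a small added example (not OpenTIDE code, and not the workshop material) that uses a hypothetical, simplified TVM schema: each model is one step of an attack procedure tagged with an ATT&CK (sub-)technique and the reports it came from, and steps are chained through `leads_to`. The sample reports, TVM ids, detection ids and technique ids are constructed for illustration. The code deduplicates steps reported twice (merging their sources and chain edges), computes detection coverage over the resulting graph, and lists the attack chains along which no step has a detection objective yet, which is the gap a CTI team would prioritise.

```python
"""Toy threat-vector-model graph: deduplicate chained TVMs and measure coverage."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class TVM:
    """One step of an attack procedure (hypothetical schema, not OpenTIDE's)."""
    id: str
    name: str
    technique: str            # ATT&CK (sub-)technique the step instantiates
    sources: set[str]         # CTI reports the step was extracted from
    leads_to: list[str] = field(default_factory=list)  # ids of the next steps


@dataclass
class Detection:
    """A detection objective and the TVM ids it addresses (hypothetical schema)."""
    id: str
    covers: set[str]


def fingerprint(tvm: TVM) -> tuple[str, str]:
    """Content key used to recognise the same step reported in two sources."""
    return (tvm.technique, " ".join(tvm.name.lower().split()))


def dedupe(tvms: list[TVM]) -> list[TVM]:
    """Merge TVMs describing the same step; sources are unioned, chains preserved."""
    merged: dict[tuple[str, str], TVM] = {}
    alias: dict[str, str] = {}            # duplicate id -> surviving id
    for t in tvms:
        key = fingerprint(t)
        if key in merged:
            keep = merged[key]
            keep.sources |= t.sources
            keep.leads_to.extend(x for x in t.leads_to if x not in keep.leads_to)
            alias[t.id] = keep.id
        else:
            merged[key] = TVM(t.id, t.name, t.technique, set(t.sources), list(t.leads_to))
            alias[t.id] = t.id
    out = list(merged.values())
    for t in out:  # rewrite chain edges that pointed at a duplicate, drop self-loops
        t.leads_to = [x for x in dict.fromkeys(alias.get(x, x) for x in t.leads_to)
                      if x != t.id]
    return out


def coverage(tvms: list[TVM], detections: list[Detection]):
    """Return (covered ids, uncovered ids, covered fraction) over the graph."""
    ids = {t.id for t in tvms}
    covered = set().union(*(d.covers for d in detections)) & ids
    return covered, ids - covered, (len(covered) / len(ids) if ids else 0.0)


def blind_chains(tvms: list[TVM], detections: list[Detection]) -> list[list[str]]:
    """Walk every chain from its entry steps; return paths where no step is covered."""
    covered, _, _ = coverage(tvms, detections)
    by_id = {t.id: t for t in tvms}
    targets = {x for t in tvms for x in t.leads_to}
    entries = [t.id for t in tvms if t.id not in targets]
    paths: list[list[str]] = []

    def walk(node: str, path: list[str]) -> None:
        path = path + [node]
        nxt = [n for n in by_id[node].leads_to if n in by_id and n not in path]
        if not nxt:
            if not any(p in covered for p in path):
                paths.append(path)
            return
        for n in nxt:
            walk(n, path)

    for e in entries:
        walk(e, [])
    return paths


# Constructed sample: two reports describing overlapping procedures.
SAMPLE_TVMS = [
    TVM("TVM-1", "Phishing email with ISO attachment", "T1566.001", {"report-A"}, ["TVM-2"]),
    TVM("TVM-2", "LNK inside ISO executes loader", "T1204.002", {"report-A"}, ["TVM-3"]),
    TVM("TVM-3", "Persistence via scheduled task", "T1053.005", {"report-A"}),
    TVM("TVM-4", "phishing email with ISO attachment", "T1566.001", {"report-B"}, ["TVM-5"]),
    TVM("TVM-5", "LNK inside ISO executes loader", "T1204.002", {"report-B"}, ["TVM-6"]),
    TVM("TVM-6", "Credential access from LSASS memory", "T1003.001", {"report-B"}),
]
SAMPLE_DETECTIONS = [Detection("DET-1", {"TVM-3"})]

if __name__ == "__main__":
    graph = dedupe(SAMPLE_TVMS)
    cov, unc, ratio = coverage(graph, SAMPLE_DETECTIONS)
    print(f"{len(graph)} unique TVMs, coverage {ratio:.0%}, uncovered: {sorted(unc)}")
    print("chains with no detection:", blind_chains(graph, SAMPLE_DETECTIONS))
```

Running it merges the two reports into four unique steps and shows that the only detection objective (DET-1) leaves the chain ending in credential access entirely unobserved; that list of blind chains, rather than the raw per-technique percentage, is what drives the next detection objective.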

I have worked in Cyber Security for 25 years. At the European Commission I lead the Threat Hunting and Detection Engineering team. I always apply the "Sharing is caring" principle, and I support and participate in several open source projects. OpenTIDE is the framework developed by the team to support our work and was open-sourced in March 2024.

I am a contractor dedicated to developing advanced Detection and Response Systems, Detection Engineering, Threat Intelligence and Hunting, SIEM/SOAR/EDR/CDR/XDR Systems Engineering and generally everything related to SOC Automation. I am currently maintaining the OpenTIDE project, which condenses years of lessons learned on the floor of SOCs (internal and managed) into a streamlined Detection Engineering ecosystem for technical teams. My latest interests lie at the junction between Detection and Response Engineering, especially developing large-scale signal and entity aggregation systems.