Today, we are pleased to announce the first release of Tidal Cyber-authored Objects in Tidal’s free Community Edition platform. Read on for an overview of this exciting feature, and the value we expect it will provide the Threat-Informed Defense community, from Tidal’s Chief Innovation Officer. A full list of the new and updated Objects is provided farther below and stay tuned for more content updates in the near future!

In the world of intelligence, there is always a pull between completeness and speed. Completeness helps drive accuracy. Speed enables actionability. While in the ideal world, we wouldn’t need to make compromises, in reality, resource and bandwidth constraints require striking some balance between the two.

MITRE ATT&CK®, a knowledge base regarded as the gold standard of cyber threat intelligence at the behavioral level, has taken a focus to completeness and utmost accuracy in their reporting. They take a heavy role in curation, to ensure the quality of every addition made to their encyclopedia of behaviors. But this does come at some expense, where the typical ATT&CK release schedule is biannual, while threat content is released on a daily basis by the community, including from government organizations, threat intel providers, vendors, and independent researchers. 

At Tidal, we seek to supplement ATT&CK’s rigor with a focus on speed to address the cadence of publicly available threat content. Led by our Director of CTI, Scott Small, Tidal Cyber has been extending ATT&CK for some time, utilizing our custom Technique Sets. Technique Sets have been used to capture Top 10 lists, to represent new groups, software and campaigns, or to provide alternate definitions to existing objects. Tidal keeps a Community Spotlight of Tidal-curated and select community content to benefit users of the platform. Users also have the ability to create their own content and share it with the community.

While useful, Technique Sets have limitations. Technique Sets are intentionally simplistic, to be optimally flexible. They are simply a collection of techniques, similar to how many have historically used ATT&CK Navigator layers. But take for instance a Technique Set that is used to represent a recent threat actor. There is no way to identify it as a peer to ATT&CK’s Groups – it is not identifiable within Group lists or in search results as a Group. Additionally, because the object is simply a list of techniques, that Technique Set lacks relationships to associated Groups, Software, Techniques, etc.   

To simplify the end-users' mental model of how threat intel is represented, starting today, Tidal will be representing Groups, Software, & Campaigns as these object types within Tidal Community Edition. Technique Sets will continue to serve a purpose, especially around concepts like Top 10 lists, but by treating most Tidal-authored threat content as the same object types that ATT&CK leverages, we anticipate  this will make the content significantly easier for users to leverage. (I also want to note that users of our recently announced Enterprise Edition can create their own threat objects, techniques, and even tactics based on closed-source content; customize their ATT&CK knowledge base; and leverage even more Tidal-curated content.)

In the past four years, we have seen a 500% growth in public threat reports that map to ATT&CK. Whereas in 2019, only 4% of reports mapped to ATT&CK, today, 24% of reports map to ATT&CK. With this broad adoption of ATT&CK within threat intel reporting, we realize that the community has this great chance to benefit from this intelligence if delivered quickly and in a format that users are already familiar with. Tidal has the platform to do just that.

Tidal will more liberally accept publicly available CTI, with the belief that giving users the as-of-today picture is essential for them to be able to quickly adapt to an ever-changing threat environment. As CTI improves, Tidal will continually refine the Tidal extensions to the knowledge base. And to the point, ATT&CK will remain our gold standard. This means, even if ATT&CK releases objects representing similar threats, we will continue to make those available to our users.

This does not mean that Tidal will accept any threat reporting, but rather that reputable threat intel will reach the hands of our users much more quickly.

Here are some examples of the content you should expect to see in the Tidal Platform:

1. New threat objects (e.g., Groups, Software, & Campaigns)
2. New technique relationships to existing threats
3. New object relationships (e.g., Software X is now used by Group Y)
4. New techniques, such as red team techniques, which have historically not made it to the ATT&CK knowledge base due to reported adversary usage constraints

And all of this will still be accompanied by the ever-growing Tidal Product Registry, analytic sources, and other community content all intended to help analysts and defenders be further empowered by ATT&CK and its extensions.

If you would like to submit content to the Tidal Platform, either as an individual, or as a vendor, please reach out to the Tidal team. We would love to talk about how to showcase your unique vantage points to benefit our users and the enthusiastic community that has formed around ATT&CK.

July 18, 2023 Content Updates:

New Objects

Campaigns

• 2023 Increased Truebot Activity

Groups

• Volt Typhoon
• BianLian Ransomware Group

Software  

• Truebot
• Raspberry Robin
• Teleport
• Earthworm
• BianLian Ransomware (Backdoor)
• PingCastle
• SharpShares
• MEGAsync
• Advanced Port Scanner
• AnyDesk
• SoftPerfect Network Scanner
• Splashtop
• TeamViewer
• RDP Recognizer
• Atera Agent
• TightVNC
• Dnscmd
• Ldifde
• Ntdsutil
• xcopy

Updated Objects

Groups

• Sandworm Team
• APT28
• Chimera
• LAPSUS$
• menuPass

Software

• FlawedGrace
• Cobalt Strike
• Impacket
• PsExec
• Rclone
• Mimikatz
• Systeminfo
• Tasklist
• Net
• Arp
• ipconfig
• netstat
• netsh
• certutil