Elastic + Tidal making MITRE ATT&CK easier


Security vendors seem to have a complicated relationship with the MITRE ATT&CK(™) matrix. With one hand, they hold it high as a powerful resource, and with the other, they criticize some aspect of it. But regardless of your viewpoint on any given day, ATT&CK is one of the most important resources for improving your understanding of threat capabilities and aligning those to technical controls, countermeasures, or mitigations.

We at Elastic know a bit about ATT&CK — not only as a tool for detection engineering, but also from our experience in the MITRE Engenuity ATT&CK evaluations — having participated since the very beginning. Our most recent MITRE evaluation results were strong.

Comprehension is, unfortunately, expensive — in terms of both time and other limited resources. ATT&CK improves comprehension in a uniquely inexpensive way, aligning objectives (tactics) to capabilities (techniques and procedures) with:

  • Descriptions that explain each capability with examples
  • References describing how techniques were used in the wild
  • Links to resources like the Cyber Analytics Repository (CAR)

Elastic’s core mission and philosophy is based on the principles of openness and transparency. It is in this spirit that we’re excited to announce our partnership with Tidal Cyber to improve transparency even further, and to help Tidal and Elastic users understand the capabilities we’re providing in the language of ATT&CK. Using Tidal’s free Community Edition, users can access the registry of detections provided by different vendors and products, along with the collection of Campaigns, Groups, and more from MITRE, then map them to the MITRE ATT&CK Matrix, analyzing both coverage and gaps.

Elastic embraces free and open software, and shares our detection logic for well over 1,000 rules and signatures mapped to ATT&CK. Many organizations rely on several security technologies to prepare a defense-in-depth strategy, and comparing Elastic capabilities side-by-side with other vendors helps indicate where that strategy has gaps.
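The coverage-and-gap comparison described above can be reproduced on your own rule set. The following is an added example, not code from Elastic or Tidal: it reads rule metadata in the shape of the Kibana detection-rule `threat` field (framework, tactic, technique, subtechnique), and the rules and the list of techniques of interest are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rules in the shape of the Kibana detection-rule `threat`
# field (framework / tactic / technique / subtechnique). Names and mappings
# are made up for illustration; they are not Elastic's real rules.
RULES = [
    {"name": "Okta MFA bypass attempt", "threat": [{
        "framework": "MITRE ATT&CK",
        "tactic": {"id": "TA0001", "name": "Initial Access"},
        "technique": [{"id": "T1078", "name": "Valid Accounts",
                       "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts"}]}]}]},
    {"name": "AWS IAM policy change", "threat": [{
        "framework": "MITRE ATT&CK",
        "tactic": {"id": "TA0003", "name": "Persistence"},
        "technique": [{"id": "T1098", "name": "Account Manipulation"}]}]},
    {"name": "Suspicious shell from web server", "threat": [{
        "framework": "MITRE ATT&CK",
        "tactic": {"id": "TA0002", "name": "Execution"},
        "technique": []}]},  # tactic-only mapping: counts toward no technique
]


def coverage_map(rules):
    """Return {technique_id: set(rule names)}; a sub-technique also counts
    toward its parent (T1078.004 -> T1078)."""
    covered = defaultdict(set)
    for rule in rules:
        for entry in rule.get("threat", []):
            if entry.get("framework") != "MITRE ATT&CK":
                continue  # ignore mappings to other frameworks
            for tech in entry.get("technique", []):
                covered[tech["id"]].add(rule["name"])
                for sub in tech.get("subtechnique", []):
                    covered[sub["id"]].add(rule["name"])
                    covered[sub["id"].split(".")[0]].add(rule["name"])
    return dict(covered)


def gap_report(rules, wanted):
    """Split `wanted` IDs into (covered -> sorted rule names, gaps). "Covered"
    only means a rule is mapped to the ID, not that it fires on your data."""
    covered = coverage_map(rules)
    have = {t: sorted(covered[t]) for t in wanted if t in covered}
    gaps = sorted(t for t in wanted if t not in covered)
    return have, gaps


# Constructed techniques of interest (e.g. from a group or campaign profile).
WANTED = ["T1078", "T1078.004", "T1098", "T1059", "T1110.001"]
HAVE, GAPS = gap_report(RULES, WANTED)  # GAPS == ["T1059", "T1110.001"]
```

Feeding it a real rule export instead of the constructed list turns `GAPS` into the list of techniques no rule claims to cover; whether the covering rules actually fire in your environment still has to be tested separately.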

Where most vendors maintain their logic in closed sources, ours at Elastic is fully transparent. Because Elastic champions community-facing development, that also means you have a role to play. We invite you to share in our development processes and ensure our technology is something you can expect for yourself:

  • Request we close a gap by opening an issue in one of our public repositories
  • Submit a rule of your own that benefits the community
  • Tell us about noisy rules and help us improve them

The edge of your enterprise is more than just your user workstations and servers. It extends to essential technologies you may not have direct control over. Elastic has been working to address this kind of complexity since the creation of the Elastic Security solution, which is why we began sharing logic for enterprise applications like Okta and cloud service providers like AWS as early as version 7.9. We support Tidal’s effort to make it easier for users to assess Enterprise ATT&CK coverage and seize control of their environments.

What we see is that threats are moving faster, they’re hitting harder, and organizations are at a distinct disadvantage when they can’t answer basic questions about coverage. You don’t know what you don’t know (or what your vendor keeps locked away as intellectual property), and we’re teaming up with Tidal to ensure we’re part of the solution and not the problem.

We enjoyed our fireside chat with Tidal, during which we shared our thoughts on rule development in and with the community and the importance of free and open security solutions. We’d love to hear from you about how we’re doing.

Join our Slack community to share your thoughts about putting MITRE ATT&CK to good use in your enterprise, maintaining and optimizing coverage.