Episode #106

Tidal Cyber's Scott Small on Operationalizing MITRE from Intel to Validation

Tidal Cyber's Director of Cyber Threat Intelligence Scott Small reveals how his knowledge base now tracks almost 25,000 procedure-level instances across nearly 800 MITRE ATT&CK techniques and sub-techniques, capturing the command-level detail that exposes the false promise of "100% coverage" when working at technique abstraction alone. He argues that the pre-attack reconnaissance phase remains the most essential yet most ignored portion of the framework, including the recently formalized technique for purchasing and selling victim data on stealer marketplaces. 

Scott's AI workflow treats LLMs strictly as structured data processors that reference MITRE's written technique examples to parse unstructured threat reports, refusing to use them as intelligence sources themselves. He's seeing threat intelligence and detection engineering roles merge as individuals develop hybrid skill sets. His methodology for mapping TTPs to vulnerabilities gives security teams a data-driven rationale to deprioritize patches when strong post-exploitation defenses already cover the attack vector.

Topics discussed:

  • Tracking almost 25,000 procedure-level instances across 800 MITRE ATT&CK techniques to expose the false promise of technique-level coverage alone
  • Defending pre-attack reconnaissance phases including the technique for purchasing victim data on stealer marketplaces
  • Classifying scanning activity by threat type to prioritize C2 infrastructure linked to APTs over fraud-related domains
  • Blending threat intelligence and detection engineering roles as analysts gain EDR skills 
  • Using LLMs as structured data processors that reference MITRE's written technique examples to parse unstructured threat reports, without treating their output as intelligence
  • Mapping TTPs to vulnerabilities to create data-driven rationale for deprioritizing patches when post-exploitation defenses cover the vector
  • Visualizing attack narratives through the MITRE ATT&CK matrix to tell leadership about defense gaps and justify resource allocation decisions

Key Takeaways: 

  • Track adversary procedures at the command and protocol level to identify real defense gaps.
  • Monitor stealer marketplace activity and automated dealer platforms for credential exposures tied to your domain, then reset credentials.
  • Prioritize threat intel alerts by focusing first on APT-linked activity over fraud campaigns.
  • Develop hybrid skill sets where CTI analysts understand EDR logging capabilities and threat hunters consistently consult adversary behavior reporting for hunt hypotheses.
  • Implement AI workflows that use LLMs to extract structured technique data from unstructured threat reports, not as intelligence output itself.
  • Map TTPs to specific vulnerabilities to build data-driven cases for deprioritizing patches when post-exploit defenses provide coverage.
  • Create visual attack narratives using the MITRE ATT&CK matrix to communicate defense gaps and resource needs.
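The first takeaway above is easy to see in code. The following is an added Python example, not Tidal Cyber's code or data: the ATT&CK IDs are real, but the procedure labels and detection rules are constructed, and it shows how a detection set can score 100% at technique level while leaving most observed procedures uncovered.

```python
"""Technique-level vs procedure-level coverage (constructed sample data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Procedure:
    technique: str  # ATT&CK technique or sub-technique ID
    label: str      # constructed description of one observed procedure


@dataclass(frozen=True)
class Detection:
    name: str
    technique: str        # technique the rule is mapped to
    matches: frozenset    # procedure labels the rule actually fires on


# Constructed procedures: three techniques, seven distinct ways of doing them.
PROCEDURES = [
    Procedure("T1059.001", "PowerShell with encoded command"),
    Procedure("T1059.001", "PowerShell hidden window with download cradle"),
    Procedure("T1059.001", "pwsh executing a staged script file"),
    Procedure("T1003.001", "LSASS memory dump via procdump"),
    Procedure("T1003.001", "LSASS memory dump via comsvcs MiniDump"),
    Procedure("T1105", "certutil download of a payload"),
    Procedure("T1105", "bitsadmin transfer of a payload"),
]

# Constructed detections: one rule per technique, each catching one procedure.
DETECTIONS = [
    Detection("Encoded PowerShell", "T1059.001", frozenset({"PowerShell with encoded command"})),
    Detection("Procdump on LSASS", "T1003.001", frozenset({"LSASS memory dump via procdump"})),
    Detection("Certutil download", "T1105", frozenset({"certutil download of a payload"})),
]


def technique_coverage(procs, dets):
    """Share of techniques with at least one mapped detection (the '100%' view)."""
    techniques = {p.technique for p in procs}
    return len({d.technique for d in dets} & techniques) / len(techniques)


def procedure_coverage(procs, dets):
    """Share of observed procedures that some detection actually fires on."""
    caught = set().union(*(d.matches for d in dets))
    return sum(p.label in caught for p in procs) / len(procs)


def gap_report(procs, dets):
    """Per technique: (procedures caught, procedures observed), exposing the real gap."""
    caught = set().union(*(d.matches for d in dets))
    report = {}
    for p in procs:
        seen, total = report.get(p.technique, (0, 0))
        report[p.technique] = (seen + (p.label in caught), total + 1)
    return report
```

With this data `technique_coverage` reports 1.0 while `procedure_coverage` reports 3/7, and `gap_report` shows which technique carries the most unwatched procedures.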
