TTPs Within Cyber Threat Intelligence

• Tactics, techniques and procedures (TTPs) are the “patterns of activities or methods associated with a specific threat actor or group of threat actors.”
• Analysis of TTPs aids in counterintelligence and security operations by describing how threat actors perform attacks.
• Top threats facing an organization should be given priority for TTP maturation. Smaller organizations may benefit strategically by outsourcing research and response.

One acronym everyone working on a cybersecurity team should be familiar with is TTPs – tactics, techniques and procedures – but not everyone understands how to use them properly within a cyber threat intelligence solution. TTPs describe how threat actors (the bad guys) orchestrate, execute and manage their operations attacks. (“Tactics” is also sometimes called “tools” in the acronym.) Specifically, TTPs are defined as the “patterns of activities or methods associated with a specific threat actor or group of threat actors,” according to the Definitive Guide to Cyber Threat Intelligence.

Image

Analysis of TTPs aids in counterintelligence and cybersecurity operations by articulating how threat actors perform attacks. Actions related to TTP maturation include, but are not limited to:

• Rapid triage and contextualization of an event or incident by correlating it to TTPs of known actors or groups potentially related to an attack
• Supporting the investigative process by providing probable paths for research and focus, based upon former TTPs used in a campaign or attack
• Supporting identification of possible sources or vectors of attack
• Supporting the incident response and threat identification and mitigation processes by helping identify which systems are likely to be compromised
• Supporting threat modeling exercises by assisting with controls analysis and integration to defend against known threat actor TTPs

An example helps illustrate how analyzing TTPs can aid in risk management and incident response.

The target of an attempted attack receives a hostile email attachment containing a zero-day exploit and payload to install a new, unknown malware. This attack is performed by a nation-state group which has consistently targeted U.S. Department of Defense using similar TTPs.

TTPs help to establish attribution to a foreign nation-state adversary, aiding in maturation of what they’re after. For example, the goal could be to gather policy and government-based classified information of interest for cyberwarfare interests. Potential targets are also identified based upon former targets seen in the campaign as well as potential future targets (e.g. policy related staff responsible for areas of Asia).

TTPs also help to identify a common vector of attack – email with an Office attachment containing a first stage and payload, such as a downloader. This helps position for ongoing attacks from the campaign, such as reviewing and changing policy related to Windows Data Execution Prevention (DEP); use of Sandboxie as a virtualized application layer for the endpoint for opening suspect files; a review of possible endpoint protection solutions, and so forth. This hyper-focus on known and potential campaign targets helps IT and security staff proactively harden against attacks and minimize damage (should an incident occur) through threat hunting exercises and further forensics investigation.

When an incident does happen, related TTPs help establish potential attribution and an attack framework. This can sometimes aid a team in identifying valuable data such as likely vectors and payloads as well as command and control infrastructure (C2). For example, if you know the attack for a campaign commonly involves base64 encoded C2 data from a seemingly innocuous response page on a remote server, the incident response team can look specifically for that type of data, which may otherwise be missed.

Image

The example above demonstrates how TTPs can significantly aid in contextualizing threats and fueling rapid research and response. Post-incident TTPs boost strategic research and response and, as such, are essential to the cyber threat intelligence process. Lessons learned, additional research into the campaign and related attack data all help mature an understanding of TTPs, allowing implementation of more proactive measures and controls for future attacks using those TTPs. Some threat actors, for example, may use the same payload through multiple campaigns while others will drastically alter the main payload with each new operation. Understanding the TTPs of a particular threat actor helps endpoint security teams better harden against specific threats. 

TTPs extend well beyond an incident’s forensics. Threat actors conduct reconnaissance prior to executing an attack, something that’s often not reported due to a lack of visibility or overall detection capabilities. Research and development and threat actor communities also reveal additional TTPs of interest. For example, additional TTPs that can be matured over time for a campaign may include additional data, such as:

• Related threat actors who correspond with the threat actor(s) of interest in a campaign or ongoing attack (e.g. who they chat with in forums, friend online, “shout out” to on private websites, have photos of on their sites, etc.)
• Exploits and other attack tools are often shared or sold in hacking forums and in private groups on the dark web. Knowing what tools are being used and how they’re being leveraged and developed can aid in counter-actions; for example, if a hacker knows that five failed attempts to login to a server are reported, they can use a tool configured to only attempt four remote desktop brute-force logins before starting a new session, thus avoiding detection. To counter this TTP, the security team might lower the threshold for failed login attempts (e.g. three failed attempts results in an alert in the SIEM)
• TTPs can help with predictive or emergent risk, such as the sharing of a zero-day exploits on a forum being integrated into a bot for eCrime attacks; this type of dark web TTP-based information is useful in assisting action-based decisions such as patch priorities and emergency patching
• Detailed research into payloads and logs (e.g. incident forensics and reverse engineering of malware) also reveals TTPs of interest, such as steps or actions taken by actors or code in traversing a network or exfiltration of data; this information can then be used to increase visibility, logging and/or mitigation of threats.

Understanding TTPs is important for a variety of focused and specific roles or areas of research. For example, a unit that focuses on vulnerability exploitation will rely heavily upon the technical TTPs related to exploits and payloads in terms of how they contextualize and categorize attacks, as well as how the approach maps back to threat actors and campaigns. The same is true for a unit that focuses on malware research and response, forensics and so on.

In order to compare TTPs and leverage them within the cyber threat intelligence process they must be stored in an efficient, applicable manner. This often includes an inter-relational data set cross-correlated within a threat intelligence platform, making it easier for orchestration of research and response within an organization. It also should involve dedicated and experienced threat analysts who mature an understanding of actors, campaigns and associated TTPs in both reactive and strategic response following an incident. 

Optiv recommends that top threats facing an organization be given priority for such TTP maturation, such as common eCrime attacks and/or known targeted attacks threatening a business. Smaller organizations may benefit strategically by outsourcing such research and response to leverage limited internal staff for application and consumption of TTPs within a cyber threat intelligence practice.

TTPs are constantly evolving, as are the security best practices required to safeguard your organization. For more information explore our Threat Management: Attack Surface Management Services or contact us directly. 

UPDATE December 14, 2020 – The recent FireEye and SolarWinds hacks bear directly on TTPs. With this in mind, we also invite you to review the following resources.

FireEye Breach Response Resources

As part of the breach disclosure, FireEye published a list of vulnerabilities that the Mandiant team uses as well as a list of countermeasures that can be applied to other security tools for monitoring purposes. Here’s a list of several network security manufacturers and methods for importing the FireEye countermeasures.

SolarWinds/Orion Compromise – Immediate Action Recommended

This page provides a list of steps we recommend to help reduce exposure to the SolarWinds compromise.