Tactics, Techniques and Procedures (TTPs) Within Cyber Threat Intelligence
January 19, 2017
TTPs is a great acronym that many are starting to hear about within cybersecurity teams but few know and understand how to use it properly within a cyber threat intelligence solution. Tactics, techniques and procedures (TTPs) get at how threat agents (the bad guys) orchestrate and manage attacks. “Tactics” is also sometimes called “tools” in the acronym. Specifically, TTPs are the “patterns of activities or methods associated with a specific threat actor or group of threat actors,” according to the Definitive Guide to Cyber Threat Intelligence.
Analysis of TTPs aids in counter intelligence and security operations by answering how threat agents perform attacks. Actions that are related to TTP maturation include, but are not limited to the following:
- Rapid triage and contextualization of an event or incident by correlating it to TTPs of known actors or groups potentially related to an attack.
- Supporting the investigative process by providing probable paths for research and focus, based upon former TTPs used in a campaign or attack.
- Supporting identification of possible sources or vectors of attack.
- Supporting the incident response and threat identification and mitigation processes by helping identify which systems are likely to be compromised.
- Supports threat modeling exercises by assisting with controls analysis and integration to defend against known threat agent TTPs.
Considering the above statements, the following example helps to illustrate how analyzing TTPs can aid in risk management and incident response:
The target of an attempted attack receives a hostile email attachment containing a zero-day exploit and payload to install new unknown malware. This attack was performed by a nation-state group which has consistently targeted U.S. Department of Defense targets using similar TTPs to date.
TTPs help to establish attribution to a foreign nation-state adversary. This also aids in maturation of what they are after—policy and government-based classified information of interest for cyberwarfare interests. Potential targets are also identified based upon former targets seen in the campaign as well as potential future targets (e.g. policy related staff responsible for areas of Asia).
Technically, TTPs also help to identify a common vector of attack—email with a hostile zero-day exploit and payload. This aids in proactively positioning for ongoing attacks from this campaign, such as review and changing policy related to Windows Data Execution Prevention (DEP), use of Sandboxie as a virtualized application layer for the endpoint for opening suspect files, a review of possible endpoint protection solutions, and so forth. This hyper-focus for known and potential targets of such a campaign aids IT and security staff in proactively hardening against attacks as well as minimizing damage should an incident take place through threat hunting exercises and further investigation.
When an incident does take place, TTPs related to that incident help to establish potential attribution and an attack framework thereof. This can sometimes help a team identify likely vectors and payloads and other information of great value in a very short period of time. For example, if you know that the attack for a campaign commonly involves base64 encoded C&C data from a seemingly innocuous response page on a remote server, the incident response team can look specifically for that type of data that may have otherwise been missed.
The example above reveals how TTPs can significantly aid in contextualization of threats as well as driving rapid research and response. Post-incident TTPs continue to be an essential element of the cyber threat intelligence process by aiding research and response in a strategic fashion. Lessons learned, additional research into the campaign and related attack data, etc., all help to mature an understanding of TTPs and allow for more proactive measures and controls to be implemented for future attacks that utilize those TTPs.
TTPs go beyond what is seen forensically in an incident. Prior to an incident is reconnaissance by threat agents, a phase often not reported due to a lack of visibility or overall detection capabilities and reporting. Additionally, research and development and threat agent communities also reveal additional TTPs of interest. For example, additional TTPs that can be matured over time for a campaign may include additional data such as the following:
- Related threat agents who correspond with the threat agent(s) of interest in a campaign or ongoing attack (e.g. who do they chat with in forums, friend online, ‘shout’ out too on private websites, have photos of on their sites, etc.?).
- TTPs such as tools are often shared or sold in hacking forums and in private groups on the DarkWeb. Knowing what tools are being used and how they are being leveraged and developed can aid in counter-actions. For example, if a hacker knows that five failed attempts to login to a server is reported, they can use a tool configured to only attempt four remote desktop brute force logins before starting a new session, and thus avoid detection. A counteraction to this TTP is to lower the threshold for logging failed login attempts (e.g. three failed attempts results in a log and alert in the SIEM).
- TTPs can help with predictive or emergent risk, such as the sharing of a zero-day exploit on a forum being integrated into a bot for eCrime attacks. This type of DarkWeb TTP-based information is useful in assisting action-based decisions such as patch priorities and emergency patching.
- Detailed research into payloads and logs (e.g. incident forensics and reverse engineering of malware) also reveals TTPs of interest, such as steps or actions taken by actors or code in traversing a network or exfiltration of data. This information can then be used to increase visibility, logging and/or mitigation of threats.
TTPs are huge in a variety of ways, often focused upon specific roles or areas of research. For example, a unit that focuses on vulnerability exploitation will rely heavily upon the technical TTPs related to exploits and payloads in terms of how they contextualize and categorize attacks, as well as how it maps back to threat agents and campaigns. The same is true for a unit that focuses on malware research and response, forensics, and so on.
In order to compare TTPs and leverage them within the cyber threat intelligence process they must be stored in an efficient, applicable manner. This often includes an inter-relational data set cross-correlated within a threat intelligence platform, making it easier for orchestration of research and response within an organization. It also should involve dedicated and experienced threat analysts who mature an understanding of actors, campaigns, and associated TTPs in both reactive and strategic response following an incident. Optiv recommends that top threats facing an organization be given priority for such TTP maturation, such as common eCrime attacks and/or known targeted attacks threatening a business. Smaller organizations may benefit strategically by outsourcing such research and response to leverage limited internal staff for application and consumption of TTPs within a cyber threat intelligence practice.