TTPs Within Cyber Threat Intelligence
One acronym everyone working on a cybersecurity team should be familiar with is TTPs – tactics, techniques and procedures – but not everyone understands how to use them properly within a cyber threat intelligence solution. TTPs describe how threat actors (the bad guys) orchestrate, execute and manage their operations and attacks. (“Tactics” is also sometimes called “tools” in the acronym.) Specifically, TTPs are defined as the “patterns of activities or methods associated with a specific threat actor or group of threat actors,” according to the Definitive Guide to Cyber Threat Intelligence.
Analysis of TTPs aids in counterintelligence and cybersecurity operations by articulating how threat actors perform attacks. Actions related to TTP maturation include, but are not limited to:
An example helps illustrate how analyzing TTPs can aid in risk management and incident response.
The target of an attempted attack receives a hostile email attachment containing a zero-day exploit and a payload that installs new, previously unknown malware. This attack is performed by a nation-state group which has consistently targeted the U.S. Department of Defense using similar TTPs.
TTPs help establish attribution to a foreign nation-state adversary and help mature an understanding of what that adversary is after. For example, the goal could be to gather classified policy and government information of interest for cyberwarfare purposes. Potential targets are also identified based upon former targets seen in the campaign as well as likely future targets (e.g. policy staff responsible for areas of Asia).
TTPs also help to identify a common vector of attack – email with an Office attachment containing a first stage and a payload, such as a downloader. This helps the organization position itself against ongoing attacks from the campaign, for example by reviewing and changing policy related to Windows Data Execution Prevention (DEP), using Sandboxie as a virtualized application layer on the endpoint for opening suspect files, reviewing possible endpoint protection solutions, and so forth. This hyper-focus on known and potential campaign targets helps IT and security staff proactively harden against attacks and minimize damage (should an incident occur) through threat hunting exercises and further forensic investigation.
When an incident does happen, related TTPs help establish potential attribution and an attack framework. This can sometimes aid a team in identifying valuable data such as likely vectors and payloads as well as command and control infrastructure (C2). For example, if you know the attack for a campaign commonly involves base64 encoded C2 data from a seemingly innocuous response page on a remote server, the incident response team can look specifically for that type of data, which may otherwise be missed.
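As an added illustration (not code from the original article), the following hunt logic looks for exactly that pattern: base64 runs hidden in an otherwise innocuous response page, decoded and triaged by printability and entropy before an analyst reviews them. The page bodies, the tasking string and the thresholds are constructed assumptions, not observed campaign data.

```python
import base64
import binascii
import math
import re

# Runs of base64 alphabet long enough to carry tasking data; short tokens
# (ids, class names) are ignored to keep false positives down.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text is about 4-4.5, packed or encrypted data 7+."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_suspect_blobs(body: str, high_entropy: float = 6.5) -> list:
    """Return (token, decoded_bytes, entropy) for base64 runs in a page body that
    decode cleanly and look like either command text or a packed payload."""
    hits = []
    for m in B64_RUN.finditer(body):
        token = m.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue          # not real base64 (bad length or padding)
        printable = all(32 <= b < 127 or b in (9, 10, 13) for b in raw)
        ent = shannon_entropy(raw)
        if printable or ent >= high_entropy:
            hits.append((token, raw, round(ent, 2)))
    return hits

# Constructed samples: one benign page, one carrying tasking in an HTML comment.
BENIGN_PAGE = "<html><body><h1>Welcome</h1><p>Our services page.</p></body></html>"
TASKING = b"task=42;action=beacon;interval=300;next=/news.html"
C2_PAGE = ("<html><body><p>Welcome back!</p><!-- "
           + base64.b64encode(TASKING).decode() + " --></body></html>")

def triage(pages: dict) -> dict:
    """Page name -> list of decoded suspect payloads (empty when nothing found)."""
    return {name: [raw for _, raw, _ in find_suspect_blobs(body)]
            for name, body in pages.items()}
```

Run over captured proxy or sandbox HTTP bodies, the decoded hits are what the response team reviews; ordinary pages produce an empty list.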
The example above demonstrates how TTPs can significantly aid in contextualizing threats and fueling rapid research and response. Post-incident TTPs boost strategic research and response and, as such, are essential to the cyber threat intelligence process. Lessons learned, additional research into the campaign and related attack data all help mature an understanding of TTPs, allowing implementation of more proactive measures and controls for future attacks using those TTPs. Some threat actors, for example, may use the same payload through multiple campaigns while others will drastically alter the main payload with each new operation. Understanding the TTPs of a particular threat actor helps endpoint security teams better harden against specific threats.
TTPs extend well beyond an incident’s forensics. Threat actors conduct reconnaissance prior to executing an attack, something that’s often not reported due to a lack of visibility or overall detection capabilities. Research and development and threat actor communities also reveal additional TTPs of interest. For example, additional TTPs that can be matured over time for a campaign may include additional data, such as:
Understanding TTPs is important for a variety of focused and specific roles or areas of research. For example, a unit that focuses on vulnerability exploitation will rely heavily upon the technical TTPs related to exploits and payloads in terms of how they contextualize and categorize attacks, as well as how the approach maps back to threat actors and campaigns. The same is true for a unit that focuses on malware research and response, forensics and so on.
In order to compare TTPs and leverage them within the cyber threat intelligence process, they must be stored in an efficient, applicable manner. This often means an inter-relational data set cross-correlated within a threat intelligence platform, which makes it easier to orchestrate research and response within an organization. It should also involve dedicated and experienced threat analysts who mature an understanding of actors, campaigns and associated TTPs in both reactive and strategic response following an incident.
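An added example, not Optiv's own tooling or any real intelligence, of what such an inter-relational TTP store can look like and how it supports comparison: campaigns link actors to TTPs, and the TTPs observed in an incident are scored against stored campaigns as ranked attribution hypotheses. The actor and campaign names, the TTP records and the scoring weights are placeholders and assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TTP:
    tactic: str      # e.g. "initial-access"
    technique: str   # e.g. "spearphishing attachment"
    procedure: str   # actor-specific detail; this is where attribution value lives

@dataclass(frozen=True)
class Campaign:   # indicators (C2 domains, hashes) would hang off the same record
    name: str
    actor: str
    ttps: frozenset

def _match(a: TTP, b: TTP) -> float:
    """Exact procedure match scores 1.0; same tactic+technique only scores 0.5."""
    if a == b:
        return 1.0
    return 0.5 if (a.tactic, a.technique) == (b.tactic, b.technique) else 0.0

class TTPStore:
    """Campaigns keyed by name; actors and their TTPs are reached through them."""
    def __init__(self, campaigns):
        self.campaigns = {c.name: c for c in campaigns}

    def by_actor(self, actor: str) -> frozenset:
        return frozenset().union(*(c.ttps for c in self.campaigns.values() if c.actor == actor))

    def score(self, observed: frozenset) -> list:
        """Rank campaigns as attribution hypotheses for TTPs seen in an incident."""
        ranked = []
        for c in self.campaigns.values():
            total = sum(max((_match(o, k) for k in c.ttps), default=0.0) for o in observed)
            ranked.append((c.name, c.actor, round(total / max(len(observed), len(c.ttps)), 2)))
        return sorted(ranked, key=lambda r: r[2], reverse=True)

# Constructed records with placeholder actor/campaign names (not real intelligence).
PHISH_DOC = TTP("initial-access", "spearphishing attachment", "Office doc with downloader")
C2_HTML = TTP("command-and-control", "web protocol", "base64 in innocuous HTML response")
ZERO_DAY = TTP("execution", "client exploitation", "zero-day exploit in attachment")
PHISH_LINK = TTP("initial-access", "spearphishing link", "link to credential-harvest page")
PS_LOADER = TTP("execution", "powershell", "encoded command loader")
C2_COOKIE = TTP("command-and-control", "web protocol", "beacon data in cookie header")

STORE = TTPStore([
    Campaign("CAMPAIGN-A", "ACTOR-1", frozenset({PHISH_DOC, C2_HTML, ZERO_DAY})),
    Campaign("CAMPAIGN-B", "ACTOR-2", frozenset({PHISH_LINK, PS_LOADER, C2_COOKIE})),
])
OBSERVED = frozenset({PHISH_DOC, C2_HTML})   # what incident response saw this time
```

`STORE.score(OBSERVED)` ranks CAMPAIGN-A first on two exact procedure matches, while CAMPAIGN-B earns only partial credit for sharing the web C2 technique with a different procedure.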
Optiv recommends that top threats facing an organization be given priority for such TTP maturation, such as common eCrime attacks and/or known targeted attacks threatening a business. Smaller organizations may benefit strategically by outsourcing such research and response to leverage limited internal staff for application and consumption of TTPs within a cyber threat intelligence practice.
TTPs are constantly evolving, as are the security best practices required to safeguard your organization. For more information explore our Threat Management: Attack Surface Management Services or contact us directly.
UPDATE December 14, 2020 – The recent FireEye and SolarWinds hacks bear directly on TTPs. With this in mind, we also invite you to review the following resources.
FireEye Breach Response Resources
As part of the breach disclosure, FireEye published a list of vulnerabilities that the Mandiant team uses as well as a list of countermeasures that can be applied to other security tools for monitoring purposes. Here’s a list of several network security manufacturers and methods for importing the FireEye countermeasures.
SolarWinds/Orion Compromise – Immediate Action Recommended
This page provides a list of steps we recommend to help reduce exposure to the SolarWinds compromise.