TTP, short for “tactics, techniques, and procedures,” is a pattern found among the activities or methods that a particular group of threat actors uses in a specific attack. Analyzing TTPs helps in counterintelligence and security operations because it shows how threat actors perform attacks.

Think of TTPs as the modus operandi of a particular criminal gang. The TTPs, in such a case, translate to the way they carry out all of their crimes—their trademark, so to speak.

TTPs are part of the threat intelligence that cybersecurity researchers and analysts collect when an organization they’re working for succumbs to an attack. The data includes what tools or tactics the threat actors used. Those could include the malware the attackers employed to get into the target network, the steps they took to perform the attack, where they are from, and a lot more.

What Does Each TTP Component Look Like? 

The following definitions describe each TTP component:

  • Tactics: Tactics are the end-to-end strategies attackers use to access vulnerable systems and the information they contain. They answer the question: How did the cyber attack occur?
  • Techniques: Techniques are the tools and methods threat actors use to get their hands on the information. Phishing emails are the most common examples of techniques.
  • Procedures: Procedures are detailed descriptions of how attackers execute an attack to achieve their goal.

Organizations often obtain attack TTPs to keep the same threat actor group from victimizing them again and to keep similar strategies and tools from affecting them in the future. Each time security policies and solutions see the same TTPs, they can block potential threat vectors at once.

What Are the Benefits of Identifying TTPs?

TTP identification presents these benefits:

  • When organizations identify a potential attack, they can determine how severe the risks it poses are and if it looks like other incidents their teams already know how to handle.
  • The knowledge that the companies’ cybersecurity teams obtain allows them to prioritize threats. They can focus on the one that poses the most significant risk first.
  • The information on the potential attack then helps organizations identify possible attack vectors.
  • Knowing the entry points that attackers may take lets cybersecurity teams identify which of the companies’ systems are most likely to get attacked.
  • After all that, the organizations can defend against the threat by implementing their specially crafted monitoring, mitigation, and neutralization procedures.

Are TTPs Different from IoCs?

While TTPs are related to indicators of compromise (IoCs), they are not the same. TTPs are more descriptive than IoCs, while IoCs are said to be more detective in nature. Simply put, TTPs tell users how threat actors behave and how attacks unfold, while IoCs give them the exact names of the malware, exploit, and other identifiable file characteristics.

To illustrate, let’s use a specific example, such as the WannaCry attack way back in May 2017.

TTPs:

  • Uses the EternalBlue exploit
  • Targets unpatched Windows operating systems (OSs)
  • Uses phishing emails with an embedded malicious link or a malware-laced attachment

IoCs:

  • Malware hash: 201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9
  • IP address: 91[.]219[.]237[.]229
  • Domain: ayylmaoTJHSSTasdfasdfasdfasdfasdfasdfasdf[.]com

Both TTPs and IoCs are helpful in cybersecurity investigations. Knowledge of them can help organizations stay safe from WannaCry infections in our example.

The TTPs tell cybersecurity teams to patch all systems so they won’t remain vulnerable to EternalBlue. They also tell the teams to warn users against the dangers of phishing.

Meanwhile, the teams can block all access to and from the IoCs to keep WannaCry out of the network.
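
The difference in practice, as an added example that is not part of the original article: an IoC check is an exact match on known values, while a TTP check looks for behaviour, here one host opening SMB connections (TCP 445, the service EternalBlue exploits) to many distinct hosts in a short window. The log format, the port heuristic, the window and the threshold are assumptions for illustration, and the log lines are constructed.

```python
from collections import defaultdict

# IoCs from the table above, kept defanged ("[.]") as the page lists them.
DEFANGED_IOCS = ["91[.]219[.]237[.]229",
                 "ayylmaoTJHSSTasdfasdfasdfasdfasdfasdfasdf[.]com"]

def refang(indicator):
    """Restore a defanged indicator to a matchable, lower-case value."""
    return indicator.replace("[.]", ".").lower()

IOCS = {refang(i) for i in DEFANGED_IOCS}

# Constructed sample log, one connection per line: "epoch_seconds source destination port".
SAMPLE_LOG = "\n".join(
    [f"{1000 + i} 10.0.0.5 10.0.1.{i} 445" for i in range(1, 7)]     # SMB fan-out, no IoC contact
    + [f"{1000 + 30 * i} 10.0.0.9 10.0.2.10 445" for i in range(6)]  # one file server, repeatedly
    + [f"1200 10.0.0.7 {refang(DEFANGED_IOCS[0])} 443"])             # contact with a listed IoC

def parse(log):
    """Parse the assumed log format into (timestamp, source, destination, port) tuples."""
    events = []
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        events.append((int(ts), src, dst.lower(), int(port)))
    return events

def ioc_hits(events):
    """IoC-style detection: exact match of the destination against known indicators."""
    return [(src, dst) for _, src, dst, _ in events if dst in IOCS]

def smb_fanout(events, window=60, threshold=5):
    """TTP-style detection: sources reaching `threshold` distinct hosts on TCP 445
    within `window` seconds. Assumes each source's lines are in time order."""
    seen = defaultdict(list)  # source -> [(timestamp, destination)]
    flagged = set()
    for ts, src, dst, port in events:
        if port != 445:
            continue
        seen[src].append((ts, dst))
        recent = {d for t, d in seen[src] if ts - t <= window}
        if len(recent) >= threshold:
            flagged.add(src)
    return flagged

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("IoC hits:", ioc_hits(events))
    print("SMB fan-out sources:", smb_fanout(events))
```

In the constructed log, the host that fans out over SMB never contacts a listed indicator, so only the behavioural check flags it, and the host that repeatedly reaches one file server is flagged by neither.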

Where Can Users Get TTPs?

Organizations can obtain TTPs via these methods:

  • Gathering open-source intelligence (OSINT): They can do that by collecting threat data from publicly accessible repositories on the Internet. Examples of data sources include sites like VirusTotal and AbuseIPDB.
  • Analyzing malware: Cybersecurity organizations typically do this. They test malicious programs to update their anti-malware solutions. The good thing is that they almost always publish their findings, which organizations can use to beef up their network security.
  • Using telemetry: Telemetry refers to all data and measurements that flow throughout a network. Scanning results, uploads, downloads, traffic flow, and more are examples of such. Unusual spikes or changes to this information could indicate an ongoing attack, allowing security teams to act immediately.

TTPs, as you’ve seen here, are necessary when coming up with security policies. They offer great insights into attacks and their perpetrators, allowing users to avoid becoming victims.