What are tactics, techniques, and procedures (TTPs) in cyber security?
Tactics, techniques and procedures (TTPs) in cyber security describe the behaviors, strategies and methods used by attackers to develop and execute cyber attacks on enterprise networks. Essentially, TTPs provide information to security practitioners about the ‘why’ and ‘how’ of cyber attacker behavior and help them better defend themselves against different types of attacks.
Here is a more detailed description of tactics, techniques and procedures:
- Tactics describe the technical objectives (the “why”) an attacker is performing an action. For instance, the attacker’s goal might be to run malicious code on your systems or steal confidential data from your network.
- Techniques describe how an adversary achieves their objectives. They are the methods used by the attacker to engage in their attack. For example, an adversary may use brute force techniques to gain access to accounts when passwords are unknown or encrypted. Certain techniques have sub-techniques that explain how an adversary carries out a specific technique in greater detail. Going back to the brute force example, an attacker may guess passwords to gain access to an account or engage in password cracking, where they use credentials of unrelated accounts to gain access to target accounts.
- Procedures are the detailed description of the components used in an attack, including the tools and practices that attackers used to orchestrate it. It’s the specific implementation the attacker uses to accomplish the goal of a tactic. For instance, to perform the brute force techniques and sub-techniques described earlier, an attacker may use CrackMapExec, an exploitation tool that can collect information in targeted networks.
How do TTPs help organizations prevent cyber security attacks?
Tracking and analyzing TTPs can help you get insights into adversary attack behaviors and learn how specific attacks are orchestrated. This allows you to better respond to, and mitigate, current and future threats. Some attackers, for example, will frequently use the same TTPs for each attack. Understanding the TTPs used by a particular attacker can help you prepare for their repeated attacks.
There is a wealth of information that can be learned from studying adversary tactics and techniques, whether the attack was made against your organization or whether it was conducted against another organization. For example, by understanding cybercriminals’ TTPs, you can learn the types of adversary behaviors your organization is most vulnerable to and identify security gaps. With this knowledge, you are able to implement stronger threat mitigation and incident response controls to improve your resilience against cyber attacks.
TTP knowledge bases
Several research bodies and knowledge bases provide information about TTPs and best practices for remediating them including Open Web Application Security Project (OWASP) and Cyber Threat Alliance (CTA).
In addition, you can collect TTP information in the following ways:
The web/open source
The internet is filled with an immense amount of data about TTPs. You can collect and use this data for threat intelligence. For example, you can learn about the various techniques used to steal credentials like account names and passwords.
Honeypots or darknets
Honeypots and darknets can be used to track real-life exploit activity. Honeypot data is valuable for identifying vulnerabilities and security gaps so you’ll know how to improve your controls. They are also valuable for detecting ransomware and malware activity. Darknets are used by cyber criminals to post stolen data. You can use them to track information available for sale by hackers.
Telemetry
Telemetry data can be collected and analyzed from systems to understand how they are functioning. For example, you can collect and analyze telemetry data to understand the kind of traffic being generated by your systems and the kind of traffic that is being accepted by the system. This data can provide useful insights about whether your system has been compromised or attacked and the tactics and techniques that were used to do so.
Malware processing
By processing and analyzing malware, you can determine the origin and potential impact of malware. It can also expose behavior that threat hunters could use again in the future, such as accessing a particular network connection, domain or port. With this information, it’s easier for you to track adversary behavior and determine security gaps to close.
MITRE ATT&CK Framework for TTPs
Tracking adversary behavior has been a complex challenge for the cyber security industry, mainly because there wasn’t a universal classification to adhere to. In recent years, the industry has adopted the MITRE ATT&CK Framework, which aims to provide a standardized, globally-accessible knowledge base of TTPs used by attackers.
The MITRE ATT&CK Framework documents over 600 TTPs based on observations from real cyber attacks. Developed in 2013 by the MITRE Corporation, the framework is a valuable resource for organizations who wish to better understand the specific threats they may face. The framework also provides a common language across the cyber security industry, making it easier to document, report and communicate about threat groups and cybercriminals.
The MITRE ATT&CK Framework is composed of four matrices – Pre-ATT&CK, Enterprise ATT&CK, Mobile ATT&CK and ICS ATT&CK. Each matrix contains a set of tactics and techniques used by adversaries to carry out an attack in that specific environment. When viewing the matrices, such as the Enterprise ATT&CK matrix below, the tactics are presented across the top, mapping an attacker’s journey from left to right. The associated techniques and sub-techniques appear beneath each tactic.
All four MITRE ATT&CK matrices include detailed descriptions of the techniques used for each tactic, the systems that each technique targets, the detection and mitigation approach for each form of attack, and examples of real-world usage. The frameworks are constantly updated when new real-world attack methods surface.
How do you operationalize the use of TTPs?
With over 600 tactics and techniques documented in the MITRE ATT&CK framework, it’s nearly impossible to memorize every method of attack and manually record where they are being used in your environment. You need a more efficient way to analyze attacker behavior for TTPs.
To leverage TTPs within cyber security, they must be documented in an efficient and applicable manner that can easily be accessed by threat intelligence and security teams. Automation is the common answer. This often includes correlating activity in your network with a threat intelligence platform, making it easier for you to research and respond to TTPs.
You can also employ experienced threat analysts who understand attacker behaviors and associated TTPs. They can effectively respond to cyber incidents or build risk mitigation strategies against threats.
How can TTPs be used for vulnerability management?
Historically, TTPs have been used in the cyber security industry for threat intelligence. More recently, they have also been used more programmatically for vulnerability management. Effectively implementing TTPs into your vulnerability management program can be done by mapping adversary tactics and techniques to TTPs. Doing so will help your teams improve the prioritization of vulnerabilities and remediation strategies.
In 2021, MITRE Engenuity introduced a methodology for using MITRE ATT&CK to describe the potential impact of vulnerabilities. In December 2022, Balbix announced an industry-first capability to automatically map software vulnerabilities to the MITRE ATT&CK Framework.
