# Tactics, techniques and procedures (TTPs)

## Tools

#### The next level is labeled "Tools" and is yellow

At this level, we are **taking away the adversary's ability to use one or more of the specific arrows** in their quiver

* This typically occurs **when we've effectively detected the artifacts of their tool** in so many ways that the attacker gave up and had to either find or create a new tool for the same purpose
* This is a big win for us, because now attackers must invest time researching (finding an existing tool that has the same capabilities), developing (creating a new tool **if they are able**) and training (figuring out how to use the tool and becoming proficient with it)
* **You cost them dedicated time**, especially if you can do this across several of the attacker's tools
* Examples of tool-level **indicators** **include AV or YARA signatures**, provided they can still match variants of the same file after moderate changes
* **Network-aware tools** with a distinctive communication protocol may also fit this level, where changing the protocol would require substantial rewrites to the original tool
* **Fuzzy hashes** are likely in this level as well
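The following is an added example, not part of the original notes, showing why fuzzy hashes belong at the Tools level while exact file hashes sit at the bottom of the pyramid. It implements a simplified context-triggered piecewise hash (the idea behind ssdeep, not ssdeep's actual algorithm) next to a naive fixed-block hash and an exact SHA-256, and compares a constructed "tool binary" (seeded pseudo-random bytes standing in for a real file) against a rebuilt variant with an insertion, a rewritten region and appended bytes. The window size, boundary rule and thresholds are assumptions chosen for this demonstration.

```python
import hashlib
import random

WINDOW = 7          # bytes in the rolling window that decides chunk boundaries
BOUNDARY_MOD = 32   # boundary when the window sum is divisible by 32 -> roughly 32-byte chunks
BLOCK = 32          # fixed block size for the naive comparison


def exact_hash(data: bytes) -> str:
    """Cryptographic hash: any single changed byte yields an unrelated digest."""
    return hashlib.sha256(data).hexdigest()


def _piece_hash(piece: bytes) -> str:
    return hashlib.blake2b(piece, digest_size=8).hexdigest()


def fixed_block_signature(data: bytes) -> frozenset:
    """Naive piecewise hash: hash every BLOCK-byte slice at fixed offsets.
    One inserted byte shifts every later block, so this breaks on exactly the
    kind of edit a fuzzy hash is supposed to survive."""
    return frozenset(_piece_hash(data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ctph_signature(data: bytes) -> frozenset:
    """Context-triggered piecewise hash (simplified): a rolling sum over the last
    WINDOW bytes chooses chunk boundaries from the content itself, so boundaries
    re-synchronise a few bytes after any local edit and untouched chunks still match."""
    chunks = set()
    start = 0
    rolling = 0
    for i, b in enumerate(data):
        rolling += b
        if i >= WINDOW:
            rolling -= data[i - WINDOW]          # window now covers data[i-WINDOW+1 : i+1]
        if i + 1 - start >= WINDOW and rolling % BOUNDARY_MOD == 0:
            chunks.add(_piece_hash(data[start:i + 1]))
            start = i + 1
    if start < len(data):
        chunks.add(_piece_hash(data[start:]))    # trailing chunk
    return frozenset(chunks)


def jaccard(a: frozenset, b: frozenset) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(a: bytes, b: bytes, signature=ctph_signature) -> float:
    """Fraction of shared pieces between two files under the given piecewise scheme."""
    return jaccard(signature(a), signature(b))


# Constructed stand-in for a tool binary: 2 KiB of seeded pseudo-random bytes (not a real file).
ORIGINAL = random.Random(7).randbytes(2048)
# Constructed rebuilt variant: 4 bytes inserted near the start (shifts everything after it),
# a 64-byte region rewritten in the middle, and 32 bytes appended at the end.
VARIANT = (ORIGINAL[:100] + b"v2.1" + ORIGINAL[100:700]
           + random.Random(11).randbytes(64) + ORIGINAL[764:]
           + random.Random(13).randbytes(32))
# Constructed unrelated file of the same size.
UNRELATED = random.Random(99).randbytes(2048)


def report() -> dict:
    """Scores an analyst would look at when deciding whether a new sample is a modified build of a known tool."""
    return {
        "exact_hash_matches": exact_hash(ORIGINAL) == exact_hash(VARIANT),
        "fixed_block_similarity": similarity(ORIGINAL, VARIANT, fixed_block_signature),
        "ctph_similarity": similarity(ORIGINAL, VARIANT),
        "ctph_unrelated": similarity(ORIGINAL, UNRELATED),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The exact hash and the fixed-block signature both fail on the variant, while the content-defined signature still shares most of its chunks with the original and shares none with the unrelated file. That is the property that lets a fuzzy-hash match follow a tool through recompilation or minor patching, which is why it costs the adversary a tool rather than a single file hash.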

## TTPs

#### The last indicator at the apex is TTPs (Tactics, Techniques and Procedures)

* When you detect and respond at this level, you are **operating directly on adversarial behaviors**, not against their tools
* For example, you are detecting Pass-the-Hash attacks themselves (perhaps by inspecting Windows logs) rather than the tools they use to carry out those attacks
* **From a pure effectiveness standpoint, this level is ideal.** If you can respond to adversary TTPs quickly enough, you force them to do the most time-consuming thing possible: **learn new behaviors**
* If you carry this to the logical extreme, what happens when you are able to do this across a wide variety of the adversary's different TTPs? You give them one of two options:
  * Give up
  * Reinvent
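The Pass-the-Hash case mentioned above, worked as detection logic over Windows Security log events. This is an added example and not part of the original notes. The field names follow Security event 4624 (successful logon); the two heuristics are ones used in public community detection rules and are stated here as assumptions about what typical hash-injection tooling leaves in the logs: on the target, an NTLM network logon that negotiated no session key (KeyLength 0), and on the source, a NewCredentials logon (type 9) through the seclogo process with the Negotiate package. The events themselves are constructed.

```python
from dataclasses import dataclass

# Constructed sample of Security event 4624 records, reduced to the fields the rules need.
SAMPLE_EVENTS = [
    # Normal Kerberos network logon by a domain user: benign.
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "alice", "TargetDomainName": "CORP",
     "LogonType": 3, "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos",
     "KeyLength": 0, "IpAddress": "10.0.0.21"},
    # NTLM network logon with KeyLength 0 from a workstation: PtH-like on the target side.
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "svc-backup", "TargetDomainName": "CORP",
     "LogonType": 3, "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "KeyLength": 0, "IpAddress": "10.0.0.55"},
    # Anonymous NTLM logon: excluded (null sessions and device discovery generate these constantly).
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY",
     "LogonType": 3, "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "KeyLength": 0, "IpAddress": "10.0.0.99"},
    # Machine account: excluded (computer accounts authenticate with NTLM routinely).
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "WS07$", "TargetDomainName": "CORP",
     "LogonType": 3, "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "KeyLength": 0, "IpAddress": "10.0.0.7"},
    # NTLM logon that negotiated a 128-bit session key: ordinary NTLM, not flagged.
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "carol", "TargetDomainName": "CORP",
     "LogonType": 3, "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "KeyLength": 128, "IpAddress": "10.0.0.42"},
    # Source host: NewCredentials logon via seclogo/Negotiate. Both "runas /netonly" and
    # hash-injection tools produce this, so it is a triage lead rather than a verdict.
    {"EventID": 4624, "Computer": "WS07", "TargetUserName": "bob", "TargetDomainName": "CORP",
     "LogonType": 9, "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate",
     "KeyLength": 0, "IpAddress": "::1"},
]


@dataclass
class Finding:
    rule: str
    computer: str
    user: str
    source_ip: str


def is_target_side_pth(ev: dict) -> bool:
    """Heuristic (assumed from public detection rules): NTLM network logon with no
    negotiated session key. Legitimate NTLM logons normally report KeyLength 128."""
    user = ev["TargetUserName"]
    return (ev["EventID"] == 4624
            and ev["LogonType"] == 3
            and ev["LogonProcessName"] == "NtLmSsp"
            and ev["KeyLength"] == 0
            and user != "ANONYMOUS LOGON"
            and not user.endswith("$"))


def is_source_side_pth(ev: dict) -> bool:
    """Heuristic (assumed from public detection rules): a NewCredentials logon created
    through seclogo with Negotiate, the footprint of injecting alternate credentials."""
    return (ev["EventID"] == 4624
            and ev["LogonType"] == 9
            and ev["LogonProcessName"] == "seclogo"
            and ev["AuthenticationPackageName"] == "Negotiate")


def hunt_pass_the_hash(events: list) -> list:
    """Return one Finding per event that matches either behavioural rule."""
    findings = []
    for ev in events:
        if is_target_side_pth(ev):
            findings.append(Finding("pth-target-ntlm-nullkey", ev["Computer"],
                                    ev["TargetUserName"], ev["IpAddress"]))
        elif is_source_side_pth(ev):
            findings.append(Finding("pth-source-newcredentials", ev["Computer"],
                                    ev["TargetUserName"], ev["IpAddress"]))
    return findings


if __name__ == "__main__":
    for f in hunt_pass_the_hash(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.user} on {f.computer} from {f.source_ip}")
```

Nothing here keys on a file name, hash or tool string: swapping the tool does not change the logon records it produces, which is what makes the detection sit at the top of the pyramid. The price is false positives from legitimate NTLM and `runas /netonly` use, so the output is a hunt lead to correlate with the source host and account, not an alert on its own.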

## Attack life cycle - Cyber Kill Chain

<figure><img src="/files/4az0L0YE0sfy8EcrXhmm" alt=""><figcaption></figcaption></figure>

The Cyber Kill Chain was developed by Lockheed Martin and breaks down the different phases of a cyberattack. A threat hunter needs to understand these phases in order to hunt for the TTPs applicable to each individual phase.

### Reconnaissance

Focused on gathering intelligence about the target

* Email addresses
* Network architecture
* Patch state

Enables discovery of potentially exploitable vulnerabilities

Indicators:

* Scanning traffic
* Social engineering attempts

### Weaponization

Development and testing of a potential attack

* Exploit
* Payload

Enables an attacker to turn a vulnerability into access

**No indicators**, since this occurs on the attacker's side

### Delivery

Launch of exploit against the organization

Success depends on how strong the target's defenses are

Indicators:

* Alerts
* Increased blocked traffic levels

### Exploitation

Use of vulnerability to enable malware to run on the victim machine

Success depends on how well the exploit was designed and tested

Indicators:

* Antivirus alerts
* Process launches

### Installation

Installs the malware on the computer

May include download of second-stage malware

Indicators:

* Registry modifications
* File writes
* Suspicious data downloads

### Command and Control

Establishment of a way for the attacker to talk to the malware

Often uses legitimate protocols (DNS, HTTP, etc.) for concealment

Indicators:

* Unusual domain lookups
* Connections to unusual IPs
* Non-standard traffic types
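A worked example for the "unusual domain lookups" indicator above: a small hunt over resolver logs that scores each queried name on label length and character entropy, then flags a registered domain only when the pattern repeats. This is an added example, not part of the original course material. The log line format, the thresholds and the sample lines are constructed for the demonstration, and the registered-domain extraction is deliberately naive (last two labels); a real hunt would use a public-suffix list and a baseline of the organisation's normal query volume.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines: "<utc timestamp> <client ip> <queried name> <record type>".
# The long hex labels to tunnel.example.net mimic data encoded into subdomains.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.21 www.example.com A
2024-05-01T10:00:02Z 10.0.0.21 cdn.example.com A
2024-05-01T10:00:03Z 10.0.0.55 mail.example.org MX
2024-05-01T10:00:04Z 10.0.0.55 3f9a1c77e2b04d8e9f6a1b2c3d4e5f60718293a4b5c6d7e8.tunnel.example.net TXT
2024-05-01T10:00:05Z 10.0.0.55 a1b2c3d4e5f60718293a4b5c6d7e8f901234567890abcdef.tunnel.example.net TXT
2024-05-01T10:00:06Z 10.0.0.55 9f8e7d6c5b4a39281706f5e4d3c2b1a0ffeeddccbbaa9988.tunnel.example.net TXT
2024-05-01T10:00:07Z 10.0.0.55 0011223344556677889900aabbccddeeff10203040506070.tunnel.example.net TXT
2024-05-01T10:00:08Z 10.0.0.21 login.example.com A
2024-05-01T10:00:09Z 10.0.0.30 api.example.com A
"""

LONG_LABEL = 30       # assumed threshold: human-chosen hostname labels are rarely this long
HIGH_ENTROPY = 3.0    # assumed threshold in bits/char; dictionary-word labels sit well below it
MIN_SUSPICIOUS = 3    # flag a domain only when suspicious names repeat (one odd lookup is noise)


def parse_line(line: str) -> dict:
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking encodings score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Naive: last two labels. Good enough for the sample, wrong for multi-part suffixes."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def suspicious_reasons(qname: str, qtype: str) -> set:
    """Per-query signals. TXT to a subdomain is noisy on its own (DKIM and service
    verification records look like this), which is why the domain-level count matters."""
    subdomain_labels = qname.split(".")[:-2]
    reasons = set()
    for label in subdomain_labels:
        if len(label) >= LONG_LABEL:
            reasons.add("long-label")
        if len(label) >= 12 and shannon_entropy(label) >= HIGH_ENTROPY:
            reasons.add("high-entropy-label")
    if qtype == "TXT" and subdomain_labels:
        reasons.add("txt-to-subdomain")
    return reasons


def hunt_dns(log_text: str) -> dict:
    """Aggregate per registered domain and return only the domains worth a look."""
    stats = defaultdict(lambda: {"queries": 0, "suspicious": 0, "reasons": set(), "clients": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        entry = stats[registered_domain(ev["qname"])]
        entry["queries"] += 1
        entry["clients"].add(ev["client"])
        reasons = suspicious_reasons(ev["qname"], ev["qtype"])
        if reasons:
            entry["suspicious"] += 1
            entry["reasons"] |= reasons
    return {dom: entry for dom, entry in stats.items() if entry["suspicious"] >= MIN_SUSPICIOUS}


if __name__ == "__main__":
    for dom, entry in hunt_dns(SAMPLE_DNS_LOG).items():
        print(dom, entry["suspicious"], "of", entry["queries"], sorted(entry["reasons"]), sorted(entry["clients"]))
```

The output points at `example.net` with four suspicious lookups from a single client, which is the shape of a C2 channel hiding in DNS; the ordinary `example.com` and `example.org` traffic never reaches the repetition threshold. Pivoting from the flagged domain to the querying host and the processes making the lookups is the next hunting step.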

### Actions on Objectives

Attacker finally starts working on actual objectives of the attack

* Stealing credentials
* Data exfiltration
* Pivoting to more sensitive devices

Indicators depend on the purpose of the intrusion

* Search for unusual/anomalous activity

## MITRE ATT\&CK framework

Once a threat hunter has an idea of the overall life cycle an attacker must go through, it's time to understand the TTPs for each phase.

* The MITRE ATT\&CK Framework provides detailed descriptions of the methods by which an adversary can achieve its goals in each phase
* The Enterprise ATT\&CK Matrix lists the Tactics and Techniques in a tabular form for ease of understanding
* Tactics represent the "why" of an ATT\&CK technique or sub-technique. It is the adversary's tactical goal: the reason for performing an action. For example, an adversary may want to achieve credential access
* Techniques represent "how" an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access
* A threat hunter needs to understand the tactical goals of an attacker first and then determine the techniques leveraged by the attacker to carry out the tactical goals
* At this stage, a threat hunter can leverage the apex of the Pyramid to hunt and obtain the most value
