Tactics, techniques and procedures (TTPs)

Tools

The next level is labeled "Tools" and is yellow

At this level, we are taking away the adversary's ability to use one or more of the specific arrows in their quiver

  • This typically occurs when we've effectively detected the artifacts of their tool in so many ways that the attacker gave up and had to either find or create a new tool for the same purpose

  • This is a big win for us, because now attackers must invest time researching (finding an existing tool that has the same capabilities), developing (creating a new tool, if they are able) and training (figuring out how to use the tool and becoming proficient with it)

  • You cost them dedicated time, especially if you can do this across several of the attacker's tools

  • Examples of indicators of tools might include AV or YARA signatures, if they are able to find variations of the same files even with moderate changes

  • Network-aware tools with a distinctive communication protocol may also fit this level, where changing the protocol would require substantial rewrites to the original tool

  • Fuzzy hashes are likely in this level as well

TTPs

The last indicator at the apex is TTPs (Tactics, Techniques and Procedures)

  • When you detect and respond at this level, you are operating directly on adversarial behaviors, not against their tools

  • For example, you are detecting Pass-the-Hash attacks themselves (perhaps by inspecting Windows logs) rather than the tools they use to carry out those attacks

  • From a pure effectiveness standpoint, this level is ideal. If you can respond to adversary TTPs quickly enough, you force them to do the most time-consuming thing possible: learn new behaviors

  • If you carry this to the logical extreme, what happens when you are able to do this across a wide variety of the adversary's different TTPs? You give them one of two options:

    • Give up

    • Reinvent
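
The Pass-the-Hash example above is the classic illustration of hunting at the apex: the hunt keys on the authentication behaviour that the technique leaves in the Windows Security log, so swapping tools does not help the adversary. The following script is an added example (not part of the original notes): it applies two widely published Pass-the-Hash heuristics to a constructed, simplified key=value rendering of Event ID 4624 records (an assumption; a real EVTX or SIEM export has a different field layout) and tags each hit with the ATT&CK technique ID T1550.002. Both heuristics are known to produce noise (legitimate NTLM network logons, some backup or monitoring agents), so the output is a set of leads to triage, not a verdict.

```python
"""Hunt Pass-the-Hash at the TTP level by inspecting logon events, not tools.

Added example. The events below are constructed for illustration; the
key=value layout is a simplified rendering of Event ID 4624, not a real
EVTX export.
"""
import re
from dataclasses import dataclass

# Constructed sample of Security log records (simplified key=value form).
SAMPLE_EVENTS = """\
EventID=4624 LogonType=3 AuthPackage=NTLM LogonProcess=NtLmSsp KeyLength=128 TargetUser=alice TargetDomain=CORP Workstation=WS01 SrcIP=10.0.0.5
EventID=4624 LogonType=3 AuthPackage=NTLM LogonProcess=NtLmSsp KeyLength=0 TargetUser=svc_backup TargetDomain=CORP Workstation=WS17 SrcIP=10.0.0.77
EventID=4624 LogonType=3 AuthPackage=NTLM LogonProcess=NtLmSsp KeyLength=0 TargetUser=ANONYMOUS LOGON TargetDomain=NT AUTHORITY Workstation=- SrcIP=10.0.0.9
EventID=4624 LogonType=9 AuthPackage=Negotiate LogonProcess=seclogo KeyLength=0 TargetUser=bob TargetDomain=CORP Workstation=WS02 SrcIP=127.0.0.1
EventID=4624 LogonType=2 AuthPackage=Kerberos LogonProcess=Kerberos KeyLength=0 TargetUser=carol TargetDomain=CORP Workstation=WS03 SrcIP=-
EventID=4624 LogonType=3 AuthPackage=NTLM LogonProcess=NtLmSsp KeyLength=0 TargetUser=WS05$ TargetDomain=CORP Workstation=WS05 SrcIP=10.0.0.50
"""

# Lazy value match so that values containing spaces ("ANONYMOUS LOGON",
# "NT AUTHORITY") are kept whole; a value ends where the next key= begins.
_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Hit:
    rule: str
    user: str
    source: str
    technique: str = "T1550.002"  # ATT&CK: Use Alternate Authentication Material: Pass the Hash


def parse_event(line: str) -> dict:
    """Turn one key=value record into a dict."""
    return dict(_PAIR.findall(line))


def is_machine_or_anonymous(user: str) -> bool:
    """Computer accounts (trailing $) and ANONYMOUS LOGON are expected NTLM noise."""
    return user.endswith("$") or user.upper() == "ANONYMOUS LOGON"


def hunt_pass_the_hash(text: str) -> list:
    """Return Hit records for events matching either Pass-the-Hash heuristic."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        user = ev.get("TargetUser", "")
        if is_machine_or_anonymous(user):
            continue
        # Heuristic 1: NTLM network logon with a zero key length, i.e. the session
        # was established without the normal NTLM session security negotiation.
        if (ev.get("LogonType") == "3" and ev.get("AuthPackage") == "NTLM"
                and ev.get("LogonProcess") == "NtLmSsp" and ev.get("KeyLength") == "0"):
            hits.append(Hit("ntlm_network_logon_keylength0", user, ev.get("SrcIP", "")))
        # Heuristic 2: NewCredentials (type 9) logon from the "seclogo" logon
        # process, the footprint of an in-memory credential swap on the host.
        elif (ev.get("LogonType") == "9" and ev.get("LogonProcess") == "seclogo"
                and ev.get("AuthPackage") == "Negotiate"):
            hits.append(Hit("newcredentials_seclogo_logon", user, ev.get("Workstation", "")))
    return hits


if __name__ == "__main__":
    for hit in hunt_pass_the_hash(SAMPLE_EVENTS):
        print(f"{hit.technique} {hit.rule}: user={hit.user} from={hit.source}")
```

Of the six constructed records, only two survive the filters: the svc_backup NTLM network logon with KeyLength=0 and the seclogo NewCredentials logon for bob. The Kerberos logon, the NTLM logon that negotiated a 128-bit session key, the ANONYMOUS LOGON and the machine-account logon are all dropped, which is exactly the triage a hunter would otherwise do by hand.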

Attack life cycle - Cyber Kill Chain

The Cyber Kill Chain was developed by Lockheed Martin and breaks down the different phases of a cyberattack. A threat hunter needs to understand these phases to hunt for TTPs applicable to the individual phases

Reconnaissance

Focused on gathering intelligence about the target

  • Email addresses

  • Network architecture

  • Patch state

Enables discovery of potentially exploitable vulnerabilities

Indicators:

  • Scanning traffic

  • Social engineering attempts

Weaponization

Development and testing of a potential attack

  • Exploit

  • Payload

Enables an attacker to turn a vulnerability into access

No indicators, since this occurs on the attacker's side

Delivery

Launch of exploit against the organization

Success depends on how strong the target's defenses are

Indicators

  • Alerts

  • Increased blocked traffic levels

Exploitation

Use of vulnerability to enable malware to run on the victim machine

Success depends on how well the exploit was designed and tested

Indicators

  • Antivirus alerts

  • Process launches

Installation

Installs the malware on the computer

May include download of second-stage malware

Indicators

  • Registry modifications

  • File writes

  • Suspicious data downloads

Command and Control

Establishment of a way for the attacker to talk to the malware

Often uses legitimate protocols (DNS, HTTP, etc.) for concealment

Indicators

  • Unusual domain lookups

  • Connections to unusual IPs

  • Non-standard traffic types
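
Two of the Command and Control indicators listed above, unusual domain lookups and connections to unusual IPs, can be hunted as behaviours rather than as known-bad addresses. The script below is an added example (not part of the original notes) that works on constructed, simplified connection and DNS records (an assumption; real Zeek, firewall or DNS-server logs need their own parsers). It flags source/destination pairs whose connection intervals are suspiciously regular, the beaconing pattern of an implant checking in, and hostnames whose leftmost label has the high character entropy typical of algorithmically generated names. Both are heuristics with known noise (NTP, update agents and CDN hostnames all trip them), so thresholds are parameters rather than constants.

```python
"""Hunt C2 behaviour in connection and DNS records: beaconing and DGA-like names.

Added example. All records below are constructed; the IP addresses come from
the documentation ranges and the hostnames use reserved example domains.
"""
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed connection records: one beaconing pair (every ~60s) and one
# pair with irregular, human-driven timing.
CONN_LOG = """\
ts=1700000000 src=10.0.0.23 dst=203.0.113.10 dport=443
ts=1700000005 src=10.0.0.23 dst=198.51.100.5 dport=443
ts=1700000060 src=10.0.0.23 dst=203.0.113.10 dport=443
ts=1700000119 src=10.0.0.23 dst=203.0.113.10 dport=443
ts=1700000180 src=10.0.0.23 dst=203.0.113.10 dport=443
ts=1700000240 src=10.0.0.23 dst=203.0.113.10 dport=443
ts=1700000300 src=10.0.0.23 dst=203.0.113.10 dport=443
ts=1700000361 src=10.0.0.23 dst=203.0.113.10 dport=443
ts=1700000420 src=10.0.0.23 dst=203.0.113.10 dport=443
ts=1700000700 src=10.0.0.23 dst=198.51.100.5 dport=443
ts=1700000730 src=10.0.0.23 dst=198.51.100.5 dport=443
ts=1700002000 src=10.0.0.23 dst=198.51.100.5 dport=443
ts=1700002015 src=10.0.0.23 dst=198.51.100.5 dport=443
ts=1700002100 src=10.0.0.24 dst=192.0.2.8 dport=53
ts=1700002160 src=10.0.0.24 dst=192.0.2.8 dport=53
"""

# Constructed DNS query names: ordinary names plus one DGA-looking label.
DNS_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn-assets-prod.example.com",
    "x7qk3nf9pz2w4lt8.example.net",
]


def parse_conn(text: str) -> list:
    """Parse key=value connection records into (ts, src, dst, dport) tuples."""
    rows = []
    for line in text.splitlines():
        f = dict(tok.split("=", 1) for tok in line.split())
        rows.append((int(f["ts"]), f["src"], f["dst"], f["dport"]))
    return rows


def beacon_candidates(text: str, min_count: int = 6, max_cv: float = 0.1) -> list:
    """Pairs with at least min_count connections whose inter-arrival times have a
    coefficient of variation (stdev / mean) at or below max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in parse_conn(text):
        by_pair[(src, dst, dport)].append(ts)
    found = []
    for (src, dst, dport), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu == 0:
            continue  # burst at a single timestamp, not a beacon
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            found.append({"src": src, "dst": dst, "dport": dport, "count": len(stamps),
                          "mean_interval": round(mu, 1), "cv": round(cv, 3)})
    return found


def label_entropy(hostname: str) -> float:
    """Shannon entropy (bits per character) of the leftmost DNS label."""
    label = hostname.split(".")[0]
    counts = Counter(label)
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values()) if n else 0.0


def unusual_lookups(names: list, min_entropy: float = 3.5, min_len: int = 12) -> list:
    """Names whose first label is both long and high-entropy."""
    return [h for h in names
            if len(h.split(".")[0]) >= min_len and label_entropy(h) >= min_entropy]


if __name__ == "__main__":
    for b in beacon_candidates(CONN_LOG):
        print("beacon candidate:", b)
    for h in unusual_lookups(DNS_QUERIES):
        print(f"high-entropy lookup: {h} ({label_entropy(h):.2f} bits/char)")
```

The beaconing test deliberately requires several samples before it judges regularity; a pair seen twice sixty seconds apart (the 10.0.0.24 records) is not enough evidence. The entropy test is a length-and-entropy gate rather than entropy alone, so short ordinary labels such as mail are not flagged, and the hyphenated cdn-assets-prod label lands just under the threshold.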

Actions on Objectives

Attacker finally starts working on actual objectives of the attack

  • Stealing credentials

  • Data exfiltration

  • Pivoting to more sensitive devices

Indicators depend on the purpose of the intrusion

  • Search for unusual/anomalous activity

MITRE ATT&CK framework

Once a threat hunter has an idea of the overall life cycle an attacker must go through, it's time to understand the TTPs for each phase

  • The MITRE ATT&CK Framework provides detailed descriptions of the methods by which an adversary can achieve its goals in each phase

  • The Enterprise ATT&CK Matrix lists the Tactics and Techniques in a tabular form for ease of understanding

  • Tactics represent the "why" of an ATT&CK technique or sub-technique. It is the adversary's tactical goal: the reason for performing an action. For example, an adversary may want to achieve credential access

  • Techniques represent "how" an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access

  • A threat hunter needs to understand the tactical goals of an attacker first and then determine the techniques leveraged by the attacker to carry out the tactical goals

  • At this stage, a threat hunter can leverage the apex of the Pyramid to hunt and obtain the most value
