Do you ever wonder how cybersecurity teams can narrow down and identify the origin of a specific attack on an organization? To be clear, it is not as straightforward as a physical investigation of a live physical attack, where law enforcement can search for a biological fingerprint and find a matching profile. But the idea is similar. Cybersecurity teams use what is known as Tactics, Techniques, and Procedures (TTP) as a method of fingerprinting the behaviors and start-to-end strategies that adversaries use to launch a cyber-attack, resulting in the compromise of the confidentiality, integrity, and/or availability of an organization’s assets. With the evolving threat landscape, as adversaries deploy various attack vectors, it is imperative to understand their unique TTP to enhance an organization’s identification and mitigation efforts against such attacks.
The Three Components of TTP
Tactics are the start-to-end blueprint of how adversaries gain unauthorized access into an organization, whether it be their network or the physical perimeter of a building. One can refer to the columns of the MITRE ATT&CK Matrix for Enterprise to view common tactics used by an adversary during the life cycle of an attack, from reconnaissance, privilege escalation, lateral movement, and command and control, to impact.
Techniques are the general methods and tools used by a threat actor to compromise the confidentiality, integrity, or availability of a system or information. The rows of the MITRE ATT&CK Matrix for Enterprise illustrate the specific actions an adversary takes to achieve a tactical objective. For instance, techniques may include active scanning, phishing, brute force, internal spearphishing, service stop, etc.
Procedures are the detailed step-by-step description of how an adversary would orchestrate and execute a technique. You might not be aware of this, but beyond the tactics and techniques listed on the MITRE ATT&CK Matrix for Enterprise are individualized examples of procedures drawn from prior known attacks. Having a database of known attacks is helpful to any incident response or blue team in configuring their tools to detect previous attack behaviors and alert on them before those tactics and techniques are successfully executed.
Why are TTPs so important?
Relying on existing cybersecurity detection and response tools or firewalls is no longer enough to detect and respond to motivated threat actors like Advanced Persistent Threats (APT). While many adversaries are motivated by extorting money, a growing percentage of nation-state-sponsored attacks are emerging. As we enter an era of digital transformation, the landscape of warfare is transitioning towards cyberwar instead of physical combat. Thus, understanding how an adversary is associated with a specific nation, and the TTP behavior of that adversary, will help narrow down and pinpoint the origin of an attack. For instance, specific adversary groups may leave behind artifacts such as their native spoken language within malicious code, pointing to a particular region of origin. Of course, there is no clear-cut answer to defining where a specific attack originates from, but understanding an adversary’s TTP patterns will significantly diminish the probability of a successful attack. Lastly, integrating TTP patterns into behavior-based detection within a security team will enable both blue and red teams to refine and refresh their existing security measures to combat motivated APT attacks.
TTP Sources
Now that we have established the importance of TTPs, you might ask how a cybersecurity team can identify and implement these tactics, techniques, and procedures. A few places to search for these TTPs include:
Telemetry is the aggregated data from endpoint devices across one’s network, which may include but is not limited to connection attempts, traffic, and downloads. Security teams may use internal telemetry collected from within an organization’s network to discover trends and malicious foreign behavior. Additionally, security teams may leverage vendor-aggregated telemetry data to identify malicious behavior on networks outside your organization. This form of intelligence may be especially useful to fine-tune your security measures before the malicious activity identified in other organizations reaches yours.
Open-Source Intelligence (OSINT) is the collected information on a threat actor found on the internet. This form of intelligence is practical as it is available in large quantities and accessible as long as one has access to the internet. Additionally, open-source intelligence is typically reliable, as an active cybersecurity community continually validates it.
Honeypots are security mechanisms used as decoy systems that mimic normal computer systems and ultimately deceive threat actors. By setting up honeypots within one’s environment, an organization can understand existing threats and TTP patterns through forensic investigation. Additionally, patterns discovered on the honeypots can then be added to the blue team’s Security Information and Event Management (SIEM) solution for further threat detection and incident response on the organization’s production network.
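As an added illustration (not code from the original article) of the behavior-based detection described above, the following script turns two of the techniques named earlier, brute force and service stop, into a small SIEM-style rule run over constructed endpoint telemetry: a burst of failed logins followed by a success from the same source is flagged as brute force, and a later service stop from that same session is flagged as the chained procedure. The log format, thresholds, and sample values are assumptions made for the example; the ATT&CK technique IDs are the public ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample endpoint telemetry (not from the article): "<timestamp> <host> <event> key=value ..."
SAMPLE_LOG = """\
2024-03-01T10:00:01 web01 auth_fail user=admin src=203.0.113.5
2024-03-01T10:00:02 web01 auth_fail user=admin src=203.0.113.5
2024-03-01T10:00:03 web01 auth_fail user=admin src=203.0.113.5
2024-03-01T10:00:04 web01 auth_fail user=admin src=203.0.113.5
2024-03-01T10:00:05 web01 auth_fail user=admin src=203.0.113.5
2024-03-01T10:00:07 web01 auth_success user=admin src=203.0.113.5
2024-03-01T10:05:00 web01 service_stop user=admin src=203.0.113.5 svc=backup
2024-03-01T11:00:00 db02 auth_fail user=bob src=198.51.100.7
2024-03-01T11:30:00 db02 auth_success user=bob src=198.51.100.7
"""

FAIL_THRESHOLD = 5              # assumed: failed logins that make a burst suspicious
WINDOW = timedelta(seconds=60)  # assumed: failures must fall within this window before the success


def parse(log_text):
    """Turn each line into a dict with ts, host, event and any key=value fields."""
    events = []
    for line in log_text.splitlines():
        ts, host, event, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts), "host": host, "event": event}
        rec.update(f.split("=", 1) for f in fields)
        events.append(rec)
    return events


def detect_ttps(log_text):
    """Return (technique, host, user, src) findings in time order.

    T1110 Brute Force: >= FAIL_THRESHOLD failures for one user/source within WINDOW of a success.
    T1489 Service Stop: a service_stop from a session the brute-force rule already flagged.
    """
    findings, compromised = [], set()
    fails = defaultdict(list)  # (host, user, src) -> timestamps of failed logins
    for e in sorted(parse(log_text), key=lambda r: r["ts"]):
        key = (e["host"], e.get("user"), e.get("src"))
        if e["event"] == "auth_fail":
            fails[key].append(e["ts"])
        elif e["event"] == "auth_success":
            # only failures close enough to the success count towards the burst
            recent = [t for t in fails.pop(key, []) if e["ts"] - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                findings.append(("T1110 Brute Force", *key))
                compromised.add(key)
        elif e["event"] == "service_stop" and key in compromised:
            findings.append(("T1489 Service Stop", *key))
    return findings
```

The single failure-then-success for bob on db02 stays below the threshold and produces no finding, which is the kind of false-positive control a production rule needs before it is loaded into a SIEM.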