While the science of threat detection and mitigation is dynamic, there are still specific tactics, techniques and procedures (TTPs) that attackers commonly employ. Understanding what they are can help you to mount an effective defense against them.
As the name implies, there are three components to be found in the TTP category:
- Tactics. These are the general, beginning-to-end strategies that threat actors use to gain access to valuable systems and information. In other words, this is the “how” of cyber attacks. Hackers might choose to tap into confidential information or intrude into a website to accomplish their aims.
- Techniques. These are the non-specific, intermediate methods or tools that a criminal will use to compromise your information. Phishing via email attachments is just one commonly employed example.
- Procedures. These are the step-by-step descriptions of how the attacker plans to go about achieving their purpose. In other words, how will the general techniques be carried out in detail?
If your cybersecurity team has a good grasp on these three elements, attacks can be hunted down, identified and neutralized. Knowing a criminal’s tactics can help you to detect attacks at their initial stages and assist you in predicting future ones.
Knowing an adversary’s techniques can show you what your organization’s vulnerabilities are in time to put countermeasures in place. Finally, an analysis of the threat actor’s procedures can give you a glimpse into what the criminal’s ultimate goal may be.
TTP CYBER SECURITY METHODS
Conducting an analysis of TTPs can help your organization’s security team to learn specifically how criminals are going about planning and executing their operations. As a TTP goes through its life cycle, your cyber team can take the following actions:
- Upon identifying a potential attack, you can prioritize its risk level and determine if it seems similar to other incidents that your intelligence specialists already know about.
- Using this knowledge, your team can determine where to focus your investigative energies.
- You can then identify possible attack vectors.
- Armed with this intelligence, you can specify which of your systems is most likely to be the focus of the attack.
- Finally, you can defend against the threats via monitoring, mitigation and neutralization procedures.
In addition to ferreting out attacks as they are taking place, a good TTP cyber security strategy provides a rich source of intelligence, hints and facts that can be used later. These can include the following:
- Information about who criminals communicate with in chat rooms, by email and via social media. This can provide insights about other potential hackers that you should keep on your radar.
- Stories and hacker forums that contain details about the success or failure of specific infiltration techniques. Such information can be an invaluable tool as you work to review and tweak your own TTP threat intelligence security policy.
- Understanding TTPs enables you to assess immediate risk. For instance, information on a forum about a potential zero-day exploitation plan can enable you to enhance your systems and cyber tactics, thereby avoiding disaster.
- Examining log data after an incident occurred can allow you to reverse-engineer a TTP security breach, thereby furnishing you with valuable intelligence that you can use to avoid or mitigate future issues.
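As an added example of the last point (not code from the original article or from TrustNet), the following script reconstructs an attacker's procedure from a handful of constructed, syslog-style authentication lines. The log format, the step labels and the thresholds are all assumptions made for illustration; the idea is that ordering events per source turns raw log data back into the sequence of steps the intruder actually took.

```python
"""Reconstruct an attacker's procedure from authentication log lines.

Added example: the log format and the rules below are constructed for
illustration and are not tied to any particular product.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (hypothetical format: "<ts> <proc>: <msg> from <ip>").
SAMPLE_LOGS = """\
2024-03-01T09:00:01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:03 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:05 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:08 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T09:02:40 sudo: admin ran /usr/bin/tar czf /tmp/db.tgz /var/lib/db from 203.0.113.7
2024-03-01T09:03:10 sshd: Accepted publickey for deploy from 198.51.100.2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\w+): (?P<msg>.*) from (?P<ip>[\d.]+)$")

# Each rule maps a message pattern to a step label (constructed for the example).
STEP_RULES = [
    (re.compile(r"^Failed password for (\w+)"), "auth_fail"),
    (re.compile(r"^Accepted \w+ for (\w+)"), "auth_ok"),
    (re.compile(r"^(\w+) ran (.+)"), "command"),
]


def parse_events(text):
    """Turn raw log lines into sorted (timestamp, source_ip, step, detail) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not fit the format are skipped, not guessed at
        ts = datetime.fromisoformat(m["ts"])
        for pattern, step in STEP_RULES:
            sm = pattern.match(m["msg"])
            if sm:
                events.append((ts, m["ip"], step, sm.group(sm.lastindex)))
                break
    return sorted(events)


def timelines_by_source(events):
    """Group the ordered steps per source IP: this is the reconstructed procedure."""
    timeline = defaultdict(list)
    for ts, ip, step, detail in events:
        timeline[ip].append((ts, step, detail))
    return dict(timeline)


def find_bruteforce_then_access(events, min_failures=3, window_s=60):
    """Flag a source that fails repeatedly and then authenticates within the window,
    and record what it ran afterwards. Thresholds are constructed defaults."""
    findings = []
    for ip, steps in timelines_by_source(events).items():
        failures = []
        for ts, step, detail in steps:
            if step == "auth_fail":
                failures.append(ts)
            elif step == "auth_ok":
                recent = [f for f in failures if (ts - f).total_seconds() <= window_s]
                if len(recent) >= min_failures:
                    followups = [d for t, s, d in steps if s == "command" and t > ts]
                    findings.append({"source": ip, "failures": len(recent),
                                     "account": detail, "post_access": followups})
                failures = []
    return findings


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOGS)
    for ip, steps in timelines_by_source(evts).items():
        print(ip, "->", [s for _, s, _ in steps])
    for f in find_bruteforce_then_access(evts):
        print("finding:", f)
```

Run against the sample, the script prints one procedure per source and a single finding: three failed logins, a success eight seconds later, and an archive command run from the same address. That ordered sequence, rather than the individual log lines, is what gets compared against the TTPs your team already knows.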
Now that you have gained a better understanding of what TTPs are, you may be wondering just where you and your security team can find them. Identifying TTPs involves an investment of time and resources, but it definitely can be done. Some common places to search for them are the following:
- Open Source Intelligence (OSINT) refers to data to be found throughout the internet using low-cost, sharable platforms. Ideally, you should opt for one that will help you to prioritize the massive quantities of data it provides.
- Use your company’s darknets to lure attackers. These are parts of your network that have no traffic and that you are not using. For that very reason, they become attractive to criminals looking for ways to breach your defenses. Implement procedures to monitor these segments of your network for sudden changes that could signal an infiltration in progress.
- Telemetry. This is the collective name for all of the data and measurements that flow throughout your network into a receiving device. It usually consists of scanning results, uploads, downloads, traffic flow and more. Verifiable and easy to interpret by skilled security personnel, this data can help with immediate incident detection.
- Scanning for threats and crawling around the internet to catalog information that can be analyzed and categorized. This low-cost, information-rich strategy is a slow but effective and proactive threat intelligence tool.
- Malware analysis and processing. Usually conducted by large security organizations, this involves testing out the most recent iterations of malicious code programs. By utilizing this procedure, anti-virus software and other security developers can react quickly to the newest iterations in cyber crime.
- Human intelligence or closed source relations. This method involves undercover “spying” techniques that security operatives use to gain access to closed forums, servers and communities.
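To make the darknet monitoring point above concrete, here is an added example (not code from the original article or from TrustNet) that watches a set of unused internal address ranges for any traffic at all. The ranges, the flow records and the alert threshold are constructed assumptions; the logic generalizes to any flow export you already collect, since the only rule is that nothing legitimate should ever talk to those segments.

```python
"""Flag traffic into unused ("dark") internal segments.

Added example: the address ranges, flow records and threshold are
constructed for illustration.
"""
import ipaddress
from collections import Counter, defaultdict

# Unused internal segments (constructed example ranges). Nothing legitimate
# lives here, so any packet addressed to them deserves a look.
DARK_RANGES = [ipaddress.ip_network(n) for n in ("10.50.0.0/16", "192.168.200.0/24")]

# Constructed flow records: (timestamp, src, dst, dst_port, proto)
SAMPLE_FLOWS = [
    ("2024-03-01T10:00:00", "10.1.4.20", "10.1.4.1", 53, "udp"),
    ("2024-03-01T10:00:02", "10.1.4.20", "10.50.3.9", 445, "tcp"),
    ("2024-03-01T10:00:02", "10.1.4.20", "10.50.3.10", 445, "tcp"),
    ("2024-03-01T10:00:03", "10.1.4.20", "10.50.3.11", 445, "tcp"),
    ("2024-03-01T10:00:03", "10.1.4.20", "10.50.3.12", 445, "tcp"),
    ("2024-03-01T10:00:09", "10.1.7.5", "192.168.200.77", 22, "tcp"),
    ("2024-03-01T10:00:15", "10.1.7.5", "10.1.9.8", 443, "tcp"),
]


def is_dark(addr, ranges=DARK_RANGES):
    """True when the address falls inside one of the unused segments."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)


def dark_flows(flows, ranges=DARK_RANGES):
    """Return only the flows whose destination is in an unused segment."""
    return [f for f in flows if is_dark(f[2], ranges)]


def summarize_by_source(flows, ranges=DARK_RANGES):
    """Per source: how many distinct dark hosts it touched and on which ports.
    Many distinct dark hosts from one source is the usual sign of a sweep."""
    hosts = defaultdict(set)
    ports = defaultdict(Counter)
    for ts, src, dst, port, proto in dark_flows(flows, ranges):
        hosts[src].add(dst)
        ports[src][port] += 1
    return {src: {"dark_hosts": len(hosts[src]), "ports": dict(ports[src])}
            for src in hosts}


def alerts(flows, ranges=DARK_RANGES, host_threshold=3):
    """High severity for a source touching at least host_threshold dark hosts,
    medium for any other contact with a dark segment (threshold is constructed)."""
    out = []
    for src, s in summarize_by_source(flows, ranges).items():
        sev = "high" if s["dark_hosts"] >= host_threshold else "medium"
        out.append({"source": src, "severity": sev, **s})
    return sorted(out, key=lambda a: a["source"])


if __name__ == "__main__":
    for a in alerts(SAMPLE_FLOWS):
        print(a)
```

On the sample data the first source sweeps four dark hosts on port 445 within two seconds and is rated high, while the second touches a single dark address and is rated medium; the ordinary DNS and HTTPS flows never appear. Feeding the same functions your real flow export gives you the "sudden change" signal the article describes, with a baseline of exactly zero.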
In today’s era of sophisticated technology, lucrative data can easily lead to hauls in the six figures for computer hackers. At TrustNet, we believe that it is vital that companies of all sizes constantly perform a complex set of automated and human-driven actions to protect their resources.
Mounting a cyber security defense that considers TTPs can help your company to gain the upper hand against a wide array of threats.