Tools, Techniques, Procedures Flashcards

1
Q
A

Known as “Tools, Techniques and Procedures”, or “Tactics, Techniques, and Procedures”.

TTPs are the actions that threat actors take when conducting cyber attacks. Defenders use them to track the tactics that different threat groups use, and they let us gather intelligence to aid security operations teams. By understanding how malicious actors perform attacks, we can implement defenses to stop or slow them down.

MITRE’s ATT&CK Framework has over 260 different techniques mapped and split into 12 different categories:

Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact

We will cover TTPs in much more detail during the Incident Response Domain, but let’s take a quick look now!

2
Q

Example Walkthrough

A

Let’s go through an example. If security analysts at Organization A discover a script that is exfiltrating data, this activity will be mapped to a TTP; in this case, it is T1020. The security analysts and incident response team can then use this to work backward, identifying how the attackers gained initial access and conducted other activities such as privilege escalation and lateral movement. All of this information can be mapped as an attack path and used to fully understand the cyber attack, how successful cyber attacks have occurred, and how to prevent a similar attack in the future.

Each TTP in the MITRE ATT&CK Framework also has mitigations and detection advice. If we look at this information for T1020, we’re provided with the following:

Over time, defenders are able to build up attack paths for different incidents, and this process can potentially provide attribution to certain groups. If security analysts at Organization A observe a threat actor following a specific TTP path, they can check whether any known APTs follow the same or a similar path and, to a reasonable degree, attribute the observed attack to that group. The organization can then start implementing defenses against the other tactics and malware this group uses as a proactive measure.

3
Q

Proactive Defense

A

Instead of waiting for attacks to happen and recording the TTPs that were used, security teams can take a proactive approach and go through different TTPs, checking whether the organization has appropriate security controls and monitoring capabilities to detect and stop attackers using these known techniques. Penetration tests can be conducted along specific attack paths to see whether those paths are effective, or whether the company’s defenses detect and defend against them. MITRE has a page dedicated to listing the TTPs used by certain threat groups (https://attack.mitre.org/groups/), so if an organization determined that APT30 is likely to target them, they could go through APT30’s TTPs and ensure that defenses and monitoring capabilities are put in place.

4
Q

(Activity) Threat Actor Research

A

In this activity, you will use free intelligence sources to collect information on an advanced persistent threat (APT). This exercise is designed to develop your ability to complete research tasks and to increase your understanding of APT groups and how they operate, by investigating their associated tactics, techniques, and procedures (TTPs) and the motives behind their cyber operations.

5
Q

Challenge Scenario

A

You have joined a financial institution in Eastern Europe as a Junior Threat Intelligence Analyst. To test your knowledge of APTs and your ability to manage research projects, you have been assigned to collect information on the threat group “APT41,” which is known to target organizations operating in this industry. Below are two important resources, but you should still look for additional sources of your own:

MITRE Groups Page
FireEye Report on APT41

Don’t forget to check multiple sources to ensure that you’re submitting the right answer!
