TTPs In Cyber Security
We all know that cybercriminals use a variety of strategies to get into a target’s network for whatever they want. The cyber security threat landscape continues to grow, and the attacks cybercriminals carry out make detection and tracking more challenging. Nowadays, cybercriminals rarely use a single attack vector. They combine different tactics and multiple techniques to achieve their objectives. Understanding these helps cyber professionals build an effective defense.
TTP stands for Tactics, Techniques and Procedures
TTPs represent the methods, or signature, of cybercriminals. They describe the behaviour pattern of cybercriminals.
TTPs comprise the three essential concepts described below:
Tactics:- Tactics refer to the beginning-to-end strategies or vectors used by cybercriminals: basically the ‘why’ and ‘what’ of the attack strategy. For example, accessing and using confidential information, gaining access to a website, or making lateral movements.
Techniques:- Techniques are the methods or tools used by cybercriminals to achieve a goal: basically the ‘how’ of the attack strategy. For example, if the goal is to steal confidential information, the technique could be phishing or email attachments.
Procedures:- Procedures are the step-by-step descriptions of how the cybercriminal plans to go about achieving the purpose. In other words, how will the general techniques be carried out in detail? Continuing with the example of information theft and phishing, the procedures could include developing a plan, installing a malware file, sending this file, and so on.
Take service unavailability as an example. If service availability is degraded, users are impacted, resulting in reputation damage and loss of business. Full availability and maximized performance are the cornerstones of digital engagement, and cybercriminals are continually developing ways to degrade, disrupt, or outright destroy data in transit or at rest.
Tactics:- Here the tactics are those that disrupt availability or compromise integrity by manipulating business and operational processes. Some of these tactics include data destruction, data encryption, defacement, resource hijacking and data manipulation, but they can also include network and application denial-of-service attacks. The purpose of a denial-of-service attack is to cause an ‘impact’ on the network or application resource of the target for various reasons.
Techniques:- In general, there are two different techniques for denial-of-service attacks: network-based floods and application-level attacks. Network denial-of-service attacks are designed to degrade or disrupt resources by flooding the available capacity of the network and denying access to legitimate users by blocking their internet access. Application denial-of-service attacks are designed to exhaust or remove service resources of applications, servers or network devices and impact the availability of the service.
Procedures:- The procedures for a denial-of-service attack are the steps taken by the attacker to target a victim and cause a desired impact on the network or application. In the case of a botnet-based, distributed denial-of-service network flood, this could include actions such as network reconnaissance, spreading malware in the form of IoT bots, renting an off-the-shelf attack platform such as a booter/stresser service, and more.
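As an added example (not part of the original article), the sketch below shows how a defender could tell the two denial-of-service techniques apart from telemetry: a network flood shows up as an exhausted link, while an application-level attack shows up as failing or slow requests on a link that still has headroom. The link capacity, window size, thresholds and all sample records are constructed assumptions.

```python
from collections import defaultdict

# All values below are assumptions for illustration, not vendor guidance.
LINK_CAPACITY_BPS = 1_000_000_000   # assumed 1 Gbit/s uplink
WINDOW_S = 10                       # bucket size in seconds
FLOOD_UTIL = 0.9                    # link >= 90% full => capacity exhausted
APP_FAIL_RATIO = 0.5                # >= 50% of requests failing or slow
SLOW_MS = 5000                      # a request slower than this counts as failed

# Constructed flow-export samples: (epoch_second, bytes_on_wire)
FLOWS = [(1, 60_000_000), (7, 40_000_000),
         (12, 700_000_000), (16, 500_000_000),
         (23, 50_000_000)]
# Constructed access-log samples: (epoch_second, http_status, latency_ms)
REQUESTS = [(2, 200, 40), (4, 200, 55), (8, 200, 38), (9, 304, 20),
            (21, 503, 9000), (24, 200, 8200), (26, 503, 9500), (28, 200, 60)]

def classify_windows(flows, requests):
    """Label each time window as normal, network-flood or application-level."""
    wire_bytes = defaultdict(int)
    reqs = defaultdict(list)
    for ts, nbytes in flows:
        wire_bytes[ts // WINDOW_S] += nbytes
    for ts, status, latency_ms in requests:
        reqs[ts // WINDOW_S].append((status, latency_ms))

    labels = {}
    for win in sorted(set(wire_bytes) | set(reqs)):
        util = wire_bytes.get(win, 0) * 8 / (LINK_CAPACITY_BPS * WINDOW_S)
        rows = reqs.get(win, [])
        failing = sum(1 for status, ms in rows if status >= 500 or ms > SLOW_MS)
        # During a flood legitimate requests may never reach the server, so
        # the link check runs first and an empty request list is tolerated.
        fail_ratio = failing / len(rows) if rows else 0.0
        if util >= FLOOD_UTIL:
            labels[win * WINDOW_S] = "network-flood"
        elif fail_ratio >= APP_FAIL_RATIO:
            labels[win * WINDOW_S] = "application-level"
        else:
            labels[win * WINDOW_S] = "normal"
    return labels

if __name__ == "__main__":
    for start, label in classify_windows(FLOWS, REQUESTS).items():
        print(f"t={start:>3}s  {label}")
```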
TTPs Real Case Scenario:- Cyberattack on Iran by the United States in 2019
Tactic: bring down Iran’s missile and rocket launch systems in response to an American drone being brought down.
Technique: phishing, as most media outlets that have researched the case have reported.
Procedure: identify the Iranian weapon launch systems, develop the malware, infect computers via phishing, etc.
You may be wondering just where you and your security team can find them. Some common places to search for them are the following:
1. Open Source Intelligence (OSINT)
2. Scanning for threats and crawling around the internet
3. Malware analysis and processing
4. Human intelligence or closed source relations