What Are TTPs and How Understanding Them Can Help Prevent the Next Incident
What are tactics, techniques, and procedures (TTPs)?
TTP analysis can help security teams detect and mitigate attacks by understanding the way threat actors operate. Below we define the three elements of TTPs: tactics, techniques, and procedures.
In general, tactics are types of activity that cyber criminals use to carry out an attack. For example, gaining unauthorized access to sensitive data, performing lateral movement within a network, or compromising a website.
Skills are general methods that attackers use to achieve their goals. For example, if the goal is to compromise a website, the technique might be SQL injection. Each tactic can comprise several techniques.
A procedure is a specific series of steps that cyber criminals can use to carry out an attack. To take the example of SQL injection, the procedure might involve scanning the target website for vulnerabilities, writing a SQL query that includes malicious code, and submitting it to an unsecured form on the website to gain control of the server.
How can you use TTPs analysis to defend against cybercrime?
Understanding the various combinations of TTPs is a great way to deal with cyber crime. Just follow the detailed instructions available from several research bodies, which can help you devise a response based on automated action and human verification.
For example, the MITRE ATT&CK® Matrix, helps cybersecurity teams identify and address TTPs they encounter. It defines how security staff can continuously monitor activity in IT systems, detect abnormal behavior associated with a known TTP, and stop it before it turns into a full attack. The MITRE ATT&CK Matrix can be useful both in detecting actual intrusions, and identifying actors who are in the planning or reconnaissance stages of an attack.
There are other initiatives that can help deal with new TTPs:
- Open Web Application Security Project (OWASP)—provides open research about common vulnerabilities affecting web applications, and best practices for remediating them.
- Cyber Threat Alliance (CTA)—an agreement between a large number of companies who share their knowledge of cybersecurity to create a safer environment for all.
At the same time, technologies such as user and entity behavior analytics (UEBA) and threat intelligence can complement data from these research bodies. You can leverage behavioral analysis to identify anomalous behavior, and threat intelligence feeds provide a large number of known attack patterns and threat actors, which can be used to identify TTPs in network traffic.
TTPs are essentially ‘hacking activities’, thus UEBA, which looks at activity through the lens of normal behavior, is a natural complement.
As cybercriminals continue to update their TTPs and invent new ones, security solutions must quickly discover and adapt to the new techniques. Data about TTPs is critical for day to day activity in a Security Operations Center (SOC), helping security analysts stay one step ahead of attackers.
Detecting TTPs with behavioral analytics
TTP analysis helps analysts understand how an attack occurred. However, it can be difficult to determine if the digital evidence matching a TTP is really due to malicious activity, or is just a normal operation performed by users on the network.
For example, analysts are well aware of how attackers can use account creation, screen sharing activity, and remote desktop access maliciously. However, these are routine tasks performed by corporate IT departments every day, with legitimate intent.
The tools available to SOC analysts must be good enough to distinguish between normal account creation and malicious account creation – and raise an alert only if the activity appears to be malicious. Otherwise, the solution will create a large number of false positives and overburden security teams.
Behavioral analytics uses machine learning to monitor and understand the behavior of all users and assets. It establishes a behavioral baseline, and identifies deviations from usual activity, to accurately detect malicious TTPs.
An example of behavioral analysis used to identify TTPs
Exabeam delivers a next-generation security information and event management (SIEM) platform that includes user and entity behavior analytics (UEBA) capabilities. Exabeam’s UEBA uses the TTPs defined in the MITRE ATT&CK framework to identify activity that may indicate an attack, and is able to distinguish between normal and anomalous behaviors, making it easier for security analysts to find threats.
Consider an attacker logging into a service designed to allow remote connections, such as Telnet, SSH, and VNC. Attackers will typically use this vector to penetrate the network, then move laterally to attack high-value assets.
This method is a TTP defined in the MITRE ATT&CK framework as “Remote Services”. Existing SOC tools use static correlation rules to perform TTP detection. The static correlation rule cannot determine the normal operating conditions that may be associated with a remote connection, so any remote connections that are triggered by the rule.
As a result, this rule can generate a large number of false positives, causing analysts to ignore the alerts generated by the rule. However, combining MITRE ATT&CK information with user and behavior analysis allows analysts to focus on anomalous behaviors that arise in their environment and are more likely to represent real threats.
Integrated SIEM and UEBA solution
Identifying and defending against TTPs found on your network requires aggregating data from across the enterprise, and subjecting it to behavioral analysis, which can detect anomalies compared to normal behavior of systems and user accounts.
This can be achieved by an integrated SIEM and UEBA solution. Several systems are deployed in the field which combine the breadth of data in a SIEM with the deep analytics made possible by cutting-edge UEBA engines.
One example of an integrated system is Exabeam SOC Platform. Exabeam is a full SIEM solution based on modern data lake technology. In addition, it provides the following UEBA capabilities:
- Incident detection based on behavioral analytics – Exabeam uses advanced analytics to identify abnormal and risky activity without predefined correlation rules or threat patterns. It provides meaningful alerts without requiring heavy setup and fine tuning, and with lower false positives.
- Automatic timeline creation for security incidents – Exabeam aggregates related security events into a timeline that shows a security incident, spanning multiple users, IP addresses and IT systems.
- Dynamic peer grouping – Exabeam not only performs behavioral baselining of individual entities, it also dynamically groups similar entities (such as users from the same department, or IoT devices of the same class), to analyze normal collective behavior across the entire group and detect individuals who exhibit risky behavior.
- Lateral movement detection – Exabeam detects attackers as they move through a network using different IP addresses, credentials and machines, in search of sensitive data or key assets. It ties together data from multiple sources to connect the dots and view the attacker’s journey through the network.
Related content: Learn more about Exabeam’s SIEM-integrated UEBA capabilities.
Read more in our series of guides about SIEM platforms:
- A SIEM Security Primer: Evolution and Next-Gen Capabilities
- Threat Intelligence: Threat Feeds, Tools, and Challenges
- Battling Cyber Threats Using Next-Gen SIEM and Threat Intelligence
- Threat Intelligence Feeds: Keeping Ahead of the Attacker
- How a Threat Intelligence Platform Can Help You
- 7 Open Source SIEMs: Features vs. Limitations
- SIEM Solutions: How They Work and Why You Need Them
- Combating Cyber Attacks With SOAR