Tactics, techniques and procedures (TTPs) are the “patterns of activities or methods associated with a specific threat actor or group of threat actors.” TTPs help analysts analyze and profile threat actors, and the resulting profiles can in turn be used to strengthen an organization's security infrastructure.
TACTICS
Tactics are defined as a guideline describing how an attacker performs their attack from beginning to end and why the attacker is performing it. They cover the approaches used to gather information for the initial exploitation, to escalate privileges, and to establish persistent access to the system.
Threat actors can be profiled by an organisation based on the tactics they use; for instance:
- The way they gather information.
  - Some adversaries depend solely on information available on the Internet, whereas others perform social engineering or use connections inside the organization.
  - Information such as the email addresses of employees of the target organization is gathered, and the adversaries then choose how to approach the target.
  - The payload the adversaries design may stay the same across targets or may change based on the target. Thus, to understand the adversaries better, the tactics used in the early stages of an attack must be analyzed properly.
- The methods they follow for initial compromise.
  - The entry points they use while attempting to enter the target network.
- The infrastructure and tools they use to perform their attacks.
  - A sophisticated adversary may exploit several zero-day vulnerabilities, whereas less-sophisticated adversaries generally depend on publicly known vulnerabilities and open-source tools.
  - Identifying this type of tactic helps in profiling APT groups and building defensive measures in advance.
- The tactics they use in the last stage of the attack, which also aid in identifying the threat actor.
  - The methods used to cover their tracks help the target organization understand the attack campaign.
By analyzing the tactics, the target organization can create an initial
profile of the adversary. This profile helps in performing further analysis
of the techniques and procedures used by the attackers.
TECHNIQUES
Techniques are defined as the technical methods used by an attacker to
achieve intermediate results during their attack. The techniques a threat
actor follows to conduct an attack may vary, but they are mostly consistent
and can be used for profiling. Techniques can include initial exploitation,
setting up and maintaining command and control channels, accessing the
target infrastructure, and covering the tracks of data exfiltration.
Techniques can be divided into three stages and analyzed at each stage of
the threat life cycle.
Initial Stage
Techniques used in this stage need not have a technical aspect. For example,
social engineering with simple non-technical tools can be an effective way
of gathering information such as the email addresses of the target
organization's employees from publicly available resources. Purely
human-based social engineering can also be used: for example, a victim can
be tricked over a phone call into revealing their login credentials for the
target organization's internal network. Techniques of this kind let
attackers gather information about the target and help them break the first
line of defence.
Middle Stage
Techniques used in this stage mostly depend on technical tools, first for
escalating privileges on systems within the target organization's network.
The attackers use exploits for known vulnerabilities, or take advantage of
network design flaws, to gain access to other systems in the network. This
is what allows an attacker to carry out a successful attack.
In this context, the term "technique" is the set of tools and the way they
are used to obtain intermediate results during an attack campaign.
Last Stage
Techniques used in this stage can have both technical and non-technical
aspects. For example, an attacker might steal data from the network by
encrypting it, transferring it through the command and control channel and
copying it to their own system. Once the attack has been executed, the
attacker might use purely technical techniques to cover their tracks, such
as clearing log files to evade detection.
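As an added example (not part of the original post), the following Python script shows what the log-clearing technique described above looks like from the defender's side. It parses a handful of constructed Windows event records (the sample lines and the pipe-separated record format are made up for this example; the event IDs 1102, 104 and 4688 are the standard Windows IDs for "Security log cleared", "System log cleared" and "process creation") and flags both the clearing itself and the command lines that cause it, then pairs the two on the same host so an analyst sees which command erased the evidence.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data), one event per line in a
# simplified "timestamp|channel|event_id|host|user|message" form.
SAMPLE_EVENTS = r"""
2024-03-01T10:02:11Z|Security|4624|WS01|CORP\alice|An account was successfully logged on.
2024-03-01T10:05:40Z|Security|4688|WS01|CORP\alice|New Process Name: C:\Windows\System32\wevtutil.exe, Command Line: wevtutil cl Security
2024-03-01T10:05:41Z|Security|1102|WS01|CORP\alice|The audit log was cleared.
2024-03-01T10:05:42Z|System|104|WS01|CORP\alice|The System log file was cleared.
2024-03-01T10:07:00Z|Security|4688|WS02|CORP\bob|New Process Name: C:\Windows\System32\notepad.exe, Command Line: notepad.exe report.txt
2024-03-01T10:09:13Z|Security|4688|WS03|CORP\svc_backup|New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Command Line: powershell -c Clear-EventLog -LogName Application
"""

# Windows records a cleared log as event 1102 (Security) or 104 (System).
LOG_CLEARED_IDS = {("Security", "1102"), ("System", "104")}
# Command lines that clear logs: "wevtutil cl <log>" and the PowerShell cmdlets.
CLEAR_CMD = re.compile(
    r"wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog|remove-eventlog",
    re.IGNORECASE,
)


@dataclass
class Event:
    ts: datetime
    channel: str
    event_id: str
    host: str
    user: str
    message: str


@dataclass
class Finding:
    ts: datetime
    host: str
    user: str
    rule: str
    evidence: str


def parse_events(text):
    """Parse the pipe-separated sample format; the message may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, channel, eid, host, user, msg = line.split("|", 5)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            channel, eid, host, user, msg))
    return events


def detect_log_clearing(text):
    """Flag cleared-log events and process creations that run a clearing command."""
    findings = []
    for ev in parse_events(text):
        if (ev.channel, ev.event_id) in LOG_CLEARED_IDS:
            findings.append(Finding(ev.ts, ev.host, ev.user, "event_log_cleared", ev.message))
        elif ev.event_id == "4688" and CLEAR_CMD.search(ev.message):
            findings.append(Finding(ev.ts, ev.host, ev.user, "log_clear_command", ev.message))
    return findings


def correlate(findings, window=timedelta(minutes=5)):
    """Pair each cleared-log event with a clearing command seen shortly before it
    on the same host, so the report names the command that destroyed the log."""
    commands = [f for f in findings if f.rule == "log_clear_command"]
    pairs = []
    for cleared in (f for f in findings if f.rule == "event_log_cleared"):
        for cmd in commands:
            if cmd.host == cleared.host and timedelta(0) <= cleared.ts - cmd.ts <= window:
                pairs.append((cmd, cleared))
    return pairs


if __name__ == "__main__":
    found = detect_log_clearing(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.ts:%H:%M:%S} {f.host} {f.user} {f.rule}: {f.evidence}")
    for cmd, cleared in correlate(found):
        print(f"{cleared.host}: '{cmd.evidence.split('Command Line: ')[-1]}' preceded "
              f"'{cleared.evidence}' by {(cleared.ts - cmd.ts).seconds}s")
```

On the sample data the script raises four findings (the wevtutil command, the 1102 and 104 events it produced, and the Clear-EventLog command on WS03) and pairs the two cleared-log events on WS01 with the wevtutil process that caused them. The 1102 and 104 events are themselves the most reliable signal: they are written into the freshly cleared log, so they survive the clearing and are forwarded by the collector even when the attacker also deletes the process-creation record. The unmatched Clear-EventLog finding on WS03 is why the command-line rule is kept as well: the Application log has no dedicated "cleared" event in the Security channel.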
Therefore, understanding the techniques used in different stages of an
attack is essential for analyzing and creating a profile of the threat
groups effectively.
PROCEDURES
Procedures are detailed descriptions of the components used in an attack,
including the tools and practices that attackers use to orchestrate it.
A procedure is the sequence of actions a threat actor performs to execute
the different steps of an attack life cycle.
In a basic reconnaissance procedure, an attacker collects information about
the target organization: identifies key targets and collects their contact
details, identifies vulnerable systems and potential entry points into the
target network, and documents all the collected information. This
information can assist threat actors in performing spear phishing, probing
security controls to find exploitable weaknesses in the target systems, and
other tasks.
In a more extensive procedure, an attacker may execute an elaborate malware
payload which, at the time of execution, decrypts itself, evades security
monitoring controls, establishes persistence, and sets up a command and
control channel between the victim's and the attacker's systems. Such a
procedure is common, but different threat actors implement the same feature
in distinct ways, which is what makes procedures useful in forensic
investigations.
In the initial stage of an attack, such as information gathering, observing
the procedure of an APT group is difficult. However, the later stages of an
attack can leave trails that may be used to understand the procedures the
attacker followed. An understanding and proper analysis of the procedures
followed by certain threat actors helps organizations profile threat
actors.
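As an added example (not part of the original post), the following Python script shows the profiling step the text describes: comparing the techniques recovered from one intrusion against the technique sets of known actors. The actor names and their technique sets are fictional and constructed for this example; the technique labels are MITRE ATT&CK IDs, used only as a common vocabulary. The example goes one step beyond plain set overlap: a technique every known actor uses (PowerShell, HTTPS command and control) says little about who is behind an intrusion, so each technique is weighted by how few actors use it before the overlap is computed, and the observed set deliberately lacks the reconnaissance technique, which, as the text notes, is rarely visible to the victim.

```python
from collections import Counter
from math import log

# Constructed threat-actor profiles. The group names are fictional and the
# technique sets are made up for this example; the labels are MITRE ATT&CK IDs.
KNOWN_ACTORS = {
    "ACTOR-ALPHA": {
        "T1589.002",  # Gather Victim Identity Information: Email Addresses
        "T1566.001",  # Phishing: Spearphishing Attachment
        "T1204.002",  # User Execution: Malicious File
        "T1059.001",  # Command and Scripting Interpreter: PowerShell
        "T1547.001",  # Boot or Logon Autostart Execution: Registry Run Keys
        "T1071.001",  # Application Layer Protocol: Web Protocols (C2)
        "T1070.001",  # Indicator Removal: Clear Windows Event Logs
    },
    "ACTOR-BRAVO": {
        "T1595",      # Active Scanning
        "T1190",      # Exploit Public-Facing Application
        "T1059.001",
        "T1003.001",  # OS Credential Dumping: LSASS Memory
        "T1021.002",  # Remote Services: SMB/Windows Admin Shares
        "T1071.001",
        "T1048",      # Exfiltration Over Alternative Protocol
    },
    "ACTOR-CHARLIE": {
        "T1598",      # Phishing for Information
        "T1078",      # Valid Accounts
        "T1059.001",
        "T1071.001",
        "T1027",      # Obfuscated Files or Information
        "T1070.001",
    },
}

# Constructed observation from one intrusion: everything from the phishing
# e-mail onward was recovered from logs, but the reconnaissance step was not.
OBSERVED_INTRUSION = {"T1566.001", "T1204.002", "T1059.001",
                      "T1547.001", "T1071.001", "T1070.001"}


def technique_weights(profiles):
    """Weight each technique by how few known actors use it: 1 + log(N / df).
    A technique shared by every profile gets weight 1.0; one unique to a single
    actor gets 1 + log(N), so it counts for more in the overlap."""
    n = len(profiles)
    df = Counter(t for techs in profiles.values() for t in techs)
    return {t: 1.0 + log(n / c) for t, c in df.items()}


def plain_jaccard(observed, techs):
    """Unweighted set overlap, for comparison."""
    union = observed | techs
    return len(observed & techs) / len(union) if union else 0.0


def weighted_jaccard(observed, techs, weights, default):
    inter = sum(weights.get(t, default) for t in observed & techs)
    union = sum(weights.get(t, default) for t in observed | techs)
    return inter / union if union else 0.0


def score_intrusion(observed, profiles=KNOWN_ACTORS):
    """Return {actor: weighted similarity}, highest first."""
    w = technique_weights(profiles)
    unseen = 1.0 + log(len(profiles))  # technique no known actor uses: treat as rare
    scores = {a: weighted_jaccard(observed, t, w, unseen) for a, t in profiles.items()}
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))


def attribute(observed, profiles=KNOWN_ACTORS, threshold=0.5):
    """Name the best-matching actor, or None when no profile is similar enough."""
    scores = score_intrusion(observed, profiles)
    best, best_score = next(iter(scores.items()))
    return (best if best_score >= threshold else None), scores


if __name__ == "__main__":
    actor, scores = attribute(OBSERVED_INTRUSION)
    for a, s in scores.items():
        plain = plain_jaccard(OBSERVED_INTRUSION, KNOWN_ACTORS[a])
        print(f"{a:14} weighted={s:.2f} plain={plain:.2f}")
    print("attribution:", actor)
    # Only commodity techniques: resembles every actor a little and none enough.
    print("commodity-only attribution:", attribute({"T1059.001", "T1071.001"})[0])
```

With the constructed data the observed intrusion scores about 0.82 against ACTOR-ALPHA, 0.21 against ACTOR-CHARLIE and 0.10 against ACTOR-BRAVO, so it is attributed to ACTOR-ALPHA even though the reconnaissance technique was never observed. A set containing only the two techniques every profile shares scores below the threshold against all three and returns no attribution, which is the behaviour a practitioner wants: shared tooling is not evidence of a particular actor. In real work the profiles would come from a threat-intelligence platform and the threshold would be tuned against past, confirmed attributions.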
To understand and defend against threat actors, it is essential to
understand the TTPs used by APT groups.