Tactics, Techniques, and Procedures (TTPs) - Organization Edition

Tactics, techniques and procedures (TTPs) are the “patterns of activities or methods associated with a specific threat actor or group of threat actors.” TTPs help analysts analyse and profile threat actors, and that profiling can in turn be used to strengthen the security infrastructure of an organization.


Several bodies have published information about TTPs and best practices for remediating them, including the Open Web Application Security Project (OWASP) and the Cyber Threat Alliance (CTA). You can also read our blog post, the APT Edition on TTPs.

Tracking adversary behaviour has been a complex challenge for the cyber security industry, mainly because there wasn’t a universal classification to adhere to. In recent years, the industry has adopted the MITRE ATT&CK Framework, which aims to provide a standardized, globally-accessible knowledge base of TTPs used by attackers. It has documented over 600 TTPs based on observations from real cyber attacks. 

Additionally, TTP information can be collected from the following areas:

  • Web or open-source platforms: There is a great deal of information about TTPs on the internet. This information can be gathered and used for threat intelligence. For instance, you can discover the various methods used to steal login information, such as account names and passwords.
  • Telemetry data: Telemetry data from your systems can be gathered and analysed to learn how they are operating. For instance, you can analyse telemetry to understand the type of traffic your systems produce and the type of traffic they accept. From this you can learn whether a system has been compromised or attacked, as well as which methods and strategies were used.
  • Honeypots: Honeypot data is useful for locating security holes and vulnerabilities so you know where to strengthen your controls. It is also useful for spotting malware and ransomware activity.
  • Malware analysis: By analysing malware you can determine its source and potential effects. Analysis can also reveal actions that threat actors are likely to repeat in the future, such as contacting a specific network address, domain, or port. This information makes it easier to track adversary behaviour and identify security gaps.
  • Darknet: Darknets are used by cyber criminals to post stolen data. You can monitor them to track information that hackers are offering for sale.

How do TTPs help organizations?

You can gain insights into adversary attack behaviours and discover how particular attacks are planned by monitoring and analysing TTPs. This enables you to respond to and mitigate present and potential threats. For instance, some attackers frequently use the same TTPs throughout their attacks. You can better defend yourself against a specific attacker's recurrent attacks by being aware of their TTPs.

Whether an attack was launched against your organisation or against another, there is a lot of knowledge to be gained from studying adversary tactics and techniques. By understanding the TTPs of cyber criminals you can learn which adversary behaviours your organisation is most susceptible to, and you can spot security flaws. With this knowledge you can strengthen your threat mitigation and incident response controls, which increases your ability to withstand cyberattacks.
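As an added example of the profiling described above (this is not code from the original post): a small Python script that reads technique IDs from constructed telemetry alerts and scores them against constructed actor profiles by technique overlap, so recurring patterns can be matched to a known actor. The actor names, their technique sets and the log lines are assumptions made up for illustration; only the MITRE ATT&CK technique-ID format is real.

```python
"""Score observed telemetry against known threat-actor TTP profiles.
Added example, not code from the original post: the actor names, their
technique sets and the telemetry lines are constructed; only the
MITRE ATT&CK technique-ID format (T####) is real."""
import re
from collections import Counter

# Constructed profiles: actor -> ATT&CK technique IDs it is known to reuse.
# Real profiles would come from your threat-intelligence feeds.
ACTOR_PROFILES = {
    "ACTOR-A (constructed)": {"T1566", "T1059", "T1003", "T1021"},
    "ACTOR-B (constructed)": {"T1190", "T1505", "T1105", "T1486"},
}

# Constructed telemetry: each alert line carries the technique ID that a
# detection rule assigned to it; the last line has no tag and is ignored.
SAMPLE_TELEMETRY = """\
2024-01-05T09:12:01Z host=ws-17 rule=phishing_attachment technique=T1566
2024-01-05T09:13:44Z host=ws-17 rule=powershell_encoded technique=T1059
2024-01-05T09:20:10Z host=ws-17 rule=lsass_access technique=T1003
2024-01-05T09:31:55Z host=ws-17 rule=powershell_encoded technique=T1059
2024-01-05T09:40:02Z host=srv-02 rule=remote_file_download technique=T1105
2024-01-05T09:45:00Z host=srv-02 rule=agent_heartbeat
"""

TECHNIQUE_RE = re.compile(r"technique=(T\d{4}(?:\.\d{3})?)")

def extract_techniques(telemetry: str) -> Counter:
    """Count technique IDs per line; untagged lines are skipped, not errors."""
    return Counter(m.group(1) for line in telemetry.splitlines()
                   if (m := TECHNIQUE_RE.search(line)))

def score_actors(observed: set, profiles=ACTOR_PROFILES) -> list:
    """Rank actors by Jaccard overlap between the observed technique set and
    each profile; a higher score means the activity looks more like that
    actor's recurrent pattern. Returns [(actor, score), ...], best first."""
    ranked = []
    for actor, techniques in profiles.items():
        union = observed | techniques
        score = len(observed & techniques) / len(union) if union else 0.0
        ranked.append((actor, round(score, 2)))
    return sorted(ranked, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    counts = extract_techniques(SAMPLE_TELEMETRY)
    print("observed:", dict(counts))
    for actor, score in score_actors(set(counts)):
        print(f"{actor}: {score}")
```

The overlap score only says which known pattern the activity most resembles; an analyst still confirms attribution from the underlying evidence.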

We hope this helps. If you have any suggestions or doubts, add a comment and we will reply as soon as possible.
