TTP; "Tactics, Techniques, and Procedures"
We offer the following diagram which explains how we see the placement of TTPs in the larger context of other elements. We think it's not only important for us to draw these distinctions, but also to provide a clear understanding of what each of them means individually and how they relate to one another. Doing so provides us with additional opportunities to evaluate our detection tradecraft in different ways. Furthermore, the ways and means in which we perform our Intelligence, Detection, and Response missions can be evaluated through another set of lenses while respecting and retaining the existing models we may currently use. Finally, drawing these separate distinctions during analysis causes additional observations to surface that might not have previously been evident.
Goals are the true intentions behind the adversary's acts. They are nearly impossible to detect (directly) in an environment, but most certainly can be collected via an intelligence operation.
Strategy is where the adversary actually begins to establish one or more viable means of obtaining those goals. As a side note, some military models may account for the concept of "Campaigns" that exist in between Goals & Strategy. However, in the context of cyber, we submit that not all cyber attacks are organised into campaigns, and would offer that the majority of them (by sheer volume) are not campaign driven. Therefore, we place campaigns as merely a sub-component of strategy. If an adversary must organise multiple cyber campaigns, they are doing so as part of their broader strategy.
When combined, Goals & Strategy constitute the bulk of what the adversary wants.
Tactics refer to the art or skill of employing available means to accomplish an end. Tactics are most often observed in high level narratives like "we see the adversary compromise the victim by performing SQL injection against their public facing web server". The tactic in that statement is "SQL injection against public facing web server". It is specific, and tactical, yet does not prescribe the specific Technique, Procedure, or Tool used by the adversary, nor does it mention the resulting Artifacts or IOCs from employing the tactic. Tactics should be thought of as what the adversary is doing, often at a specific stage of an attack, without getting into the hows, the whys, and the binary bits. Because of this, Tactics are where many people naturally lump "everything else" that doesn't fit into machine readable columns and rows. Many threat reports evidence this common mistake of two-dimensional thinking between strictly Tactics and Atomic Indicators.
Techniques are the most rarely discussed, and most misunderstood of these elements. To clarify the distinctions, we must draw from Merriam-Webster and JP 1-02's literal definitions. Techniques are the way that a person performs basic physical movements or skills, but most importantly they are non-prescriptive, meaning there is no procedural sequencing with techniques. They simply describe the unique ways or methods used to perform missions, functions, or tasks specific to the actual person performing the work. For example, a given actor may have a habit of repeating a specific typo, or use a specific keyboard pattern sequence when passing a password into a command line argument. These are all techniques that are unique to this person. This person may be performing the exact same procedure as the operator sitting next to them, yet their background, skills, habits, and personal tendencies will mold their unique techniques. This may not seem immediately relevant to some, but it can mean everything to an Intelligence Analyst performing campaign analysis over a set of multiple incidents, attempting to draw out the most subtle of distinguishing factors. The key thing to remember here is that techniques apply to the individual person.
Procedures are exactly as Merriam-Webster defines, a series of actions that are done in a certain way or order, and JP 1-02 clarifies further as standard, detailed steps that prescribe how to perform specific tasks. Procedures are not observations of individual atomic indicators but the sequential observation of two or more indicators that establish a trend indicative of a procedure being performed. An example would be an adversary running net time, followed by the AT.exe command to schedule a job to kick off just one minute after the current local time of the victim system. Another example would be the adversary who consistently performs a single ping -n 1 to the target system prior to authenticating via stolen credentials over SMB via net use. Individually, these are each indicators, but when chained together they become a procedure. Combined, Tactics, Techniques, and Procedures make up what is described cumulatively as a "TTP".
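The distinction between a lone indicator and a procedure is easiest to see in detection logic. The Python below is an added example (not code from the original article) that scans constructed process-creation telemetry for the two procedures described above: `net time` followed by an `at.exe` job against the same host, and a single `ping -n 1` followed by `net use` to the same target. The event tuples, host names, user names and the five-minute window are all made up for illustration; the same commands seen out of order, against different targets, or too far apart are counted only as indicators.

```python
"""Sequence-based detection of two procedures from the text above.

Added example. The telemetry below is constructed for illustration and is
modelled loosely on process-creation events (Sysmon Event ID 1 / Windows
4688 style); it is not real log data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, host, user, command line).
SAMPLE_EVENTS = [
    ("2024-03-01T10:00:01", "WS01", "corp\\jdoe", "net time \\\\DC01"),
    ("2024-03-01T10:00:20", "WS01", "corp\\jdoe",
     "at.exe \\\\DC01 10:01 cmd /c c:\\windows\\temp\\x.bat"),
    ("2024-03-01T10:05:00", "WS02", "corp\\svc", "ping -n 1 10.0.0.25"),
    ("2024-03-01T10:05:03", "WS02", "corp\\svc",
     "net use \\\\10.0.0.25\\C$ /user:corp\\admin Passw0rd!"),
    # A lone ping and a net use 83 minutes later: two indicators, no procedure.
    ("2024-03-01T10:07:00", "WS03", "corp\\alice", "ping -n 1 10.0.0.9"),
    ("2024-03-01T11:30:00", "WS03", "corp\\alice", "net use \\\\10.0.0.9\\share"),
]

# Each procedure is an ordered list of steps; every step captures a "target"
# so that consecutive steps are only chained when they point at the same host.
# The names and the window are assumptions for this example.
PROCEDURES = {
    "net time -> at.exe job scheduling": {
        "window": timedelta(minutes=5),
        "steps": [
            re.compile(r"^net(?:\.exe)?\s+time\s+\\\\(?P<target>\S+)", re.I),
            re.compile(r"^at(?:\.exe)?\s+\\\\(?P<target>\S+)\s+\d{1,2}:\d{2}", re.I),
        ],
    },
    "single ping -> net use lateral movement": {
        "window": timedelta(minutes=5),
        "steps": [
            re.compile(r"^ping(?:\.exe)?\s+-n\s+1\s+(?P<target>\S+)", re.I),
            re.compile(r"^net(?:\.exe)?\s+use\s+\\\\(?P<target>[^\\\s]+)", re.I),
        ],
    },
}


def find_procedures(events, procedures=PROCEDURES):
    """Return (procedure name, host, user, target, [command lines]) per hit.

    Events are grouped per (host, user) so that steps from unrelated sessions
    are never chained, then scanned in time order. A candidate chain is
    abandoned as soon as the gap since its last matched step exceeds the
    procedure's window.
    """
    streams = defaultdict(list)
    for ts, host, user, cmd in events:
        streams[(host, user)].append((datetime.fromisoformat(ts), cmd))

    hits = []
    for (host, user), evs in streams.items():
        evs.sort()
        for name, proc in procedures.items():
            steps, window = proc["steps"], proc["window"]
            for i, (t0, cmd0) in enumerate(evs):
                first = steps[0].match(cmd0)
                if not first:
                    continue
                target = first.group("target")
                chain, step, last_t = [cmd0], 1, t0
                for t, cmd in evs[i + 1:]:
                    if t - last_t > window:
                        break
                    m = steps[step].match(cmd)
                    if m and m.group("target").lower() == target.lower():
                        chain.append(cmd)
                        last_t, step = t, step + 1
                        if step == len(steps):
                            hits.append((name, host, user, target, chain))
                            break
    return hits


def indicator_count(events, procedures=PROCEDURES):
    """The atomic view: how many events match *some* step on their own."""
    return sum(
        1 for _, _, _, cmd in events
        if any(step.match(cmd) for p in procedures.values() for step in p["steps"])
    )


if __name__ == "__main__":
    print("indicators:", indicator_count(SAMPLE_EVENTS))
    for name, host, user, target, chain in find_procedures(SAMPLE_EVENTS):
        print(f"{name} on {host} as {user} -> {target}: {' | '.join(chain)}")
```

On the sample data all six events match a step individually, yet only two procedures are found; the WS03 pair is dropped because the second step falls outside the window. Matching on a shared target is what keeps the chaining honest: a `ping` to one host and a `net use` to another are two indicators, not one procedure.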
Tools are exactly what you would expect. Any tool, malicious or benign, that the adversary uses to complete his or her objective falls in this element. This is not exclusive to malware, because adversaries can and do use any tool to get the job done. Tools, when combined with TTPs, constitute how the adversary plans to obtain what they want. These are the ways and means by which they will accomplish their goals and are by far the most important area for us to focus our attention and priorities on as Intelligence, Detection, and Response professionals.
What's left are the Host & Network Artifacts and Atomic Indicators which constitute the evidence left during or after the act of attempting (successfully or not) to fulfill any part of their goals. The key distinguishing factor in these elements is that they are indicators that are left behind as a result of the higher level TTPs taking place. They're the breadcrumbs on which almost all detection technology is based, so it's important not to underestimate the significant contribution of these next two levels. It's through the data collected at these next two levels that the above levels can be observed. Unfortunately, too much focus gets placed on these levels and we hyper-focus on just Artifacts and IOCs. We often fail to retain the necessary relationships and surrounding context that facilitate our understanding of the higher elements.
Host & Network Artifacts are an extremely large element that encompasses any artifact left behind at the host, network, or event data level which is indicative of a tool being used or an identified TTP. Host & Network Artifacts also contain context such as where and how they were observed, and usually include one or more atomic indicators. Examples of these could be anything from registry entries, to prefetch entries, to a mutex found in memory, to a specially crafted HTTP POST transaction for an outbound stage-1 backdoor check-in seen in network traffic. This area is huge and dominates the majority of present day focus when it comes to digital forensics and incident response. We gather this stuff and analyze it by the truckload, but often fail to draw correlations to the Tactics, Techniques, and Procedures that are sitting in plain sight.
Atomic Indicators are the lowest possible denominator of information. They represent the lowest decomposable level of information and metadata related to tool usage or an identified TTP. These are often organised by indicator-type, tuck nicely into tables and rows, and get passed around the community as "threat intelligence" though in reality it's largely contextless strings of data. Examples of these include IPs, domains, email addresses, file hashes, or even regular expression patterns that match atomic indicators.