Unparalleled TTP Intelligence

The second post in the TTP intelligence series is now live here and articulates the value of aligning defensive controls with relevant threats, with the aim of prioritizing which controls to validate next. See the third post on intelligence-led security validation here!

My worst fears have come true, and I’ve committed myself to (micro)blogging. Circle back soon for the first in a series on TTP intelligence - quick dives into the trending adversary TTPs (tactics, techniques, and procedures) that Recorded Future has observed across key source segments, and the security controls that can mitigate them.

Recorded Future provides an unparalleled source of TTP intelligence: TTPs are recognized through expert analyst tagging, automatic text recognition, and technical identification across open, closed (privileged access), and technical sources, all at the speed and scale of the Internet. This observation is informed by my interactions with Recorded Future’s clients as a technical consultant (read another way: I’m not a marketer!).

For this series, “TTPs” will usually refer to TTPs that align with the MITRE ATT&CK Framework. Again, based largely on interactions with numerous commercial, enterprise, and public sector security intelligence programs, I see the ATT&CK Framework (“ATT&CK”) providing a unique blend of:

  • A higher-level outline of the most typical phases of cyber attacks; and
  • Granular attack technique details, which allow defenders to align security controls with those techniques.

When approached with this perspective in mind, ATT&CK provides immense value for threat intelligence, hunting, and for informing risk programs (by helping identify security control gaps and prioritize controls for iterative testing and strengthening, aka control validation). Future posts will dive deeper into operationalizing the Framework from these angles.

Important notes - despite the focus on ATT&CK here, keep in mind that:

  • Frameworks are just that - guides for thought processes - and adherence to or compliance with a framework should not be a security program's end goal in itself.
  • Compliance-focused frameworks are not updated at the speed and pace of contemporary adversaries. More on all this later!

I aim to outline the techniques and controls in clear terms, with a less-technical (like me) audience in mind. Informal study of ATT&CK techniques has greatly improved my technical understanding of cyber threats, and - full disclosure - my main goal here is to further this, hopefully providing a little context and defensive value along the way.

The posts also present an opportunity - in a small way - to start filling an important intelligence gap around timely TTP intelligence. In drafting the first few posts, I noticed a clear trend: perform a web search for a few ATT&CK techniques (e.g. “T1562.001”), and you will typically find a) the technique’s MITRE ATT&CK overview page (a fantastic starting point), b) a few public vendor reports on past point-in-time incidents “mapping” to the technique, and c) maybe some public sandboxing reports for malware utilizing the technique. Virtually nowhere are there current summaries incorporating all of these (near-equally important) sourcing segments (especially for emerging/real-time adversary technique use) and at Internet-scale.

The ATT&CK Framework has grown since its release in 2015 to now include a total of more than 500 techniques and sub-techniques. How many will I cover before running out of steam? Only one way to find out!

p.s. Interested in a broader trend analysis and guidance around TTP intelligence? Check out my talk at Recorded Future’s upcoming annual intelligence summit, Predict, by registering here!

#TTP #intelligence #RecordedFuture #MITRE #attack #security #ttps #cyber #cybersecurity