TTP Mapping and Its Relationship to Managing Cyber Risk

Understanding how threat actors operate is crucial to the fight against them. It’s not enough to know that they are out there and planning the next round of attacks. Security teams need to know who they are, how they do things, and what their future plans might entail. Enter TTP mapping. Its relationship to managing cyber risk is undeniable.

‘TTP’ is an acronym that stands for ‘Tactics, Techniques, and Procedures’. TTP mapping, then, is the process of gathering all relevant information about those three elements and correlating it in order to gain a better understanding of potential attacks.

3 Sources of Understanding

It’s easier to understand the value of TTP mapping if you know the basics of each element. DarkOwl, a leading open source intelligence and threat actor profiling provider, explains them:

1. Tactics – Tactics represent the underlying, broad-based goals of an attack. Sometimes those goals are understood in stages. Examples include reconnaissance, delivery, and exploitation.

2. Techniques – Techniques are the specific methods by which each tactic is achieved. For example, exploitation might be carried out by depositing malware on a targeted system.

3. Procedures – Procedures describe the specific actions a threat actor takes to carry out a technique. A threat actor might rely on phishing to gain access to an account through which he can deliver malware.

The three components of TTP work together to provide a complete picture of how a threat actor might carry out a future attack. Analysis of a threat actor’s known TTPs can help security experts anticipate what that actor might do next.

It is worth noting that threat actors tend to be repetitive in their techniques for as long as said techniques are successful. So tracking techniques is a big plus for investigators.

Moving Beyond Mere Identification

The value in TTP mapping lies in moving beyond merely identifying indicators of compromise (IOCs). IOCs have inherent value, but they can become obsolete very quickly: a file hash, domain, or IP address is cheap for an attacker to change. So instead, it’s more productive to focus on consistent adversary behaviors that tend to persist even when tools and infrastructure change.

Mapping TTPs provides behavioral insights that lend themselves very well to proactive risk management. It’s all about anticipating attack methods so that defenses can be prioritized accordingly.

Mapping Through the MITRE ATT&CK Framework

Security teams have access to a variety of sources capable of facilitating TTP mapping. DarkOwl says that one of the best is the MITRE ATT&CK framework. Through this framework, organizations have the ability to translate raw threat data into standardized TTPs. The result is better risk assessment, detection engineering, threat hunting, and incident response.

Mapping via the MITRE ATT&CK framework:

  • Generates informed threat intelligence pointing to the most relevant and dangerous adversarial behaviors.
  • Facilitates proactive threat hunting guided by known attack methods to identify early-stage and hidden threats.
  • Encourages faster incident response through easier attack pattern recognition.
  • Supports targeted containment measures based on identified attack patterns.
  • Strengthens defenses by aligning them specifically with known attacker techniques.
  • Anticipates future attacks by identifying repetitive TTPs across multiple attack campaigns.
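
As an added illustration (not part of the original article or of DarkOwl’s own tooling), the script below maps constructed, free-text procedure descriptions from three hypothetical campaigns onto real MITRE ATT&CK technique and tactic names, then reports which techniques recur across campaigns, which is where detection and defensive effort should be prioritized first. The keyword table is an assumed heuristic, and the campaign data is invented for the example.

```python
from collections import Counter

# Small subset of real MITRE ATT&CK technique IDs, each with one tactic it serves.
ATTACK = {
    "T1566": ("Phishing", "Initial Access"),
    "T1078": ("Valid Accounts", "Persistence"),
    "T1059": ("Command and Scripting Interpreter", "Execution"),
    "T1105": ("Ingress Tool Transfer", "Command and Control"),
    "T1486": ("Data Encrypted for Impact", "Impact"),
}

# Assumed keyword-to-technique heuristic (not an ATT&CK artifact); order matters.
KEYWORDS = {
    "phish": "T1566",
    "stolen credential": "T1078",
    "powershell": "T1059",
    "download": "T1105",
    "encrypt": "T1486",
}

# Constructed procedure descriptions: tools and wording differ, behaviour repeats.
CAMPAIGNS = {
    "campaign-A": ["Spear-phishing email with macro document",
                   "PowerShell stager launched from the macro",
                   "Payload downloaded from a staging server",
                   "Files encrypted on shared drives"],
    "campaign-B": ["Phishing link to a fake login page",
                   "Login with stolen credentials via VPN",
                   "Second-stage tool downloaded over HTTPS"],
    "campaign-C": ["Phishing attachment containing a loader",
                   "PowerShell script run by the loader",
                   "Files encrypted and ransom note dropped"],
}

def map_procedure(text):
    """Map one free-text procedure to a technique ID, or None if nothing matches."""
    lowered = text.lower()
    for keyword, tid in KEYWORDS.items():
        if keyword in lowered:
            return tid
    return None

def map_campaign(procedures):
    """Ordered, de-duplicated technique IDs observed in one campaign."""
    mapped = [t for t in (map_procedure(p) for p in procedures) if t]
    return list(dict.fromkeys(mapped))

def recurring_techniques(campaigns, min_campaigns=2):
    """Rank techniques by how many campaigns used them; recurring ones come first."""
    counts = Counter(tid for procs in campaigns.values() for tid in map_campaign(procs))
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(tid, ATTACK[tid][1], ATTACK[tid][0], n) for tid, n in ranked if n >= min_campaigns]

if __name__ == "__main__":
    for tid, tactic, name, n in recurring_techniques(CAMPAIGNS):
        print(f"{tid} {name} ({tactic}): seen in {n} of {len(CAMPAIGNS)} campaigns")
```

Phishing shows up in all three campaigns even though the lure changes each time, which is exactly the kind of persistent behavior the article recommends defending against rather than chasing per-campaign indicators.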

DarkOwl describes TTP mapping as a bridge between tactical defense and cyber risk understanding. The primary goal of utilizing it is to transition a reactive cybersecurity posture into a proactive one. Being proactive makes it easier to stop more attacks and mitigate the damage from those that come to fruition.

If your organization is not yet utilizing TTP mapping, you’re missing out on one of the more effective tools for understanding your cyber adversaries. Its relationship to managing cyber risk is undeniable. So what is stopping you from getting on board? Are you waiting for the next successful attack?