There’s no shortage of confusing terminology and acronyms in the cybersecurity field. Today, we’re looking at TTP. Unlike other acronyms, TTP security is not reserved for those who make a living defending against threats. It’s an acronym that everyone should know.
What is TTP in Security?
TTP stands for tactics, techniques, and procedures. This acronym describes the behavior of a threat actor in three levels – the “how,” the “what,” and the “why.”
What are Tactics in Cybersecurity?
Tactics are the high-level plans of what cybercriminals plan to achieve. They are the general strategies threat actors use to gain access to systems and information. It’s the “why.” Why they are trying a technique and what the attack will achieve.
Why do they want access in the first place? A few examples might be:
- To gather your personal data to sell on the Dark Web.
- To remove your access to important resources to damage your finances or reputation. To use your confidential information for fraud, espionage, blackmail, etc.
What Are Techniques in Cybersecurity?
Techniques are the intermediate methods or tools a cybercriminal uses to breach your defenses. They provide a more detailed description in the context of the tactic. It answers the “what” of their behavior.
They correspond to the major cyber threats, such as:
- Malware
- Tailgating
- Phishing
- Spear phishing
- DDoS attack
- Brute force attacks
- Man-in-the-middle attack
What Are Procedures in Cybersecurity?
Procedures are the lower-level, highly detailed steps cybercriminals follow to achieve their goals. It describes “how” they will achieve their desired result.
The steps may correspond to specific software vulnerabilities. An example of this type of exploitation is the Microsoft Exchange server elevation of privilege vulnerability. Another procedure might detail how they will take advantage of the gaps in your defenses.
MITRE is a not-for-profit organization that provides a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. They report collecting and filtering data based on TTPs – which is an effective method for detecting malicious activity.
“This approach is effective because the technology on which adversaries operate (e.g., Microsoft Windows) constrains the number and types of techniques they can use to accomplish their goals post-compromise,” explains MITRE.
What is TTP Hunting?
In the world of cybersecurity being proactive is a must to stay ahead of threat actors. Traditional security solutions involve firewalls, endpoint detection, SIEMs, etc. To get ahead, proactive tactics are used.
Cyber threat hunting involves security analysts looking for potential cyber attacks by searching through networks or datasets to detect and respond to threats that avoid traditional security solutions.
Once identified, a security plan is created to protect against them. Their manual labor helps to develop auto alerts.
TTP hunting is a form of cyber threat hunting. Analysts focus on threat actor behaviors, attack patterns, and techniques. This process assists in predicting attacks by evaluating the trends of past cyber attacks to identify potential sources.
Tactics, Techniques, and Procedures (TTP) vs Indicators of Compromise (IoC)
TTPs shouldn’t be confused with Indicators of Compromise (IoC). TTPs describe what threat actors do and how they will do it. This offers the opportunity to proactively develop contextual understanding across incidents, threat actors, and campaigns.
TTPs define instances such as victim targeting (e.g., HR representatives of finance companies), attack patterns, and much more.
IoCs are reactive in nature. They are the breadcrumbs cybersecurity professionals see on a network or operating system that indicates an intrusion is occurring. They provide the opportunity for detection early in an attack sequence.
If cybercriminals were bank robbers, TTPs would be the strategies used to get inside the vault. IoCs are the things you can see that indicate they are there – such as a smashed lock or missing money.
Let’s demonstrate the difference between IoCs and TTPs during a phishing attack – where their goal is to steal login credentials.
When detected, IoCs begin incident response activities to protect valuable systems from threat actors. TTPs give the security team the information they need to protect all possible attack paths.
Should SMBs Study TTP's?
Small and medium-sized businesses (SMBs) rarely employ a cybersecurity team. That’s because they often need to be larger to dedicate resources to studying current and emerging TTPs.
Instead, TTP security methods should be outsourced to a managed security service provider (MSSP). They can provide you with threat intelligence and threat detection services.
You will profit from a partnership with an experienced MSSP if you have yet to implement beginning-to-end strategies to improve your cybersecurity defenses. Use its experience to implement cybersecurity best practices, such as:
Multi-factor authentication (MFA):
Many TTPs used by today’s cybercriminals target weak authentication and login mechanisms. MFA strengthens the authentication process by adding one or more extra layers of protection. This can block as much as 99.9 percent of identity attacks.
Cybersecurity awareness training:
People remain the weakest link in the cybersecurity chain. This is because their actions can sabotage even the most well thought out policies and controls. Cybersecurity awareness training can strengthen this link and make it less likely to break.
Endpoint protection:
The abundance of the hybrid work model led to an explosion of endpoints (laptops, tablets, smartphones, etc.). Each of which represent a possible attack path. Modern endpoint protection solutions help discover and defend these endpoints – regardless of where they’re physically located.
If your business is not considering outsourcing, you must ensure that you have the essential cybersecurity solutions in place.
Use this free guide to boost your small business’s cybersecurity resilience.
Discover 16 essential cybersecurity controls your small business needs to reduce risk and avoid costly damages associated with a cyberattack.
