Cybercrime has always used a wide variety of strategies to get what it wants. And, for their part, the defenders of corporate cybersecurity have adapted to these methods in an effort to stop their activity, following a strategy of cyber-resilience that, these days, is indispensable.
However, some operational patterns and structures have become standard over time. One of these are the famous Tactics, Techniques and Procedures (TTPs), which have led the way for cybercriminals, and have shown cybersecurity professionals what to look out for.
What are TTPs?_
TTPs cover three essential concepts:
1.- Tactics. Generally speaking, tactics are the vectors used by cybercriminals to carry out their activities, that is, the strategy in the most general terms. For example, accessing and using confidential information, gaining access to a website, or making lateral movements.
2.- Techniques. Techniques are the methods (not necessarily specific) that will be used by the attacker to help achieve their goal. For example, if the goal is to steal confidential information, the technique could be phishing, although each tactic can be made up of several techniques.
3.- Procedures. With procedures, we move out of the abstract and into the specific. These are the specific, preconfigured steps to be used by a cybercriminal in their efforts to ensure that they achieve their aims. Continuing with the example of information theft and phishing, the procedures could include developing a plan, installing a malware file, sending this file, and so on.
TTPs in action_
The combination of tactics, techniques and procedures can be very varied. The examples are, therefore, numerous. The following are two cases in which different TTPs were used.
1.- Attack on an online gaming platform (2018)
- Tactic: bringing down IT systems of platforms such as Steam, EA, Riot Games or the infrastructure of Microsoft Xbox.
- A distributed denial of service (DDoS) attack.
- Procedures: organizing the attack, spreading it via Twitter, recruiting new users on social networks and forums, etc.
2.- Cyberattack on Iran by the United States (2019)
- Tactic: bring down Iran’s missile and rocket launch systems in response to an American drone being brought down.
- Technique: phishing, as most media outlets that have researched the case have reported.
- Procedure: identify the Iranian weapon launch systems, develop the malware, infect computers via phishing, etc.
How can you use TTPs to defend against cybercrime?_
Knowing the different combinations of TTPs is a good way to fight cybercrime. It is enough to follow a series of properly developed guidelines that combine automatic actions with manual verification.
The ATT&CK Matrix, established by MITRE, for example, is a good procedure for advanced cybersecurity teams to be able to identify TTPs and deal with them. Firstly because this method allows them to continuously monitor activity within a company’s IT system. This way they can discover anomalous behaviors and stop them before they can go any further. In fact, thanks to this matrix, cybersecurity professionals can detect suspicious procedures, enabling them to pinpoint them before the cybercriminals’ tactics can have an effect. ATT&CK Matrix is essential in the sense that its action procedures will help us both to detect possible intrusions and to analyze the behavior of those who are trying to intrude.
There are most initiatives that can help in the fight against new TTPs. This is the case of OPSWAT or CTA: the first of these contributes to improving companies’ IT security by analyzing their defense methods, auditing them, improving them and publishing conclusions that are useful for any sector. The second of these is a treaty among a growing number of companies that share cybersecurity knowledge in order to create a more secure environment for everyone. These two organizations are reference points for companies that share cyberintelligence in order to tackle the most innovative TTPs.
On the other hand, technologies such as artificial intelligence and machine learning can also complement these cyberintelligence efforts. This way, a procedure or technique previously marked as dangerous will once against set off alarms the next time it shows up. In the same way, if cybercriminals employ new techniques, they will end up being identified and it will be possible to respond to them.
All of these ways to act have something in common: cyber-resilience. This attitude assumes that cybercrime is constantly renewing its tactics, techniques and procedures, which means that cybersecurity solutions must also adapt to the new cyberattack methods. It is of great help to Security Operations Centers (SOCs).
In this context, Cytomic Orion, our threat hunting and incident response solution, combines these two kinds of tasks to identify TTPs and stop potential cyberattacks. On the one hand, its console monitors all of the processes on the system in real time in order to detect anomalous activity and stop it as quickly as possible, thus protecting endpoints with advanced cyberdefense. On the other hand, our team of hunters goes one step further and provides added value by getting where automated processes cannot, thanks to the work of our cybersecurity professionals.
If cybercriminals are increasingly working in more diverse, organized and structured ways, the key is for institutions to do the same when it comes to protecting their corporate cybersecurity. This is the only way to ensure that they stay one step ahead of their adversaries.