Word Notes 11.17.20
Ep 24 | 11.17.20

tactics, techniques and procedures (TTPs) (noun)


Rick Howard: The word is: TTPs.

Rick Howard: Spelled: T as in tactics, T as in techniques, and P as in procedures.

Rick Howard: Definition: A set of behaviors that precisely describes a cyber adversary attack campaign.

Rick Howard: Example sentence: In order to understand and fight the enemy, one has to understand the TTPs the attacker uses.

Rick Howard: Context: From the original Lockheed Martin intrusion kill chain paper, the authors, Eric Hutchins, Michael Cloppert and Rohan Amin said this, "The principal goal of campaign analysis is to determine the patterns and behaviors of the intruders, their tactics, techniques and procedures." This allows network defenders to be more strategic than simply trying to block technical strikes from the latest malware, zero-day exploits or spearphishing instance. With adversary campaign analysis, network defenders can deploy defensive campaigns designed to specifically defeat the adversary's ultimate goal.

Rick Howard: The Mitre ATT&CK framework uses TTPs to describe the most complete public collection of adversary campaign behavior across the intrusion kill chain. From that viewpoint, a tactic is the "what?" What is the adversary trying to accomplish? From the Mitre ATT&CK framework perspective, the "what" is negotiating phase of the intrusion kill chain.

Rick Howard: A technique is how the adversary tries to accomplish each task. For example, for the "initial access" phase from the intrusion kill chain, the Mitre ATT&CK framework lists nine different techniques that various adversaries have tried to use to fulfill that tactic; everything from drive-by-compromise to phishing. At the time of this report, the Mitre ATT&CK framework lists just under 200 known techniques in total for all thirteen tactics. In other words, just under 200 known techniques for every phase of the intrusion kill chain.

Rick Howard: Procedures are the specific steps that the adversary executed to accomplish the technique. For example, the Mitre ATT&CK framework shows how APT19, by orchestrating a drive-by-compromise technique, performed a watering hole attack on Forbes.com in 2014.

Rick Howard: Nerd reference: During the first Gulf War in 1991, the Iraqi SCUD missile system gave the United States Air Force and Navy all kinds of trouble. The SCUDs fired from a mobile platform. They were never in the same spot twice. The Iraqi soldiers were able to fire at will long before the U.S. planes could find them and destroy them. After the war, Air Force General John Jumper changed air combat doctrine by formalizing the techniques necessary to reduce the time it takes to find and kill the enemy on the battlefield. He called it "compressing the kill chain." Instead of hours or days to find the enemy, he wanted to do it in under 10 minutes. Fast forward to 2010, researchers at Lockheed Martin revolutionized the network defender community by adopting the military kill chain model for network defense. They called it the Cyber Intrusion Kill Chain.