What is TTP in cyber security?

The STIX TTP and Indicator components have a close and interactive relationship but each component serves its own distinct function within that relationship and within the broader STIX language.

TTPs

TTPs are “descriptive” in nature and are for characterizing the how and what of adversary behavior (what they are doing and how they are doing it). They are abstracted from specific observed instances within individual Incidents so that they may be more generally applicable in developing contextual understanding across Incidents, Campaigns and Threat Actors.

Some simple examples of TTPs:

  • characterization of a particular malware family (e.g. Poison Ivy)
  • characterization of a particular malware variant instance (e.g. a specific variant of Zotob.B discovered on a web server)
  • characterization of particular attack patterns (e.g. Subverting Environment Variable Values (CAPEC-13) for exploitation)
  • characterization of infrastructure used by attackers (e.g. IPs used for malware C2)
  • characterization of victim targeting (e.g. HR information of law firms)

Indicators

Indicators are “detective” in nature and are for specifying particular conditions that may exist to indicate the presence of a particular TTP along with relevant contextual information. Indicators are not used to characterize the particulars of any given adversary behavior, only how to detect it.

Some simple examples of Indicators:

  • specification of a pattern for a particular set of static or dynamic characteristics (file hashes, network connections, registry key values, etc.) that are unique to a particular malware family or variant instance and indicate its presence
  • specification of a pattern for a particular set of static or dynamic characteristics (e.g. specific activity patterns in logs) that indicate the execution of a particular attack pattern
  • specification of a pattern for a particular set of IP addresses used as malware C2 infrastructure

Usage guidance

Some simple examples of information you may have and guidance around which component (TTP or Indicator) you would use based on what you are looking to convey:

  • a command & control (C2) IP address
    • Create a TTP/Resources/Infrastructure entry to characterize the IP as known C2 infrastructure that can be linked to Threat Actors, Campaigns, Incidents, and other TTPs, including kill chains
    • Create an Indicator to specify detection for the IP and associate it as indicative of the TTP characterizing its use as C2 infrastructure
  • a malware file hash
    • Create a TTP entry to characterize the particular malware type and/or variant instance. This allows the particular malware to be associated with where it is observed being used (i.e. Incidents, Campaigns, Threat Actors) and what sort of vulnerabilities or weaknesses it leverages (Exploit_Target)
    • Create an Indicator to specify detection for a file with the given hash and associate it as indicative of the appropriate malware TTP entry or entries.
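The two cases above (a C2 IP and a malware hash), modelled as added example code that is not part of the STIX specification or any STIX library: each TTP entry characterizes the behavior, each Indicator carries only the observable pattern plus a reference to the TTP it is indicative of, and detection pivots from a match back to that context. The identifiers, the 192.0.2.10 address and the all-zero hash are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class TTP:
    """Descriptive: characterizes what the adversary does (infrastructure, malware)."""
    id: str
    kind: str          # assumed labels: "infrastructure" or "malware"
    title: str


@dataclass
class Indicator:
    """Detective: an observable pattern plus the TTP(s) it is indicative of."""
    id: str
    pattern: dict      # attribute -> expected value; every entry must match
    indicated_ttps: list


# Constructed TTP entries for the two cases in the guidance above
TTPS = {
    "ttp-c2-infra": TTP("ttp-c2-infra", "infrastructure", "Known C2 infrastructure"),
    "ttp-mal-x1": TTP("ttp-mal-x1", "malware", "Malware family X, variant 1"),
}

# Constructed Indicators; 192.0.2.10 is a documentation address, the hash a placeholder
INDICATORS = [
    Indicator("ind-c2-ip", {"ipv4-addr": "192.0.2.10"}, ["ttp-c2-infra"]),
    Indicator("ind-hash", {"file-sha256": "0" * 64}, ["ttp-mal-x1"]),
]


def match(observation: dict) -> list:
    """Detection step: return (indicator id, TTP title) for every Indicator
    whose pattern is fully satisfied by the observed attributes."""
    hits = []
    for ind in INDICATORS:
        if all(observation.get(k) == v for k, v in ind.pattern.items()):
            hits.extend((ind.id, TTPS[t].title) for t in ind.indicated_ttps)
    return hits


def indicators_for(ttp_id: str) -> list:
    """Context step: pivot from a TTP back to every Indicator that detects it."""
    return [ind.id for ind in INDICATORS if ttp_id in ind.indicated_ttps]


if __name__ == "__main__":
    for obs in ({"ipv4-addr": "192.0.2.10", "dst-port": 443},
                {"file-sha256": "0" * 64, "filename": "update.exe"},
                {"ipv4-addr": "198.51.100.7"}):
        print(obs, "->", match(obs))
```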

Bottom line

TTPs describe what and how an adversary acts and Indicators describe how to recognize what those actions might look like.

Using a non-cyber analogy, a specific approach to counterfeiting $100 bills can be thought of as a TTP, while the specific guidance for detecting bills produced using this approach (wrong color, bad watermark, etc.) can be thought of as Indicators.

Hopefully, when thought of this way it should be clear that each serves its own role and that you would never use one in place of the other.

TTP stands for tactics, techniques, and procedures. This is the term used by cybersecurity professionals to describe the behaviors, processes, actions, and strategies used by a threat actor to develop threats and engage in cyberattacks.

Tactics, Techniques, and Procedures Definition

Understanding an attacker’s TTPs is a key component of an information security program.

The National Institute of Standards and Technology (NIST) describes tactics as being the highest-level description of the behavior. Techniques are a more detailed description of the threat actor’s actions within the context of a tactic. Procedures are an even lower level, more detailed description of the activities within the context of a technique.

Tactics–The overall goals behind the attack and the general strategies followed by the threat actor to implement the attack. For example, the threat actor’s goal may be to infiltrate a website to steal customer credit card information.

Techniques–The method used by the threat actor to engage in the attack, such as e-skimming, Magecart, JavaScript injection attacks, or cross-site scripting (XSS).

Procedures–The step-by-step description of the attack, including the tools and methods used to orchestrate it. Cybersecurity analysts most often use an attack’s procedures to help create a profile or fingerprint for a threat actor or threat group.

Security professionals may apply TTPs to any type of attack, from traditional server-side threats like ransomware to client-side JavaScript supply chain attacks.

What are TTPs used for?

Security professionals define and analyze the tactics, techniques, and procedures of a threat actor to help them in counterintelligence efforts. TTPs can help security researchers correlate an attack to a known hacker or threat group and better understand an attack framework. TTPs help researchers focus their investigation path, identify threat source or attack vectors, define the severity of the threat, and support incident response and threat mitigation. Security professionals also use TTPs in threat modeling activities.

TTP research also goes beyond basic forensics. By identifying threat actors and groups, security researchers can ascertain relationships that may exist with other attackers. TTPs can also aid in identifying emerging threats and in developing threat and attack countermeasures.

What is a TTP example?

Some simple examples of TTPs:

  • characterization of a particular malware family (e.g. Poison Ivy)
  • characterization of a particular malware variant instance (e.g. a specific variant of Zotob.B discovered on a web server)

What is TTP in MITRE ATT&CK?

A growing body of evidence from industry, MITRE, and government experimentation confirms that collecting and filtering data based on knowledge of adversary tactics, techniques, and procedures (TTPs) is an effective method for detecting malicious activity.

What is a threat actor TTP?

In STIX terminology, an individual or group involved in malicious cyber activity is called a Threat Actor. A set of activity (Incidents) carried out by Threat Actors using specific techniques (TTPs) for some particular purpose is called a Campaign.

What is TTPs and IOCs?

Indicators of compromise (IOCs) are a losing battle for security teams as they are easily changed by the attackers. Adopting a detection strategy based on Tactics, Techniques, and Procedures (TTPs) returns power to the defender.