How the Analysis of TTPs Informs Cybersecurity

When an unknown threat is observed in the wild, researchers quickly get to work observing its behavior in real or virtual environments. They deploy event listeners, read event logs, analyze source code, and attempt various other methods of testing, observation, and post-attack inspection to produce a description of a threat’s TTPs – the tactics, techniques, and procedures used by the threat actor to complete their objectives. So in what ways do TTPs inform cybersecurity? Due to the extreme diversity in tactics and techniques, describing a threat methodology by tracing its TTPs down to the most specific details can reveal a surprising amount of information to cybersecurity analysts. Consider the range of techniques present in this list of the 10 most common types of cyber attacks:

  1. DoS and DDoS attacks – a threat actor makes a server unavailable by disruptively flooding it with inauthentic requests for service.
  2. Man-in-the-middle attacks – a threat actor intercepts and modifies communication between a client and server to suit their needs, pretending to be the client when talking to the server, and pretending to be the server when talking to the client.
  3. Phishing and spear phishing – a threat actor pretends to be a harmless entity, or even someone known personally to the victim, in order to trick them into taking actions that aid the threat actor.
  4. Drive-by attacks – a threat actor plants downloadable malware on a server where many people will unknowingly download it merely by visiting a website.
  5. Password attacks – a threat actor discovers a target’s account password by brute force, by trying a dictionary of the most frequently used passwords, or by cracking it offline from a stolen password hash.
  6. SQL injection attacks – a threat actor smuggles SQL into a database query through unsanitized input, and the database executes it.
  7. Cross-site scripting (XSS) attacks – a threat actor injects malicious script into a trusted website (or a script library it loads), and the script is executed by targets’ own web browsers when they visit the affected site.
  8. Eavesdropping attacks – a threat actor intercepts communications and extracts information about a target.
  9. Birthday attacks – with knowledge of a system’s hash function, a threat actor exploits the birthday paradox to find a second input whose hash matches that of a valid entry, so the system accepts the attacker’s data in place of the original.
  10. Malware attacks – a threat actor uses malicious software to accomplish their goals.

At this high level of abstraction, a great amount of variety is observed. Consider the last item on the list by itself – malware. The diversity in malware alone is enormous.

Once equipped with a detailed description of the methodology and TTPs of a threat actor, cybersecurity researchers can compare a new threat to similar known threats in order to establish possible identities of the actors, make more accurate hypotheses about the motives, skill, size, and complexity of a group of actors, propose routes of investigation that are more likely to produce fruitful results, and recommend strategies for defense.

Most importantly, recording the methodology of threat actors by abstracting the specific actions they take allows researchers to create a highly structured knowledge base that assists them in future analysis and defense. MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is one such knowledge base, not exclusive to a single organization or enterprise, but accessible to almost anyone in the world with an Internet connection, at no cost to the reader. By accepting contributions from the public to expand the knowledge base, ATT&CK has become the most complete and comprehensive TTP guide available today, even relied upon by several government agencies.
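The comparison described above, as an added example that is not part of the original post or of rThreat’s or MITRE’s tooling: raw observations are abstracted into ATT&CK technique IDs and the resulting set is ranked against a knowledge base of known actors. The actor profiles and the observation-to-technique mapping are constructed for illustration and describe no real group; only the technique IDs are real ATT&CK identifiers.

```python
"""Abstract observed actions into ATT&CK technique IDs, then rank a new
threat against known actor profiles by technique overlap (Jaccard).
All profiles and observations here are constructed; no real group is described."""

# Constructed: the "abstracting the specific actions" step, from a
# researcher's raw observation to the technique ID that generalizes it.
OBSERVATION_TO_TECHNIQUE = {
    "phishing email with macro-laden attachment": "T1566",  # Phishing
    "powershell launched from word.exe":          "T1059",  # Command and Scripting Interpreter
    "thousands of failed logons in minutes":      "T1110",  # Brute Force
    "files renamed with .locked extension":       "T1486",  # Data Encrypted for Impact
    "syn flood against public web server":        "T1498",  # Network Denial of Service
    "arp cache poisoning on the lan":             "T1557",  # Adversary-in-the-Middle
    "promiscuous-mode capture on a host nic":     "T1040",  # Network Sniffing
    "sql syntax in web form parameters":          "T1190",  # Exploit Public-Facing Application
}

# Constructed knowledge base: fictional actors, each a set of technique IDs.
KNOWN_ACTORS = {
    "FictionalGroup-1": {"T1566", "T1059", "T1110", "T1486"},
    "FictionalGroup-2": {"T1498"},
    "FictionalGroup-3": {"T1557", "T1040", "T1190"},
}

def abstract(observations):
    """Map observations to technique IDs; observations the knowledge base
    cannot explain are returned separately so the analyst sees the gap."""
    ids, unmapped = set(), []
    for obs in observations:
        tid = OBSERVATION_TO_TECHNIQUE.get(obs.strip().lower())
        if tid:
            ids.add(tid)
        else:
            unmapped.append(obs)
    return ids, unmapped

def jaccard(a, b):
    """Similarity of two technique sets; empty-vs-empty scores 0, not an error."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

def rank_actors(observed, knowledge_base=KNOWN_ACTORS):
    """Return (actor, similarity, shared technique IDs) sorted best-first."""
    ranked = [(name, round(jaccard(observed, ttps), 3), sorted(observed & ttps))
              for name, ttps in knowledge_base.items()]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    new_threat = ["Phishing email with macro-laden attachment",
                  "powershell launched from word.exe",
                  "files renamed with .locked extension",
                  "beacon to an unregistered domain"]  # not yet in the mapping
    ids, unmapped = abstract(new_threat)
    print("techniques:", sorted(ids), "unmapped:", unmapped)
    for actor, score, shared in rank_actors(ids):
        print(f"{actor:18} {score:.3f} shared={shared}")
```

The unmapped observation is the signal that the knowledge base needs a new entry, which is how the text says ATT&CK grows with each investigation.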

In combination with MITRE’s other models for organizing information about threats, such as its models of the attack lifecycle and the malware lifecycle, cybersecurity professionals and analysts have a uniform platform and a common language for communicating ideas. This makes it possible to collaborate on threat hunting – the practice of pursuing and investigating new, unknown threats – with greater efficiency and ease of understanding. When leaders in IT and cybersecurity can report findings in a way they all understand, the ATT&CK knowledge base grows quickly, which results in faster response and more effective defense. With each successful investigation of a new threat, the knowledge base grows larger and more valuable.

With a common platform well established, leaders in IT and cybersecurity using MITRE ATT&CK can identify the threats that matter most to them: those that pose the greatest threat to organizations in their specific industry or domain. By translating these threats into simulation packages with breach and attack simulation (BAS), security professionals can tune their security controls to prioritize defense against the threats that pose the greatest risk to organizational security and asset integrity. The rThreat platform is one such BAS service you can use to optimize security controls against specific threats. rThreat also researches new unknown threats to keep you one step ahead of zero-day attacks. If you’re interested in how rThreat can help safeguard your company from cyber threats, contact us to request a demo today.
