
How TTP Mapping Moves Beyond Simple Indicators of Compromise

When I first began writing about cybersecurity, corporate network defense was rooted primarily in identifying and studying Indicators of Compromise (IOCs).

Security teams loaded their firewalls and endpoint detection systems with static lists of known data points: malicious file hashes, rogue domains, malicious IP addresses, and so on. Blocking known-bad artifacts was cheap, fast, and, against attackers who reused their infrastructure, reasonably effective.

What has changed since then? A lot, including the reality that IOC-driven defense on its own is no longer enough.

The modern cybersecurity ecosystem moves at an unprecedented pace. Threat actors automate their infrastructure, so a blocked hash, domain, or IP address can be replaced in minutes, often without the operator changing anything about how the intrusion itself is carried out. So in the drive to construct lasting resilience, security teams must focus less on what an attacker uses and more on how they behave. Enter TTP mapping.

TTP: The Blueprint of an Attack

‘TTP’ is an acronym that stands for ‘Tactics, Techniques, and Procedures’. The data intelligence experts at DarkOwl say it represents the behavioral DNA of a cyberattack. When an analyst or a TTP-oriented platform examines an attack, the specific digital weapon deployed (the binary, the domain, the address) matters less than the operational tradecraft of the person behind it: which systems were touched, in what order, with what tooling and commands.


Doing so gives security analysts a blueprint they can follow. The complete blueprint is composed of data relating to the three layers of the TTP model:

  • Tactics – Tactics represent the high-level operational objectives of the attacker in question. A tactic is the ‘why’ behind a given action. An attacker might want to gain initial access (ATT&CK tactic TA0001), move laterally (TA0008), or exfiltrate data (TA0010).
  • Techniques – Techniques represent the methods threat actors use to achieve their tactical objectives. If initial access is the goal, the technique might be exploiting a vulnerable public-facing application or API (ATT&CK technique T1190, Exploit Public-Facing Application).
  • Procedures – Procedures represent the specific, step-by-step technical implementation of any techniques an attacker utilizes: the exact tool, command line, ordering, and operational habits. Procedures tend to be highly individualized at the execution level, which is what makes them so valuable for attributing activity and for understanding the blueprint.

By organizing data from these three layers into a standardized framework, security analysts can build a comprehensive and structured dictionary of adversary behavior. One of the most common frameworks utilized for this purpose is known as MITRE ATT&CK.

TTP Mapping Breaks the Adversary’s Blueprint


In construction, altering blueprints creates big headaches. Alterations can even bring a project to a standstill. Something similar exists in the cybersecurity world. By breaking blueprints, security specialists take advantage of a principle known as the ‘pyramid of pain’, a model introduced by David Bianco that ranks indicator types by how much it costs the adversary when defenders act on them.

This principle holds that the more effort an attacker must spend to get around a defense, the more likely the attacker is to give up. Hash values sit at the very bottom of the pyramid and IP addresses sit just above them; blocking either costs the attacker almost nothing.

A threat actor can merely click a button and instantly reroute traffic through fresh infrastructure, or recompile a tool to change its hash. But if a security team builds detections around the core procedure by which a threat actor achieves lateral movement, they effectively break the blueprint. It takes a lot of work to fix it.

Breaking blueprints forces adversaries to reinvent their behavioral habits, retrain operators, and start over with new underlying campaign methodologies.

Breaking blueprints introduces an immense amount of friction. At some point the cost outweighs the expected return, and the attack becomes something the attacker no longer wishes to pursue.
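To make the difference between the two ends of the pyramid concrete, the following Python program is an added example, not code from the original article and not DarkOwl's or MITRE's. It runs an IOC check and a behavior-based TTP mapping over constructed endpoint events (process creations with parent, command line, image hash and peer address; the field names and the two "campaigns" are invented for the illustration). The three detection rules are simplified illustrations written for this example, but the ATT&CK identifiers they emit (TA0001, TA0002, TA0008, T1190, T1059.001, T1021.002) are real published IDs. The second campaign repeats the first campaign's procedure with rotated hashes and a new IP address: the IOC feed goes silent, while the TTP mapping produces the same blueprint for both.

```python
import re
from dataclasses import dataclass

# MITRE ATT&CK tactic IDs used by the rules below (real identifiers).
INITIAL_ACCESS = "TA0001"
EXECUTION = "TA0002"
LATERAL_MOVEMENT = "TA0008"


@dataclass
class Event:
    """One process-creation record. Field layout is an assumption for this example."""
    host: str
    process: str     # image name of the new process
    parent: str      # image name of its parent process
    cmdline: str     # full command line
    sha256: str      # hash of the executed image
    remote_ip: str   # peer address if the process talked to the network, else ""


# Constructed sample telemetry, not real data. Campaign 2 runs the same procedure
# as campaign 1 (web server worker spawns a shell, encoded PowerShell, admin-share
# logon to a file server) but with recompiled tools and a new source address.
CAMPAIGN_1 = [
    Event("web01", "cmd.exe", "w3wp.exe", 'cmd.exe /c "whoami"', "hash-c1-cmd", "203.0.113.10"),
    Event("web01", "powershell.exe", "cmd.exe",
          "powershell.exe -nop -w hidden -enc SQBFAFgA", "hash-c1-ps", ""),
    Event("web01", "net.exe", "powershell.exe",
          r"net use \\fs01\ADMIN$ /user:corp\svc", "hash-c1-net", ""),
]
CAMPAIGN_2 = [
    Event("web02", "cmd.exe", "w3wp.exe", 'cmd.exe /c "hostname"', "hash-c2-cmd", "198.51.100.7"),
    Event("web02", "powershell.exe", "cmd.exe",
          "powershell.exe -w hidden -EncodedCommand SQBFAFgA", "hash-c2-ps", ""),
    Event("web02", "net.exe", "powershell.exe",
          r"net use \\fs02\C$ /user:corp\backup", "hash-c2-net", ""),
]

# IOC feed built from campaign 1 only (bottom of the pyramid: hashes and IPs).
IOC_HASHES = {e.sha256 for e in CAMPAIGN_1}
IOC_IPS = {e.remote_ip for e in CAMPAIGN_1 if e.remote_ip}

# Behavioral rules: (tactic, technique ID, technique name, predicate). Each predicate
# describes how the step is carried out, not which binary or address carries it out.
RULES = [
    (INITIAL_ACCESS, "T1190", "Exploit Public-Facing Application",
     lambda e: e.parent.lower() == "w3wp.exe"
     and e.process.lower() in {"cmd.exe", "powershell.exe"}),
    (EXECUTION, "T1059.001", "Command and Scripting Interpreter: PowerShell",
     lambda e: e.process.lower() == "powershell.exe"
     and re.search(r"\s-e(nc|ncodedcommand)?\b", e.cmdline, re.IGNORECASE) is not None),
    (LATERAL_MOVEMENT, "T1021.002", "Remote Services: SMB/Windows Admin Shares",
     lambda e: e.process.lower() == "net.exe"
     and re.search(r"\buse\s+\\\\\S+?\\(admin|c|ipc)\$", e.cmdline, re.IGNORECASE) is not None),
]


def match_iocs(events, ioc_hashes, ioc_ips):
    """IOC matching: exact hits on known-bad hashes or peer addresses."""
    return [e for e in events
            if e.sha256 in ioc_hashes or (e.remote_ip and e.remote_ip in ioc_ips)]


def map_ttps(events):
    """TTP mapping: label each event with every ATT&CK tactic/technique its behavior fits."""
    hits = []
    for e in events:
        for tactic, tid, name, predicate in RULES:
            if predicate(e):
                hits.append((e.host, tactic, tid, name))
    return hits


def blueprint(events):
    """Ordered, de-duplicated technique sequence: the campaign's blueprint."""
    seq = []
    for _, _, tid, _ in map_ttps(events):
        if tid not in seq:
            seq.append(tid)
    return seq


if __name__ == "__main__":
    for label, campaign in (("campaign 1", CAMPAIGN_1), ("campaign 2", CAMPAIGN_2)):
        ioc_hits = len(match_iocs(campaign, IOC_HASHES, IOC_IPS))
        print(f"{label}: IOC hits={ioc_hits} blueprint={blueprint(campaign)}")
    # campaign 1: IOC hits=3 blueprint=['T1190', 'T1059.001', 'T1021.002']
    # campaign 2: IOC hits=0 blueprint=['T1190', 'T1059.001', 'T1021.002']
```

The point of the second campaign is that the attacker changed everything the IOC feed keyed on and nothing the rules keyed on. Conversely, forcing the attacker off these procedures (no shells spawned from the web worker, no encoded PowerShell, no admin-share logons) means redesigning the intrusion rather than flipping a switch, which is the friction the pyramid of pain describes. In production the predicates would be Sigma or EDR rules fed by real process telemetry rather than lambdas over a list.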

Fed by Behavioral Intelligence

TTP mapping is quite effective, but only if it is fed by qualified behavioral intelligence. Therefore, success relies heavily on identifying, tracking, and updating threat actor behaviors as they change. DarkOwl explains that this can be accomplished through open-source intelligence (OSINT) and other collection methods, including monitoring of dark web sources.

When fed with reliable data and paired with automation such as SOAR, so that a mapped behavior can trigger containment without waiting on an analyst, TTP mapping can stop threat actors before they reach their objective. It can make launching an attack so painful that a threat actor simply walks away and moves on to a softer target.

Darinka Aleksic
I'm Darinka Aleksic, a corporate planning manager, content writer, and editor at SQM Club. With 14 years of experience, I've transitioned from traditional journalism to digital marketing, where I find great pleasure and enthusiasm. Alongside my professional career, I coach tennis and enjoy cooking for friends. Above all, I'm the proud mother of two daughters.