The terms “tactics, techniques, and procedures” refer to the patterns of activity and methods associated with specific threat actors or groups of threat actors. TTPs are useful for analyzing threats and identifying threat actors, and they can further be used to strengthen the security infrastructure of an organization.
The word “tactics” is defined as a guideline that describes the way an attacker performs the attack from beginning to end. The word “techniques” is defined as the technical methods used by an attacker to achieve intermediate results during the attack. Finally, the word “procedures” is defined as the organizational approach followed by the threat actors to launch an attack. In order to understand and defend against threat actors, it is important to know the TTPs used by the adversaries.
Tactics are described as the way the threat actor operates during the different phases of an attack. They consist of the various techniques used to gather information for initial exploitation, perform privilege escalation and lateral movement, and deploy measures for persistent access to the system.
Generally, APT groups rely on unchanging tactics, but in some cases they adapt to different circumstances and alter the way they perform the attack. Therefore, the difficulty of detecting and attributing an attack campaign depends on the tactics used to perform the attack.
An organization can profile threat actors based on the tactics they use; this consists of the way they gather information about a target, the methods they follow for initial compromise, and the number of entry points they use while attempting to enter the target network.
To launch an attack successfully, threat actors use many techniques while executing the attack. These techniques include initial exploitation, setting up and maintaining command and control channels, accessing the target infrastructure, and covering the tracks of data exfiltration. The techniques a threat actor follows to conduct an attack may vary, but they are largely similar and can be used to profile the threat actors. Therefore, understanding the techniques used in the different phases of an attack is crucial to investigating threat groups effectively.
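The profiling described above can be made concrete by comparing the techniques observed during an incident with the techniques each known actor is recorded as using. The following is an added example, not code from the original text; the actor names, tactic labels and technique names are constructed sample data, not real intelligence, and the scoring (set overlap per actor, coverage per tactic, and techniques unique to one actor) is a simple illustration of the idea rather than an established methodology.

```python
# Added example (not from the original text): ranking constructed threat-actor TTP
# profiles against the techniques an incident responder observed in one campaign.
from typing import Dict, List, Set, Tuple

Profile = Dict[str, Set[str]]  # tactic -> techniques the actor is known to use

def all_techniques(profile: Profile) -> Set[str]:
    """Flatten a tactic->techniques profile into one set of technique names."""
    return set().union(*profile.values())

def jaccard(a: Set[str], b: Set[str]) -> float:
    """Overlap of two technique sets: 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

def rank_actors(observed: Set[str], profiles: Dict[str, Profile]) -> List[Tuple[str, float]]:
    """Rank actors by overall overlap between their known techniques and what was observed."""
    scores = [(n, round(jaccard(observed, all_techniques(p)), 3)) for n, p in profiles.items()]
    return sorted(scores, key=lambda s: s[1], reverse=True)

def tactic_coverage(observed: Set[str], profile: Profile) -> Dict[str, float]:
    """Per tactic, the fraction of an actor's known techniques that were observed;
    a tactic with no matches (e.g. persistence) is a gap the investigation should revisit."""
    return {t: len(observed & techs) / len(techs) for t, techs in profile.items()}

def distinctive_matches(observed: Set[str], profiles: Dict[str, Profile]) -> Dict[str, str]:
    """Observed techniques found in exactly one profile. These carry the most attribution
    weight: a technique many actors share says little about who is behind this campaign."""
    users = {t: [n for n, p in profiles.items() if t in all_techniques(p)] for t in observed}
    return {t: n[0] for t, n in users.items() if len(n) == 1}

# Constructed sample profiles with hypothetical actor and technique names, not real intelligence.
PROFILES: Dict[str, Profile] = {
    "ACTOR-A": {"information gathering": {"social-media-recon", "public-email-harvest"},
                "initial compromise": {"spear-phishing-attachment"},
                "privilege escalation": {"credential-dumping"},
                "persistence": {"scheduled-task"},
                "command and control": {"https-beacon"}},
    "ACTOR-B": {"information gathering": {"port-scan"},
                "initial compromise": {"exploit-public-app", "default-credentials"},
                "privilege escalation": {"credential-dumping"},
                "persistence": {"web-shell"},
                "command and control": {"dns-tunnel"}},
}
# Constructed set of techniques seen during one incident.
OBSERVED = {"public-email-harvest", "spear-phishing-attachment", "credential-dumping",
            "https-beacon", "web-shell"}
```

Calling `rank_actors(OBSERVED, PROFILES)` places ACTOR-A first, while `distinctive_matches` shows that the shared credential-dumping technique contributes nothing to telling the two actors apart.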
Techniques can also be analyzed at each stage of the threat life cycle. Techniques at the initial stage mainly describe the tools used for reconnaissance and initial exploitation. The techniques used in this stage need not necessarily have a technical aspect. For instance, in social engineering, certain software tools are used that are not technical in nature, yet it is an effective method of gathering information. An attacker can use such tools to obtain the email addresses of employees of the target organization through publicly available resources.
Techniques used in the middle stages of an attack mostly rely on technical tools for escalating privileges on the systems that were compromised initially or for performing lateral movement within the target organization’s network. At this stage of an attack, the attackers use various exploits or misuse configuration vulnerabilities on the target system. Network design flaws can also be exploited to gain access to other systems in the network. In all these cases, either exploits or a group of tools allow the attacker to carry out a successful attack. In this context, the term “technique” can be defined as the set of tools and the way they are used to obtain intermediate results during an attack campaign.
The “procedures” involve a sequence of actions performed by the threat actors to execute the different steps of an attack life cycle. The number of actions usually differs depending on the objective of the procedure and the APT group. An advanced threat actor uses sophisticated procedures consisting of more actions than a normal procedure to achieve the same intermediate result. This is done mainly to increase the success rate of an attack and reduce the likelihood of detection by security mechanisms.
In a basic information-gathering procedure, an actor collects information about the target organization; identifies key targets and employees; collects contact details; identifies vulnerable systems and potential entry points into the target network; and documents all the collected information. The further actions of an adversary depend on the tactics used. These actions include extensive research and continuous operation to gather in-depth and up-to-date information on the target individuals via social networking sites.
This information can help threat actors to perform spear phishing, monitor security controls to identify zero-day exploits in the target systems, and so on. For instance, a threat actor using a more elaborate procedure executes the malware payload. At the time of execution, the malicious code decrypts itself, evades security monitoring controls, deploys persistence, and establishes a command and control channel for communicating with the victim system. This type of procedure is common for malware, where different threat actors may implement the same feature, and it is therefore useful in forensic investigations.