TTPs is an acronym for Tactics, Techniques, and Procedures (TTPs). In cybersecurity, they provide a clear picture of what attackers are trying to achieve and how they accomplish it. 

Tracking and analyzing TTPs gives you insights into adversary behaviors and the methods used to orchestrate specific attacks. This knowledge helps you to respond to current threats and prepare for future ones. 

You can learn a lot from studying adversary tactics and techniques, even if the attack wasn't directed at you. Some attackers tend to reuse the same TTPs for different attacks. Recognizing these patterns enables you to fortify your defenses against repeated assaults.

What are tactics in cyber security?

In cybersecurity, tactics explain the "why" behind an attacker's actions. These are known as offensive tactics. They help you understand the technical objectives an attacker aims to achieve. 

For example, an attacker might want to run malicious code on your systems. This could be to disrupt operations or steal confidential data. Tactics give you insight into the end goals of these malicious activities.

Consider an instance where an attacker’s main goal is to steal sensitive information. The tactic here is data exfiltration, which might involve siphoning off customer data, intellectual property, or financial records. Understanding the tactic is like seeing the big picture of what the attacker truly wants from you.

Another example of a tactic is persistence. Sometimes, attackers aim to maintain their foothold in your network for as long as possible. 

They may insert backdoors or manipulate system settings to ensure they can return even after you have tried to remove them. Knowing this helps you realize that simply removing malware might not be enough; you need to dig deeper to cleanse your systems fully.

Therefore, understanding attackers’ tactics helps you prepare better. This knowledge allows you to build stronger defenses tailored to thwarting these specific objectives.

Other tactics used by cyber attackers

Offensive tactics

An effective tactic is exploiting unpatched vulnerabilities. Attackers scan systems for outdated software with known security flaws. Once they find a weakness, they exploit it before it is patched. This insight underscores the importance of timely updates and rigorous patch management.

A follow-on tactic attackers will then use is privilege escalation. Once inside a network, attackers aim to increase their access by exploiting weaknesses in user permissions. 

For instance, they might use a technique like token impersonation to gain administrative rights. This allows them to control more of the network, just like finding a master key that unlocks all doors. 

From a defender's viewpoint, understanding this tactic helps in implementing least privilege principles and regularly auditing permissions.

Credential dumping is another tactic they might employ. Using tools like Mimikatz, attackers extract passwords and authentication tokens from compromised machines. With these credentials, they can move laterally within the network, increasing their foothold. 

Knowing this, you can implement stronger encryption for stored credentials and use monitoring tools to detect unusual access patterns.

Don’t forget the tactic of lateral movement. After gaining initial access, attackers move within the network to locate high-value targets. Tools like PsExec or Remote Desktop Protocol (RDP) facilitate this movement. You can counter this tactic by segmenting your network and using strict access controls to limit an attacker's mobility.

Persistence is key for any attacker. They want to maintain access to the compromised network for as long as possible. Techniques like creating scheduled tasks or modifying startup scripts ensure you can re-enter even if detected. For defenders, knowing this tactic emphasizes the need for regular scans and reviews of system configurations.

Defensive tactics

Defensive tactics are how you defend your network against cyber attacks, which is by understanding their TTPs. Knowing what attackers aim to achieve and the methods they use helps you anticipate and disrupt their plans effectively.

For example, if you know attackers often employ phishing to gain initial access, you can ramp up your email security measures. Implementing advanced email filters and training employees to recognize phishing attempts can drastically reduce the risk.

Let's consider brute force attacks. If attackers are trying to crack passwords, enabling multi-factor authentication (MFA) acts as a powerful deterrent. Even if they manage to guess a password, the additional authentication step makes their lives difficult.

When it comes to the tactic of data exfiltration, you can employ several defensive measures. Data Loss Prevention (DLP) tools can monitor and control the data leaving your network. 

Like putting a guard at every exit point, and checking packages for stolen goods, DLP solutions can detect and block unauthorized data transfers, ensuring your sensitive information stays secure.

Adversaries often aim for persistence, trying to maintain access to your systems for extended periods. To counter this, you must regularly update and patch your software. 

Additionally, employing endpoint detection and response (EDR) solutions can help you identify and remove backdoors or other persistence mechanisms. These tools act like internal security patrols, constantly scanning for suspicious activities and neutralizing threats before they cause harm.

Understanding the tactic of lateral movement, where attackers move within the network to find valuable targets, allows you to implement network segmentation and strong access controls. 

By dividing your network into isolated segments, you can prevent an intruder from freely roaming around. Implementing strict access controls also helps by ensuring that only authorized personnel can access specific segments, further limiting an attacker’s movement.

To detect unusual activities that might indicate compromise, you can rely on telemetry and behavioral analytics. By monitoring traffic patterns and user behaviors, you can spot anomalies that deviate from the norm. 

For instance, if you observe a user account accessing sensitive data at odd hours, it could be a sign of malicious activity. Think of it as installing motion sensors in your network; any unexpected movement triggers an alert, enabling you to respond swiftly.

Leveraging frameworks like MITRE ATT&CK helps to align your defensive tactics with the specific techniques used by adversaries. For example, by studying the MITRE ATT&CK matrix, you can identify common techniques for privilege escalation and implement measures such as privilege management and regular audits.

Another defensive tactic is integrating threat intelligence from sources like honeypots and darknets to gain real-time insights into emerging threats. Honeypots, which are traps set to attract attackers, can reveal new tactics being tested by cyber criminals. 

Monitoring darknets can alert you to compromised data being traded, offering a chance to intervene before damage is done. It's comparable to having spies in the enemy camp, providing crucial intelligence to fortify your defenses.

What are techniques in cybersecurity?

Techniques in cybersecurity explain the "how" behind an attacker's actions. They illustrate the specific methods used to accomplish their goals. 

For instance, let's say an adversary wants to gain unauthorized access to your network. One common technique is spear-phishing, where attackers send targeted emails to trick specific individuals into revealing their credentials.

Another technique is brute force attacks. Here, attackers use software to guess passwords continuously. If your systems don't have strong password policies or lockout mechanisms, it's only a matter of time before they get in.

Credential dumping is another alarming technique. Attackers use tools like Mimikatz to extract usernames and passwords from a compromised machine. Once they have these credentials, they can move laterally within your network. Knowing this, you can implement endpoint detection and response (EDR) solutions to identify and mitigate such actions.

Techniques can also involve exploiting vulnerabilities. Attackers scan your systems for outdated software with known security flaws. If they find a vulnerability, they exploit it to gain entry. Think of it as entering through an unlocked window. Regularly updating and patching your systems is like ensuring all windows are securely locked.

Privilege escalation is another common technique. Once inside, attackers aim to gain higher-level access. They might use methods like token impersonation to achieve administrative rights. By understanding this technique, you can focus on implementing the least privilege principle and auditing user permissions regularly.

Malware installation is a technique used to maintain control over compromised systems. Attackers might use techniques like remote access Trojans (RATs) to keep a persistent presence within your network. 

RATs are like planting a bug that allows them to monitor and manipulate your systems continuously. Recognizing this, you can deploy advanced malware detection tools to identify and remove such threats.

How techniques differ from tactics

Tactics explain the "why" behind an attacker's actions. They give you a broad understanding of the adversary's objectives. Techniques, on the other hand, delve into the "how." They describe the specific methods used to achieve those objectives.

Let's take the tactic of data exfiltration as an example. The goal here is to steal sensitive information. This explains the "why" behind the attack. Now, how does the attacker accomplish this? That's where techniques come in. 

One technique might be using encrypted tunnels to transfer data out of the network. Another could be leveraging cloud storage services to store the stolen data. These techniques detail the exact steps taken to achieve the tactic's goal.

Consider another tactic: gaining initial access. An attacker might want to infiltrate your network. This is the tactic, explaining the "why." But how do they get in? One common technique is spear-phishing. 

By sending personalized emails that trick specific individuals into revealing their credentials, the attacker gains access. Another technique might be exploiting unpatched vulnerabilities in your software. Each technique provides a different path to achieving the tactic.

Privilege escalation is another tactic. The goal is to gain higher-level access within the network. This is the "why." Techniques for this could involve token impersonation or exploiting configuration weaknesses. These methods explain the "how." 

For instance, an attacker might use a technique like token impersonation to achieve administrative rights, turning a low-level access point into a powerful control hub.

Think about the tactic of maintaining persistence. Here, the attacker aims to stay within the network for as long as possible. They could use techniques like creating scheduled tasks or modifying startup scripts. These specific actions help them maintain access. Each technique offers a detailed step toward achieving the broader tactic.

In essence, while tactics give us the broader picture of an attacker's goals, techniques provide the granular details of how those goals are achieved. Understanding both helps you build stronger defenses, tailored not just to what attackers want to do, but exactly how they plan to do it.

Mitigation techniques

Knowing the tactics and techniques attackers use allows you to put specific measures in place to thwart their efforts. Let's look at spear-phishing. Attackers send targeted emails to trick employees. 

To counter this, you can deploy advanced email filters. These filters can detect and block phishing attempts before they reach your inboxes. It's like having a personal assistant who screens your mail and discards anything suspicious. 

You should also train your staff to recognize phishing attempts. Regular awareness sessions and simulated phishing attacks can prepare your team to spot a phishing email from a mile away.

Next, brute force attacks. Attackers try thousands of password combinations to break in. You can mitigate this with multi-factor authentication (MFA). Even if they guess a password, they won't get in without the second form of verification. 

You should also enforce strong password policies. Encouraging the use of complex passwords and regular password changes makes brute-force attacks less effective.

Credential dumping is another technique attackers use. They extract usernames and passwords from a compromised machine. To combat this, you should employ endpoint detection and response (EDR) solutions. EDR tools monitor and protect your endpoints by catching suspicious activities like credential dumping.

Now, let's talk about exploiting vulnerabilities. Attackers scan for outdated software with known security flaws. The answer here is regular patch management. Using automated tools to manage patches can ensure you never miss an update, reducing the risk of exploitation.

Privilege escalation allows attackers to gain higher-level access. Implementing the least privilege principle can prevent this. By ensuring users only have access to what they need, you minimize the impact if an account is compromised. Regularly auditing user permissions helps you keep track of who has access to what, making it harder for attackers to escalate their privileges.

Malware installation is another favorite technique. Attackers might install remote access Trojans (RATs) to maintain their presence. You can deploy advanced malware detection tools to identify and remove such threats. 

These tools act like a vigilant pest control service, ensuring your systems remain malware-free. Regular scans and updates to your antivirus software keep us ahead of new malware threats.

What are procedures in cybersecurity?

Procedures in cybersecurity detail the specific steps you take to implement the defensive tactics and techniques we've discussed. Think of them as the actionable tasks or protocols that guide how you carry out your defensive strategies on a day-to-day basis.

Most companies have standard operating procedures (SOPs), which are the activities necessary for the completion of specific tasks, usually by industry regulations or state laws. Think of SOPs as your go-to manual for securing your network and data.

For instance, let's say you have identified spear-phishing as a major threat. The procedure could involve a few key steps:

1. Deploy advanced email filters configured to identify and block phishing attempts. 
2. Conduct regular training sessions where employees learn to spot suspicious emails. 
3. Implement a protocol for reporting suspected phishing attempts, creating a clear communication channel for quick action. 

Each step is precise, and clear, and ensures everyone knows their role in thwarting phishing attacks.

Now, consider brute force attacks. You know enabling multi-factor authentication (MFA) is crucial. The procedure here involves configuring MFA settings across all user accounts. Here’s what it may look like: 

1. Select an MFA tool that suits your needs. 
2. Roll out the MFA tool in phases, beginning with high-risk accounts. 
3. Provide step-by-step guides and support to help users set up their MFA. 
4. Continuously monitor the system to ensure compliance and address any issues.

When it comes to patch management, the procedure is all about consistency and thoroughness. It may look like this:

1. Conduct a thorough inventory of all the software and systems in use. 
2. Schedule regular scans to identify any outdated software. 
3. Apply patches promptly, following a predefined schedule.
4. Maintain detailed logs of all updates and patches applied to ensure nothing slips through the cracks. 

This is a systematic approach that leaves no room for errors.

For combating credential dumping, the procedure often involves deploying endpoint detection and response (EDR) solutions. You begin by selecting the right EDR tool, ensuring it meets your security requirements. 

Next, you install it across all endpoints and configure it to monitor for suspicious activities like credential dumping attempts. To keep your defenses sharp, you regularly update the EDR software and review its logs for signs of unusual behavior. It's a routine that becomes second nature but makes a big difference in your security posture.