The role of TTPs in the cyber environment


What are TTPs?


In cybersecurity, TTPs (Tactics, Techniques, and Procedures) refer to the behaviors and strategies attackers use to carry out their operations.

  • Tactics are the key steps of an attack, such as gaining initial access, establishing persistence, or exfiltrating data. These represent the “why” behind an attacker’s actions.
  • Techniques are the specific methods used to achieve those goals. Examples include phishing, exploiting software vulnerabilities, or deploying malware. They address the “how” of implementing a tactic.
  • Procedures describe the step-by-step actions attackers take to execute techniques. These vary depending on the tools and infrastructure used.

For example, an attacker attempting to move laterally within a victim’s network might employ the Lateral Movement tactic. This could involve several techniques, such as internal spear-phishing, exploiting network service vulnerabilities, or transferring tools from one compromised system to another.

These different approaches demonstrate how multiple techniques can support the same tactic.

Consider another technique: Replication Through Removable Media, which involves using removable drives to spread malware. Specific procedures for this technique include the use of malicious tools like those employed by APT28 to infect USB devices that self-replicate when connected to new systems.

TTPs are widely recognized and classified within the MITRE ATT&CK framework. This knowledge base, grounded in real-world observations, organizes attacker tactics and techniques. As cyberattacks grow more complex, MITRE ATT&CK stands out as the first platform to formalize and name these methods. While not developed by a national agency, it is a global standard.

When discussing an attacker’s TTPs, it’s almost like defining a unique signature of their offensive approach.

Why are TTPs effective in detecting attackers?


The limitations of IoCs

Indicators of Compromise (IoCs) are artifacts left behind during a cyberattack, such as file signatures, IP addresses, domain names, or other traces of intrusion.

However, their operational value is limited due to their ease of replacement. For instance:

  • A file signature becomes obsolete if a single character in the file changes.
  • Domain names and IP addresses can be modified without affecting the underlying infrastructure.

This makes IoCs transient. Security tools often flag them quickly, requiring constant database updates, which can be resource-intensive.

Moreover, IoCs represent isolated fragments of an attack and don’t provide a holistic view.

Why do attackers rarely change their TTPs?

While attackers can easily alter tools, code, or IP addresses, fundamentally changing their methods is much harder. Why?

  • Proven and reliable methods: Attackers prefer using methods they find stable and familiar, often based on prior success.

  • High development costs: Developing new TTPs is resource-intensive.

For example, in the case of the Initial Access tactic, attackers might:

  1. Exploit a publicly exposed application vulnerability,
  2. Run phishing campaigns to deliver payloads,
  3. Use legitimate user credentials.

Developing new techniques requires substantial time, financial resources, and infrastructure. In the cybercrime ecosystem, attackers avoid unnecessary innovation as long as their methods remain effective, stable, and exploitable (e.g., leveraging an unpatched CVE).

As a result, relying solely on IoCs is not an optimal solution, as they fail to identify new attacks whose artifacts have yet to be detected or classified as malicious. Conversely, monitoring TTPs allows for the identification and validation of abnormal behaviors regardless of the artifacts used.

This is the principle of the Pyramid of Pain:

Representation of the Pyramid of Pain

This model illustrates the “pain” inflicted on attackers based on the indicators detected. For instance, detecting a file signature causes minimal disruption since attackers can recompile the file. However, replacing a tool within an existing configuration is far more complex and resource-intensive.

From a defensive standpoint, relying solely on file signatures, IP addresses, or domain names may not suffice for detecting malicious behaviors.

How does TTP analysis benefit organizations?


For Analysts

During an investigation, each MITRE technique gives analysts several pieces of information:

  • Understanding alert objectives

    Single alerts often lack context. Even when a specific technique like SQL Injection is named, it may not be immediately clear how it fits into the attack. MITRE’s detailed descriptions help analysts identify the purpose of an attack.

  • Tracking attack progress

    Techniques provide insight into the attack’s stage. For example, an alert related to the Data from Local System technique under the Collection tactic signals that the attacker is gathering data. This allows analysts to infer:

  1. Past actions: The attacker has infiltrated the network, located databases, and moved laterally
  2. Future actions: Data exfiltration may follow

In this case, the technique provides essential insight from which actions and response mechanisms can and should be implemented.

  • Prioritizing Alerts:

    Even though MITRE techniques help identify malicious behaviors, their severity is usually based on an organization’s priorities. For instance, a business focused on data security may prioritize alerts about exfiltration over service interruptions.

  • Streamlining investigations

    MITRE techniques include details about tools and behaviors associated with each technique, guiding analysts during investigations when initial alerts lack specifics.

  • Improving Decision-Making

    Understanding the technique used allows analysts to implement appropriate responses—from isolating a machine to blocking a process. MITRE also suggests mitigations to prevent recurring attacks.

After an attack unfolds, missing steps in the scenario reveal areas for further investigation. For instance, if the initial infection method of a machine (Initial Access) is known, and malicious actions are later detected on another machine, it is highly likely that the Lateral Movement tactic—representing the attacker’s traversal within the network to access additional resources—is part of the attack’s progression. Guided by this logic, the analyst can direct their investigation accordingly, leveraging the described techniques, examples, and tools. This methodical approach deepens the analysis while targeting the critical stages of the intrusion.

Anticipating Missing Actions to Guide the Investigation

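The reasoning above (inferring past and future stages from a Collection alert, and spotting the missing Lateral Movement step when Initial Access and later activity sit on different hosts) can be automated over an alert stream. The following Python is an added example, not Gatewatcher or AIoniQ code: the tactic order and the technique excerpt come from MITRE ATT&CK Enterprise, while the alert records, hostnames and timestamps are constructed sample data.

```python
"""Reconstruct an attack scenario from technique-tagged alerts.

Added example (not Gatewatcher code). The tactic list and the technique
excerpt are taken from MITRE ATT&CK Enterprise; the alert stream is
constructed sample data.
"""

# Enterprise tactics in matrix order, i.e. the order in which an intrusion
# typically progresses (Reconnaissance and Resource Development omitted).
TACTIC_ORDER = [
    ("TA0001", "Initial Access"),
    ("TA0002", "Execution"),
    ("TA0003", "Persistence"),
    ("TA0004", "Privilege Escalation"),
    ("TA0005", "Defense Evasion"),
    ("TA0006", "Credential Access"),
    ("TA0007", "Discovery"),
    ("TA0008", "Lateral Movement"),
    ("TA0009", "Collection"),
    ("TA0011", "Command and Control"),
    ("TA0010", "Exfiltration"),
    ("TA0040", "Impact"),
]
TACTIC_NAME = dict(TACTIC_ORDER)
TACTIC_INDEX = {tid: i for i, (tid, _) in enumerate(TACTIC_ORDER)}

# Excerpt of techniques named in the article, each mapped to the tactic
# under which it is used here (some techniques belong to several tactics).
TECHNIQUES = {
    "T1190": ("Exploit Public-Facing Application", "TA0001"),
    "T1566": ("Phishing", "TA0001"),
    "T1078": ("Valid Accounts", "TA0001"),
    "T1091": ("Replication Through Removable Media", "TA0008"),
    "T1534": ("Internal Spearphishing", "TA0008"),
    "T1210": ("Exploitation of Remote Services", "TA0008"),
    "T1570": ("Lateral Tool Transfer", "TA0008"),
    "T1005": ("Data from Local System", "TA0009"),
    "T1041": ("Exfiltration Over C2 Channel", "TA0010"),
}

# Constructed alert stream: (timestamp, host, technique id, engine message).
# Initial Access is seen on web-01, later stages on fs-02, and nothing in
# between: the situation described in the article.
ALERTS = [
    ("2024-05-02T09:12:00Z", "web-01", "T1190", "exploit attempt on public web app"),
    ("2024-05-02T09:40:00Z", "fs-02", "T1005", "bulk read of local documents"),
    ("2024-05-02T10:05:00Z", "fs-02", "T1041", "large upload over existing C2 session"),
]


def enrich(alerts):
    """Attach technique and tactic names to each raw alert."""
    rows = []
    for ts, host, tid, msg in alerts:
        name, tactic = TECHNIQUES[tid]
        rows.append({"ts": ts, "host": host, "technique": tid, "technique_name": name,
                     "tactic": tactic, "tactic_name": TACTIC_NAME[tactic], "msg": msg})
    return rows


def observed_tactics(alerts):
    """Tactic ids present in the alerts, sorted in kill-chain order."""
    seen = {TECHNIQUES[tid][1] for _, _, tid, _ in alerts}
    return sorted(seen, key=TACTIC_INDEX.__getitem__)


def missing_stages(alerts):
    """Tactics between the first and last observed stage that raised no alert.
    These are the candidate gaps for the analyst to investigate."""
    seen = observed_tactics(alerts)
    if len(seen) < 2:
        return []
    lo, hi = TACTIC_INDEX[seen[0]], TACTIC_INDEX[seen[-1]]
    return [tid for tid, _ in TACTIC_ORDER[lo:hi + 1] if tid not in seen]


def lateral_movement_implied(alerts):
    """True when alerts span more than one host but no Lateral Movement
    technique was detected: the attacker must have traversed the network."""
    hosts = {host for _, host, _, _ in alerts}
    return len(hosts) > 1 and "TA0008" not in observed_tactics(alerts)


def likely_next(alerts):
    """Tactics after the latest observed stage: what to watch for next."""
    seen = observed_tactics(alerts)
    if not seen:
        return []
    return [tid for tid, _ in TACTIC_ORDER[TACTIC_INDEX[seen[-1]] + 1:]]


if __name__ == "__main__":
    for row in enrich(ALERTS):
        print(f'{row["ts"]} {row["host"]:7} {row["technique"]} {row["technique_name"]} '
              f'[{row["tactic_name"]}]')
    print("gaps to investigate:", [TACTIC_NAME[t] for t in missing_stages(ALERTS)])
    print("lateral movement implied:", lateral_movement_implied(ALERTS))
    print("watch for:", [TACTIC_NAME[t] for t in likely_next(ALERTS)])
```

Running it prints the enriched alerts, the stages between Initial Access and Exfiltration that raised no alert, and the next stage to watch for; the cross-host check is what turns the article's Lateral Movement inference into a rule an analyst can apply mechanically.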
For organizations

TTP analysis is not only educational but also essential for regulatory compliance. By highlighting quantifiable threat performance indicators, organizations can address evaluated risks effectively.

Moreover, MITRE ATT&CK provides a standardized vocabulary for cybersecurity teams, enabling clear and consistent communication about threats. This is especially valuable for incident reporting in collaborative or external partnerships.

GATEWATCHER x MITRE ATT&CK


In this context, Gatewatcher strives to update its detection capabilities by integrating the MITRE ATT&CK framework. Its NDR detection platform features a set of specialized detection engines, each designed to identify a specific threat. Each engine is linked to the most relevant MITRE technique, enabling contextualization of the alerts generated.

In addition to these engines, the AIoniQ solution incorporates the Suricata IDS, which includes nearly 100,000 detection rules to identify suspicious or malicious network behaviors. Thanks to the efforts of our teams, we are developing methods to map these rules to MITRE techniques.
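One practical way to attach ATT&CK context to IDS rules is to read it from the rule's own metadata. The Python below is an added example and not Gatewatcher's mapping method; it assumes rules carry metadata entries named mitre_tactic_id and mitre_technique_id (a convention used by some public rulesets), reports rules without them as unmapped, and uses constructed sample rules with sids in the local 1000000+ range.

```python
"""Extract ATT&CK tactic/technique ids from Suricata rule metadata.

Added example, not Gatewatcher's mapping method. It assumes rules carry
'metadata' entries named mitre_tactic_id and mitre_technique_id (a
convention used by some public rulesets); rules without them are
reported as unmapped so they can be handled separately. The rules below
are constructed samples with sids in the local 1000000+ range.
"""
import re
from collections import Counter

# Constructed sample ruleset: two rules carry ATT&CK metadata, one does not.
SAMPLE_RULES = r'''
# comment lines and blank lines are ignored
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"EXAMPLE Directory traversal in URI"; flow:established,to_server; http.uri; content:"../"; metadata: created_at 2024_05_02, mitre_tactic_id TA0001, mitre_technique_id T1190; sid:1000001; rev:1;)
alert smb $HOME_NET any -> $HOME_NET 445 (msg:"EXAMPLE Executable written over SMB; possible tool transfer"; flow:established,to_server; metadata: mitre_tactic_id TA0008, mitre_technique_id T1570; sid:1000002; rev:1;)
alert dns $HOME_NET any -> any any (msg:"EXAMPLE DNS query for sample bad domain"; dns.query; content:"bad.example.invalid"; sid:1000003; rev:1;)
'''

# action, protocol, then the header up to the first '(' and the option block.
HEADER_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+[^(]*\((?P<options>.*)\)\s*$")


def split_options(options):
    """Split 'k:v; k; ...' into a dict, honouring ';' inside quoted values.
    Repeated keywords (e.g. several content:) keep the last value; only
    msg, sid and metadata are needed here."""
    opts, buf, quoted = {}, "", False
    for ch in options:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            key, _, val = buf.strip().partition(":")
            opts[key] = val.strip().strip('"')
            buf = ""
        else:
            buf += ch
    return opts


def parse_metadata(value):
    """'k1 v1, k2 v2' -> {'k1': 'v1', 'k2': 'v2'}."""
    out = {}
    for item in value.split(","):
        parts = item.strip().split(None, 1)
        if len(parts) == 2:
            out[parts[0]] = parts[1]
    return out


def map_rules(text):
    """Return one record per rule: sid, msg, proto, tactic, technique."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            continue  # not a rule line
        opts = split_options(m.group("options"))
        meta = parse_metadata(opts.get("metadata", ""))
        records.append({
            "sid": opts.get("sid"),
            "msg": opts.get("msg"),
            "proto": m.group("proto"),
            "tactic": meta.get("mitre_tactic_id"),
            "technique": meta.get("mitre_technique_id"),
        })
    return records


def unmapped_sids(records):
    """Rules that still need a technique assigned by hand."""
    return [r["sid"] for r in records if r["technique"] is None]


def coverage_by_tactic(records):
    """How many rules cover each tactic: a first view of detection coverage."""
    return Counter(r["tactic"] for r in records if r["tactic"])


if __name__ == "__main__":
    rows = map_rules(SAMPLE_RULES)
    for r in rows:
        print(r["sid"], r["proto"], r["tactic"], r["technique"], "-", r["msg"])
    print("unmapped:", unmapped_sids(rows))
    print("coverage:", dict(coverage_by_tactic(rows)))
```

The unmapped list is the useful output in practice: rules that carry no ATT&CK metadata are the ones that need a mapping derived some other way, and the per-tactic counts give a first rough view of which matrix columns the ruleset covers.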

With this approach, analysts can track the complete attack scenario for each alert raised by an engine. This expanded visibility is a major asset in understanding and neutralizing threats.

The diversity of engines results in broader threat detection coverage, encompassing nearly all tactics listed in the MITRE ATT&CK matrix. This level of protection is a decisive advantage: cyberattacks, composed of multiple successive steps, can be detected even if an attacker uses an unknown tool or vulnerability. Actions earlier or later in the attack chain will still be intercepted.

This is the principle of the Swiss Cheese Model. From a defensive perspective, this model illustrates the importance of having multiple independent protection layers to prevent a single failure from leading to a breach.

The Swiss Cheese Model Applied to AIoniQ’s Detection Engines

The complementary nature of IoCs, anomalies, and TTPs

IoCs and TTPs complement each other, as each approach provides different perspectives for detecting and analyzing threats.

  • IoCs: Rapid response to identified threats

IoCs, such as malicious IP addresses or file signatures associated with attacks, enable quick responses to already identified activities. However, they are often ephemeral because attackers regularly change these indicators to evade detection.

  • TTPs: Strategic and sustainable insights

TTPs, on the other hand, describe the methods and behaviors of attackers. These elements are more enduring and provide strategic insights into threats, allowing detection of attacks not yet associated with known IoCs.

  • Anomaly analysis: Proactive detection

Anomaly analysis complements these two approaches by identifying deviations from normal system or user behavior. For example, an unusual connection time or abnormally high data volume can indicate malicious activity, even without associated IoCs or TTPs, enhancing proactive detection.

Approach    | Precision | Reactivity | Durability | Blind Spot Detection
IoCs        |           |            |            |
Anomalies   |           |            |            |
TTPs        |           |            |            |

The table above outlines the characteristics of each approach based on four criteria:

  1. Precision: Does this approach highlight a tangible threat?
  2. Reactivity: Does this approach enable the fastest possible response?
  3. Durability: Is this approach viable over time, or does it require regular adjustments?
  4. Detection: Can this approach alert without prior knowledge of the threat?

Thus, these three methods are complementary, each with its strengths and weaknesses, and they collectively enhance detection capabilities.
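To make the Pyramid of Pain argument and the three-way comparison above concrete, the Python below runs an IoC layer, a TTP layer and an anomaly layer over the same constructed event stream twice: once for a campaign whose artifacts are in the indicator feed, and once after the attacker recompiles the dropper and moves to a new address. It is an added example, not Gatewatcher or AIoniQ code; hostnames, hashes and IP addresses are made-up sample values (IPs from the 203.0.113.0/24 documentation range), and the behaviour rule (an Office application spawning a script interpreter) is a simplified stand-in for an engine's detection logic.

```python
"""IoC, TTP and anomaly detection layers run over the same event stream.

Added example, not Gatewatcher code. All hostnames, hashes and IP
addresses are constructed sample values (IPs from the 203.0.113.0/24
documentation range); the behaviour rule is a simplified ATT&CK-style
detection (an Office application spawning a script interpreter).
"""
import statistics

# Constructed IoC feed from a previous campaign.
IOCS = {
    "sha256": {"a" * 64},      # sample hash of the old dropper
    "ip": {"203.0.113.10"},    # sample C2 address of the old campaign
}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed per-host baseline: daily outbound bytes over the last week.
BASELINE = {"ws-07": [40e6, 55e6, 48e6, 60e6, 52e6]}


def ioc_layer(events):
    """Exact matches against the indicator feed: precise and fast, but
    silent as soon as the artifact changes."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process" and ev["sha256"] in IOCS["sha256"]:
            hits.append((i, "known malicious hash"))
        if ev["type"] == "flow" and ev["dst_ip"] in IOCS["ip"]:
            hits.append((i, "known malicious IP"))
    return hits


def ttp_layer(events):
    """Behaviour rule: Office application spawning a script interpreter
    (ATT&CK T1059 Command and Scripting Interpreter). Fires whatever the
    hash of the payload or the address of the C2 server."""
    return [(i, "T1059 interpreter spawned by Office application")
            for i, ev in enumerate(events)
            if ev["type"] == "process"
            and ev["parent"].lower() in OFFICE_APPS
            and ev["image"].lower() in INTERPRETERS]


def anomaly_layer(events, baseline, k=3.0):
    """Outbound volume more than k standard deviations above the host's
    baseline mean. Needs no prior knowledge of the threat at all."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] != "flow" or ev["host"] not in baseline:
            continue
        hist = baseline[ev["host"]]
        threshold = statistics.mean(hist) + k * statistics.stdev(hist)
        if ev["bytes_out"] > threshold:
            hits.append((i, f"outbound volume {ev['bytes_out']:.0f} > {threshold:.0f}"))
    return hits


def run_layers(events, baseline=BASELINE):
    """Number of alerts raised by each layer on the given events."""
    return {"ioc": len(ioc_layer(events)),
            "ttp": len(ttp_layer(events)),
            "anomaly": len(anomaly_layer(events, baseline))}


def campaign(dropper_hash, c2_ip):
    """Same intrusion behaviour, parameterised by the artifacts it uses."""
    return [
        {"type": "process", "host": "ws-07", "parent": "explorer.exe",
         "image": "notepad.exe", "sha256": "b" * 64},                     # benign
        {"type": "process", "host": "ws-07", "parent": "WINWORD.EXE",
         "image": "powershell.exe", "sha256": "d" * 64},                  # document lure
        {"type": "process", "host": "ws-07", "parent": "powershell.exe",
         "image": "invoice_viewer.exe", "sha256": dropper_hash},          # dropped payload
        {"type": "flow", "host": "ws-07", "dst_ip": c2_ip, "bytes_out": 50e6},   # beacon
        {"type": "flow", "host": "ws-07", "dst_ip": c2_ip, "bytes_out": 950e6},  # exfil
    ]


# Original campaign: its artifacts are in the IoC feed.
CAMPAIGN_KNOWN = campaign("a" * 64, "203.0.113.10")
# Same actor after recompiling the dropper and moving to new infrastructure.
CAMPAIGN_VARIANT = campaign("c" * 64, "203.0.113.77")

if __name__ == "__main__":
    print("known artifacts  :", run_layers(CAMPAIGN_KNOWN))
    print("changed artifacts:", run_layers(CAMPAIGN_VARIANT))
```

On the first run all three layers fire; on the second the IoC layer is silent while the TTP and anomaly layers still raise the same alerts, which is the durability and blind-spot-detection trade-off the table describes. The anomaly threshold is deliberately simple (mean plus three standard deviations of a per-host baseline); a production baseline would need more history and seasonality handling, but the division of labour between the layers is the same.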

Author: Gatewatcher’s Purple Team