Getting ahead of hackers requires insight and expertise. Here we review what TTPs are, how specialists work with them and what they typically look for when detecting them.
TTP - the hacker's method
TTP is short for Tactics, Techniques, and Procedures. It describes the approach that hackers, and cybercriminals in general, take to hacking and committing cyber fraud. In other words, the TTP hunt is designed to intercept the techniques used by hackers and thus prevent potential attacks from happening.
The experts who study TTP become aware of the latest trends, tools and technologies used by hackers, so that they can detect cyber criminals before they strike.
The hunt for TTP, and the cyber threat in general, is a proactive fight against cyber attacks that highlights the methods hackers use in cyber attacks. By doing so, IT managers, for example, become aware of where hackers can penetrate company systems, as well as the tricks they use to collect and steal sensitive information.
However, chasing the TTPs of hackers requires timely insight, since specialists need to stay one step ahead of the cybercriminals to understand which methods and techniques they are going to use.
In addition, TTP specialists also need to be experts in software and programmes in order to understand where hackers are penetrating the system and which weak points in the software are being exploited. Hackers often infiltrate software with more sophisticated malware, so you will not always notice that your software has been infiltrated. That's why it's a good investment for companies to have professionals to catch possible malware downloads and other signs that hackers have gotten through to your systems.
It should be noted, however, that there is a difference between detecting cyber threats and detecting TTP. By detecting cyber threats, specialists detect how hackers get through security systems, as well as what bugs and holes there are in the software. In detecting TTP, the focus is specifically on the behaviour of hackers, attack patterns and operational techniques used by the actors.
By detecting TTP, you are proactively fighting cyber threats - often specialists find inspiration in previous attacks to see if the cyber criminals have an attack pattern they follow.
The method behind detecting TTP
The most common method used by specialists detecting TTP is to make a hypothesis and thus test methods to prevent hackers from penetrating their software. In other words, they test different methods and techniques with the knowledge and insight they have gained by analysing patterns in the hacker's behaviour.
Because they have built an expertise around TTP, they can prioritise their approach and what security measures companies should take to ensure better cyber security. Below, we go in-depth with some of the processes specialists go through when investigating possible TTPs.
Examine the landscape
As mentioned, hackers and cyber criminals are constantly using new methods to penetrate company software and steal sensitive information. In addition, new forms of malware are constantly emerging and becoming harder to detect - so specialists also need to constantly examine the changing cyber landscape to keep up to date with what hackers are doing.
Some of the questions specialists can ask themselves when examining the cyber landscape are:
- How would a potential hacker penetrate our network?
- What techniques are we aware of that previous cyber criminals have used?
- Where is it easiest to penetrate our software and security networks? What is most vulnerable?
So the landscape is the foundation both for hacker attacks and how they occur and for the fight against them. By implementing awareness training you're a step closer to fighting the cyber threat.
An overview of the threats
Second, when tracking down the techniques and processes of cybercriminals, it is essential for TTP specialists to form an overview of the threats and the data that hackers will typically target.
Specialists tracking down hackers and their methods can use different types of security tools for the same purpose. They have tools that analyse data and then pick up anomalies if there are any.
They can then use that data and the anomalies to create several "threat models" that give an overview of the different threats that could potentially be posed to the company. This can include an overview of where a company might be attacked and the different scenarios the company might face in a cyber attack.
Some of the programs used by TTP specialists include SIEM and MDR. These are tools that monitor, check and analyse IT systems for any anomalies - and therefore also signs of hacking or holes that hackers can penetrate.
IOCs (Indicators of Compromise) are digital traces and evidence left after a data breach. Security teams can therefore use them to get an overview of possible patterns of the hacker or to detect possible threats.
Detecting anomalies requires a high level of expertise in the technology behind the systems. If you do not have this, you will not be able to detect any abnormalities with the same degree of certainty. The specialists have to fine-tune the various filters to find out what might be part of a hacker's pattern. So if you do a broad search, you won't find data that is precise enough to detect an attack pattern.
Examples of common IOCs:
- Irregular traffic on the network
- Large numbers of files requested on the system
- Unknown IP addresses
- Numerous incorrect attempts to log in
- Atypical changes to systems or files
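The following added example (not code from the original article) shows how two of the IOCs listed above, numerous failed logins and unknown IP addresses, can be checked against an authentication log, and how the filter threshold changes what gets flagged. The log format, the `KNOWN_SOURCES` baseline and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data); addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T09:00:01 login user=alice src=192.0.2.10 result=ok
2024-05-01T09:01:00 login user=bob src=192.0.2.11 result=fail
2024-05-01T09:01:20 login user=bob src=192.0.2.11 result=ok
2024-05-01T09:02:00 login user=admin src=198.51.100.7 result=fail
2024-05-01T09:02:10 login user=admin src=198.51.100.7 result=fail
2024-05-01T09:02:20 login user=admin src=198.51.100.7 result=fail
2024-05-01T09:02:30 login user=admin src=198.51.100.7 result=fail
2024-05-01T09:02:45 login user=admin src=198.51.100.7 result=ok
2024-05-01T09:10:00 login user=carol src=203.0.113.5 result=ok
"""
KNOWN_SOURCES = {"192.0.2.10", "192.0.2.11"}  # assumed baseline of usual source IPs
LINE = re.compile(r"(\S+) login user=(\S+) src=(\S+) result=(ok|fail)")

def parse(log):
    """Yield (timestamp, user, source, result) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            ts, user, src, result = m.groups()
            yield datetime.fromisoformat(ts), user, src, result

def hunt(log, max_fails=3, window=timedelta(minutes=5)):
    """Return (burst_sources, unknown_sources, success_after_burst)."""
    fails = defaultdict(list)
    burst, unknown, success_after = set(), set(), set()
    for ts, user, src, result in parse(log):
        if src not in KNOWN_SOURCES:
            unknown.add(src)                      # IOC: unknown IP address
        if result == "fail":
            # keep only failures inside the sliding window, then add this one
            fails[src] = [t for t in fails[src] if ts - t <= window] + [ts]
            if len(fails[src]) >= max_fails:
                burst.add(src)                    # IOC: numerous failed logins
        elif src in burst:
            success_after.add((src, user))        # success after a failure burst
    return burst, unknown, success_after

if __name__ == "__main__":
    print("tuned :", hunt(SAMPLE_LOG))
    print("broad :", hunt(SAMPLE_LOG, max_fails=1))  # also flags bob's single typo
```

With `max_fails=1` the same log also flags bob's single mistyped password from a known address, which is the kind of imprecise result a broad search produces.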
Once the IOC has been cleared, specialists can move on to look at IOA (Indicators of Attack). IOA indicates when a cyber attack may take place and is updated in real time - hence it is also one of the most important tools in the hunt for TTPs.
A good cyber security plan
Optimally, a company should have full-time staff to deal with TTP detection, not just specialists for a limited period. Hackers and cybercriminals are constantly changing their tactics and methods when they want to hack into software or steal personal data.
It is a good idea - and investment - for a company to make a good security plan for future procedures when it comes to cyber security. You should consider what security measures you need to take as a business to avoid ending up in a situation where your data is exploited or stolen.
Therefore, you should always consider email security and awareness training for your employees so that you can be proactive in fighting the cyber threat yourself and avoid your company being the victim of a cyber attack.
Caroline Preisler is a copywriter here at Moxso beside her education. She is doing her Master's in English and specializes in translation and the psychology of language. Both fields deal with communication between people and how to create a common understanding - these elements are incorporated into the copywriting work she does here at Moxso.