Open krmaxwell opened 9 years ago
http://stixproject.github.io/data-model/1.1.1/ttp/TTPType/
TTPs are representations of the behavior or modus operandi of cyber adversaries. It is a term taken from the traditional military sphere and is used to characterize what an adversary does and how they do it in increasing levels of detail. For instance, to give a simple example, a tactic may be to use malware to steal credit card credentials. A related technique (at a lower level of detail) may be to send targeted emails to potential victims, which have documents attached containing malicious code which executes upon opening, captures credit card information from keystrokes, and uses http to communicate with a command and control server to transfer information. A related procedure (at a lower level of detail) may be to perform open source research to identify potentially gullible individuals, craft a convincing socially engineered email and document, create malware/exploit that will bypass current antivirus detection, establish a command and control server by registering a domain called mychasebank.org, and send mail to victims from a Gmail account called accounts-mychasebank@gmail.com.
TTPs consist of the specific adversary behavior (attack patterns, malware, exploits) exhibited, resources leveraged (tools, infrastructure, personas), information on the victims targeted (who, what or where), relevant ExploitTargets being targeted, intended effects, relevant kill chain phases, handling guidance, source of the TTP information, etc.
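To make the tactic / technique / procedure tiers and the TTPType fields above concrete, here is an added example (not code from the issue thread or from the STIX project) that serializes the credit-card scenario quoted above as a STIX 1.1.1 TTP and reads the tiers back out. It uses only the Python standard library, not python-stix. Element and namespace names follow the STIX 1.1.1 TTP schema (`http://stix.mitre.org/TTP-1`, `http://stix.mitre.org/common-1`); the `example:` ids, the CAPEC reference, the vocabulary strings and the kill chain phase name are constructed for illustration, and no vocabulary `xsi:type`s are attached to the values. Note where tools sit: the schema models them as a sub-element of `ttp:Resources`, alongside infrastructure and personas, not as a tier of the TTP itself.

```python
"""Serialize the tactic/technique/procedure example as a STIX 1.1.1 TTP
(stdlib only) and parse the tiers back out. Ids, CAPEC id, vocabulary
strings and phase name are constructed for illustration."""
import xml.etree.ElementTree as ET

STIX = "http://stix.mitre.org/stix-1"
TTP = "http://stix.mitre.org/TTP-1"
COMMON = "http://stix.mitre.org/common-1"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

for _prefix, _uri in (("stix", STIX), ("ttp", TTP), ("stixCommon", COMMON), ("xsi", XSI)):
    ET.register_namespace(_prefix, _uri)


def q(ns, tag):
    """Clark-notation qualified name, e.g. {http://stix.mitre.org/TTP-1}Title."""
    return "{%s}%s" % (ns, tag)


def sub(parent, ns, tag, text=None, **attrs):
    """Append a namespaced child element with optional text and attributes."""
    el = ET.SubElement(parent, q(ns, tag), attrs)
    if text is not None:
        el.text = text
    return el


def build_ttp(ttp_id, tactic, technique, procedure):
    """Map the three tiers onto TTPType fields and return the package as XML text.

    tactic:    {"title", "intended_effect"}            -> Title, Intended_Effect
    technique: {"capec_id", "title", "description",
                "malware_name"}                        -> Behavior (Attack_Pattern, Malware)
    procedure: {"domain", "persona", "phase_name",
                "source"}                              -> Resources, Kill_Chain_Phases, Information_Source
    """
    pkg = ET.Element(q(STIX, "STIX_Package"), {"id": "example:Package-1", "version": "1.1.1"})
    ttp = sub(sub(pkg, STIX, "TTPs"), STIX, "TTP", id=ttp_id)
    ttp.set(q(XSI, "type"), "ttp:TTPType")

    # Tactic: what the adversary is trying to achieve (coarsest level of detail).
    sub(ttp, TTP, "Title", tactic["title"])
    sub(sub(ttp, TTP, "Intended_Effect"), COMMON, "Value", tactic["intended_effect"])

    # Technique: the behaviour exhibited (attack pattern plus malware), one level down.
    behavior = sub(ttp, TTP, "Behavior")
    pattern = sub(sub(behavior, TTP, "Attack_Patterns"), TTP, "Attack_Pattern",
                  capec_id=technique["capec_id"])
    sub(pattern, TTP, "Title", technique["title"])
    sub(pattern, TTP, "Description", technique["description"])
    instance = sub(sub(behavior, TTP, "Malware"), TTP, "Malware_Instance")
    sub(instance, TTP, "Name", technique["malware_name"])

    # Procedure: the concrete resources this actor leveraged. Tools, if any,
    # would go under ttp:Resources/ttp:Tools: they are a resource, not a "T".
    resources = sub(ttp, TTP, "Resources")
    infra = sub(resources, TTP, "Infrastructure")
    sub(infra, TTP, "Type", "Domain Registration")
    sub(infra, TTP, "Description", "C2 domain %s" % procedure["domain"])
    sub(sub(resources, TTP, "Personas"), TTP, "Persona", procedure["persona"])

    # Victims, kill chain placement and provenance of the TTP information.
    sub(sub(ttp, TTP, "Victim_Targeting"), TTP, "Targeted_Information",
        "Information Assets - Financial Data")
    sub(sub(ttp, TTP, "Kill_Chain_Phases"), COMMON, "Kill_Chain_Phase",
        phase_id="example:KillChainPhase-delivery", name=procedure["phase_name"],
        kill_chain_id="example:KillChain-1", kill_chain_name="LM Cyber Kill Chain")
    sub(sub(ttp, TTP, "Information_Source"), COMMON, "Description", procedure["source"])
    return ET.tostring(pkg, encoding="unicode")


def summarize(xml_text):
    """Parse a serialized package and return the tiers as a flat dict."""
    root = ET.fromstring(xml_text)
    ttp = root.find("./%s/%s" % (q(STIX, "TTPs"), q(STIX, "TTP")))
    pattern = ttp.find(".//%s" % q(TTP, "Attack_Pattern"))
    return {
        "id": ttp.get("id"),
        "tactic": ttp.findtext(q(TTP, "Title")),
        "intended_effect": ttp.findtext("./%s/%s" % (q(TTP, "Intended_Effect"), q(COMMON, "Value"))),
        "technique_capec": pattern.get("capec_id"),
        "procedure_persona": ttp.findtext(".//%s" % q(TTP, "Persona")),
        "kill_chain_phase": ttp.find(".//%s" % q(COMMON, "Kill_Chain_Phase")).get("name"),
        # True only if a ttp:Resources/ttp:Tools element is present.
        "tools_listed": ttp.find(".//%s" % q(TTP, "Tools")) is not None,
    }


# Constructed instance of the scenario quoted from the STIX data model page.
EXAMPLE = build_ttp(
    "example:TTP-1",
    tactic={"title": "Steal credit card credentials with malware",
            "intended_effect": "Theft - Credential Theft"},
    technique={"capec_id": "CAPEC-163", "title": "Spear Phishing",
               "description": "Targeted email with a malicious attachment that captures "
                              "card data from keystrokes and reports to a C2 server over HTTP",
               "malware_name": "keylogger"},
    procedure={"domain": "mychasebank.org", "persona": "accounts-mychasebank@gmail.com",
               "phase_name": "Delivery", "source": "constructed from the issue text"},
)

if __name__ == "__main__":
    print(EXAMPLE)
    print(summarize(EXAMPLE))
```

`summarize` deliberately reports whether a `ttp:Tools` element is present: in a real feed it is a quick way to spot producers who are stuffing tool names into a TTP's top level instead of under `Resources`.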
VERY IMPORTANT - neither of the "T"s in "TTP" stands for "tools". I'm'a smack somebody silly the next time they do that.
And IOCs are not soft TTPs.
Tactics, Techniques, and Protocols or Procedures... either way.
Yeah, I'm just frustrated about the "tools" bit.
That's a solid resource.
Oops, didn't mean to close this.
:raising_hand: I KNOW I KNOW I KNOW I KNOW!