CTI – Part 4

Ok everyone, I hope you have enjoyed this series so far. We have been moving right through some Cyber Threat Intelligence (CTI) concepts and have covered a lot of ground. Now I think it is important to talk about two of the main components of CTI – Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs). If CTI is the target, TTPs and IOCs are the breadcrumbs leading the way. They give us the small pieces of information that are assembled into a holistic picture of a threat actor and their behaviors, which in turn is used to produce actionable intelligence for a preventative defense.

As we have previously discussed, the main purpose of CTI is to build a robust threat actor profile outlining their motivations, intentions, and techniques to improve the security posture of an organization and provide the means to develop a proactive defense. The TTPs and IOCs help analysts outline attacks conducted by these threat actors and identify patterns by recording the Hash Values, IPs, Domains, Network Artifacts, Tools, and most importantly TTPs. While all of this information is essential and helps provide a complete and well-established threat intelligence product, there is a distinct hierarchy of importance for this information as it relates to CTI.

David J Bianco developed what is called the Pyramid of Pain, a descriptive model that depicts the level of importance an IOC holds in regard to CTI. Each level of the pyramid represents a level of pain for the threat actor: as we ascend the levels, the information collected becomes more reliable and more effective in causing pain to a threat actor and their attack campaigns.

Here is an image of the Pyramid of Pain I grabbed from a CISA Cybersecurity Summit presentation to give a visual representation of this concept. https://www.cisa.gov/sites/default/files/publications/Operationalizing_ATTACK_through_CISA_Alerts_508.pdf

Here you can see that the visual does a great job of showing the difference between the IOCs and the TTPs. IOCs are the information collected through the investigation of a cyber incident that is easily changeable. This includes the hash values of the executable malware, the IP addresses used as the source of the attack or perhaps as the C2 server, and the domains used within the attack. This information needs to be acted upon quickly because any decent threat actor will change these details in their plan of attack in order to avoid capture, making this information useful but not as effective in tracking a threat actor as tools or TTPs.

TTPs are an essential part of the CTI collection process and provide a great perspective on the behaviors, tactics, techniques, and procedures of a threat actor. This is the backbone of the MITRE ATT&CK Framework that helps to profile threat actors in a systematic way. We will do a deeper dive into some of the CTI frameworks and go into ATT&CK in the next few articles.

For now, let’s ascend the pyramid:

Hash Values – Provide a quick way to identify files and can be used to identify malware used within an attack. The problem with this IOC is that it is very easily changeable. If an attacker changes the contents of the file in any way the hash will change. Also, an attacker can simply use a different compiler and produce a different hash value. While this information is still important to record and document, it should not be relied upon as primary evidence.

IP Addresses – Are great IOCs that can be quickly mitigated. Firewall rules can be updated quickly to block traffic to and from an IP. The issue is the ease with which a threat actor can switch up these IP addresses. As stated earlier, this is not only common, but also expected. This is so the malware or threat actor can remain persistent and try to maintain optimal functionality of their malware within a network for as long as possible.

Domain Names – Are very similar to IP addresses where they can be easily blocked, and threat actors are expected to switch these up frequently. Even though they are useful to record and document, they are still not the most reliable information since they are switched around so frequently.

Network/Host Artifacts – Can be anything that is left behind from the attack. It could be a file that is left behind by the malware or threat actor, a change to the registry, or any other type of change to the system that can be identified and documented. This can include any kind of distinguishing change that occurs which can lead investigators back to the threat actor as part of a cyberattack.

Tools – Provide great evidence for CTI analysts because certain tools are easily traced back to certain threat actors. Also, some of these tools may have an interface that is written in the native language of the attackers, or it might have other information that can help analysts learn more about a threat actor including their nationality. A lot of these advanced threat actors will create their own tools, and if they are recorded and documented by CTI analysts, this provides information that is effective in identifying these attackers and associating them with reported cyberattacks.

TTPs – The bread and butter of the Pyramid of Pain. TTPs provide behavioral information and specific details on how certain attacks are conducted. For example, the time at which the threat actors operate can indicate that they only operate outside of work hours, or could show in which time zone they operate, giving a clue towards their geolocation. This, along with other important information, is the data that is organized within the MITRE ATT&CK format to easily analyze the procedures threat actors use to gain access, remain persistent, and exfiltrate data.

As you can see, the Pyramid of Pain helps to outline which type of information should be prioritized for CTI. The TTPs cause the most pain for a threat actor as they provide the most reliable and long-term evidence to properly identify and mitigate these cyberattacks.
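To make the hierarchy concrete, here is an added Python example (my own, not code from the original post) that sorts a mixed list of indicators by their Pyramid of Pain level, so the durable items (TTPs, tools, artifacts) surface first and brittle hash values land last. The `tool:`/`artifact:` tagging convention and the sample indicator list are constructed assumptions for this example; ATT&CK technique IDs such as T1059.001 stand in for TTPs.

```python
import re

# Pyramid of Pain levels, bottom (1) to top (6). A higher level is more
# durable for defenders and more painful for the adversary to change.
PYRAMID_LEVELS = {"hash": 1, "ip": 2, "domain": 3, "artifact": 4, "tool": 5, "ttp": 6}
# Shape-based detection for indicators with a fixed syntax: MD5/SHA-1/SHA-256
# hashes are 32/40/64 hex chars; ATT&CK technique IDs (T1059 or T1059.001)
# stand in for TTPs. Tools and host artifacts are free text, so they carry an
# explicit "tool:" or "artifact:" tag (a convention assumed for this example).
_PATTERNS = [
    ("hash", re.compile(r"^(?:[A-Fa-f0-9]{32}|[A-Fa-f0-9]{40}|[A-Fa-f0-9]{64})$")),
    ("ip", re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")),
    ("ttp", re.compile(r"^T\d{4}(?:\.\d{3})?$")),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)),
]

def classify(indicator: str) -> str:
    """Map one indicator string to its Pyramid of Pain category."""
    value = indicator.strip()
    for tag in ("tool:", "artifact:"):
        if value.lower().startswith(tag):
            return tag[:-1]
    for name, pattern in _PATTERNS:
        if pattern.match(value):
            return name
    return "unknown"

def prioritize(indicators):
    """Return (level, category, indicator) tuples, highest pain first.
    Unknown indicators get level 0 so they sink to the bottom for review."""
    ranked = []
    for raw in indicators:
        category = classify(raw)
        ranked.append((PYRAMID_LEVELS.get(category, 0), category, raw.strip()))
    return sorted(ranked, key=lambda t: t[0], reverse=True)

# Constructed sample indicators (documentation ranges and made-up values,
# not from any real incident report).
SAMPLE = [
    "0123456789abcdef0123456789abcdef",  # MD5-shaped hash
    "203.0.113.10",                      # TEST-NET-3 address
    "update-check.example.net",
    r"artifact:HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
    "tool:custom-loader",
    "T1059.001",                         # ATT&CK technique ID (PowerShell)
]

if __name__ == "__main__":
    for level, category, value in prioritize(SAMPLE):
        print(f"L{level} {category:<8} {value}")
```

Feeding a real report's indicator list through `prioritize` gives a quick triage order: hashes and IPs go into blocklists immediately, while the top of the list is what deserves detection-engineering effort.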

This tees us up perfectly for the next article, where I will talk more about the frameworks used in CTI and how the MITRE ATT&CK Framework efficiently uses TTPs to organize data and help produce effective threat intelligence products.

I hope you enjoyed this article and are ready for more to come!

Lou Dell’Italia

Hackhouse.net

https://www.linkedin.com/in/lou-dell-italia-43745a82/

Suggested Resources:

Mark Lowenthal – Intelligence: From Secrets to Policy https://www.amazon.com/gp/product/B07YHZMBYB/ref=dbs_a_def_rwt_bibl_vppi_i0

John Friedman & Mark Bouchard – Definitive Guide to Cyber Threat Intelligence https://cryptome.org/2015/09/cti-guide.pdf

Recorded Future – Threat Intelligence Handbook 

Recorded Future – Threat Intelligence https://www.recordedfuture.com/threat-intelligence/

James Dietle – Effective Threat Intelligence

Scott J. Roberts & Rebekah Brown – Intelligence Driven Incident Response
