TTPs From A Through Z With Levi Gundert

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone and thanks for joining us for episode 25 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire. You're likely familiar with the phrase, “know your enemy.” The idea being the more you know about your adversary, their motivations, methods, and capabilities, the better advantage you'll have when it's time to defend yourself. In cybersecurity threat intelligence, we speak of threat actor tactics, techniques, and procedures, or TTPs. TTPs can come from a variety of sources including open source, darknet, scanning and crawling, and others, but in order to turn the raw data from TTPs to actionable intelligence, you need to know how to set your priorities based on your organization's needs.

Joining us once again to help make sense of all of this is Levi Gundert, vice president of intelligence and strategy at Recorded Future. Stay with us.

Levi Gundert:

TTPs stand for tactics, techniques, and procedures, and they're typically referenced when we're talking about adversary behaviors. They're very different from static indicators, indicators of attack, or indicators of compromise. TTPs are really higher-level behaviors that evolved over time and they're harder to identify and track, but they're also much more lucrative for defenders in terms of thinking through how an attacker operates, and what it means in terms of risk for the business.

Dave Bittner:

Let's dive into that some. In terms of the value of TTPs, take us through what makes them valuable.

Levi Gundert:

Well, TTPs are essentially methodologies, and oftentimes, they're tied to actors. Sometimes it's important to know background on an actor and adversary because motivations oftentimes inform methodologies, but it's not super important to necessarily understand the name and the address of an actor and adversary. It's more important to understand, generally, who they are and why they exist, and what motivates the behavior, but it's really the behaviors themselves that are most interesting from a defensive perspective, because you can track these behaviors over time and watch evolutions, and really understand how the impact affects the business and what that could mean in terms of monetary loss.

If you see actors who are, for example, using a particular type of tool for pre-exploit activity, or post exploit activity, and they're developing it themselves, that's the type of TTP that defenders watch very closely. Similarly, if you have an opportunist who is in the underground economy and they're spending time looking for the right tools for a specific type of activity, just that act itself of looking for tools instead of developing tools themselves, is again an important indicator to understand things like, how sophisticated is the act or adversary? What is the intent and purpose? What is the history of their activity? Are they targeting businesses in our industry vertical, or is it only other industry verticals? Really, what does this mean going forward?

Again, TTPs sometimes are simple to articulate, but sometimes they're less simple. Sometimes it's a little bit harder exactly to find what a TTP is. I suppose you sort of have to fall back to the supreme court definition of, “I know it when I see it.”

Dave Bittner:

You make the point that one of the important things when dealing with TTPs is identifying your sources.

Levi Gundert:

Yeah, that really is important, and I think in order to identify TTPs and to do that well, whether it be a single data point or multiple data points that are sort of chained together over time, you really want the broadest information available for the activity. It's not collecting data for the point of collecting data, but really, again, having the broadest and deepest collection available so that you can track TTPs for multiple actors over time, and so in the end, if you talk to any intelligence professional, they'll tell you that they're never going to turn down data.

Primarily because some of these actions are reactive, so when there's some sort of information security event, operational defenders are reacting to that event and they need the deepest and the broadest data available to help them, but similarly, proactively, when you're hunting for adversary TTPs, it's very beneficial to have more data than less, of course.

Dave Bittner:

In terms of identifying those sources, there are some broad classifications that you all generally use?

Levi Gundert:

Yeah, absolutely. There's really six primary buckets that we think about in terms of data, and pretty much all security data tends to fall into one of these six buckets when you're thinking about adversaries, and specifically, TTPs. The first one is the web and open source. There's a vast amount of data across the web, obviously, in multiple different languages. Everything from code repositories, to pay sites, to blogs and forums, and there's just an overwhelming amount of information, but oftentimes it's very, very useful just depending on the scenario.

On the second bucket is, really, honey pots or darknets. There's a lot of organizations that run these honey nets that are essentially servers, or even networks that are intended to be dark so there should be no traffic destined for these boxes or networks, and so they capture everything that is inbound and log it. Obviously, those logs become a potentially useful source of information when thinking about TTPs, especially precursors to attacks, new types of vulnerabilities, and exploit activity. Honey pots can be very, very advantageous if you have those resources available.

Customer telemetry is the third data bucket. Customer telemetry can be anything from your own internal log data coming off your network and host space devices, as well as telemetry provided by external third parties who have access to different types of network telemetry, or host-based telemetry and are willing to share or sell that. The fourth bucket is what we call scanning or crawling data. This is sort of proactive internet scanners, so, these are organizations like Shodan that enumerate ports and services across the entire IPB for space on the internet. That type of data can also be very, very helpful when you're correlating data points and trying to understand bigger TTPs.

The fifth bucket is malware processing. Malware processing is, essentially, taking malware samples and detonating them during runtime analysis, or even static analysis and taking those apart, and storing that metadata for long-term use and correlation. The last bucket is closed source, or what we call human relationships, where you have actual actor engagement in some covert capacity, where somebody is pretending to be someone they're not in order to actively engage with a specific actor online and elicit information from that actor. Those are, really, the six high-level buckets that we think all data falls into.

Dave Bittner:

For an organization trying to get started with this, what's the decision process for deciding to handle it internally or engaging with a vendor?

Levi Gundert:

Well, I think when you make an assessment about whether a vendor is the right decision, you really want to dig into their sources. Again, you really want to understand from those six high-level buckets, where a vendor's data originates from. Whether they originated themselves, or whether they import some of that data from other companies or partners that they work with. It's really important to drill down into the specifics on the “how” of the data, and then when you're thinking about your own requirements, it's important to think about the time and the resources that are going to be necessary to build that capability in-house.

Depending on the size of the team and the size of the resources available, and the size of the budget within the organization, those are typically the constraints that tend to dictate whether a team is going to outsource through a vendor or try and build it in-house.

Dave Bittner:

We often talk about here — particularly, since our topic is threat intelligence — we talk about the notion of transforming information into intelligence. How does that transformation apply to TTPs?

Levi Gundert:

Well, TTPs generally, almost always require that human analyst component, so to your point, it's the act of analysis that is really transforming data into intelligence. At this time, it's really human analysts that are required to do that. Identifying TTPs formally in tracking those typically requires that human analyst component, that human brain to do that work. While we've come a long way in terms of machine learning and artificial intelligence, it's really still just a tool that can better help and better inform those human analysts that are identifying TTPs and processing TTPs.

Dave Bittner:

Can you explain to me, where do TTPs fit in in the overall spectrum of information and malware fighting in an organization? Is it a big part of what a typical organization would do, is it a tool in their toolbox? Where exactly should it fit in?

Levi Gundert:

I think TTPs are really the tip of the spear in terms of threat intelligence, being able to inform risk for business and organizations. If you think about TTPs as higher level, higher-order trends and behaviors, when there's a new TTP or there's a change in TTPs, that really has to translate into impact. What does it mean in terms of impact and potential loss, what does it mean in terms of risk for the business, and what should the business be doing differently in terms of their decisions around control spending and, strategically, what types of controls do they need?

If you're not able to pull out those adversary trends at a higher level, if you're not able to translate those TTPs into risk profiles, then it's not super useful, that activity, but if you are, then it's really one of the most impactful things you can do for the business.

Dave Bittner:

Can you take us through some scenarios, some examples of using TTPs?

Levi Gundert:

Sure. For example, if you're tracking denial-of-service trends and you see very typical behaviors when it comes to denial of service, you see typical SYN floods, and you see typical botnets that are launching these types of attacks, you're keeping up with other types of reflection or amplification attacks that are happening with Internet of Things devices. You see Mirai — with Mirai there was a fundamental shift in terms of the type of DDoS that was being generated and the impact of what it could achieve. Even further, still, if you drill down into trying to identify the actors behind Mirai, you would come up with a profile in trying to understand the motivations behind it.

Even further, still, developing and understanding trends beyond Internet of Things and Mirai, looking at other types of amplification reflection that may use protocols based on UDP that haven't been seen in denial-of-service attacks yet, but that could be, theoretically, could be anticipated because you're watching the trend, you're seeing how this is evolving. Therefore, you could say that some of the protocols that are based on UDP will also be leveraged in future types of denial of service attacks.

What that means for you as a business, that has a certain type of port and service running that relies on UDP, could be used either in a denial-of-service attack, or you may be the victim of a denial-of-service attack based on your observations of other companies in your same industry vertical being targeted by a specific methodology, or by a specific actor group. That translates to the business if there's increased risk. You assess that there's increased risk because of this TTP monitoring, you would go to the business and have a conversation about whether increased spending is necessary on DDoS mitigation services, outsourcing that sort of control, whether that's something you could do in-house.

Similarly, if you look at trends around something like post exploitation tool sets, there's a lot of use right now, currently, on Window systems — PowerShell and Mimikatz are very popular tools for post-exploitation persistence and lateral movement in an organization. Again, looking at the higher-level trend and asking yourself, “what does this mean in terms of impact for the business, and what does it mean in terms of potential loss?” If you assess that there is some severity there, then you would, of course, have that conversation around PowerShell, specifically, and whether you need additional controls, whether the business should be spending.

If you think about the business decision to upgrade from, potentially, Windows 7 to Windows 10, is there a security argument to be made there, because you get logging or more granular logging around PowerShell activity on every host in the enterprise. There's obviously a business decision to be made there, but threat intelligence can inform that decision based on the trends that are being observed in post-exploitation tool sets, especially native tools that are already on Windows host.

Dave Bittner:

Once you get your TTPs program up and running, once you're collecting and analyzing your TTPs, what are your tips for reporting your findings to the rest of your organization?

Levi Gundert:

Again, I think it's really important that you have a process in place for translating well-defined TTPs into not only new operational controls or control rules that will immediately benefit the organization and impact security in a positive way, but also that you can translate those TTPs strategically in reporting form to the executive team and to the board. Again, in terms of risk and loss, making sure that you can talk in the language of risk. Oftentimes, organizations don't understand security. They don't understand technology at the highest levels of the business, but they fundamentally understand risk.

Being able to translate a trend or a specific TTP, being able to translate what that means for the business, strategically, is so important. Not only to give visibility to the threat intelligence products, but also to benefit the business, and threat intelligence is one of these disciplines that really should be informing the entire security apparatus, and oftentimes it's just an afterthought. It's a checkbox for governments and compliance, and really, it doesn't help the business. It's just sort of a waste of money. But if it's upfront and it's doing these things and actually leading the security group in terms of where the controls are going, and where the spending is happening from the business, then it's actually very impactful and very valuable for the business.

Dave Bittner:

Our thanks to Levi Gundert for once again joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

Remember to save the date for RFUN, the sixth annual threat intelligence conference coming up in October in Washington, D.C. Attendees will gain valuable insight into threat intelligence best practices by hearing from industry luminaries, peers, and Recorded Future experts. We'll have a team there from the CyberWire podcasting from the event, so we look forward to seeing you there.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda Mckeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media with Editor John Petrik, Executive Producer Peter Kilpe, and I'm Dave Bittner. Thanks for listening.