Why and how threat hunters should focus on the tactics, techniques, and procedures of threat actors.

Dark Reading Staff, Dark Reading

August 17, 2020

6 Min Read

Organizations that perform threat hunting or threat intelligence services should be aware of the "pyramid of pain" introduced by David Bianco. It breaks threat intelligence down into six categories, but for all practical purposes they collapse into three, described here from the bottom of the pyramid to the top.

Attack Fingerprints: The bottom section includes a variety of attack fingerprints, such as hash values, IP addresses, domain names, and other artifacts. While gathering this information requires some skill, these are typically the simplest components to identify, and provide the least value for proactively stopping threats.

Tools: The middle section is about identifying software and utilities cybercriminals use to create their attacks. While this is the first level to provide insight into the motivations and behaviors of the threat actors behind attacks, this information is primarily useful in forensic analysis of an attack, rather than for proactively protecting a network.

From a defense perspective, the challenge for security teams is that the vast amount of information provided by threat intelligence services focuses almost exclusively on these first two areas of the pyramid. They are almost entirely reactive, meaning they can only be applied after the fact to determine if something has already been compromised. This information is far less valuable from a defense perspective because these are data points that are easy for a cybercriminal to change in order to return their attack to anonymity.

TTPs: It's the top of the pyramid – focused on the tactics, techniques, and procedures of threat actors – that is the most useful to organizations wanting a proactive threat strategy. It focuses directly on the behaviors of cyber adversaries, and not merely on their tools. By detecting and responding to TTPs, organizations can not only take direct action against threat actors, but also protect against everything else down the pyramid, even when attackers adjust to evade detection.
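The contrast between the bottom and the top of the pyramid is easiest to see in detection logic. The following Python is an added example written for this edit, not code from the article or from FortiGuard Labs; every host name, process name, hash and IP address in it is constructed (the addresses are RFC 5737 documentation ranges). It runs two detectors over the same constructed process telemetry: one matches indicators harvested from a first intrusion (hash and IP), the other matches the behaviour itself (an Office application spawning a command interpreter that then connects out). A second intrusion with a re-hashed payload and a new server slips past the indicator feed but not the behavioural rule.

```python
"""Indicator matching versus behaviour matching on constructed process telemetry.

Every host name, image name, hash and IP address below is constructed for this
example; none comes from a real incident.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str   # process that launched this one
    image: str          # process that was launched
    sha256: str         # hash of the launched binary (constructed placeholder)
    dest_ip: str        # first outbound connection, "" if none (constructed)


# Two intrusions that share a technique: an Office application spawns a
# command interpreter which then connects out. The second intrusion has
# re-hashed its payload and moved to a new server, so every indicator
# harvested from the first one is already stale.
EVENTS: List[ProcessEvent] = [
    ProcessEvent("ws01", "winword.exe", "powershell.exe", "sha256-constructed-A", "203.0.113.10"),
    ProcessEvent("ws01", "explorer.exe", "outlook.exe", "sha256-constructed-B", ""),
    ProcessEvent("ws02", "excel.exe", "cmd.exe", "sha256-constructed-C", "203.0.113.77"),
    ProcessEvent("ws03", "explorer.exe", "chrome.exe", "sha256-constructed-D", "198.51.100.5"),
]

# Bottom of the pyramid: indicators learned from the first intrusion only.
KNOWN_BAD_HASHES = {"sha256-constructed-A"}
KNOWN_BAD_IPS = {"203.0.113.10"}

# Top of the pyramid: a behavioural description of the technique itself.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def match_indicators(events: Iterable[ProcessEvent]) -> List[str]:
    """Hosts where some event carries a known-bad hash or destination IP."""
    return sorted({e.host for e in events
                   if e.sha256 in KNOWN_BAD_HASHES or e.dest_ip in KNOWN_BAD_IPS})


def match_behaviour(events: Iterable[ProcessEvent]) -> List[str]:
    """Hosts where an Office application spawned an interpreter that connected out."""
    return sorted({e.host for e in events
                   if e.parent_image in OFFICE_APPS
                   and e.image in INTERPRETERS
                   and e.dest_ip})


def missed_by_indicators(events: Iterable[ProcessEvent]) -> List[str]:
    """Hosts the behavioural rule flags that the indicator feed would have missed."""
    events = list(events)  # materialise so both detectors see every event
    return sorted(set(match_behaviour(events)) - set(match_indicators(events)))


if __name__ == "__main__":
    print("indicator hits :", match_indicators(EVENTS))      # ['ws01']
    print("behaviour hits :", match_behaviour(EVENTS))       # ['ws01', 'ws02']
    print("indicators miss:", missed_by_indicators(EVENTS))  # ['ws02']
```

The behavioural rule is deliberately broad: it will also fire on legitimate macros or add-ins that launch scripts, and tuning those out against the environment's baseline is the analyst work the article calls threat hunting. The trade is worth it because the adversary can change a hash or an IP for free, while changing how the payload is delivered and executed costs them tooling and testing.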

The other advantage is that a focus on TTPs is really about focusing on areas that are the most valuable to cyber adversaries – the zero-day vulnerabilities they buy and custom tools they pay to have developed. And, like any business, cybercriminals operate with the need to reduce risk (in this case, the risk of detection) and maximize their return on investment in the tools they use.

Threat Research Focused on TTPs is More Effective
When threat researchers focus on the top layer of the pyramid, they will also automatically find new indicators of compromise (IOCs) through discovery activities, anomaly detection and analysis, and threat elimination. Therefore, a team focused on TTPs provides an organization with more proactive threat intelligence because they are engaged in an active threat hunting process versus simply observing sightings.

Interestingly, a strong argument can also be made that if a threat research team is not good at the top layer of detection, meaning they are not actively engaged in threat hunting, then the data they provide across the lower layers is less robust, and potentially less reliable.

Of course, part of the problem is that information at this level is the most difficult to gather. Discovering and documenting TTPs, especially for sophisticated attacks, can quickly run into the constraints of what can reasonably be collected and assessed by human data analysts because it requires dealing with massive amounts of data.

Adding ML and AI to the Process
The next stage of the process will be to apply machine learning (ML) models to the operation of discovering and analyzing TTPs, and AI to the analysis of collected data. To understand the behaviors of cybercriminals is to analyze the patterns and tactics of successful network intruders and system crackers. Once machine learning models have mapped a cybercriminal’s attack pattern and signature – everything from reconnaissance to data exfiltration – intelligent systems can then be tuned to watch for the same attack pattern to repeat itself, and then intervene.

For threat researchers and hunters, this requires the distribution of active learning nodes, not just data collection stations, across the local, regional, or global threat landscape. Doing this enables three things.

First, remote learning nodes will be able to quickly detect known TTP patterns as well as related events down the pyramid. But just as importantly, they should also be able to move up the stack to identify new TTPs and autonomously deal with them as well. Rather than simply submitting collected data to a central site and waiting for instructions, advanced learning nodes should be able to successfully identify threats, send out alerts to clients, block corrupted servers and other devices, and apply coarse-grain responses, even against newly discovered attack patterns.

Next, by intelligently looking for and collecting specific types of information to be sent back to an AI-enhanced SOC, threat intelligence providers will be able to quickly identify new threat actors, attack vectors, and TTPs, as well as refine the profiles of existing threats.

And finally, an effective AI-based system deployed at a central threat intelligence hub should be able to perform the threat analysis functions of dozens of humans in a fraction of the time. AI systems can process massive amounts of information gathered by multiple learning nodes to discover patterns. And once a new model is identified, it can send it to all remote learning nodes to enhance their detection capabilities, along with a validated response to customer-deployed devices. And it can do this in a digital attack cycle where the difference between defending a network and being compromised will soon be measured in milliseconds.

We Are Really Close, and It Will Change Everything
While no threat intelligence organizations are doing this fully yet, we are getting close. Better and faster AI is being deployed within central threat research SOCs all the time, and ML-enhanced nodes are making their way out into the field right now. Playbooks are being developed using the MITRE methodology to identify patterns better and ensure a consistent standard for analysis. Once these essential building blocks are in place, the resulting playbooks will play a pivotal role in identifying threat actors and their attack patterns, proactively shutting them down before they have the opportunity to achieve their objectives.

About the Author: Derek Manky, Chief of Security Insights and Global Threat Alliances, FortiGuard Labs
Derek Manky formulates security strategy with more than 15 years of cybersecurity experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in an effort to shape the future of actionable threat intelligence and proactive security strategy.
