How Analyzing Threat Actor TTPs Can Bolster Your Information Security Program

Posted: 5th July 2016
By: Pete Hugh

Key Takeaways

  • Compliance doesn’t equal security. Keep your organization’s data safe with a proactive security mindset.
  • Make better cyber security decisions by understanding threat actor TTPs.
  • Help your red team prioritize targets for internal hunting and penetration testing by sharing TTP intelligence.
  • Use TTP intelligence to inform internal security awareness training and user access controls.
When it comes to keeping their data safe, many organizations fall back on compliance.

Whether that’s the Payment Card Industry Data Security Standard (PCI DSS) or the Federal Information Security Management Act (FISMA), some organizations focus on compliance as a baseline. However, compliance alone is a minimal step toward actual information security.

Why? Because compliance and security aren’t the same thing.

The headlines have been full of high-profile breaches in recent years, and I’m sure most of the victims at least thought they were in full compliance with their statutory obligations. In fact, many of them probably were compliant ... they just hadn’t taken their security to the next level.

The reality is that if you want your data to remain secure, you need to move toward a proactive security mindset. Sure, you still have to be compliant, but if you’re engaging in rigorous and proactive security measures your compliance audits will be little more than a box-ticking exercise.

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent.

By analyzing and understanding these TTPs, you can dramatically enhance the quality of your information security program.

Make Better Cyber Decisions

Perhaps the most obvious use for threat intelligence relating to threat actor TTPs is in decision making. But how specifically can you use this knowledge to inform better business decisions?

Firstly, if you know which TTPs you’re most likely to face, you’ll be in a much stronger position to invest in systems, processes, and personnel to keep your organization safe. No matter how large your organization is, you only have so much budget to go around, and you want to make sure you’re making the best use of it.

Whether that means investing in a more advanced vulnerability scanner or expanding your information security team, it’s going to be much easier to justify (not to mention more effective) if you have the data points to backup your decision.

But it doesn’t stop there.

Let’s imagine your intelligence points to DDoS (distributed denial of service) as a heavily favored attack vector in your industry. Being an organization that takes cyber security seriously, you’d like to bolster your defenses against this type of attack.

But should you outsource DDoS mitigation services, or take the time and resources to develop an in-house proprietary capability?

It’s easy to perform an analysis of available solutions in the marketplace, but unless you truly understand the probability and severity of your DDoS threat it will be impossible to make an informed decision. By reviewing verified data relating to recent attacks in your industry, you’ll have a much deeper understanding of your needs, and will be in a far better position to make this type of decision.

To take this a step further, as well as comparing available solutions, you can even use your knowledge of threat actor TTPs to help vet potential partners.

It’s not unheard of for small organizations to be breached purely for the purposes of gaining access to their larger partners. Whether that access comes through shared systems or intelligence for targeted spear phishing campaigns, it’s extremely bad news for everybody involved.

If you’re in an industry where this is common, such as healthcare, you’ll want to be cautious when choosing your partners.

Find Your Weak Spots

If you want your security measures to be truly effective, you’ll need to be proactive.

A talented and experienced red team is essential to building a world-class cyber security capability. And what better way to enable their full potential than providing in-depth analysis of attacker TTPs in your industry?

One of a red team’s most important activities is internal hunting. Literally, that’s searching for bugs, vulnerabilities, and security holes that might be exploited by threat actors.

Understanding attacker TTPs in your industry is a fantastic opportunity to rig the game by enabling your red team to target their search efforts toward the most likely exploits first.

Sure, in the end they’ll want to cover all the bases by identifying potential exploits in other areas, but there’s no better starting point than this.

And it’s not just about how attackers like to operate, it’s also about what they like to attack.

By identifying the most common targets in both successful and unsuccessful attacks, your red team will be able to prioritize these same areas within your organization for penetration testing.

If threat actors are consistently going after payment systems in your industry, it’s only sensible for your red team to perform a series of penetration tests focusing on your payment systems.

After all, if the payoff is high enough, attackers are far more likely to utilize a range of TTPs in order to breach a specific area of your organization.

So while you’re taking care of how you’re likely to be attacked, it only makes sense to consider where those attacks are likely to be.

Get Your House in Order

It’s not all about your security systems and personnel. Knowing where and how you’re likely to be attacked provides you with an excellent opportunity to enhance internal training, policies, and processes.

If, for instance, phishing has become very popular in your industry, gaining a deep understanding of the most common delivery mechanisms, content, and social engineering tactics puts you in a powerful position. Not only can you prevent a higher proportion of phishing emails from ever reaching their intended recipients within your organization, you’ll have vital information and real examples to inform internal security awareness training programs.

Alternatively, if like many organizations, your user access controls (UACs) have gradually spiraled out of control over a period of years, this could be the impetus you need.

By demonstrating to your executive team the dangers posed by poor UACs, as well as the corresponding TTP data points, you may well be able to secure the necessary resource to fix the problem.

A strong knowledge of threat actor TTPs in your industry can inform a whole range of internal systems and policies, from account usage restrictions to incident response tactics. Once you’ve produced the intelligence, you simply need to ensure it’s made available to the right people within your organization.

Understand Your Attacker

Let’s be clear. Understanding threat actor TTPs is not an easy or fast process.

You’ll need access to reliable, up to the minute threat intelligence, exceptional analysis, and an infrastructure and culture that supports sharing of sensitive data between teams and departments.

Most importantly, you’ll need skilled security personnel who are able to identify and understand intelligence relating to threat actor TTPs. To help we’ve put together a new white paper titled, “Understand Your Attacker: A Practical Guide to Identifying TTPs With Threat Intelligence."

This free resource, written by industry expert Levi Gundert, is designed to help you identify and respond to the latest attacker TTPs in your industry. Download the white paper now.

If the role of threat intelligence is to aid in reducing operational cyber risk (and it certainly should be) then understanding threat actor TTPs is a huge part of that.

Ignore it at your own risk.

Introducing Our New Threat Actor Cards

We’re excited to announce our new Threat Actor Cards — designed to help you quickly assess a threat actor's preferred targets, tools, and any specific risk to your enterprise.

The addition of this new Intelligence Card™ for threat actor groups will not only give you a ready summary of a group's targeting history and attack patterns, but will also allow you to quickly pivot into relevant IOCs (indicators of compromise) or exploited vulnerabilities.

You can learn more about this new feature in our recent blog post.