1.3 TTP Based Detection - MAD20 Threat Hunting & Detection Engineering Course
Summary
TLDR: This lesson introduces TTP-based detection in threat hunting and compares it with traditional approaches such as signature-based detection. It walks through the Pyramid of Pain, a model that ranks indicators of compromise (IOCs) such as hashes, IP addresses, and domain names by how hard they are for an attacker to change. The focus is on TTPs (tactics, techniques, and procedures), which are the hardest for adversaries to modify and therefore the most durable basis for detection. The lesson stresses that every detection method has value, but that investing in TTP-based detection pays off over the long term in identifying and mitigating malicious activity.
Takeaways
- 😀 Signature-based detection focuses on indicators like hashes, IPs, and domain names but is easy for attackers to bypass by modifying these indicators.
- 😀 TTP-based detection focuses on the adversarial behavior using Tactics, Techniques, and Procedures (TTPs), which are harder for attackers to alter or evade.
- 😀 The Pyramid of Pain illustrates how difficult it is for attackers to change different types of indicators, with TTPs being the most difficult to modify.
- 😀 At the bottom of the Pyramid, low-level indicators (hash values, IP addresses, domain names) are easier for adversaries to change, resulting in lower detection reliability.
- 😀 As we move up the Pyramid, network or host artifacts become more difficult for attackers to change, requiring a deeper understanding of their tools and procedures.
- 😀 The tool level of the Pyramid represents a major challenge for attackers, as creating new tools requires extensive development and testing, increasing the risk of attribution.
- 😀 Tactics, Techniques, and Procedures (TTPs) at the top of the Pyramid are the hardest to change and provide the most valuable long-term defense against adversaries.
- 😀 TTP-based detection gives defenders a higher return on investment because it focuses on more stable, long-term adversarial behaviors rather than transient indicators.
- 😀 Defenders can gain greater effectiveness by focusing on detecting malicious activities at the TTP level rather than relying solely on signature-based or lower-level detection methods.
- 😀 All detection approaches (signature-based, profile-based, anomaly-based, and TTP-based) have their strengths and weaknesses and should complement each other for the best defense strategy.
Q & A
What are precision and recall, and why are they important in threat hunting?
- Precision and recall are key performance metrics in threat detection. Precision is the fraction of detections that are actually malicious, while recall is the fraction of actual threats that were detected. They matter in threat hunting because a detection must catch real threats (high recall) while keeping false positives low (high precision).
What are the traditional detection approaches mentioned in the lesson?
- The traditional detection approaches discussed are signature-based, profile-based, and anomaly-based detection. Each has its own strengths and limitations in identifying malicious activity.
How does the TTP-based approach differ from signature-based detection?
- The TTP-based approach detects malicious activity by the adversary's tactics, techniques, and procedures (TTPs), which describe how the adversary operates, whereas signature-based detection looks for specific indicators of compromise (IOCs), such as a unique malware hash.
What is the Pyramid of Pain, and who created it?
- The Pyramid of Pain, created by David Bianco in 2013, visualizes how much difficulty an adversary faces in changing the various observables of a campaign. Its levels run from hash values at the bottom to tactics, techniques, and procedures (TTPs) at the top.
Why is it difficult for adversaries to change their TTPs, as mentioned in the Pyramid of Pain?
- Adversaries find it difficult to change their TTPs because devising a new technique requires deep expertise in the target systems or protocols and usually significant research. TTPs also have to interact with the existing functionality of the target system, so they cannot be altered freely without breaking the adversary's operation.
How does the difficulty of changing hash values compare to changing TTPs in the Pyramid of Pain?
- Hash values are the easiest indicator to change in the Pyramid of Pain: changing even a single bit of the input produces a completely different hash. Changing TTPs, by contrast, demands far more effort and expertise, which makes them much harder for adversaries to modify.
What role do domain names and IP addresses play in the adversary's ability to evade detection?
- Domain names and IP addresses are relatively easy for adversaries to change; they can use redirection services or register new domains to replace these indicators. Doing so takes more effort than changing a hash value, but it remains an accessible way for attackers to evade detection.
Why is detecting TTPs considered a more effective defense strategy than detecting IOCs?
- Detecting TTPs is considered more effective because TTPs are harder for adversaries to modify than IOCs. By focusing on TTPs, defenders detect or mitigate activity the adversary cannot easily disguise, which increases the longevity and effectiveness of the defense.
What are the challenges associated with adversaries developing new tools to evade detection?
- Developing new tools is costly and time-consuming for adversaries. It requires deep knowledge, programming skill, and extensive testing across target systems. Using unique tools also raises the risk of attribution and detection, because those tools can be traced back to specific actors.
How can defenders use the ATT&CK framework in threat hunting?
- Defenders can use the ATT&CK framework to better understand and detect adversarial TTPs. The framework provides a comprehensive catalogue of the tactics, techniques, and procedures adversaries use, allowing defenders to focus on behaviours rather than specific indicators and so improve their detection and response strategies.
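The following example is added here and is not part of the MAD20 lesson. It puts the Pyramid of Pain comparison and the precision/recall definitions from the Q&A side by side in code: a signature-style rule keyed on a single file hash and a TTP-style rule keyed on a behaviour (an Office application spawning a child process) are both scored against a constructed set of labelled process-creation events. All event values, hash strings, and image names are made up for illustration; the `ProcessEvent` class, the two rules, and the scoring helpers are assumptions of this example, not an API from the course or any EDR product.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record from a constructed (hypothetical) EDR feed."""
    parent: str      # image name of the parent process
    image: str       # image name of the spawned process
    sha256: str      # hash of the spawned image (placeholder strings, not real IoCs)
    malicious: bool  # ground-truth label used only for scoring


Rule = Callable[[ProcessEvent], bool]

# Constructed telemetry: three malicious spawns (two of them repacked, so the
# file hash changed) and three benign ones, including a legitimate admin macro.
EVENTS: List[ProcessEvent] = [
    ProcessEvent("WINWORD.EXE", "update.exe", "hash-known-bad-1", True),
    ProcessEvent("WINWORD.EXE", "update.exe", "hash-repacked-2", True),   # same tool, new hash
    ProcessEvent("OUTLOOK.EXE", "invoice.exe", "hash-repacked-3", True),  # same procedure, new hash
    ProcessEvent("explorer.exe", "powershell.exe", "hash-ps-legit", False),
    ProcessEvent("EXCEL.EXE", "cmd.exe", "hash-cmd-legit", False),        # admin macro: benign
    ProcessEvent("explorer.exe", "notepad.exe", "hash-notepad", False),
]

# Bottom of the Pyramid: a signature keyed on one hash value (constructed).
KNOWN_BAD_HASHES = {"hash-known-bad-1"}

# Top of the Pyramid: the behaviour "an Office application spawns a child process".
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE", "POWERPNT.EXE"}


def hash_rule(ev: ProcessEvent) -> bool:
    """Signature-based detection: fires only on an exact hash match."""
    return ev.sha256 in KNOWN_BAD_HASHES


def ttp_rule(ev: ProcessEvent) -> bool:
    """TTP-based detection: fires on the parent/child relationship, whatever the hash."""
    return ev.parent in OFFICE_APPS and ev.image not in OFFICE_APPS


def confusion(rule: Rule, events: List[ProcessEvent]) -> Dict[str, int]:
    """Count true/false positives and negatives of a rule against labelled events."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for ev in events:
        fired = rule(ev)
        if fired and ev.malicious:
            counts["tp"] += 1
        elif fired:
            counts["fp"] += 1
        elif ev.malicious:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def precision_recall(rule: Rule, events: List[ProcessEvent]) -> Tuple[float, float]:
    """Precision = TP / (TP + FP); recall = TP / (TP + FN).

    A rule that never fires has undefined precision; it is reported as 0.0 here
    so that a dead rule scores as badly as it deserves rather than raising.
    """
    c = confusion(rule, events)
    detected = c["tp"] + c["fp"]
    actual = c["tp"] + c["fn"]
    precision = c["tp"] / detected if detected else 0.0
    recall = c["tp"] / actual if actual else 0.0
    return precision, recall


if __name__ == "__main__":
    for name, rule in (("hash rule", hash_rule), ("TTP rule", ttp_rule)):
        p, r = precision_recall(rule, EVENTS)
        print(f"{name:9s} precision={p:.2f} recall={r:.2f} {confusion(rule, EVENTS)}")
```

On this data the hash rule is perfectly precise but misses both repacked samples (recall one in three), while the TTP rule catches all three malicious spawns at the cost of one false positive from the admin macro (precision 0.75). That is the trade-off the lesson describes: the lower-level indicator is cheap for the adversary to change, the behaviour is not, and the two rule types complement each other rather than replace one another.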