1.3 TTP Based Detection - MAD20 Threat Hunting & Detection Engineering Course

MAD20Tech
25 Apr 2024, 13:32

Summary

TL;DR: This lesson introduces the concept of TTP-based detection in threat hunting, comparing it with traditional approaches like signature-based detection. It explores the Pyramid of Pain, a model showing the difficulty for attackers to change various indicators of compromise (IOCs) such as hashes, IP addresses, and domain names. The focus is on TTPs (tactics, techniques, and procedures), which are harder for adversaries to modify and thus more effective for defenders. The lesson emphasizes that while multiple detection methods are valuable, applying TTP-based approaches provides long-term benefits in identifying and mitigating malicious activities.

Takeaways

  • Signature-based detection focuses on indicators like hashes, IPs, and domain names but is easy for attackers to bypass by modifying these indicators.
  • TTP-based detection focuses on the adversarial behavior using Tactics, Techniques, and Procedures (TTPs), which are harder for attackers to alter or evade.
  • The Pyramid of Pain illustrates how difficult it is for attackers to change different types of indicators, with TTPs being the most difficult to modify.
  • At the bottom of the Pyramid, low-level indicators (hash values, IP addresses, domain names) are easier for adversaries to change, resulting in lower detection reliability.
  • As we move up the Pyramid, network or host artifacts become more difficult for attackers to change, requiring a deeper understanding of their tools and procedures.
  • The tool level of the Pyramid represents a major challenge for attackers, as creating new tools requires extensive development and testing, increasing the risk of attribution.
  • Tactics, Techniques, and Procedures (TTPs) at the top of the Pyramid are the hardest to change and provide the most valuable long-term defense against adversaries.
  • TTP-based detection gives defenders a higher return on investment because it focuses on more stable, long-term adversarial behaviors rather than transient indicators.
  • Defenders can gain greater effectiveness by focusing on detecting malicious activities at the TTP level rather than relying solely on signature-based or lower-level detection methods.
  • All detection approaches (signature-based, profile-based, anomaly-based, and TTP-based) have their strengths and weaknesses and should complement each other for the best defense strategy.

Q & A

  • What are precision and recall, and why are they important in threat hunting?

    - Precision and recall are key performance metrics in threat detection. Precision refers to how many of the detected threats are actually malicious, while recall measures how many actual threats were detected. They are important in threat hunting to balance the detection of real threats while minimizing false positives and negatives.

  • What are the traditional detection approaches mentioned in the script?

    - The traditional detection approaches discussed are signature-based, profile-based, and anomaly-based detection. Each approach has its strengths and limitations in identifying malicious activities.

  • How does the TTP-based approach differ from signature-based detection?

    - The TTP-based approach focuses on detecting malicious activity based on adversaries' tactics, techniques, and procedures (TTPs), which describe the methods adversaries use, while signature-based detection focuses on identifying specific indicators of compromise (IOCs), such as unique malware signatures.

  • What is the Pyramid of Pain, and who created it?

    - The Pyramid of Pain, created by David Bianco in 2013, visualizes the difficulty adversaries face in changing various observables of their campaign. The pyramid represents different levels, from hash values at the bottom to tactics, techniques, and procedures (TTPs) at the top.

  • Why is it difficult for adversaries to change their TTPs, as mentioned in the Pyramid of Pain?

    - Adversaries find it difficult to change their TTPs because creating new techniques requires deep expertise in target systems or protocols and often requires significant research. Additionally, TTPs must interact with existing system functionalities, making them harder to alter without breaking the adversary's operations.

  • How does the difficulty of changing hash values compare to changing TTPs in the Pyramid of Pain?

    - Hash values are the easiest to change in the Pyramid of Pain, as modifying a small part of the input data (e.g., adding a single bit) can generate a completely different hash value. In contrast, changing TTPs requires much more effort and expertise, making them harder for adversaries to modify.

  • What role do domain names and IP addresses play in the adversary's ability to evade detection?

    - Domain names and IP addresses are relatively easy for adversaries to change. They can use redirection services or register new domains to alter these indicators of compromise. While it requires more effort than changing hash values, it remains an accessible method for attackers to evade detection.

  • Why is detecting TTPs considered a more effective defense strategy than detecting IOCs?

    - Detecting TTPs is considered more effective because TTPs are harder for adversaries to modify compared to IOCs. By focusing on TTPs, defenders can mitigate or detect malicious activity that would be harder for adversaries to evade, potentially increasing the longevity and effectiveness of the defense.

  • What are the challenges associated with adversaries developing new tools to evade detection?

    - Developing new tools is a costly and time-consuming process for adversaries. It requires deep knowledge, programming skills, and extensive testing across target systems. Additionally, using unique tools increases the risk of attribution and detection, as these tools can be traced back to specific actors.

  • How can defenders use the ATT&CK framework in threat hunting?

    - Defenders can use the ATT&CK framework to better understand and detect adversarial TTPs. The framework provides a comprehensive list of tactics, techniques, and procedures used by adversaries, allowing defenders to focus on behaviors rather than specific indicators, thus enhancing detection and response strategies.
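A worked illustration, added here and not part of the MAD20 lesson, of two points from the Q&A above: the precision and recall metrics, and the Pyramid of Pain claim that a one-bit change defeats a hash-based IOC while the behavior stays detectable. The telemetry events, sample bytes and the action labels in TTP_PATTERN are all constructed for this example; the labels are illustrative and are not ATT&CK technique identifiers.

```python
import hashlib
from dataclasses import dataclass

# Constructed telemetry record: the bytes of the executable that ran, the host
# actions observed while it ran, and the ground-truth label used for scoring.
@dataclass(frozen=True)
class Event:
    exe: bytes
    actions: tuple
    malicious: bool

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def changed_bits(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

# Constructed samples: the variant differs from the original in exactly one bit.
ORIGINAL_SAMPLE = b"constructed-malware-sample-v1"
VARIANT_SAMPLE = bytes([ORIGINAL_SAMPLE[0] ^ 0x01]) + ORIGINAL_SAMPLE[1:]

# Hypothetical behavior pattern for the TTP rule (illustrative labels only).
TTP_PATTERN = {"write_autostart_entry", "periodic_outbound_beacon"}

EVENTS = [  # constructed events; the variant keeps the original's behavior
    Event(ORIGINAL_SAMPLE, ("write_file", "write_autostart_entry", "periodic_outbound_beacon"), True),
    Event(VARIANT_SAMPLE, ("write_file", "write_autostart_entry", "periodic_outbound_beacon"), True),
    Event(b"benign-updater", ("write_file", "outbound_https_request"), False),
    Event(b"benign-installer", ("write_file", "write_autostart_entry"), False),
]

# Bottom of the Pyramid: a hash IOC list built from the original sample only.
KNOWN_BAD_HASHES = {sha256(ORIGINAL_SAMPLE)}

def signature_detector(ev: Event) -> bool:
    return sha256(ev.exe) in KNOWN_BAD_HASHES

def ttp_detector(ev: Event) -> bool:
    # Top of the Pyramid: fires on the observed behavior, whatever the file hashes to.
    return TTP_PATTERN.issubset(ev.actions)

def precision_recall(detector, events) -> tuple:
    tp = sum(1 for e in events if detector(e) and e.malicious)
    fp = sum(1 for e in events if detector(e) and not e.malicious)
    fn = sum(1 for e in events if not detector(e) and e.malicious)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall
```

On these four events the hash detector scores precision 1.0 but recall 0.5, because the one-bit variant produces an unrelated digest; the behavior rule scores 1.0 on both while the benign updater and installer stay below its threshold.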
