Constructing the TTP Outline

Time
8 hours 5 minutes
Difficulty
Intermediate
CEU/CPE
9
Video Transcription
Welcome to Lesson 2.5, Constructing the TTP Outline. During this lesson, we are going to explore another key adversary emulation resource, the TTP outline. As we begin this lesson, we'll start by explaining the purpose of the TTP outline. We'll then explore the TTP outline in detail using an example outline based on the cyber threat actor menuPass. We'll then describe why tracking CTI citations is useful. We'll reinforce best practices for ensuring your adversary emulation activities are representative of real-world threats. At the end of this lesson, you'll have the skills and resources to implement your own TTP outlines.

I want to start by talking about why we need a TTP outline. Very simply, the TTP outline will drive many follow-on adversary emulation activities. When we get to Module 3, you'll see that we use the TTP outline to explain planned red team activities and also to negotiate scope and rules of engagement. Later, when we get to Module 4, you'll see that we also use the TTP outline as our roadmap to start implementing TTPs. Beyond this course, you may also find that you frequently refer to the TTP outline to review the CTI your emulation is based on. The key takeaway here is that you will use the TTP outline quite a bit over the course of an adversary emulation project.

We talked about why you need a TTP outline, but we haven't really defined what it is or what it looks like. Let's do that now. Very simply, a TTP outline is a list of an adversary's TTPs and supporting CTI citations. Now, the reason we make a TTP outline is so that we know what TTPs we are planning to emulate and also what CTI sources our emulation is based on. Now, in this slide we show an example TTP outline. This outline can be found on our GitHub repository, and also in the Cyber Course Resources section. Now, for this example, we've chosen menuPass as our emulated adversary. In case you're unfamiliar, according to ATT&CK, menuPass is associated with the Chinese Ministry of State Security, and they're noted to target the healthcare, aerospace, and government sectors, among others.

Now, the contents of this TTP outline are fairly straightforward. You can see that it includes the TTP name, that is, the TTP we're trying to emulate. It also includes descriptions explaining how the adversary was observed using this TTP in the wild. I'll point out that these descriptions were copied and pasted directly from ATT&CK. Also notice that we include hyperlinks to the original sources of this information. Now, speaking from experience, I find that this is the minimum information you need in order to effectively negotiate scope and rules of engagement, and also to task developers you may have to start implementing TTPs. All of that is to say, if you want to make additions or change how this information is presented, feel free to do so. At the end of the day, this is really just a tool to make your life easier. It doesn't really matter how it's formatted; what matters most is that you've documented the TTPs you want to emulate and that you can tie them back to supporting CTI. Now, if you don't know where to start, feel free to begin by using this format. Otherwise, make something that works for your particular project.

As a best practice, we recommend closely tracking your CTI sources. To that point, we've included a CTI bibliography in our example TTP outline. Why go to the trouble of making something like this? To put the bottom line up front, this allows you to defend the realism of your emulation. Using this document, you can easily explain to a vendor that you didn't just make this content up. You can show that you actually pulled TTPs from sources spanning Symantec, Mandiant, and the Department of Justice, among others. Another benefit of tracking your sources in this way is that you can identify potential biases in your CTI. For example, notice we have a column titled "number of times cited." The point of this column is to identify how many times a particular report was cited. You can actually see which reports weigh most heavily across your TTPs. Here we can see immediately that PwC was cited 15 times. Now, I don't necessarily view that as a bad thing. If you actually look at this particular PwC report, you'll find that it has a lot of procedure-level details, which makes it really useful for the purposes of adversary emulation. Luckily, we still have a decent body of other reports from reputable sources as well: Symantec, Mandiant, the Department of Justice, and so on. I would be a little bit more concerned if, for example, I had 20 or so TTPs backed by a single report and nothing else. At that point, it's fair to ask if that one report is really representative of the adversary you're trying to emulate.

That brings us to the Lesson 2.5 summary. During this lesson, we explored the purpose of the TTP outline. We explained how the TTP outline lists the TTPs we plan to emulate, which enables us to negotiate scope and rules of engagement. We also talked about how the TTP outline will be used later as our roadmap when implementing TTPs. We also provided you an example TTP outline, which contained menuPass ATT&CK TTPs and CTI sources. Again, you can find that example either on our GitHub repository or in the Cyber Course Resources section. Finally, we discussed how closely tracking your CTI sources can empower you to defend the realism of your emulation. In our next and final lesson for this module, we will talk about addressing intelligence gaps.