TTP-Based Detection

Time: 4 hours 42 minutes
Difficulty: Intermediate
CEU/CPE: 5
Video Transcription
>> Welcome to Lesson 1.3 of Threat Hunting Fundamentals. In the last lesson, we defined the terms precision and recall. We reviewed three types of traditional detection approaches: signature-based, profile-based, and anomaly-based. Each has its strengths and limitations. This course is about a fourth approach to detection focused on knowledge of adversarial behaviors as described in ATT&CK's tactics, techniques, and procedures. This approach has its own strengths and limitations and is intended as a complement to those other three approaches.

ATT&CK provides defenders with a tremendous amount of valuable information about how adversaries behave in terms of tactics, techniques, and procedures, or TTPs. How can we apply that information in our detections and hunting? Since TTPs in ATT&CK describe malicious activity, it makes sense to most directly compare TTP-based detection to signature-based detection. Both of these approaches start with a characterization of malicious activity. They differ primarily in how they describe or characterize that malicious activity. Traditional signature-based approaches, as we defined them in Lesson 1.2, focus on indicators of compromise, or IOCs, that are very specific. As we discussed in the last lesson, these might be strings in a binary, domain names, or other details unique to a piece of malware or command and control infrastructure. In the TTP-based approach, malicious activity is described in terms of the higher-level techniques employed by malicious actors. It turns out that this change in how we characterize the malicious activity can have big benefits in the analytics we create.

Let's dive deeper into this difference with David Bianco's Pyramid of Pain. In 2013, David Bianco published this graphic visualizing the different levels of difficulty an adversary has in changing various observables of their campaign. It's called the Pyramid of Pain because the adversary experiences more pain when trying to create new TTPs than when changing the hash value of their malware.

At the bottom of the pyramid, we have hash values. Hash values are the output of a cryptographic hash function such as SHA-256. Cryptographic hash functions map numerical inputs to a set of fixed-size numerical outputs using a one-way function. These hash functions are designed to ensure that the same input will always produce the same output, that it is computationally difficult to derive the input if you're given the output, and that even a small change to the input will result in an output that is not correlated with the original hash value. Cryptographic hash functions are often used in authentication and ensuring message integrity. In cybersecurity, these hash functions are also sometimes used as a way to identify a piece of malware by using the binary as the input to the hash function and sharing the output as a unique identifier of that binary. Unfortunately for cyber defenders, but fortunately for attackers, these functions are designed to produce very different outputs if even a single bit is changed on the input. As a result, it's extremely easy for an adversary to change the hash value of their malware without modifying its functionality by just adding or flipping a single bit. This is so easy that it can and has been scripted so that every target system of a campaign can be presented with a slightly modified file attachment or malware binary with very different hashes without any real effort by the human attacker.

Now, at the second level, IP addresses are used by routers to route Internet traffic to the intended destination. They're also very easy for an adversary to change using redirection services. It might take an adversary a bit more effort to set this up and use it wisely, but not much.

At the third level, we have domain names. Domain names are human-readable text that maps onto IP addresses. These must be registered with the servers in the domain name system so that they associate the domain name with the intended IP address. Registering the domain name takes some time to initiate, and you have to allow some time for the propagation of that change across the distributed set of DNS servers. However, it is still relatively easy to change the domain names associated with malicious activity.

Now, the next level is much more difficult for an adversary to change, and this is the network or host artifact level. Malicious activity creates artifacts on the victim hosts or in network traffic. These could be the names of files or registry keys. They could be in the form of typos in header fields or other distinctive patterns. To change these values, the adversary will need a much deeper understanding of their own tools and activity to first understand what artifacts they are creating, then determine what they must change in their code or procedures to alter those artifacts, and then make those changes without disrupting their intended activity. For example, if an adversary wants to evade an analytic that detects a process creation with the string "Mimikatz", and they're using Mimikatz, they would need to recompile the source with a new name. If they want to evade an analytic that detects a process creation with "sekurlsa" in the command line, they would need to modify the source code, recompile, and modify any invocations of this new version of Mimikatz to replace "sekurlsa" with the new string. "sekurlsa" is just one of many strings in Mimikatz that would need to be modified in order to evade this type of detection more broadly. A careful adversary would need to change lots of these and make sure that they understood all of the ripple effects that those changes might have throughout the rest of the code base, potentially breaking functionality. These changes might also require changes in their other tools or their procedures to account for the fact that these strings are different. The invocation of Mimikatz will have to be adjusted to use those new strings. Now, some of that work could be scripted, but this still represents much more effort for the adversary relative to those lower levels such as domain names, IPs, and hashes.

Now, the second-to-last level of the pyramid is tools. To return to our Mimikatz example, let's imagine an adversary who has gone through that last slide's process and decides that changing all of those host artifacts from Mimikatz is just too much effort. They decide to just avoid using Mimikatz at all. Now, if they still want to have the same functionality, they face the even more expensive task of developing a whole new tool. This is probably going to require a team of developers with deep knowledge of Windows and good programming skills, and this team will need to create and test this new code on all of the relevant target systems and configurations, and still their other tools and procedures for use might need to be refactored to adapt to this new tool. Now, in addition to the extra costs associated with the development and test of the new tool, there's an additional cost to the adversary, in that they're now using a unique tool that's, at first at least, going to be uniquely associated with them, and so that increases their risk of attribution and the risk that defenders will be able to connect different intrusions across a broader campaign because of the use of this unique tool. Whereas if they were just using stock Mimikatz, that's something that many different actors might be using. That's an additional cost to the adversary that wasn't present in the lower-level indicators. Now, if this new tool is detected, and it surely will be at some point, then new host artifacts are likely to be discovered by the security researchers and shared amongst the defenders. The attackers are back in the position of having to either obfuscate those new host artifacts or create yet another tool. For all these reasons, it's much more challenging for an adversary to evade detection at the tool level than the lower levels of the pyramid.

Now we reach the pinnacle of the Pyramid of Pain: tactics, techniques, and procedures, or TTPs. These are the most difficult aspects of malicious activity for an adversary to change or create. While it's challenging to re-implement existing techniques to create a new tool, creating new techniques requires even deeper expertise in the target systems or protocols and often extensive and expensive research. The option space here is also more limited at this level of the pyramid, since the new techniques must interact with the existing functionality of the target system, whether that's application APIs or operating system APIs, protocol specifications, or even lower level, like CPU instructions or physical limitations of hardware. If defenders can effectively mitigate or detect malicious activity at the TTP level, it will cause much more pain to the adversary than defending solely based on lower levels of this pyramid. Because of the costs associated with developing new techniques and the constraints of interacting with the target system functionality, adversary TTPs don't change nearly as frequently as indicators of compromise lower on the pyramid, so defenders can afford to invest more into defending at this level, knowing that a success here is likely to pay off for a longer time and possibly across multiple malicious actors. While mitigations and detections at all levels of the pyramid are useful, this course will focus on how to apply ATT&CK to hunting, and ATT&CK describes adversary TTPs. Although defending at this level can be difficult, we believe it's worth the effort.

To summarize, signature-based and TTP-based approaches both describe malicious activity. Unlike an allow list, where you're describing the benign activity and detecting or blocking anything else, these are both focusing on understanding what the malicious activity will look like. The difference is that signature-based approaches tend to focus lower on the Pyramid of Pain with their indications of compromise, and TTP-based is trying to focus at that top level to understand and detect those behaviors. The value here is that those TTPs are very difficult for the adversaries to create or modify. We're going to get more bang for our buck as defenders if we can defend at that level. All of these approaches, signature-based, profile-based, anomaly-based, and TTP-based, are valuable and complement each other. This course is going to focus on the application of ATT&CK to hunting, so we're going to use the TTP-based approach.
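An added illustration of the lecture's Pyramid of Pain argument (example code written for this page, not part of the course): one detection rule per pyramid level is run over constructed process-creation events, showing that a one-bit change defeats the hash rule, a rename defeats the image-name rule, a string change defeats the command-line rule, and only a rule keyed on the behavior itself survives all three. The `target` field (the process whose memory was read) and the LSASS-read rule are assumptions about available telemetry, not something the lecture specifies.

```python
import hashlib

# Constructed sample "binary": a byte string standing in for a tool, not real malware.
ORIGINAL = b"MZ\x90\x00" + b"sekurlsa::logonpasswords" + b"\x00" * 16
# Same bytes with one bit flipped in the trailing padding: functionality unchanged, hash not.
MODIFIED = ORIGINAL[:-1] + bytes([ORIGINAL[-1] ^ 0x01])


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


KNOWN_BAD_HASH = sha256(ORIGINAL)  # the "signature" a hash-based rule would carry

# Constructed process-creation events. The "target" field (process whose memory was
# read) is an assumed piece of telemetry; the lecture does not describe it.
EVENTS = [
    {"id": 1, "image": "mimikatz.exe", "cmdline": "mimikatz.exe sekurlsa::logonpasswords",
     "sha256": sha256(ORIGINAL), "target": "lsass.exe"},          # stock tool
    {"id": 2, "image": "mimikatz.exe", "cmdline": "mimikatz.exe sekurlsa::logonpasswords",
     "sha256": sha256(MODIFIED), "target": "lsass.exe"},          # one bit flipped
    {"id": 3, "image": "svc.exe", "cmdline": "svc.exe sekurlsa::logonpasswords",
     "sha256": sha256(MODIFIED), "target": "lsass.exe"},          # recompiled under a new name
    {"id": 4, "image": "svc.exe", "cmdline": "svc.exe dump::creds",
     "sha256": sha256(MODIFIED + b"x"), "target": "lsass.exe"},   # strings changed as well
    {"id": 5, "image": "taskmgr.exe", "cmdline": "taskmgr.exe",
     "sha256": sha256(b"benign"), "target": "explorer.exe"},      # benign control event
]

# One rule per pyramid level, bottom (hash) to top (behavior / TTP).
RULES = {
    "hash": lambda e: e["sha256"] == KNOWN_BAD_HASH,
    "image_name": lambda e: "mimikatz" in e["image"].lower(),
    "cmdline_string": lambda e: "sekurlsa" in e["cmdline"].lower(),
    "ttp_lsass_read": lambda e: e["target"].lower() == "lsass.exe",  # assumed TTP-level rule
}


def evaluate(events, rules=RULES):
    """Return, per rule name, the set of event ids that rule flags."""
    return {name: {e["id"] for e in events if pred(e)} for name, pred in rules.items()}


if __name__ == "__main__":
    for name, hits in evaluate(EVENTS).items():
        print(f"{name:15s} -> {sorted(hits)}")
```

Each rule lower on the pyramid flags a strict subset of the events the rule above it flags, which is the cost asymmetry the lecture describes.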