TTPs: Understanding and thwarting attack strategies

Knowledge of the Tactics, Techniques and Procedures (TTPs) of criminal groups helps to assess the dangers and develop protective measures.


(Image: Den Rise/Shutterstock.com)

This article was originally published in German and has been automatically translated.

The ransomware Blackcat, also known as AlphV, is a regular guest in the heise Security news ticker, and not only there. The gang behind the malicious code plays cat and mouse with law enforcement agencies; in the past it leaked sensitive information from the international defense supplier Ultra and extracted a ransom of around 22 million US dollars from the US company UnitedHealth. According to the BKA, the infamous ransomware-as-a-service is also one of the top 10 blackmail threats in Germany.

The good news is that there are ways to protect yourself against such ransomware raids. Analyses of compromised systems, police investigations and reports from victims provide an overall picture that reveals the goals, strategies and detailed procedures of the criminal actors.

Using Blackcat as an example, we explain what makes this overall picture, known as Tactics, Techniques and Procedures (TTPs), so valuable for threat defense and how it can be used to protect your own company. Another topic: the MITRE ATT&CK knowledge database as a useful source of TTP research.

TTPs refer to the knowledge of a specific actor's detailed approach during all phases of their cyberattack. The three terms Tactics, Techniques and Procedures form a hierarchy, each level more specific than the one above it:

This can be illustrated by a CISA security advisory on Blackcat from February 2024. The US authority uses the MITRE ATT&CK framework to describe the threat. Using entries with IDs, the knowledge database describes tactics, techniques and procedures in a standardized, clear form.

In a specific case, the CISA advisory reveals that in the past, Blackcat affiliates gained initial access to a company's infrastructure by posing as IT or helpdesk staff. They requested access data by telephone or SMS.

CISA assigns the ATT&CK ID T1598 to this process. If you look up this ID online, you end up in the ATT&CK entry for the "Phishing for Information" technique. This technique belongs to the tactic "Reconnaissance" (TA0043), i.e. the collection of information for later attack steps.

Technique: "Phishing for Information", Tactic: "Reconnaissance": MITRE ATT&CK links TTP information.

(Image: Screenshot / attack.mitre.org)

Blackcat therefore uses

Knowledge of the TTPs of a particular attacker is particularly suitable for developing effective long-term preventive measures. Of course, cybergangs sometimes change strategy, and especially with ransomware-as-a-service models such as Blackcat, it cannot be ruled out that different affiliates will also choose different approaches to gaining initial access, for example. And yet, while individual hacker tools or malware versions are often replaced in the course of different campaigns, the higher-level TTPs have a comparatively long lifespan. Completely overturning them is much more complex.

Blackcat extortionists also used the social engineering approach by telephone in September last year, when they successfully fooled employees of the billion-dollar casino and hotel chain MGM in a 10-minute conversation.

The idea that employee training on how to handle sensitive data on the phone, as a preventive measure, might have prevented worse things from happening is very obvious in this case. In other cases, where suitable defensive measures are more difficult to derive, MITRE ATT&CK can help with possible strategies. These are called mitigations in the database and include the aforementioned user training (M1017) against social engineering, phishing and the like.

Specific detection and mitigation options are assigned to certain techniques in ATT&CK. A good example of this is the ATT&CK overview of the sub-technique "Password Guessing" of the superordinate technique "Brute Force". Comprehensive monitoring of failed login attempts is suggested for detection, so that automated attempts can be tracked down. Suggested mitigations include the introduction of a password policy and the use of multifactor authentication.
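The detection idea ATT&CK attaches to "Password Guessing" (monitoring failed logins) can be made concrete. The following Python script is an added example, not code from the article, CISA or MITRE: it parses sshd-style auth log lines (the sample lines are constructed, with documentation-range IP addresses), keeps a sliding window of failures per source address, raises a medium-severity alert when a source exceeds a failure threshold inside the window, and raises a high-severity alert when a successful login follows such a burst from the same source, since that is the outcome a guessing campaign is after. Threshold, window and the success-after-failures rule are assumptions to be tuned per environment.

```python
"""Password-guessing detection over sshd-style auth log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches sshd lines of the form
# "<syslog ts> <host> sshd[<pid>]: Failed|Accepted password|publickey for [invalid user] <user> from <ip> port <n>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log in syslog/sshd format; not taken from the article.
# 203.0.113.5 guesses six times and then succeeds as jsmith; 198.51.100.7 is a
# user mistyping once; 192.0.2.9 is a normal key-based login.
SAMPLE_LOG = """\
Mar  4 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Mar  4 10:00:04 host sshd[1002]: Failed password for root from 203.0.113.5 port 51001 ssh2
Mar  4 10:00:07 host sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 51002 ssh2
Mar  4 10:00:09 host sshd[1004]: Failed password for jsmith from 198.51.100.7 port 40200 ssh2
Mar  4 10:00:10 host sshd[1005]: Failed password for jsmith from 203.0.113.5 port 51003 ssh2
Mar  4 10:00:12 host sshd[1006]: Accepted password for jsmith from 198.51.100.7 port 40201 ssh2
Mar  4 10:00:13 host sshd[1007]: Failed password for jsmith from 203.0.113.5 port 51004 ssh2
Mar  4 10:00:16 host sshd[1008]: Failed password for jsmith from 203.0.113.5 port 51005 ssh2
Mar  4 10:00:18 host sshd[1009]: Disconnected from 203.0.113.5 port 51005
Mar  4 10:00:20 host sshd[1010]: Accepted password for jsmith from 203.0.113.5 port 51006 ssh2
Mar  4 10:00:25 host sshd[1011]: Accepted publickey for alice from 192.0.2.9 port 33000 ssh2
"""


def parse_line(line, year=2024):
    """Return an auth event dict, or None for lines that are not login results."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def _alert(severity, ip, failures, reason):
    """Build an alert record from the failures currently inside the window."""
    return {
        "severity": severity,
        "ip": ip,
        "failures": len(failures),
        "users": sorted({user for _, user in failures}),
        "first": failures[0][0].isoformat(),
        "last": failures[-1][0].isoformat(),
        "reason": reason,
    }


def detect_password_guessing(lines, threshold=5, window_seconds=60, success_after=3):
    """Flag sources with >= threshold failures inside a sliding window (medium),
    and a success from a source that just produced >= success_after failures (high).
    All three parameters are assumed starting points, not recommended values."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) for failures in window
    burst_alerted = set()        # alert once per source per burst, not on every new failure
    alerts = []
    for e in events:
        window = recent[e["ip"]]
        # Drop failures that have aged out of the window.
        while window and (e["ts"] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if e["result"] == "Failed":
            window.append((e["ts"], e["user"]))
            if len(window) >= threshold and e["ip"] not in burst_alerted:
                burst_alerted.add(e["ip"])
                alerts.append(_alert("medium", e["ip"], window, "failed-login burst"))
        elif len(window) >= success_after:
            alerts.append(_alert("high", e["ip"], window,
                                 f"successful login as {e['user']} after failures"))
            window.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG.splitlines()):
        print(alert)
```

The window is per source address, so a single mistyped password from a legitimate user never trips it, while the medium alert fires as soon as the fifth failure lands inside the window and the high alert fires when the same source then authenticates successfully. In practice the same logic belongs in the SIEM rule that ingests the auth log, and the threshold should be set from a baseline of the environment's own failure rate.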