TTP-Based Hunting

Technical Report | Accession Number: AD1106492

Abstract:

This paper builds upon a growing body of evidence from the cybersecurity community to present a robust and successful approach to detecting malicious activity based on an understanding of adversaries' tactics, techniques, and procedures (TTP) in cyberspace. It attempts to show that, by describing adversary behavior at the right level of abstraction, appropriate sensors (host- and network-based) can be deployed and analytics can be designed to detect adversaries with high accuracy, even across variations in different implementations. The approach presented, TTP-based hunting, is complementary to existing practices such as using indicators of compromise (IOCs) or using statistical analysis of data to detect anomalies. This paper makes recommendations for how hunting teams can implement a TTP-based approach.

Collection: TRECMS