Author Christopher Peacock
The TTP Pyramid
This blog was originally published on 3/16/22 by Scythe.
A Special Thanks
The TTP Pyramid expands David Bianco’s Pyramid of Pain. We extend a special thanks to Mr. Bianco for his contributions to the information security community and highly recommend reading his post as the TTP Pyramid builds upon his concepts.
A Brief History
Cyber threat intelligence (CTI) has evolved over the past decade and continues to do so. A shift began in 2013 when Mandiant published the APT1 report. This shift began to focus on the human element behind attacks, not just the malware itself. David Bianco authored The Pyramid of Pain in 2013, placing Tactics, Techniques, and Procedures (TTPs) as a single grouping in the pyramidion. Regarding the TTP pyramidion, David stated the following. “Finally, at the apex are the TTPs. When you detect and respond at this level, you are operating directly on adversary behaviors, not against their tools. For example, you are detecting Pass-the-Hash attacks themselves (perhaps by inspecting Windows logs) rather than the tools they use to carry out those attacks. From a pure effectiveness standpoint, this level is your ideal. If you are able to respond to adversary TTPs quickly enough, you force them to do the most time-consuming thing possible: learn new behaviors.“ - David Bianco.
It wasn’t until two years later, in 2015, that cyber threat intelligence inherited MITRE ATT&CK as a framework to break out procedures and catalog them as tactics and techniques. With the release of ATT&CK, practitioners could analyze forensic data and catalog procedures to the technique level. As a result, tactics, techniques, and sub-techniques (more specific techniques) are excellent for tracking activity groups and describing adversaries' activities at a strategic level. For example, you can now see what data sources apply to an adversary’s known techniques, which can influence strategic decisions on data collection. However, some issues arise at the operational and tactical level of cyber defense, such as detecting and responding to the adversary’s actions known as their procedures.
Getting to Procedures
We’ll start our journey up the TTP Pyramid by breaking down each category and explaining why higher levels provide more value.
Here, we have the objective an adversary is trying to accomplish with their procedure. In the example in the image, we use TA-006 - Credential Access. Tactics can be of interest but don’t help us ensure defense around them. We aren’t granular enough to take action as defenders, as there are currently fifteen techniques and forty sub-techniques for this tactic.
We currently see most cyber threat intelligence reported at this level, which is fantastic. We have come a long way up the pyramid. This level is more granular and, following our examples on the pyramid, lets us know the adversary is known to use T1003.001 OS Credential Dumping: LSASS Memory. However, we still aren’t granular enough as there are several ways to dump LSASS, such as leveraging Mimikatz, procdump, SecHack, or Windows Credential Editor. At this level, defenders know they need to look for LSASS dumping but can’t verify detections on an adversary's known procedures.
Here we reach the apex and know precisely how the adversary carries out their techniques. Often adversaries leverage the same procedures due to tooling, training, habit, or guidelines, and the Conti Playbook is an excellent example of this. In our example, we see the attacker ran procdump -ma lsass.exe lsass_dump. We find the most value here at the procedure level as we can now verify logging, alerting, and response to this procedure through emulation. It’s worth noting that one may be able to write detection logic for a technique such as dumping LSASS, but having the procedure allows us to ensure detection logic does not break for the adversary's method.
The effective use of this pyramid should drive the following to a procedural level:
Cyber Threat Intelligence
Focus on collection & reporting of procedures
Red Team Emulations
Emulate observed procedures
Adapt them to your environment when necessary
Detection Engineering & Alert Generation
Confirm logging and alerting on the procedures
Implement blocks where applicable
Security Monitoring and Incident Response
Ensure the appropriate response to procedures
Is there a response to the alert?
Is the response appropriate?
It’s worth noting that there is a high focus on techniques at this time, which is excellent for cataloging and communicating cyber threat intelligence. Still, the technique level was not meant for emulation or detection. For example, suppose a procedure is chosen to represent a tactic that does not align with the adversary’s actual method. In that case, the detection likely fails to address the issue presented by the adversary’s method. Furthermore, emulation likely doesn’t represent the real threat.
Attack, Detect, Respond
We recommend that organizations focus on gathering cyber threat intelligence at the procedure level, emulating said procedures, and confirming their logging, alerting, and response. Therefore, we have made the SCYTHE Mapping TTPs Template available to aid in organizing intelligence and make it actionable with emulations, preventions, and detections.
About the Author: Chris Peacock is an Adversary Emulation - Detection Engineer at SCYTHE, specializing in Purple Team Exercises and Detection Engineering. His previous experience includes multiple roles such as Cyber Threat Intelligence Analyst, Cyber Threat Hunter, Tier 3 SOC Analyst, Incident Responder, Cyber Security Consultant, and Purple Team Lead. He previously worked at Raytheon Intelligence & Space and General Dynamics Ordnance & Tactical Systems. Additionally, he has experience in multiple industries, including Energy, Finance, Healthcare, Technology, and Defense. Current certifications include GCTI, GCFA, GCED, eJPT, and CSIS.