TTP-Based Hunting

Abstract

This paper builds upon a growing body of evidence from the cybersecurity community to present a robust and successful approach to detecting malicious activity based on an understanding of adversaries' tactics, techniques, and procedures (TTPs) in cyberspace. It attempts to show that, by describing adversary behavior at the right level of abstraction, appropriate sensors (host- and network-based) can be deployed and analytics can be designed to detect adversaries with high accuracy, even across variations in different implementations. The approach presented, TTP-based hunting, is complementary to existing practices such as using indicators of compromise (IOCs) or using statistical analysis of data to detect anomalies. This paper makes recommendations for how hunting teams can implement a TTP-based approach.

Document Details

Document Type
Technical Report
Publication Date
Mar 01, 2019
Accession Number
AD1106492

Entities

People

  • Dan Ellis
  • Roman Daszczyszak
  • Sean Whitley
  • Steve Luke

Organizations

  • MITRE Corporation

Tags

Communities of Interest

  • Cyber
  • Materials and Manufacturing Processes
  • Sensors

DTIC Thesaurus Topics

  • Best Practices
  • Big Data
  • Computer Network Security
  • Computer Networks
  • Cyber Threats
  • Cyberattacks
  • Cybersecurity
  • Cyberspace Operations
  • Data Analysis
  • Data Compression
  • Detection
  • Detectors
  • Information Science
  • Insider Threats
  • Internet Of Things
  • Intrusion Detection
  • Intrusion Detectors
  • Network Protocols
  • Operating Systems
  • Operations Security
  • Statistical Analysis
  • Systems Engineering

Fields of Study

  • Computer science

Readers

  • Cybersecurity

Technology Areas

  • Cyber