TTP-Based Hunting

By Roman Daszczyszak II, Daniel Ellis, Steve Luke, Sean Whitley

This paper describes a methodology for hunting cyber adversaries, using TTPs from MITRE’s ATT&CK knowledge base and a concept of hunting analysis space, created for use by the U.S. Cyber Command’s Cyber National Mission Force.


A growing body of evidence from industry, MITRE, and government experimentation confirms that collecting and filtering data based on knowledge of adversary tactics, techniques, and procedures (TTPs) is an effective method for detecting malicious activity. This approach is effective because the technology on which adversaries operate (e.g., Microsoft Windows) constrains the number and types of techniques they can use to accomplish their goals post-compromise.

There are a relatively small number of these techniques, and they are executed on systems owned by the victim organization, where the defender controls the telemetry. Regardless of their capabilities or strategic mission objectives, all adversaries must either employ these known techniques or expend vast resources to develop novel ones.
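The argument above is that hunting for a technique, rather than for a particular tool or indicator, catches any adversary who has to express that technique on the victim's systems. The following is an added example to make that concrete; it is not code from the paper or from MITRE. It runs a handful of behaviour-based hunt rules over constructed process-creation records (a Sysmon-style host/parent/image/command-line shape is assumed). The technique IDs are real ATT&CK identifiers, but the rule logic, the field layout and the sample events are illustrative assumptions, not the paper's procedures.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed shape, e.g. Sysmon event ID 1)."""
    host: str
    parent: str   # parent image file name, lower-case
    image: str    # image file name, lower-case
    cmdline: str  # full command line as logged


# Hunt rules keyed by ATT&CK technique ID. Each predicate encodes the
# observable behaviour of one technique, independent of any tool, hash or IP.
RULES = {
    # Command and Scripting Interpreter: PowerShell, run with an encoded payload
    "T1059.001": lambda e: e.image == "powershell.exe"
        and re.search(r"(?i)\s-(e|ec|enc|encodedcommand)\s", e.cmdline) is not None,
    # Scheduled Task/Job: Scheduled Task, creation only (queries are routine admin noise)
    "T1053.005": lambda e: e.image == "schtasks.exe"
        and re.search(r"(?i)\s/create\b", e.cmdline) is not None,
    # OS Credential Dumping: LSASS Memory via the comsvcs.dll MiniDump export
    "T1003.001": lambda e: e.image == "rundll32.exe"
        and re.search(r"(?i)comsvcs\.dll.*minidump", e.cmdline) is not None,
    # Windows Management Instrumentation used to spawn a process (often remotely)
    "T1047": lambda e: e.image == "wmic.exe"
        and re.search(r"(?i)process\s+call\s+create", e.cmdline) is not None,
}


def hunt(events):
    """Return (host, technique_id, cmdline) for every event that expresses a technique."""
    hits = []
    for e in events:
        for tid, matches in RULES.items():
            if matches(e):
                hits.append((e.host, tid, e.cmdline))
    return hits


def technique_counts(hits):
    """Collapse hits into a per-technique tally, the view a hunter triages from."""
    return Counter(tid for _, tid, _ in hits)


# Constructed telemetry: three routine events followed by four technique expressions.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
    ProcEvent("ws01", "svchost.exe", "schtasks.exe", "schtasks.exe /query /fo LIST"),
    ProcEvent("ws02", "cmd.exe", "powershell.exe", "powershell.exe Get-Process"),
    ProcEvent("ws02", "winword.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ProcEvent("ws02", "cmd.exe", "schtasks.exe",
              "schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\Public\\u.exe"),
    ProcEvent("ws03", "cmd.exe", "rundll32.exe",
              "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 688 C:\\Temp\\l.dmp full"),
    ProcEvent("ws03", "cmd.exe", "wmic.exe",
              "wmic.exe /node:ws04 process call create \"cmd.exe /c whoami\""),
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host, tid, cmd in found:
        print(f"{host}  {tid}  {cmd}")
    print(dict(technique_counts(found)))
```

Note that none of the rules names a malware family or file hash: an adversary who swaps tooling still has to invoke an encoded PowerShell command, create a scheduled task, or read LSASS memory, so the same rule keeps firing. In a real hunt the predicates would be tuned against baseline telemetry from the environment, which is where the false-positive work of TTP-based hunting actually lives.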

This paper expands on existing best practices for detecting malicious behaviors expressed as techniques, using a method that is agnostic to the underlying operating system technology, and describes the step-by-step procedures needed to implement it.