TTP (Tactics, Techniques and Procedures)
They describe how attackers think, act and operate during a cyber attack.
If an Indicator of Compromise (IOC) tells you what happened, TTPs tell you how and why it happened.
SOC analysts use TTPs to:
Detect attacks even when IOCs change
Understand attacker's intent
Build better detection, alerts and response playbooks
Why TTPs are important in a SOC-
Imagine:
IOC: "A masked person was seen."
TTP: "The attacker broke the lock, entered through the back door, disabled the CCTV, and escaped via the fire exit."
The SOC analyst cares more about behaviour than just indicators.
1. Tactics - The goal
Tactics = why the attacker is doing something.
| Tactic | Meaning |
|---|---|
| Initial access | How the attacker first gets in |
| Execution | Running malicious code |
| Persistence | Staying in the system |
| Privilege escalation | Becoming admin or gaining higher privileges |
| Defence evasion | Avoiding antivirus/EDR |
| Credential access | Stealing passwords |
| Lateral movement | Moving to another system |
| Exfiltration | Stealing data |
Each tactic represents a phase of the attack lifecycle.
Common attack goals-
Gaining initial access
Stealing credentials
Lateral movement
Exfiltrating data
Maintaining persistence
2. Technique - The method
Technique = 'how' the attacker achieves a tactic.
Techniques:
Keylogging
Credential dumping (LSASS)
Browser password theft
Phishing for credentials
Each tactic has multiple techniques.
3. Procedures - The execution step
Procedures = the attacker's real-world, exact implementation.
This is where:
Tools
Commands
Scripts
Timing, etc. come into play
e.g. Technique: "Credential dumping."
Procedure: "procdump.exe -accepteula -ma lsass.exe lsass.dmp"
Most SOC teams map TTPs using MITRE ATT&CK.
It is a global knowledge base used by SOCs, SIEMs, EDR and XDR platforms, built around tactics and techniques.
IOC - Indicators of Compromise
They are observable evidence that suggests a system may be compromised or under attack.
If TTPs describe the attacker's behaviour, IOCs are the footprints attackers leave behind.
SOC analysts hunt, detect, correlate and respond using IOCs every single day.
IOC - "Something bad happened here and we can prove it with data."
That data comes from:
Logs
Network traffic
Endpoint activity
Email headers
File systems
In a real SOC environment, IOCs help you:
Trigger alerts in the SIEM
Confirm malicious activity
Correlate attacks across systems
Respond quickly
Write incident reports
1. Types of IOCs - Network-based IOCs-
These show what happened inside the network.
e.g.
Malicious IP
Suspicious domain
C2 server communication
Unusual ports or protocols
Where SOC sees them:
Firewall logs
Proxy logs
DNS logs
IDS/IPS alerts
2. Host/Endpoint-based IOCs-
These show what happened inside the system.
e.g.
Suspicious processes
Unexpected services
Registry changes
New scheduled tasks
Where SOC sees them:
EDR/XDR
Windows Event logs
Sysmon
Linux audit logs
3. File-based IOCs-
These relate to malicious files.
e.g.
File hash (MD5, SHA256)
File name patterns
File size anomalies
Where SOC sees them:
Antivirus
EDR
Email security gateways
Sandboxes
4. Email-based IOCs-
These relate to malicious emails.
e.g.
Malicious sender address
Phishing subject lines
Malicious URL
Header anomalies
Where SOC sees them:
Email security tools
Microsoft Defender
Proofpoint/Mimecast
User reports
IOC Confidence Level
Not all IOCs are equal.
| Confidence | Example |
|---|---|
| Low | Single suspicious IP |
| Medium | Known phishing domain |
| High | Malware hash + execution |
| Very high | Multiple correlated IOCs |
SOC analysts never rely on a single IOC.
| IOC | TTP |
|---|---|
| Evidence | Behaviour |
| What happened | How it happened |
| Short-lived | Long-lived |
| Easy to change | Hard to change |
| Used for alerts | Used for detection logic |
Real SOC flow:
IOC detected (IP/hash/code)
SIEM generates alerts
SOC L1 validates IOC
SOC maps to TTP
Decision : True positive or False Positive
Escalation or Close
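The IOC vs TTP comparison, the confidence table and the SOC flow above, as an added example that is not part of the original notes: an IOC layer does exact hash/IP lookups, a TTP layer looks for the LSASS credential-dumping behaviour itself, and a repacked tool (new hash, new C2 address) slips past the first but not the second. All events, hashes and addresses are constructed placeholders.

```python
# Constructed IOC feed and endpoint events; none of these values are real indicators.
IOC_FEED = {
    "hash": {"aaaa1111" * 8},       # placeholder SHA256 of a known dumping tool
    "ip": {"203.0.113.10"},         # placeholder C2 address (RFC 5737 documentation range)
}

EVENTS = [  # constructed Sysmon-style process events
    {"host": "ws01", "image": r"C:\tmp\a.exe", "hash": "aaaa1111" * 8,
     "cmdline": "a.exe -accepteula -ma lsass.exe lsass.dmp", "dst_ip": "203.0.113.10"},
    {"host": "ws02", "image": r"C:\tmp\b.exe", "hash": "bbbb2222" * 8,   # same tool, repacked
     "cmdline": "b.exe -accepteula -ma lsass.exe lsass.dmp", "dst_ip": "198.51.100.7"},
    {"host": "ws03", "image": r"C:\Windows\notepad.exe", "hash": "cccc3333" * 8,
     "cmdline": "notepad.exe notes.txt", "dst_ip": "198.51.100.9"},
]

def ioc_matches(event):
    """IOC layer: exact evidence lookups (file hash, destination IP) against the feed."""
    hits = []
    if event["hash"] in IOC_FEED["hash"]:
        hits.append("hash")
    if event["dst_ip"] in IOC_FEED["ip"]:
        hits.append("ip")
    return hits

def ttp_matches(event):
    """TTP layer: a process other than lsass.exe targeting lsass.exe is the
    credential-dumping behaviour, whatever the tool is named or hashed to."""
    cmd = event["cmdline"].lower()
    if "lsass.exe" in cmd and not event["image"].lower().endswith("\\lsass.exe"):
        return ["credential_dumping_lsass"]
    return []

def ioc_confidence(ioc_hits):
    """Confidence scale from the notes' table: single IP is low, hash + execution is
    high, multiple correlated IOCs are very high (a process event counts as execution)."""
    if len(ioc_hits) >= 2:
        return "very high"
    if "hash" in ioc_hits:
        return "high"
    if "ip" in ioc_hits:
        return "low"
    return "none"

def triage(event):
    """SOC flow from the notes: IOC detected, mapped to a TTP, then escalate or close.
    Verdict labels are an assumption for this example."""
    ioc_hits, ttp_hits = ioc_matches(event), ttp_matches(event)
    verdict = "escalate" if ttp_hits else ("validate" if ioc_hits else "close")
    return {"host": event["host"], "ioc": ioc_hits, "confidence": ioc_confidence(ioc_hits),
            "ttp": ttp_hits, "verdict": verdict}

if __name__ == "__main__":
    for e in EVENTS:
        print(triage(e))
```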
Alert Triage
Alert triage: the structured process of quickly analyzing security alerts to decide whether they are real threats, false alarms or need escalation.
Alert triage = separating real attacks from noise, fast and accurately.
Alerts are generated by SIEM, EDR/XDR, IDS/IPS, email security, etc.
Why alert triage is critical-
Without proper triage:
SOC teams drown in alerts
Real attacks get missed
Response is delayed
Business impact increases
With good triage:
False positives (noise) are reduced
Real threats are caught early
SOC becomes efficient and trusted
SOC analysts are promoted based on triage quality, not the number of alerts closed.
Triage decides whether an alert becomes an incident.
Alert Properties-
Alert Severity- urgency assigned by the detection [low, medium, high, critical].
Alert Status- current lifecycle state [new, in progress, closed].
Alert Verdict- L1 classification outcome [true positive/false positive].
Alert Assignee- analyst handling the alert [assigned analyst name].
Alert Description- detailed description of the suspicious activity.
Alert Fields- affected hostname, entered command line, etc.
Alert Prioritization
The process of deciding which alert to take is called alert prioritization.
"Every SOC team has its own prioritization rules and automates them by setting the appropriate alert sorting logic in SIEM or EDR."
Filter the alerts- make sure another analyst is not already working on that alert.
Sort by severity.
Sort by time.
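The three prioritization steps above (filter, sort by severity, sort by time), as an added example that is not part of the original notes: it works a constructed alert queue carrying the alert properties listed earlier (severity, status, assignee, creation time) and claims the top alert so nobody else picks it up. The queue contents and analyst names are constructed.

```python
from datetime import datetime

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}  # severity scale from the notes

# Constructed alert queue using the alert properties listed in the notes.
ALERTS = [
    {"id": "A-1", "severity": "medium", "status": "new", "assignee": None,
     "created": "2024-05-01T09:05:00", "description": "Suspicious scheduled task on ws02"},
    {"id": "A-2", "severity": "critical", "status": "in progress", "assignee": "analyst_b",
     "created": "2024-05-01T09:01:00", "description": "LSASS access by unsigned binary"},
    {"id": "A-3", "severity": "critical", "status": "new", "assignee": None,
     "created": "2024-05-01T09:03:00", "description": "Outbound connection to known C2 IP"},
    {"id": "A-4", "severity": "high", "status": "closed", "assignee": "analyst_c",
     "created": "2024-05-01T08:50:00", "description": "Phishing mail reported by user"},
    {"id": "A-5", "severity": "critical", "status": "new", "assignee": None,
     "created": "2024-05-01T08:58:00", "description": "Credential dumping on srv01"},
]

def filter_alerts(alerts, me):
    """Step 1 - filter: keep open alerts that no other analyst is already working on."""
    return [a for a in alerts
            if a["status"] != "closed" and a["assignee"] in (None, me)]

def sort_alerts(alerts):
    """Steps 2 and 3 - sort by severity (critical first), then by time (oldest first)."""
    return sorted(alerts, key=lambda a: (SEVERITY_RANK[a["severity"]],
                                         datetime.fromisoformat(a["created"])))

def next_alert_ids(alerts, me):
    """The ordered work queue this analyst would see."""
    return [a["id"] for a in sort_alerts(filter_alerts(alerts, me))]

def take_alert(alerts, me):
    """Claim the top alert: assigning it and marking it in progress is what makes the
    filter step work for everyone else."""
    queue = sort_alerts(filter_alerts(alerts, me))
    if not queue:
        return None
    top = queue[0]
    top["assignee"], top["status"] = me, "in progress"
    return top["id"]

if __name__ == "__main__":
    print(next_alert_ids(ALERTS, "analyst_a"))
    print("taken:", take_alert(ALERTS, "analyst_a"))
    print(next_alert_ids(ALERTS, "analyst_b"))
```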

