Azeria Labs Azeria Labs
  • ARM Assembly
    • Part 1: Introduction to ARM Assembly
    • Part 2: ARM Data Types and Registers
    • Part 3: ARM Instruction Set
    • Part 4: Memory Instructions: LDR/STR
    • Part 5: Load and Store Multiple
    • Part 6: Conditional Execution and Branching
    • Part 7: Stack and Functions
    • Assembly Basics Cheatsheet
  • Online Assembler
  • Exploitation
    • Writing ARM Shellcode
    • TCP Bind Shell in Assembly (ARM 32-bit)
    • TCP Reverse Shell in Assembly (ARM 32-bit)
    • Process Memory and Memory Corruption
    • Stack Overflows (Arm32)
    • Return Oriented Programming (Arm32)
    • Stack Overflow Challenges
    • Process Continuation Shellcode
    • Glibc Heap – malloc
    • Glibc Heap – free, bins, tcache
    • Part 1: Heap Exploit Development
    • Part 2: Heap Overflows and the iOS Kernel
    • Part 3: Grooming the iOS Kernel Heap
  • Lab Environment
    • ARM Lab VM 1.0
    • ARM Lab VM 2.0
    • Debugging with GDB and GEF
    • Emulate Raspberry Pi with QEMU
    • Running Arm Binaries on x86 with QEMU-User
    • Emulating Arm Firmware
  • TrustZone Research
    • TEEs and Arm TrustZone
    • Trustonic’s Kinibi TEE
  • Self-Improvement
    • Deep Work & The 30-Hour Method
    • Paradox of Choice
    • The Process of Mastering a Skill
  • About
Tactics, Techniques, and Procedures

The term Tactics, Techniques, and Procedures (TTP) describes an approach to analyzing an APT’s operation; it can also be used as a means of profiling a particular threat actor. Tactics describe the way an adversary chooses to carry out an attack from beginning to end. Techniques describe the technological approach the attacker uses to achieve intermediate results during the campaign. Procedures, finally, describe the organizational approach: the concrete sequences of actions the threat actor follows. In order to understand and fight an adversary one has to understand its TTPs. Knowing an adversary’s tactics helps to predict upcoming attacks and to detect them at an early stage. Understanding the techniques used during a campaign allows an organization to identify its blind spots and implement countermeasures in advance. Finally, analyzing the adversary’s procedures helps to understand what it is looking for within the target’s infrastructure.

The TTPs described in this research are meant to show the complexity of the life-cycle rather than to provide an exhaustive list. They also show that attackers can perform certain stages of an attack with readily available tools, and can therefore focus on the tactical part of the campaign rather than on developing tooling.

Tactics

The tactics of an APT group describe the way the threat actor operates during the different steps of its operation or campaign. This includes how information is gathered for the initial compromise, how the initial compromise is conducted, how privileges are escalated, how lateral movement is performed, how persistence is deployed, and so on [1]. While some APT groups rely on tactics that never change, others adapt to different situations and modify the way they perform the whole campaign or parts of it [2]. The difficulty of detecting and attributing a campaign varies accordingly.

One way to profile an APT group is to analyze its tactics in the early stages of a campaign: the way information is gathered for the initial compromise, the number of entry points that are hit while attempting to establish a foothold in the target infrastructure, the sophistication of the payload delivered, and so on. For example, some threat actors stick to information that is publicly available on the internet, while others gather information through contacts in intermediate organizations, through social engineering, or by physically infiltrating the target organization. Once information such as e-mail addresses has been gathered, an APT group may choose to approach target individuals one by one or several at once. Finally, the payload used during the attack can stay similar throughout the whole existence of the APT group, or it can change for every campaign and even for every individual within the same campaign. To understand the adversary, therefore, the tactics it uses in the early stages of a campaign have to be analyzed.

Another way to analyze an APT group is to examine the key facts about the infrastructure and artifacts used during the attack. For example, attackers can set up their C&C servers on hosts they obtained legally or on hosts they hijacked. The C&C servers may be located in one geographic region or spread across the globe, and they may be static or change rapidly. It is also important to analyze the artifacts and tools that are used during, or left behind after, the attack. One example is the range of exploits and tools an APT group possesses: a sophisticated group might use multiple zero-day vulnerabilities and self-made, heavily obfuscated tools, while a less sophisticated actor relies on public exploits and open source tools. Identifying such tactics makes it possible to fingerprint the APT group’s profile and to implement countermeasures in advance. In certain scenarios the tactics used during the last stages of a campaign are also helpful for understanding the adversary. For example, some groups try to stay under the radar by exfiltrating large amounts of data in several rounds, while others take the risk of transferring everything at once, even though a large burst of traffic outside working hours is easily detected. The way tracks are covered also varies across threat actors: some groups prefer a silent cleanup, while others wipe systems completely and thereby loudly announce their campaign to the target organization [3].

Finally, some APT groups, but not all, prefer to reuse infrastructure compromised in previous attacks. Whether long-term persistence is deployed in the last stages of a campaign therefore depends on the adversary’s tactics and can serve as an indicator of a particular APT group. Analyzing tactics alone is not sufficient, but studying the different steps of the campaign’s life-cycle from this tactical perspective yields a partial, initial profile. Using this profile, further analysis of techniques and procedures fills in the gaps and results in a distinguishable footprint of the threat actor. The analysis of tactics must be reviewed and updated constantly, because APT groups tend to stay below the radar, which is usually achieved by modifying their tactics, techniques and procedures.

Techniques

In order to execute an attack successfully, an APT group usually uses a variety of techniques during its campaign. These techniques facilitate the initial compromise, maintain command and control servers, move within the target’s infrastructure, hide data exfiltration, and so on [2]. The actual techniques vary across threat actors, and while an individual technique is usually not unique, the aggregated set of techniques can be useful for profiling a group. Understanding the techniques used in the various stages of an attack is therefore important for analyzing APT groups.

As with tactics, techniques can be analyzed per stage of the APT life-cycle. Techniques of the early stages mainly describe the tools used for initial information gathering and the initial compromise. However, techniques in this stage do not necessarily have to be technological in nature. Social engineering, for example, is often carried out with the help of software tools but is not technological in itself, and it can be as effective for information gathering as a tool that collects e-mail addresses from publicly available resources. Similarly, social engineering can be used to conduct the initial compromise purely through human interaction, for example by tricking the victim over the phone into disclosing the login credentials for the company’s VPN. Techniques in the early stages can therefore be understood as the means of obtaining initial information about the target and of breaching the first line of defense. While social engineering can still be used to perform parts of the attack in later stages, this is observed less often. Techniques in the intermediate stages therefore usually rely on technological tools for gaining higher privileges on the initially compromised system or for moving laterally through the target’s network. In most cases attackers use exploits or abuse configuration issues on a vulnerable system to achieve their goals in this stage; a design flaw in the network infrastructure can also be targeted to gain access to other systems. Either way, it is a set of tools or exploits that makes the attack succeed, and the term technique in this context therefore refers to the tools and to the way they are used in order to achieve intermediate results during the campaign.

Finally, the techniques of the last stages can be both technological and non-technological in nature. Techniques for exfiltrating data are usually based on encryption and networking technology: the data sent to the attacker’s server is first obfuscated and then transferred over the network via a protocol of the attacker’s choice. Covering tracks and implementing long-term persistence can also be purely technological, since tracks can be wiped and persistence deployed with a set of software tools. In some cases, however, attackers cover their tracks with a technique based on social tricks meant to mislead the public. One example is the intentional use of artifacts that were associated with other attackers in the past [4]. Another is a public claim of responsibility for the hack under a fake identity, such as an individual or an extremist group [5]. In this way attackers use social tricks to avoid attribution and may achieve several goals at once: obtaining sensitive information, hiding their actual identity, and shifting the blame onto an enemy.

Once a set of techniques has been aggregated it is very useful for profiling a threat actor. An in-depth observation of the technological and non-technological techniques used by the attacker is therefore a crucial part of an investigation if attribution is to be as accurate as possible. In most cases, however, attribution remains very difficult, because a wide range of techniques for forging digital evidence can easily mislead investigators.

Procedures

A successful attack requires more than good tactics and techniques: each tactical move also has to be orchestrated in detail and carried out with a specific set of techniques. This particular sequence of actions is what is known as a procedure, and APT actors use procedures to execute every step of their attack cycle. The number of actions in a procedure varies with its purpose and with the APT group; usually a more advanced threat actor uses more actions to achieve the same intermediate result, because a well-tailored procedure increases the success rate of a particular step in the attack life-cycle and additionally reduces the likelihood of detection.

A basic reconnaissance procedure consists of: collecting initial information about the target; identifying key individuals and enumerating externally exposed systems that belong to the target; gathering contact details and additional information about potentially vulnerable systems; and documenting the collected information. Depending on the tactics of the APT group, further actions may follow, such as extensive and repeated information gathering to keep the facts up to date, targeted data mining on each key individual via social networks to facilitate spear phishing, monitoring security feeds for zero-day exploits affecting products the target uses, and so on. An example of a more detailed procedure is the execution of the malware itself, where the procedure consists of the actions the malicious program performs to fulfill its purpose. Upon execution, for example, a malicious program decrypts itself, attempts to detect and evade sandboxes or heuristic analysis, collects environment variables, deploys persistence and starts communicating with the C&C server. While this kind of procedure is quite common for malware, different threat actors may implement some unique feature that stands out and is therefore useful for investigators.

As with tactics and techniques, the procedures used by a certain APT group help to profile the threat actor. While the procedures of the reconnaissance phase are difficult to observe, other stages leave trails that can be used to reconstruct a procedure. During a forensic investigation, for example, the attacker’s actions can be reconstructed from a timeline built out of file system metadata [6]. If the arrival of a spear-phishing e-mail is chosen as the starting point, the file system modifications that follow it provide hints on how the initial malware operates: its configuration artifacts, persistence mechanisms, additional stages, and so on. Similarly, lateral movement through the network can be reconstructed from Windows event logs, firewall logs and similar sources.
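The timeline reconstruction described above, as an added example that is not part of the original article: the script merges three artifact types (mail gateway delivery time, file system records, Windows Security log records) into one super-timeline, pivots on the spear-phishing e-mail, and pulls out the logon records that lateral movement leaves on destination hosts. All sample records are constructed; the hostnames, account names, paths and the assumption that WS-017 has the address 10.0.4.17 are made up, and the pipe-separated record formats are simplified stand-ins for what an $MFT parser or an evtx export would actually produce.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    """One entry of the super-timeline, whatever artifact it came from."""
    ts: datetime
    host: str
    source: str   # "mail", "fs" or "evtx"
    detail: str


@dataclass(frozen=True)
class Logon:
    """A parsed Windows Security log record (4624 logon, 4672 special privileges)."""
    ts: datetime
    host: str
    event_id: int
    account: str
    logon_type: Optional[int]
    source_ip: Optional[str]


# --- constructed sample artifacts (hosts, users, paths and IPs are made up) ---

# Delivery time of the spear-phishing e-mail, as recorded by the mail gateway.
MAIL_ARRIVAL = Event(datetime(2019, 3, 4, 9, 1, 30), "MX-01", "mail",
                     "inbound mail to jdoe with attachment invoice.doc")

# File system records in a simplified "ts|host|operation|path" form for the
# workstation WS-017 (assumed address 10.0.4.17). Timestamps are UTC.
FS_RECORDS = """\
2019-03-04T09:02:11|WS-017|created|C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.doc
2019-03-04T09:02:40|WS-017|created|C:\\Users\\jdoe\\AppData\\Roaming\\svchost32.exe
2019-03-04T09:02:41|WS-017|created|C:\\Users\\jdoe\\AppData\\Roaming\\cfg.dat
2019-03-04T09:05:02|WS-017|created|C:\\Windows\\Temp\\stage2.dll
2019-03-04T13:12:00|WS-017|modified|C:\\Users\\jdoe\\Documents\\notes.txt
"""

# Security log records in a simplified "ts|host|event_id|account|logon_type|source_ip" form.
EVTX_RECORDS = """\
2019-03-04T08:58:00|WS-017|4624|jdoe|2|-
2019-03-04T09:41:17|SRV-FS01|4624|jdoe|3|10.0.4.17
2019-03-04T09:41:18|SRV-FS01|4672|jdoe|-|-
2019-03-04T09:43:05|SRV-DC01|4624|svc_backup|10|10.0.4.17
2019-03-04T10:15:00|SRV-FS01|4624|SRV-FS01$|5|-
"""


def parse_fs(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        ts, host, op, path = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), host, "fs", f"{op} {path}"))
    return events


def parse_evtx(text: str) -> List[Logon]:
    logons = []
    for line in text.splitlines():
        ts, host, eid, account, ltype, src = line.split("|")
        logons.append(Logon(datetime.fromisoformat(ts), host, int(eid), account,
                            None if ltype == "-" else int(ltype),
                            None if src == "-" else src))
    return logons


def logon_events(logons: List[Logon]) -> List[Event]:
    return [Event(l.ts, l.host, "evtx",
                  f"{l.event_id} account={l.account} type={l.logon_type} src={l.source_ip}")
            for l in logons]


def build_timeline(*sources: List[Event]) -> List[Event]:
    """Merge every artifact type into one chronologically ordered super-timeline."""
    return sorted((e for src in sources for e in src), key=lambda e: e.ts)


def pivot(timeline: List[Event], anchor: datetime,
          window: timedelta = timedelta(hours=1)) -> List[Event]:
    """Slice of the timeline starting at the chosen pivot (here: mail delivery)."""
    return [e for e in timeline if anchor <= e.ts < anchor + window]


def lateral_logons(logons: List[Logon]) -> List[Logon]:
    """Successful network (type 3) or RemoteInteractive (type 10) logons by a
    user account from a remote address: the trail lateral movement leaves on
    the destination host. Machine accounts (ending in $) are ignored."""
    return [l for l in logons
            if l.event_id == 4624
            and l.logon_type in (3, 10)
            and l.source_ip is not None
            and not l.account.endswith("$")]


def reconstruct(anchor: Event = MAIL_ARRIVAL) -> List[str]:
    """Human-readable procedure: what happened, in order, after the pivot event."""
    logons = parse_evtx(EVTX_RECORDS)
    timeline = build_timeline([anchor], parse_fs(FS_RECORDS), logon_events(logons))
    return [f"{e.ts:%H:%M:%S} {e.host:<8} {e.source:<4} {e.detail}"
            for e in pivot(timeline, anchor.ts)]


if __name__ == "__main__":
    for line in reconstruct():
        print(line)
    for l in lateral_logons(parse_evtx(EVTX_RECORDS)):
        print(f"lateral: {l.account} -> {l.host} from {l.source_ip} (type {l.logon_type})")
```

Pivoting on the mail delivery time makes the dropped attachment, the executable and configuration file written to the user's profile, the second stage, and the first remote logons from the workstation's address line up as one readable sequence; the unrelated afternoon document edit falls outside the window and is filtered out. Note that the destination host's 4624 record only shows the source address, so tying it back to WS-017 still relies on the DHCP or asset inventory data that maps 10.0.4.17 to that workstation.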

References

1. Harwood, C. (2011). Advanced Persistent Threats.
https://www.govmu.org/portal/sites/cert/CSD2012/RSA%20Presentation%20APT.pdf

2. Chen, P., Desmet, L., Huygens, C. (2014). A Study on Advanced Persistent Threats.
https://lirias.kuleuven.be/bitstream/123456789/461050/1/2014-apt-study.pdf

3. McMillen, D. (2014). IBM MSS: Wiper Malware Analysis.
https://portal.sec.ibm.com/mss/html/en_US/support_resources/pdf/Wiper_MSS_Threat_Report.pdf

4. Fagerland, S., Grange, W. (2014, December 9). Blue Coat Exposes “The Inception Framework”: Very Sophisticated, Layered Malware.
https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware

5. FireEye Threat Intelligence. (2015, June 2).
https://www.fireeye.com/blog/threat-research/2015/05/hacking_the_newsgl.html

6. Gudjonsson, K. (2010). Mastering the Super Timeline With log2timeline. SANS Reading Room.
https://www.sans.org/reading-room/whitepapers/logging/mastering-super-timeline-log2timeline-33438

Intro

  • Introduction
  • Advanced Persistent Threats (APTs)
  • Tactics, Techniques, and Procedures (TTPs)
  • IOCs vs. TTPs
  • Intro to APT28 & APT30

Stages of APT

  • Reconnaissance
  • Initial Compromise
  • Persistence
  • Command and Control
  • Privilege Escalation
  • Lateral Movement
  • Asset Discovery
  • Data Exfiltration

© 2017-2020 Azeria Labs™ | All Rights Reserved.