RedSheep Security Academy
Advanced — Lesson 24 of 10

Advanced TTP Analysis


Tactics, Techniques, and Procedures (TTPs) sit at the top of David Bianco's Pyramid of Pain because they represent adversary behavior — the hardest thing for attackers to change. While earlier lessons introduced the MITRE ATT&CK framework, this lesson pushes deeper into sub-technique and procedure-level analysis, TTP extraction from real-world reports, behavioral profiling of threat actors, and using TTP analysis to drive predictive defense and detection engineering.

Learning Objectives

  • Distinguish between technique-level, sub-technique-level, and procedure-level TTP analysis
  • Extract TTPs from incident reports and threat intelligence publications
  • Build and compare TTP profiles across threat actors to identify behavioral signatures
  • Understand ATT&CK data sources and their relationship to collection and detection
  • Apply TTP analysis for predictive defense and detection opportunity identification

Beyond Technique-Level Analysis

The ATT&CK Hierarchy

MITRE ATT&CK organizes adversary behavior into a hierarchy:

Level         | Description                                   | Example                                                                          | Analyst Value
--------------|-----------------------------------------------|----------------------------------------------------------------------------------|------------------------------
Tactic        | The adversary's goal (the "why")              | Credential Access (TA0006)                                                       | Strategic understanding
Technique     | How the goal is achieved (the "what")         | OS Credential Dumping (T1003)                                                    | Operational awareness
Sub-Technique | A specific variant of the technique           | LSASS Memory (T1003.001)                                                         | Targeted detection
Procedure     | The exact implementation by a specific actor  | APT28 uses Mimikatz with specific flags and renames the binary to avoid detection | Precise detection and hunting

Most CTI reporting stops at the technique level. Advanced analysis requires drilling into sub-techniques and, critically, into procedures — the specific way a particular actor implements a technique in their operations.

Why Procedures Matter Most

Key Insight: Two different threat actors may both use T1059.001 (PowerShell), but one invokes encoded commands via powershell -enc launched from a macro, while another uses PowerShell through a custom C2 framework with AMSI bypass. The technique is the same; the procedures — and therefore the detection opportunities — are completely different.

Procedures capture the operational specifics: the exact command-line arguments, the order of operations, the tools used, the evasion methods applied. This is where detection engineering becomes precise and where behavioral analytics gain their power.

TTP Extraction from Incident Reports

Converting narrative incident reports into structured TTP data is a core CTI analyst skill.

Extraction Process

  1. Read the full report before extracting anything — context matters for accurate mapping
  2. Identify actions — look for verbs: "the actor deployed," "exfiltrated via," "moved laterally using"
  3. Map to ATT&CK — for each action, identify the tactic, technique, and sub-technique
  4. Capture the procedure — record the specific implementation details (tools, commands, configurations)
  5. Note the data source — what telemetry revealed this behavior (process creation logs, network captures, etc.)
  6. Record temporal sequence — the order of operations matters for understanding the attack chain

Common Extraction Pitfalls

  • Over-mapping: Not every action maps to ATT&CK. Routine system administration by an attacker on a compromised host is not always a distinct technique.
  • Technique vs. tool confusion: Mimikatz is a tool, not a technique. It implements multiple techniques (T1003.001, T1134, T1550.002, etc.). Map the behavior, not the tool name.
  • Missing context: A report stating "the actor achieved persistence" without specifying how leaves the analyst guessing. Flag gaps and seek additional sources.

Building TTP Profiles for Threat Actors

A TTP profile is a structured representation of a threat actor's known behavioral patterns across the ATT&CK framework.

Profile Components

  • Core TTPs: Techniques the actor uses consistently across multiple campaigns (their behavioral signature)
  • Occasional TTPs: Techniques observed in some campaigns but not all
  • Evolved TTPs: Techniques the actor has adopted or abandoned over time
  • Tool-TTP Mapping: Which tools the actor uses to implement each technique
  • Procedure Details: The specific implementation for each technique

Using ATT&CK Navigator for Profiling

MITRE's ATT&CK Navigator (a web-based tool available at mitre-attack.github.io/attack-navigator/) allows analysts to create layered heatmaps of technique usage. You can:

  • Create a layer for each threat actor showing observed techniques
  • Color-code by frequency or confidence
  • Overlay multiple actor layers to compare coverage
  • Export layers as JSON for programmatic analysis

Comparing TTP Profiles Across Actors

Comparing TTP profiles serves multiple analytical purposes:

Actor differentiation: When two intrusion sets show significant TTP overlap, it may indicate they are the same actor, share tooling or training, or operate under the same organizational umbrella. The overlap between APT groups linked to China's Ministry of State Security (MSS), for instance, reflects shared tooling ecosystems and contractor relationships.

Actor clustering: Groups with similar TTP profiles may share sponsors, developers, or operational doctrine. Russian GRU-linked groups (Sandworm, APT28) show different TTP profiles from SVR-linked groups (APT29/Cozy Bear), reflecting different organizational cultures and missions.

Gap identification: Comparing a threat actor's profile against your detection coverage reveals where you are blind to their specific behaviors.

Comparison Dimension             | What It Reveals
---------------------------------|------------------------------------------------------
Initial Access overlap           | Shared phishing infrastructure or exploit preferences
Execution method differences     | Different operational toolkits or developer teams
Persistence mechanism variety    | Actor sophistication and adaptability
Lateral movement patterns        | Network operations doctrine
Exfiltration methods             | Operational security priorities
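The profile components, Navigator export and cross-actor comparison described above can be scripted. The following is an added example written for this lesson, not code from RedSheep Security or MITRE: the actor names, report names and technique lists are constructed, and the Navigator layer version strings are assumptions to be matched to your own Navigator instance.

```python
from collections import Counter

# Constructed sample data (hypothetical actors and reports, not real attributions):
# ATT&CK technique IDs observed in each campaign report, grouped by actor.
REPORTS = {
    "ACTOR-A": {
        "report-1": ["T1566.001", "T1059.001", "T1003.001", "T1021.002", "T1041"],
        "report-2": ["T1566.001", "T1059.001", "T1003.001", "T1053.005"],
        "report-3": ["T1566.002", "T1059.001", "T1003.001", "T1021.002"],
    },
    "ACTOR-B": {
        "report-1": ["T1190", "T1059.003", "T1003.001", "T1021.001", "T1567.002"],
        "report-2": ["T1190", "T1059.003", "T1078.004", "T1021.001"],
    },
}

def technique_frequency(reports):
    """Number of reports documenting each technique (counted once per report)."""
    counts = Counter()
    for techs in reports.values():
        counts.update(set(techs))
    return counts

def classify_ttps(reports):
    """Core TTPs appear in more than one report; occasional TTPs in exactly one."""
    counts = technique_frequency(reports)
    core = sorted(t for t, n in counts.items() if n > 1)
    occasional = sorted(t for t, n in counts.items() if n == 1)
    return core, occasional

def navigator_layer(actor, reports):
    """ATT&CK Navigator layer with score = report count per technique, so the heatmap
    shades core TTPs darkest. Version strings are assumptions; match your instance."""
    counts = technique_frequency(reports)
    return {
        "name": f"{actor} observed techniques",
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": f"Built from {len(reports)} report(s)",
        "techniques": [
            {"techniqueID": t, "score": n, "comment": f"documented in {n} report(s)"}
            for t, n in sorted(counts.items())
        ],
    }

def profile_overlap(reports_a, reports_b):
    """Jaccard similarity of two actors' technique sets, plus the shared techniques."""
    a, b = set(technique_frequency(reports_a)), set(technique_frequency(reports_b))
    return len(a & b) / len(a | b), sorted(a & b)
```

Serialise the returned layer with json.dump and open the file in Navigator via "Open Existing Layer"; a low Jaccard score with a single shared technique, as in this sample, argues against treating two intrusion sets as the same actor.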

Detecting TTP Evolution Over Time

Threat actors evolve. Tracking how TTPs change over time provides insight into an adversary's development cycle, response to defensive improvements, and strategic priorities.

APT29 (Cozy Bear) provides a well-documented example of TTP evolution. Their operations shifted from primarily spear-phishing with custom backdoors (2014-2016) to supply chain compromises (SolarWinds, 2020) and exploitation of cloud identity infrastructure (2021-present). This evolution reflected both increased sophistication and adaptation to hardened on-premises defenses.

When tracking evolution, document:

  • When new techniques first appeared
  • What techniques were abandoned and potential reasons
  • Whether changes correlate with public exposure, tool leaks, or defensive improvements
  • How the overall operational tempo and targeting shifted

ATT&CK Data Sources and Collection Mapping

MITRE ATT&CK version 10 (October 2021) introduced refactored Data Sources — structured descriptions of the telemetry needed to observe specific techniques.

Definition: A Data Source in ATT&CK represents a category of information (e.g., Process Creation, Network Traffic Flow, File Modification) that can be collected and analyzed to detect adversary behavior. Each data source has specific Data Components that describe the observable events.

Mapping Data Sources to Your Environment

For each relevant technique:

  1. Identify the ATT&CK data sources and data components listed
  2. Determine which logging/telemetry sources in your environment provide that data (e.g., Sysmon Event ID 1 for Process Creation, Windows Security Event ID 4688)
  3. Assess whether you are actually collecting and retaining that telemetry
  4. Identify gaps where you lack visibility

This mapping directly connects TTP analysis to security engineering decisions about what to log, where to forward telemetry, and what retention policies to apply.
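The four-step mapping above, worked as an added example that is not part of the lesson: it checks each technique's data components against a constructed telemetry inventory, treating a source as usable only when it is both collected and retained long enough to investigate, then ranks the missing components by how many techniques of interest depend on them. The per-technique component lists are illustrative and should be verified against attack.mitre.org; the inventory is hypothetical.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed mapping: technique -> ATT&CK data components it is observable through. Component
# names follow ATT&CK; the per-technique lists are illustrative, so verify them on attack.mitre.org.
TECHNIQUE_COMPONENTS = {
    "T1003.001": {"Process: Process Creation", "Process: Process Access", "Process: OS API Execution"},
    "T1059.001": {"Process: Process Creation", "Command: Command Execution", "Script: Script Execution"},
    "T1055": {"Process: Process Access", "Process: OS API Execution", "Process: Process Modification"},
    "T1021.002": {"Network Traffic: Network Traffic Flow", "Logon Session: Logon Session Creation"},
}

@dataclass(frozen=True)
class TelemetrySource:
    name: str
    component: str        # the ATT&CK data component this source provides
    collected: bool       # is it actually forwarded to the SIEM/data lake?
    retention_days: int   # how long it is kept once collected

ENVIRONMENT = [  # constructed inventory of a hypothetical environment
    TelemetrySource("Sysmon Event ID 1", "Process: Process Creation", True, 90),
    TelemetrySource("Windows Security Event ID 4688", "Process: Process Creation", True, 30),
    TelemetrySource("Sysmon Event ID 10", "Process: Process Access", False, 0),
    TelemetrySource("PowerShell Event ID 4104", "Script: Script Execution", True, 14),
    TelemetrySource("Windows Security Event ID 4624", "Logon Session: Logon Session Creation", True, 90),
    TelemetrySource("NetFlow export", "Network Traffic: Network Traffic Flow", True, 7),
]

def coverage_report(technique, min_retention_days=30):
    """Split a technique's data components into covered (collected AND retained long enough
    to investigate) and gaps (no usable source). Returns (covered dict, sorted gap list)."""
    covered, gaps = {}, []
    for comp in sorted(TECHNIQUE_COMPONENTS[technique]):
        usable = [s.name for s in ENVIRONMENT if s.component == comp
                  and s.collected and s.retention_days >= min_retention_days]
        if usable:
            covered[comp] = usable
        else:
            gaps.append(comp)
    return covered, gaps

def prioritize_gaps(techniques, min_retention_days=30):
    """Rank missing components by how many techniques of interest need them (fix these first)."""
    demand = Counter()
    for t in techniques:
        demand.update(coverage_report(t, min_retention_days)[1])
    return demand.most_common()
```

Note that a source which is installed but not forwarded (Sysmon Event ID 10 here) or kept for too short a window (script block logs at 14 days) counts as a gap, which is the distinction step 3 asks you to make.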

Using TTPs for Predictive Analysis

TTP profiles enable a form of predictive analysis: if you know which actor is targeting your sector and you understand their behavioral patterns, you can anticipate their likely actions and prepare defenses in advance.

The Predictive Workflow

  1. Identify relevant actors based on targeting (sector, geography, data of interest)
  2. Build their TTP profile from published reporting and your own observations
  3. Map their likely attack path through your environment using their known behavioral sequence
  4. Identify detection gaps where their preferred techniques lack coverage
  5. Prioritize defensive investments based on the specific techniques most likely to be used against you

This is the foundation of threat-informed defense, the philosophy MITRE formalized and that underpins its Center for Threat-Informed Defense (CTID).

Technique Sightings

Definition: A technique sighting is a documented observation of a specific ATT&CK technique being used in the wild, tied to a particular time, context, and (where possible) threat actor.

Technique sightings provide empirical data on what adversaries actually do, as opposed to what they theoretically could do. The ATT&CK knowledge base includes procedure examples sourced from public reporting, providing a record of real-world usage.

Tracking sightings allows analysts to:

  • Prioritize the most commonly observed techniques for detection
  • Understand which techniques are trending (increasing in frequency)
  • Weight detection investments toward techniques with demonstrated real-world prevalence
  • Identify whether a technique is used broadly (commodity) or narrowly (targeted)

Key Takeaways

  • Procedure-level analysis provides far greater detection value than technique-level mapping alone
  • TTP extraction from reports requires careful reading, accurate ATT&CK mapping, and attention to implementation specifics
  • TTP profiles serve as behavioral fingerprints for threat actors, enabling comparison, clustering, and tracking evolution
  • ATT&CK data sources directly link adversary techniques to the telemetry needed for detection
  • Predictive TTP analysis allows defenders to anticipate actor behavior and prioritize gaps before an intrusion occurs
  • Technique sightings ground analysis in empirical observation rather than theoretical possibility

Practical Exercise

Select a threat actor relevant to your organization or sector (e.g., APT41, FIN7, Sandworm, Lazarus Group). Using publicly available reporting:

  1. Extract procedures from at least two different campaign reports for the same actor
  2. Build a TTP profile using ATT&CK Navigator — create a layer showing all observed techniques, color-coded by how many reports document each one
  3. Identify core TTPs (present in multiple campaigns) vs. occasional TTPs (single campaign only)
  4. Map data sources for the actor's top 5 most-used techniques — determine which telemetry sources in your environment (or a hypothetical environment) would detect them
  5. Write an analytical assessment (one paragraph) predicting the actor's most likely attack path against a target in your sector, based on their TTP profile

Further Reading

  • MITRE ATT&CK. ATT&CK Data Sources. Available at: https://attack.mitre.org/datasources/
  • Strom, Blake E. et al. (2018). "MITRE ATT&CK: Design and Philosophy." MITRE Technical Report MTR180314.
  • Bianco, David (2013). "The Pyramid of Pain." Enterprise Detection & Response blog.
  • MITRE Center for Threat-Informed Defense. Technique Sightings and ATT&CK Workbench. Available at: https://ctid.mitre-engenuity.org/