TTP Analysis

Google Threat Intelligence allows you to explore Threat Actors and Malware on the basis of the MITRE ATT&CK® Framework. Analyzing Threat Actors and Malware this way helps you explore threats in terms of adversary Tactics, Techniques, and Procedures (TTPs) based on real-world observations.

In the MITRE ATT&CK Framework:

  • Tactics represent the adversary's tactical goal (the "why"): the reason a MITRE ATT&CK technique or sub-technique is carried out.
  • Techniques and sub-techniques represent how an adversary achieves a tactical goal by performing an action.

Google Threat Intelligence currently supports MITRE ATT&CK version 8 (v8).

After reading this article, you will be able to:

Video: Explore MITRE ATT&CK

Analyze Threat Actors using the Explore MITRE ATT&CK Dashboard

For example, say you want to explore the TTPs associated with five Actors recently observed targeting the automotive industry:

  • UNC2500
  • UNC2633
  • UNC2824
  • UNC4705
  • UNC2529

To filter and analyze Threat Actors

  1. Select Threat Landscape > TTP Analysis to go to the Explore MITRE ATT&CK dashboard.
  2. Choose Actors from the drop-down. This displays all Actors currently tracked by Google Threat Intelligence.
  3. Select Automotive from the list of TARGET INDUSTRY filters to narrow your search.
  4. Sort the resulting Actors List by Last Reference Date - Most Recent.
    The Actors Selection dashboard lets you choose Actors. You may select more than one Actor and your selection will appear as Selected Actors. You can also use Filters like Automotive as a TARGET INDUSTRY to refine your search according to your needs.
  5. Click Analysis or Next to populate the MITRE ATT&CK heat map with TTPs specific to the Selected Actors.
    Pressing Analysis or Next on the Actors Selection dashboard takes you to the Selected Actors heat map page.

If more than one Actor is selected and analyzed as per the MITRE ATT&CK framework, the heat map shows the number of selected Actors associated with each technique or sub-technique to aid in prioritizing mitigation efforts. If there are multiple sub-techniques associated with a technique, an expander arrow can be clicked to reveal them. Clicking directly on either a technique or a sub-technique provides a brief description.

Clicking the Actions menu reveals the option to Download CSV.

You can select and de-select Actors on the heat map page itself to easily compare Actor TTPs within the heat map view.

Download the MITRE ATT&CK heat map as a CSV

You can download the MITRE ATT&CK (multi-actor) heat map as a CSV file for further analysis by clicking Actions > Download CSV. This allows you to filter and sort heat map data to aid in prioritizing mitigation efforts. For example, you can filter on specific techniques or sub-techniques for a given MITRE Category Name (that is, the tactic), and then sort by Actor(s) Usage Count to focus on the techniques shared by the most selected Actors.

The following fields are included in the exported CSV file:

  • MITRE Category Name
  • Technique ID
  • Technique Name
  • Sub-Technique IDs
  • Sub-Technique Names
  • Actor(s) usage count
  • Actor 1
  • Actor 2
  • Actor 3
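As an added example (not part of the Google Threat Intelligence documentation or product), the following Python script parses an export with the fields listed above, filters it to one tactic, and ranks techniques by Actor(s) usage count; it also recomputes the count from the Actor columns so that an inconsistent row is flagged rather than trusted. The CSV content is constructed, and the assumptions that each Actor N column holds the actor's name when it uses the technique (blank otherwise) and that Sub-Technique IDs are semicolon-separated are mine.

```python
import csv
import io

# Constructed sample export with the documented columns. Technique IDs are real
# ATT&CK identifiers; the actor names and the actor-to-technique mappings are
# made up for illustration, and the T1543 row deliberately carries a wrong count.
SAMPLE_CSV = """MITRE Category Name,Technique ID,Technique Name,Sub-Technique IDs,Sub-Technique Names,Actor(s) usage count,Actor 1,Actor 2,Actor 3
Execution,T1059,Command and Scripting Interpreter,T1059.001;T1059.003,PowerShell;Windows Command Shell,3,ACTOR-A,ACTOR-B,ACTOR-C
Execution,T1204,User Execution,T1204.002,Malicious File,2,ACTOR-A,,ACTOR-C
Persistence,T1547,Boot or Logon Autostart Execution,T1547.001,Registry Run Keys / Startup Folder,1,,ACTOR-B,
Execution,T1053,Scheduled Task/Job,T1053.005,Scheduled Task,2,ACTOR-A,ACTOR-B,
Persistence,T1543,Create or Modify System Process,T1543.003,Windows Service,2,,ACTOR-B,
"""


def load_heatmap(text):
    """Parse the export into dicts, recomputing the usage count from the
    Actor columns and flagging rows where it disagrees with the exported value."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        # Assumption: "Actor 1".."Actor N" hold the actor name or are blank.
        actors = [v.strip() for k, v in row.items()
                  if k.startswith("Actor ") and v and v.strip()]
        exported = int(row["Actor(s) usage count"])
        rows.append({
            "tactic": row["MITRE Category Name"],
            "technique_id": row["Technique ID"],
            "technique": row["Technique Name"],
            "sub_techniques": [s for s in row["Sub-Technique IDs"].split(";") if s],
            "actors": actors,
            "usage_count": exported,
            "count_mismatch": exported != len(actors),
        })
    return rows


def top_techniques(rows, tactic, limit=3):
    """Techniques for one tactic, the ones shared by the most actors first;
    ties are broken by technique ID so the order is deterministic."""
    matching = [r for r in rows if r["tactic"] == tactic]
    matching.sort(key=lambda r: (-r["usage_count"], r["technique_id"]))
    return matching[:limit]


def mismatched_rows(rows):
    """Technique IDs whose exported count does not match the Actor columns."""
    return [r["technique_id"] for r in rows if r["count_mismatch"]]


if __name__ == "__main__":
    data = load_heatmap(SAMPLE_CSV)
    for r in top_techniques(data, "Execution"):
        print(r["technique_id"], r["technique"], r["usage_count"], ",".join(r["actors"]))
    print("rows to re-check:", mismatched_rows(data))
```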

Analyze Malware using the Explore MITRE ATT&CK Dashboard

The workflow for exploring Malware is similar to exploring Actors, but with different filtering options. For example, suppose a recent report noted an increased use of backdoor Malware in your industry. A vulnerability scan of your environment flagged the following Malware families, so you want to explore them further to understand the associated risk:

  • BEACON
  • QAKBOT
  • ADWIND
  • CARWASH
  • EXPLOSIVE

To filter and analyze malware

  1. Select Threat Landscape > TTP Analysis to go to the Explore MITRE ATT&CK dashboard.

  2. Choose Malware from the drop-down.

  3. Select Backdoor from the list of ROLE filters.

  4. Select the five Malware families noted in your vulnerability scan.
    The Malware Selection dashboard lets you choose Malware. You may select more than one Malware and your selection will appear as Selected Malware. You can also use Filters like Backdoor ROLE to refine your search according to your needs.

  5. Click Analysis or Next to populate the MITRE ATT&CK heat map with TTPs specific to the selected Malware.
    Pressing Analysis or Next on the Malware Selection dashboard takes you to the Selected Malware heat map page. If there are sub-techniques associated with a technique, a drop-down arrow expands the heat map cell to reveal them.

You can select and de-select Malware on the heat map page itself to easily compare Malware TTPs within the heat map view.

If more than one Malware is selected and analyzed in the MITRE ATT&CK framework, a heat map displays the number of selected Malware associated with each technique or sub-technique. As with Threat Actors, if you have a subscription to Security Validation and you click on a technique or sub-technique, you can pivot directly to the Security Validation platform to test your defenses against it. Again, you can download the heat map as a CSV for further analysis to aid in prioritizing mitigation efforts against the selected Malware.