Quick Takeaways
- The cybersecurity community faces persistent challenges in defining, standardizing, and operationalizing procedures (the "P" in TTPs), crucial for threat-informed defense and scalable detection.
- MITRE ATT&CK provides a high-level framework of tactics and techniques but lacks detailed, adaptable procedural data, which is vital for precise detection, testing, and risk management.
- Tidal Cyber developed a comprehensive procedures library, leveraging AI and extensive threat intelligence to extract, cluster, and link detailed adversary actions with defenses, tools, and threat actors at scale.
- This library enables real-time, granular visibility into adversary activities, allowing defenders to confidently map real-world procedures to existing defenses, thereby improving efficiency and proactive security measures.
The Issue
At this year’s Black Hat USA conference, cybersecurity experts Scott Small and Harrison Van Riper addressed a major industry challenge: the difficulty in defining, tracking, and operationalizing Procedures—detailed, repeatable actions that adversaries execute to achieve their objectives. Small explained that prior knowledge bases like MITRE ATT&CK primarily catalog tactics and techniques but lack the granular, procedural-level detail needed by defenders for precise detection and response. To bridge this gap, Tidal Cyber developed an extensive Procedures library by leveraging artificial intelligence (AI) and analyzing over 1,500 threat reports, extracting specific adversarial actions—such as malware commands and tool use—linked directly to real-world threats. This effort involved standardizing the definition of Procedures as clear, repeatable sets of technical actions, enabling security teams to better understand, monitor, and defend against evolving threats.
Small and Van Riper’s team at Tidal Cyber employed AI-driven data processing and clustering techniques to manage the vast volume of threat intelligence, building a comprehensive, scalable repository of Procedures. This database not only correlates Procedures with threat actors, malware, and defensive measures but also allows organizations to verify existing defenses—like specific detection rules—against real-world adversary activity. The approach offers a strategic advantage: it provides defenders with the detailed insights needed to craft precise detections and simulate real attack scenarios. As a result, this initiative aims to transform threat intelligence into actionable, targeted defense strategies, addressing a long-standing industry challenge by making Procedures more standardized, accessible, and operationally useful.
Potential Risks
At this year’s Black Hat USA, cybersecurity experts highlighted a persistent industry challenge: the effective operationalization and tracking of Procedures—executable, repeatable technical actions adversaries use to achieve specific objectives. Despite extensive threat intelligence, the industry struggled with a lack of standardized definitions, granular data modeling, and dynamic tracking of procedures, especially at scale. The MITRE ATT&CK framework provides valuable Tactics and Techniques but falls short in detailing the procedural level—how adversaries precisely execute techniques using tools and commands. Recognizing this gap, Tidal Cyber developed a comprehensive Procedures library by leveraging AI and automated data processing on vast amounts of public threat reports. This library categorizes, clusters, and links procedures to threat actors, tools, and defensive measures, enabling defenders to not only identify adversary behavior at a granular level but also verify existing defenses against specific procedures in real-world contexts. This innovation promises to enhance threat understanding, improve detection accuracy, and streamline proactive security measures in a landscape characterized by rapidly evolving adversary tactics.
Fix & Mitigation
Addressing security vulnerabilities swiftly is critical to safeguarding sensitive information and maintaining trust. Delayed remediation can lead to exploitation, data breaches, and reputational damage, making prompt action essential for effective security management.
Mitigation Strategies
Risk Assessment
Identify vulnerabilities early through continuous monitoring and vulnerability scanning to understand potential threats.
Patch Management
Apply security patches and updates promptly to close known vulnerabilities and prevent exploitation.
Access Controls
Enforce strict access controls and multi-factor authentication to limit unauthorized entry and contain potential damage.
Incident Response Plan
Develop and regularly update an incident response plan to ensure swift and organized action when issues arise.
Employee Training
Educate staff about security best practices and common attack vectors to foster a security-aware culture.
Regular Audits
Conduct routine security audits and penetration testing to detect weaknesses before they are exploited.
Backup and Recovery
Implement reliable data backups and recovery procedures to quickly restore operations after an incident.
Vendor Management
Ensure third-party providers also maintain adequate security measures to prevent supply chain vulnerabilities.
Continue Your Cyber Journey
Stay informed on the latest Threat Intelligence and Cyberattacks.
Learn more about global cybersecurity standards through the NIST Cybersecurity Framework.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1
