TTP#

A TTP — Tactics, Techniques, and Procedures — describes a cyber adversary’s behavior.

TTPs borrow their name and definition from military jargon:

  • Tactics: “the employment and ordered arrangement of forces in relation to each other.”

  • Techniques: “non-prescriptive ways or methods used to perform missions, functions, or tasks.”

  • Procedures: “standard, detailed steps that prescribe how to perform specific tasks.”

(Definitions from: “Joint Publication 1-02, Department of Defense Dictionary of Military and Associated Terms, 8 November 2010 (as amended through 15 February 2016)”)

TTPs include details such as:

  • The steps the adversary performs to achieve their goal.

  • The equipment, gear, or tools they use.

    For example, software, hardware, USB sticks, forged ID badges, and so on.

  • Information on any parties they associate with, or the victims they target, as well as on any exploit targets they may leverage to achieve their goals.

  • How they act on, or react to the victim’s behavior to avoid detection or defeat.

  • The intended goals the adversary wants to achieve.

Create a TTP by selecting:

  • In the side navigation bar, + Create > TTP.

Or:

  • (Requires Beta: Intelligence creation on the graph)

    In the top navigation bar of a graph, select + and then TTP to create a draft entity.

  • Double-click the newly created draft entity to open and edit it.

Then, Configure this entity.

Configure#

The following sections describe the fields and options available.

Note

Required fields are marked with an asterisk (*).

General#

  • Title* (data.title): Descriptive title for this entity. See Titles and aliases.

  • Analysis (data.description): Long description of TTP.

  • Intended effects (data.intended_effects[]): See Intended effects.

Characteristics#

Characteristics are properties on an entity that provide context for the intelligence indicated by this object.

The following are characteristics available for TTPs:

Characteristics: Exploit#

Exploit identified in the context of this TTP. Analogous to ExploitType.

Tip

Adding this characteristic to a TTP embeds this information in the entity. You may want to create a separate Exploit target entity and create a relationship to that instead.

  • Title* (data.behavior.exploits[].title): Descriptive title.

  • Description (data.behavior.exploits[].description): Free text description.

Characteristics: Malware#

Malware identified in the context of this TTP. Analogous to MalwareType.

  • Names (data.behavior.malware[].names[]): Enter one or more names to identify this malware by.

  • Types (data.behavior.malware[].types[].value): See Malware types.

On publishing this entity, a new malware observable is also created for each malware name added here.

Characteristics: Attack pattern#

Attack pattern identified in the context of this TTP. Analogous to AttackPatternType.

  • CAPEC (data.behavior.attack_patterns[].capec_id): Enter a CAPEC ID.

  • Title* (data.behavior.attack_patterns[].title): Title of attack pattern.

  • Description (data.behavior.attack_patterns[].description): Free text description.

Characteristics: Infrastructure#

Describes infrastructure in the context of this TTP. Analogous to InfrastructureType.

  • Title (data.resources.infrastructure.title): Title of infrastructure.

  • Description (data.resources.infrastructure.description): Free text description.

  • Types (data.resources.infrastructure.types[]): See Infrastructure types.

Characteristics: Persona#

Personas identified in the context of this TTP. Analogous to PersonasType.

  • Name* (data.resources.personas[].name): Name of persona.

On publishing this entity, a new name observable is also created with the values specified here and linked to this entity.

Characteristics: Tools#

Attacker tools identified in the context of this TTP. Analogous to ToolsType.

  • Name* (data.resources.tools[].name): Name of tool.

  • Types (data.resources.tools[].types[]): Type of attacker tool. Analogous to AttackerToolTypeVocab-1.0. Available options:

    • Malware

    • Penetration Testing

    • Port Scanner

    • Traffic Scanner

    • Vulnerability Scanner

    • Application Scanner

    • Password Cracking

  • Description (data.resources.tools[].description): Description of tool.

  • Hashes (data.resources.tools[].hashes[]): Add one or more hashes to this TTP. Analogous to HashType. For each hash added, configure these two fields:

    • Hash type*: Select a hash type.

    • Simple hash value*: Enter a hash value.

    Each hash added here also creates a corresponding hash-* observable containing the Simple hash value when the entity is published.

Characteristics: Targeted victim#

Set one targeted victim for this TTP. Analogous to VictimTargetingType.

  • Name (data.victim_targeting.identity.name): Name of targeted victim.

  • Specification (data.victim_targeting.identity.specification_xml): Add details to describe the targeted victim. See Targeted victim: Specification.

  • Targeted systems (data.victim_targeting.targeted_systems[]): Select one or more targeted systems. Analogous to SystemTypeVocab-1.0.

  • Targeted information (data.victim_targeting.targeted_information[]): Select one or more items. Analogous to InformationTypeVocab-1.0.

Targeted victim: Specification#

Add one or more items to Specification to flesh out the identity being described. Content here is used to construct the XML content in the specification_xml field in EIQ JSON. Analogous to STIXCIQIdentity3.0Type as used in IdentityType / CIQIdentity3.0InstanceType / CIQ 3.0 Specifications.

  • Account: Describes a bank account or similar. Available fields:

    • Account type*: Set an account type. Free text field.

    • Account status*: Set an account status. Free text field.

    • Account specification: Add one or more account specifications. For each account specification, set these fields:

      • Type*: One of the following options:

        • Account ID

        • Issuing authority

        • Account type

        • Account branch

        • Issuing country name

      • Value*: Set a value for this account specification.

  • Person: Add one or more properties describing a person.

    • Type*: Select one of these options:

      • Preceding title

      • Title

      • First name

      • Middle name

      • Last name

      • Other name

      • Alias name

      • Generation identifier

      • Degree

    • Value*: Enter a value for this Type.

  • Organization: Add one or more properties describing an organization.

    • Type*: Select one of these options:

      • Name only

      • Type only (e.g. “Inc”)

      • Full name

    • Value*: Enter a value for this Type.

  • Electronic address: Add one or more electronic addresses for this targeted victim.

    • Type*: Select an electronic address type.

    • Value*: Enter the full electronic address.

Each item added to the Specification section creates an observable with the corresponding type:

  • Account: bank-account

  • Person: person

  • Organization: organization

  • Electronic address: email, domain, handle
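As an added example (not EclecticIQ's own code), the following Python derives the observables that publishing a TTP would create from its Malware names, Persona names, Tool hashes and Specification items, following the rules stated in those sections. The dict layout follows the EIQ JSON field paths listed on this page; the hash key names, the pre-XML list form of the Specification, the electronic address type labels and the hash-* suffix are assumptions.

```python
from typing import Any, Dict, List

# Specification item -> observable type, per the table above. For Account the
# observable value is assumed to be the item's Account ID specification value.
SPEC_OBSERVABLE_TYPES = {"account": "bank-account", "person": "person",
                         "organization": "organization"}
# Electronic address type -> observable type (these three type labels are assumed).
ELECTRONIC_ADDRESS_TYPES = {"email": "email", "domain": "domain", "handle": "handle"}


def derive_observables(ttp: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return the {"kind", "value"} pairs that publishing this TTP would create."""
    data = ttp.get("data", {})
    behavior, resources = data.get("behavior", {}), data.get("resources", {})
    out: List[Dict[str, str]] = []

    # Characteristics: Malware -> one malware observable per name.
    for mw in behavior.get("malware", []):
        out += [{"kind": "malware", "value": n} for n in mw.get("names", [])]

    # Characteristics: Persona -> one name observable per persona.
    out += [{"kind": "name", "value": p["name"]} for p in resources.get("personas", [])]

    # Characteristics: Tools -> one hash-* observable per hash; the suffix is
    # assumed to be the lowercased Hash type, and the key names are assumed.
    for tool in resources.get("tools", []):
        for h in tool.get("hashes", []):
            out.append({"kind": "hash-" + h["type"].lower(), "value": h["simple_hash_value"]})

    # Targeted victim: Specification items, modelled here as a list of dicts
    # (assumed; the product stores them as XML in specification_xml).
    identity = data.get("victim_targeting", {}).get("identity", {})
    for item in identity.get("specification", []):
        if item["field"] == "electronic_address":
            out.append({"kind": ELECTRONIC_ADDRESS_TYPES[item["type"]], "value": item["value"]})
        else:
            out.append({"kind": SPEC_OBSERVABLE_TYPES[item["field"]], "value": item["value"]})
    return out


# Constructed sample TTP (not real intelligence), keyed by the EIQ JSON paths above.
SAMPLE_TTP = {"data": {
    "title": "Invoice-themed phishing with macro dropper",
    "behavior": {"malware": [{"names": ["InvoiceDropper", "IDrop"]}]},
    "resources": {
        "personas": [{"name": "Accounts Payable Team"}],
        "tools": [{"name": "dropper", "hashes": [{"type": "SHA256", "simple_hash_value": "ab" * 32}]}],
    },
    "victim_targeting": {"identity": {"name": "Example Corp", "specification": [
        {"field": "organization", "type": "Full name", "value": "Example Corp Inc"},
        {"field": "electronic_address", "type": "email", "value": "ap@example.com"},
    ]}},
}}
```

Running `derive_observables(SAMPLE_TTP)` yields six observables: two malware, one name, one hash-sha256, one organization and one email.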

Observables#

You can create one or more new observables and link them to the currently open entity by selecting + Observable under the Observables section.

Note

If an observable you create here matches an observable rule with an ignore action, it does not appear when you publish the entity.

In the Add observable view that appears, fill out these fields:

  • Type* (extracts[].kind): See Observable types.

  • Link name*: See Observable link names.

  • Value(s)* (extracts[].value): Enter one or more values. One observable is created per value. Values must be comma-separated, or newline-separated, but not both.

  • Maliciousness*: See Observable maliciousness.
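As an added example (not the product's own code), this Python mirrors the Value(s) rule and the ignore-rule note above: it splits the entered values (comma- or newline-separated, never both), builds one extracts[] entry per value, and drops values that an ignore rule matches. The link_name and maliciousness keys, the sample rule, and regex-based rule matching are assumptions.

```python
import re
from typing import Dict, List


def split_values(raw: str) -> List[str]:
    """Split the Value(s) field: comma-separated OR newline-separated, never both."""
    if "," in raw and "\n" in raw:
        raise ValueError("values must be comma-separated or newline-separated, not both")
    sep = "," if "," in raw else "\n"
    return [v.strip() for v in raw.split(sep) if v.strip()]  # drop blanks and whitespace


def build_extracts(kind: str, link_name: str, maliciousness: str, raw_values: str,
                   ignore_rules: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One extracts[] entry per value; values matched by an ignore rule are dropped,
    mirroring the note that such observables do not appear when the entity is published."""
    extracts: List[Dict[str, str]] = []
    for value in split_values(raw_values):
        # Rule matching is modelled as a full regex match on observable kind and value
        # (an assumption; the product's observable rules are configured separately).
        if any(r["kind"] == kind and re.fullmatch(r["pattern"], value) for r in ignore_rules):
            continue
        extracts.append({"kind": kind, "value": value,
                         "link_name": link_name, "maliciousness": maliciousness})
    return extracts


# Constructed ignore rule: the organisation's own domains are never published as observables.
IGNORE_RULES = [{"kind": "domain", "pattern": r"(.*\.)?example\.com"}]
```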

Relations#

Add relationships to this entity by selecting + Relationship.

  1. From the drop-down menu, select the option corresponding to the relationship you want to create:

    • Exploit targets

    • Related TTPs

    • Campaign → Related TTPs

    • Indicator → Indicated TTPs

    • Incident → Leveraged TTPs

    • Report → TTPs

    • Threat actor → Observed TTPs

    • Sighting → TTP

  2. After selecting an option, the Search an entity dialog appears. Select one or more entities to relate to the current entity.

    Note

    You can narrow down the displayed entities by entering a search query, or by using the Filter button.

  3. Select the Select button to add the chosen entities as relations.

Once a relationship is added to this entity, you can:

  • Assign MITRE ATT&CK IDs by selecting + under the MITRE ATT&CK IDs column.

  • Set a Relationship type

    • Enter a custom relationship type by typing in the empty field and pressing ENTER to save.

    • Select one of these options:

      • Indicates malware

      • Is associated campaign to

      • I don’t know

      • Could be anything

Meta#

The Meta section contains configuration options that allow you to attach descriptive data to the entity.

  • Estimated threat start time (meta.estimated_threat_start_time): Estimated start of threat. See Time values.

  • Estimated threat end time (meta.estimated_threat_end_time): Estimated end of threat. See Time values.

  • Estimated observed time (meta.estimated_observed_time): Estimated time threat was observed. See Time values.

  • Half-life (meta.half_life): See Half-life. Select one of these options:

    • Use default value: When selected, half-life for this entity is set to 720 days.

    • Override value: Set a custom value for half-life, in number of days.

  • Tags (meta.tags[] and meta.taxonomy_paths[]): See tags and taxonomies.

  • Source* (sources[]): Select one source.

  • Source reliability (meta.source_reliability): See source reliability. Options:

    • Inherit from source: This entity inherits source reliability from Source.

    • Custom override: Set a source reliability value for just this entity.

Information source#

  • Description (data.information_source.description): Description of information source.

  • Identity (data.information_source.identity): Name of this information source.

  • Roles (data.information_source.roles[]): One or more information source roles. Possible values:

    • Initial Author

    • Content Enhancer/Refiner

    • Aggregator

    • Transformer/Translator

  • References (data.information_source.references[]): One or more URLs.

Data marking#

Descriptive metadata for the entity.

  • TLP (meta.tlp_color): Set a TLP color for this entity.

  • Terms of use (data.handling[].marking_structures[]): Free text field allowing you to attach terms of use to an entity. Analogous to TermsOfUseMarkingStructureType.

  • Simple (data.handling[].marking_structures[]): Free text field for attaching any text to an entity. Analogous to SimpleMarkingStructureType.

Workflow#

Use the options here to apply workflow settings to this entity.

  • Add to dataset: Select this option to add this entity to one or more datasets on Publish.

  • Manually enrich: Run one or more enrichers on this entity on Publish.

Save and publish#

Tip

For more information, see Draft and published entities.

Select Publish to create this entity, and make it available under + Create > Production > Published.

For more publishing options, select More (the drop-down menu arrow) and then one of these options:

  • Publish and new: Publish this entity, and start creating a new entity.

  • Publish and duplicate: Publish this entity, and start creating a new entity using all the values set for this entity.

Select Save draft to save this entity as a draft, and make it available under + Create > Production > Drafts. You must publish an entity to use it elsewhere on EclecticIQ Intelligence Center.

For more options while saving as a draft, select More (the drop-down menu arrow) and then one of these options:

  • Publish and new: Save this entity as a draft, and start creating a new entity.

  • Publish and duplicate: Save this entity as a draft, and start creating a new entity using all the values set for this draft entity.