IOCs vs TTPs
Definitions:
An IOC (Indicator of Compromise) and a TTP (Tactics, Techniques, and Procedures) are two different types of cybersecurity indicators that organizations use to detect and respond to cyber threats.
An IOC is a piece of evidence that indicates an organization may have been compromised or is currently under attack. An IOC can take many forms, such as a malicious IP address, a file hash, or a domain name, and is used to identify malicious activity or artifacts within an organization's IT environment. Once identified, security teams can use IOCs to search for related threats or to block access to malicious resources.
TTPs, on the other hand, describe how attackers operate: the steps they take to gain access, move laterally within a network, exfiltrate data, and achieve their objectives. TTPs provide a framework for understanding the methods and tools that attackers use, and can help organizations better identify and respond to cyber threats.
While both IOCs and TTPs are important cybersecurity indicators, they serve different purposes. IOCs are specific indicators that point to malicious activity or artifacts, while TTPs describe the methods and techniques an attacker uses to carry out attacks. IOCs can be useful in detecting specific attacks, but TTPs provide a more comprehensive understanding of an attacker's behavior and can help organizations better identify and respond to ongoing or future attacks.
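The distinction in practice, as an added example that is not part of the original article: the same constructed logon log is checked once against a known-bad address (an IOC) and once for the behaviour itself (a TTP: repeated failures followed by a success). The log lines, addresses and the indicator list are all constructed for illustration.

```python
# Added example, not part of the original article: the same constructed logon
# log is checked two ways, by matching a known-bad address (an IOC) and by
# looking for the behaviour itself (a TTP: repeated failures then a success).
from collections import defaultdict

# Constructed log lines; addresses are documentation ranges, not real indicators.
LOG_LINES = [
    "2024-01-10T10:00:01 src=203.0.113.7 user=alice result=FAIL",
    "2024-01-10T10:00:02 src=203.0.113.7 user=alice result=FAIL",
    "2024-01-10T10:00:03 src=203.0.113.7 user=alice result=FAIL",
    "2024-01-10T10:00:09 src=203.0.113.7 user=alice result=SUCCESS",
    # Same technique from an address no feed has listed yet.
    "2024-01-11T08:12:00 src=198.51.100.9 user=bob result=FAIL",
    "2024-01-11T08:12:01 src=198.51.100.9 user=bob result=FAIL",
    "2024-01-11T08:12:02 src=198.51.100.9 user=bob result=FAIL",
    "2024-01-11T08:12:07 src=198.51.100.9 user=bob result=SUCCESS",
    # Ordinary user: one typo, then a normal logon.
    "2024-01-12T09:00:00 src=192.0.2.5 user=carol result=FAIL",
    "2024-01-12T09:00:04 src=192.0.2.5 user=carol result=SUCCESS",
]

# Constructed IOC feed: only the first attacker's address is known.
IOC_IPS = {"203.0.113.7"}

def parse(line):
    """Split 'ts key=value key=value ...' into a dict."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = ts
    return event

def ioc_hits(lines, iocs=IOC_IPS):
    """IOC approach: flag sources that appear on the indicator list."""
    return sorted({e["src"] for e in map(parse, lines) if e["src"] in iocs})

def ttp_hits(lines, threshold=3):
    """TTP approach: flag a source that fails `threshold` or more logons for one
    account and then succeeds, whether or not the address is already known."""
    failures = defaultdict(int)
    flagged = set()
    for e in map(parse, lines):
        key = (e["src"], e["user"])
        if e["result"] == "FAIL":
            failures[key] += 1
        else:
            if failures[key] >= threshold:
                flagged.add(e["src"])
            failures[key] = 0   # a success closes the sequence
    return sorted(flagged)
```

The IOC check catches only the listed address; the behavioural rule also catches the second source, which is the durability the article attributes to TTPs.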
Today’s Challenge:
In today's technology-driven world, new vulnerabilities are being discovered at an unprecedented pace, leaving organizations struggling to keep up with patching. Security teams face the daunting task of evaluating a vast number of vulnerabilities and determining which ones pose the greatest risk to the organization.
To tackle this challenge, organizations need to leverage a behavior-based vulnerability intelligence approach. This approach is designed to provide security teams with the critical context required to prioritize vulnerabilities that pose the most risk to their organization. It provides a deeper understanding of how and why threat actors are targeting certain vulnerabilities and ignoring others.
Shortcomings of the Current Solution:
While CVSS (Common Vulnerability Scoring System) scores provide a starting point for evaluating the severity of a vulnerability, they were never meant to measure the risk to a particular organization. Moreover, relying exclusively on the CVSS score to prioritize patching is insufficient, as it doesn't consider whether a vulnerability is being exploited in the wild or whether it is on a business-critical service or system.
The Common Vulnerability Scoring System (CVSS) is a widely used standard for assessing the severity of security vulnerabilities. It provides a numerical score between 0 and 10, with higher scores indicating more severe vulnerabilities. There are two versions of CVSS in use: CVSS version 2 and CVSS version 3.
CVSS version 2 was introduced in 2007 and is still used by many organizations today. It consists of three metric groups: Base, Temporal, and Environmental. The Base group includes metrics such as Access Vector, Access Complexity, and Authentication, while the Temporal group includes metrics such as Exploitability and Remediation Level. The Environmental group allows organizations to customize scores based on their specific IT environment. While CVSS version 2 has some benefits, such as being easy to use and providing a standardized approach to vulnerability assessment, it has several limitations.
CVSS version 3, which was introduced in 2015, is an improvement over version 2. It includes several enhancements, such as new metrics for Scope and Attack Complexity, which provide a more accurate assessment of the risk posed by a vulnerability. Additionally, version 3 provides a broader range of scores, with scores ranging from 0 to 10 in increments of 0.1, allowing for more precise risk assessment.
Despite these improvements, relying solely on CVSS scores, even version 3, can still be insufficient for prioritizing vulnerabilities. The main issue is that CVSS is a technical assessment of vulnerability severity and does not take into account an organization's specific threat landscape or business needs. Furthermore, as mentioned earlier, the CVSS score does not provide any indication of whether a vulnerability is being actively exploited in the wild, or if it poses a threat to a specific business-critical system.
This is where a CTI (Cyber Threat Intelligence) team can make a significant difference. CTI teams provide an organization with threat intelligence that takes into account the organization's specific threat landscape, including details on the types of threats the organization faces, how those threats operate, and the specific vulnerabilities they are targeting. CTI teams can use this intelligence to help organizations assess the risk posed by vulnerabilities in their environment and prioritize their patching efforts accordingly.
Behavior-Based Vulnerability Intelligence:
Building an organization's security strategy around TTPs (Tactics, Techniques, and Procedures) rather than IOCs (Indicators of Compromise) offers several advantages. A behavior-based vulnerability intelligence approach incorporates risk-focused contextual information specific to an organization's environment, enabling security teams to assess the true risk of a vulnerability to the organization. By combining internal asset criticality and internal vulnerability scanning data with external intelligence from various sources, security teams can strike the correct balance between patching vulnerable systems and interrupting business operations.
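How that combination changes the patch order, as an added example that is not part of the original article: constructed findings are ranked by CVSS alone and then by a rule-based tiering that also uses exploited-in-the-wild intelligence and internal asset criticality. The identifiers, scores, field names and tier rules are all assumptions made for illustration.

```python
# Added example, not from the original article: constructed findings ranked by
# CVSS alone and by a behaviour-based view that also weighs external
# exploited-in-the-wild intelligence and internal asset criticality.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    vuln_id: str             # placeholder IDs, not real CVE numbers
    cvss: float              # CVSS base score, 0.0 to 10.0
    exploited_in_wild: bool  # from external threat intelligence
    asset_criticality: int   # internal rating: 1 low, 2 medium, 3 business-critical
    internet_exposed: bool   # from internal scanning / asset inventory

# Constructed findings (hypothetical identifiers and values).
FINDINGS = [
    Finding("VULN-A", 9.8, False, 1, False),  # top score, unexploited, low-value asset
    Finding("VULN-B", 7.5, True, 3, True),    # exploited in the wild on a critical system
    Finding("VULN-C", 8.1, False, 3, False),
    Finding("VULN-D", 6.5, True, 2, True),
    Finding("VULN-E", 5.3, False, 1, True),
]

def cvss_only_order(findings):
    """The ordering most teams start from: highest CVSS first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss)]

def priority_tier(f):
    """Rule-based tier (1 = patch first). The rules and thresholds are an
    illustrative assumption, not a published standard."""
    if f.exploited_in_wild and f.asset_criticality == 3:
        return 1   # actively exploited and business-critical
    if f.exploited_in_wild or (f.asset_criticality == 3 and f.cvss >= 7.0):
        return 2
    if f.cvss >= 7.0 or (f.internet_exposed and f.asset_criticality >= 2):
        return 3
    return 4

def behavior_based_order(findings):
    """Tier first; CVSS only breaks ties within a tier."""
    return [f.vuln_id
            for f in sorted(findings, key=lambda f: (priority_tier(f), -f.cvss))]
```

Under CVSS alone the unexploited 9.8 on a low-value asset is patched first; with exploitation and criticality context it drops to the fourth slot behind the exploited findings.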
TTPs provide a more comprehensive view of an attacker's behavior and are less likely to become outdated. IOCs are specific pieces of data that are tied to a particular attack, and once they are discovered, attackers can easily modify their tactics to bypass defenses. TTPs, on the other hand, describe the broader techniques and methods that attackers use, and are much more difficult for attackers to change. By focusing on TTPs, organizations can build a more resilient security strategy that is better equipped to detect and respond to evolving threats.
TTPs enable a proactive, rather than reactive, security approach. By understanding the tactics and techniques used by attackers, organizations can identify potential attack scenarios and vulnerabilities in their environment, and take proactive steps to reduce their risk exposure. By contrast, an IOC-based approach relies on identifying specific attacks or indicators after they have already compromised the network.
TTPs provide a better basis for threat intelligence sharing between organizations. IOCs are specific to individual attacks and may not be relevant or useful to other organizations. TTPs, however, provide a more general description of the techniques used by attackers, which can be shared across multiple organizations to help them better protect themselves.
Finally, a TTP-based approach is more adaptable to changes in the threat landscape. As new attack techniques and tools are developed, TTPs can be updated and modified to reflect the latest threats. This enables organizations to stay ahead of the curve and maintain an effective security posture over time.
Behavior-based vulnerability intelligence empowers security teams to make informed decisions when prioritizing vulnerabilities that pose the greatest risk to their organization. It helps reduce downtime and prevent attacks, ensuring that security teams can focus their efforts on protecting critical assets while maintaining business operations.