https://github.com/jymcheong/AutoTTP

What is TTP?

A tactic is the highest-level description of the behavior; techniques provide a more detailed description of the behavior in the context of a tactic; and procedures provide a lower-level, highly detailed description of the behavior in the context of a technique. The behavior of an actor. - NIST CSRC

Abstract definitions tend to prompt a “so what?”. What is it that defenders need to understand?

  1. Tactics are sub-objectives (WHAT). When attacks are successful, there will be impacts to Confidentiality (e.g. the attacker’s objective is to steal), Integrity (tamper) & Availability (deny) for Information Systems. For Cyber-Physical systems, attacks can impact Safety with kinetic consequences (i.e. damage).
  2. Techniques are specific methods (HOW) to achieve various sub-objectives. Different systems require different techniques.
  3. Procedures string techniques together (WHEN to do WHAT, think OODA) to achieve the desired offensive objectives.

Why Automate with AutoTTP?

How?

Reference

A Survey of Open-Source Threat Emulators