Cyber threat intelligence
Note that the term cyber is arguably misused in the context of "Cyber Threat Intelligence" 1 and should be considered more as an equivalent for "Digital Threat Intelligence" or "Internet Threat Intelligence".
Cyber Threat Indicator: A set of cyber observables combined with contextual information intended to represent artifacts and/or behaviors of interest within a cyber security context.2
TTP, in the context of cyber threat intelligence, is short for Tactics, Techniques and Procedures also sometimes referred to as Tools, Techniques, Procedures.
TTPs are representations of the behavior or modus operandi of cyber adversaries. It is a term taken from the traditional military sphere and is used to characterize what an adversary does and how they do it in increasing levels of detail.3
Note that the abbreviation TTP is highly ambiguous, e.g. in another context it can mean Trusted Third Party.
- Highly Mandiant product centric standard, though seems to have digressed a bit from this since version 1.1
- Driving a Collectively Stronger Security Community with Microsoft Interflow, by Jerry Bryant, June 23, 2014
- NIST Special Publication 800-150 (Draft) - Guide to Cyber Threat 6 Information Sharing (Draft), NIST
Feeds (or equivalent)
- Cyber Observable eXpression
- Structured Threat Information eXpression
- Malware Attribute Enumeration and Characterization (MAEC)
- Standardizing Cyber Threat Intelligence Information with the Structured Threat Information eXpression (STIX™), by Sean Barnum, 2013