The term procedure originates in the military but entered common cybersecurity use in 2013, when it appeared in the Pyramid of Pain. Using this model, David J. Bianco urges defenders to detect behavior (Tactics, Techniques, and Procedures (TTPs)) rather than indicators alone. Also in 2013, MITRE ATT&CK® classified attacker behavior into Tactics and Techniques while defining some procedures opportunistically.
There are two different (and incompatible) approaches to defining a procedure.
MITRE ATT&CK definition
Procedures are the specific implementation the adversary uses for techniques or sub-techniques. For example, a procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim. Procedures are categorized in ATT&CK as the observed in the wild use of techniques in the “Procedure Examples” section of technique pages.
The definition above is taken from the ATT&CK FAQ. In practice, procedures in ATT&CK have no set format and depend on available threat intelligence, taking the form of a table on each Technique page. Here’s an example from
On Detection definition
Jared Atkinson wrote a series of articles describing a comprehensive taxonomy for understanding attacker activity (beyond what MITRE defined with Tactics and Techniques). I highly recommend the entire series, but this is the key quote from part 6:
… one of the significant issues in the sub-discipline of Detection and Response is that our map is too low resolution to use to make sound and accurate predictions … we apprehend the cyber world as something composed of three layers [but there are] at least six layers (functions, operations, procedures, sub-techniques, techniques, and tactics)
Jared’s definition of a procedure (also from part 6) is as follows:
a sequence of operations that, when combined, implement a technique or sub-technique
This is necessary because, as Jared points out in part 1:
a three-tiered taxonomy (such as TTP) is far too limiting … which leads to grouping different things … at the bottom of the taxonomy. For this reason, it seems to me that the term “Procedures” is used too broadly …
Jared goes on to further define operations and functions, but for our purposes it’s important to note that these two definitions of procedure are incompatible. Under this latter definition, the logical relationship between a technique and its procedures allows researchers to define the boundaries of an attack via the Technique Research Report (TRR) and similar tools.
Procedure vs Instance
Andrew VanVleet wrote a blog post (TTPI’s: Extending the Classic Model) that explains that MITRE ATT&CK is not recording procedures but, more precisely, is documenting instances (or perhaps observables). Using the more precise term benefits detection engineers who are working to define coverage.
Remember:
- Procedures can be comprehensively enumerated, tested, and detected
- Instances are subject to threat intelligence reporting and recording, and detections based on threat intelligence are always opportunistic, not comprehensive.