Project

Cyber Forensics Investigation Tactics, Techniques, and Procedures (TTP)

While pursuing the M.S. Cybersecurity degree at CSUSM and as part of the semester in residence (SiR) requirement, I opted to pursue a subject that I had not previously performed in my professional life and that has the potential to be a real benefit in the realm of cyber forensics. The idea of developing a cyber forensics investigation Tactics, Techniques, and Procedures (TTP) document was conceived from a real-world request to conduct a cyber forensics investigation on a person of interest (POI) who was believed to be transferring proprietary information to an unauthorized person. The request was from a pharmaceutical company based in San Diego, CA, started by college friends who put together their own information technology (IT) infrastructure. As a cyber-security consultant, I sometimes rely on established methodologies to inform the work I do for my customers. Here, there was no published methodology and I reluctantly turned down the engagement, but it did spawn the question of where I would turn for a guide to conducting a cyber forensics investigation. The guide could be used within cybersecurity firms, cyber incident response teams (CIRT), or within other organizations in which cyber forensics investigations are conducted. Tactics, Techniques, and Procedures (TTPs) publications have been a tradition in United States military doctrine. The TTP model contains detailed processes which can be used by people with little to no instruction from an educator, trainer, or supervisor. The use of TTPs in the U.S. military has been quite successful and is another tool in the arsenal from which the civilian, commercial sector can take note and incorporate into its own processes. Admittedly, during my time of working with my law enforcement committee member, Mr. Darren Bennett, I have learned that the law enforcement community develops TTPs solely to understand the behavior of the target / suspect / adversary!
I kept the term “TTP”, as this document is intended for a wide audience of organizations that may conduct a cyber forensics investigation.