The new TTP0 community wants to do for SOCs what OWASP has done for web security. It will help CISOs improve their threat intelligence and threat hunting capabilities as well.

If you need surgery, you want the surgeon that other doctors want to do their surgery. You want a surgeon who has been there, done that, and taken names. You don’t want a surgeon who is doing their first few surgeries or has too many negative outcomes. The surgeon you want is the one other surgeons want to learn from.

With that in mind, I recently ran into a long-time cybersecurity friend, Carric Dooley, whom I’ve known going on 15 years. We both worked at Foundstone doing penetration testing and penetration testing education. We both worked together at Microsoft after Foundstone.

Carric is a surgeon’s surgeon. He’s the whitehat hacker that other whitehat hackers want to be around and work with. He’s not only very good at what he does and well-loved by his co-workers, but he understands the challenges of running a business while getting the very best, right-sized computer defense better than most.

I hadn’t seen Carric in years when I stumbled across his new company, Indelible LLC. It focuses on building and improving security operations centers (SOCs), with the people who have been there and done that. I thought I knew a lot about SOCs, but within a few minutes Carric was schooling me like I was a baby who only knew what SOC stood for. Indelible is trying to better educate all computer security professionals in security operations as well as improve all SOCs, using both its own commercial offerings and through the creation and support of TTP0.

What is TTP0?

TTP0 is a new community forum that stands for tactics, tools and procedures. The zero stands for Tier 0. Security professionals talk about computer security in the terms of Tier 0, Tier 1, Tier 2 and Tier 3.
Tier 0 is your most critical infrastructure, servers, and the crown jewels of your organization, including the computer security and personnel that protect all the rest. Tier 1 and Tier 2 represent the ordinary, less critical servers and sources. Tier 3 covers the regular, non-privileged workstations and users. TTP0 encompasses all the computer security “tradecraft” being used to create and operate a Tier 0 computer security operation, in particular a Tier 0 SOC.

TTP0 was founded by seasoned experts, including Carric, to focus on the topic of security operations and how to do it right. It is a new effort to create a community for those wishing to build, assess, optimize or understand what a SOC should do, how people are doing it successfully, and how to measure it. The desire is to provide guidance and content to everyone with an interest in security operations, from the CISO looking to build one to the SOC analyst looking to grow their skill set and career opportunities. TTP0 is a chance to hang out and learn from the best. These are professionals who have been there and done that. If you’re trying to build a new SOC or improve an already existing one, it can’t hurt to check out TTP0.

Carric says more simply, “TTP0 is basically OWASP for SOCs.” OWASP (Open Web Application Security Project) was founded in 2001 as a community effort to better secure web applications. It did. Tens of thousands of programmers and educational programs have learned from, and contributed to, OWASP. Much of what we do by default to secure web programming came from OWASP.
Carric and his friends are trying to do the same with security operations.

TTP0 scenarios

As examples, TTP0 is especially good at getting answers and information in the following types of scenarios:

I’m a CISO tasked with building a great SOC, but I don’t know where to begin.
I’m trying to improve my company’s threat intelligence program, but I’m not even sure where to start.
I need a world-class threat hunting program NOW!

If you have one of these needs, then TTP0 is for you. TTP0 and its practitioners can help you to more quickly bridge the gap from “I don’t know much about those subjects” to “Hey, I have a world-class SOC, threat intelligence and threat hunting program now.” TTP0 offers free education, step-by-step guides, templates, and programming to get you started. Even if you think you already have a world-class SOC, it can’t hurt to check out TTP0 to make sure you didn’t miss anything.

TTP0 resources

If you’re new to TTP0, but interested, I recommend these resources:

One of the first presentations on TTP0 by SANS instructor Ismael Valenzuela and Rob Gresham
TTP0 on GitHub, a curated list of related information and resources
TTP0 on Twitter

Like many other successful open source, community-based computer security initiatives, it has both a free (TTP0) version and a commercially supported alternative (Indelible), which supports the free arm. Many users want the expertise and formal support that a commercial organization offers beyond the free instance. Think Snort and Sourcefire, Nessus and Tenable, and Bro and Corelight. Although it doesn’t always guarantee success, in my 30 years of experience, usually when a free initiative is supported by a commercial arm, the free stuff is more likely to thrive and be updated. Both communities benefit. Carric said he and Indelible’s founders work hard to share, for free, the hard lessons they’ve learned in the trenches over the years.
For instance, Carric said that one of the biggest mistakes he sees in his work with CISOs starting to build their own SOCs is that they often don’t have a clear vision of what their overall goals are to start with. He frequently sees them ordering what they think is the best-in-class software that they saw at some conference for their security operations without really knowing if it’s right for their specific needs.

“Set the vision and goals first and then work backwards from there,” Carric says. “If you do that you will have a guide for choosing everything from the right products to whether or not you build or buy the constituent components. That seems intuitive when you say it out loud, but I have seen multiple customers that started with choosing a SIEM (security information event monitor) first, instead of the other way around. That is how you wind up finding yourself $12 million dollars into a SOC that doesn’t actually do anything useful. But if you do it the right way, you can build the SOC from the ground up with the right skills, tools, and processes.” Words of wisdom.

If you’re in the business of security operations (e.g., SOC, threat intelligence, threat hunting), it can’t hurt to check out TTP0. It’s quickly gaining advocates.