Tactics, Techniques, and Procedures (TTPs)

What are Tactics, Techniques, and Procedures (TTPs)?

Tactics, techniques, and procedures (TTPs) are the strategic plans, methodologies, and actions an adversary uses to develop and conduct an attack. The term, which has its roots in the military, is used in cybersecurity to describe how a threat actor might conduct a cyberattack.


It’s important for security professionals to stay on top of TTPs to understand potential attack surfaces (areas vulnerable to attack) and attack vectors (methods of attack). Knowing how specific types of attacks are conducted makes it easier to prepare for, detect, and respond to an actual attack.

Techopedia Explains

TTPs can be used as a framework that gives security professionals a structured and organized way to understand, document, discuss, and respond to cyberthreats.

The relationship between tactics, techniques, and procedures is hierarchical. Tactics guide the selection of techniques, and techniques inform the development of procedures.


What is a Tactic?

A tactic is a plan that includes what is going to happen – and why it is going to happen. In the context of cybersecurity, a threat actor’s tactic might be to “gain network access to exfiltrate sensitive data.”

What is a Technique?

A technique is a specific method for executing a tactic. Cybercriminals and other threat actors will often use multiple planned and opportunistic techniques to conduct an attack. The choice and number of techniques depend on the attacker’s skills, the attack’s objectives, and the target’s vulnerabilities.

For example, if the plan is to gain network access and exfiltrate sensitive data, the attacker might use phishing and server misconfigurations as techniques.

Using both techniques not only expands the attack surface but also increases the attacker’s chances of gaining unauthorized access to the network. Once inside, they can move laterally to escalate privileges, locate the data they’re after, and steal it without being detected.

What is a Procedure?

A procedure is an action plan. It describes what steps are required to execute a specific technique.

For example, if one of the attacker’s techniques is to phish for credentials, the accompanying procedures will include reconnaissance, creating convincing phishing emails, selecting appropriate targets, sending the emails, and monitoring responses.

Similarly, if a second technique involves exploiting server misconfigurations, the accompanying procedures might be to conduct port scans to identify vulnerabilities, use brute force attacks to gain initial access, and then look for ways to gain administrative privileges.

What are TTPs Used For in Cybersecurity?

Cybersecurity professionals use TTPs to reverse engineer cyberattacks and understand how attackers think. When a security team knows how different types of attacks are conducted, they can proactively identify and address vulnerabilities in their own computer systems and networks, recognize indicators of compromise (IOCs) early on, and contain damage.
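To make the tactic → technique → procedure hierarchy concrete from the defender's side, here is an added Python example (not code from the original article or from Techopedia). It models the article's own example tactic, with the phishing and server-misconfiguration techniques and the procedure steps listed above, and then compares that hierarchy against a constructed, hypothetical inventory of detection controls to show which procedure steps a security team has no telemetry for. The control names and the mapping from controls to procedure steps are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Technique:
    """A specific method for executing a tactic, with its procedure steps."""
    name: str
    procedures: List[str] = field(default_factory=list)


@dataclass
class Tactic:
    """The adversary's goal; it guides which techniques are selected."""
    goal: str
    techniques: List[Technique] = field(default_factory=list)


def build_example_tactic() -> Tactic:
    # Hierarchy taken from the article's worked example.
    return Tactic(
        goal="gain network access and exfiltrate sensitive data",
        techniques=[
            Technique("phishing for credentials", [
                "reconnaissance",
                "creating convincing phishing emails",
                "selecting targets",
                "sending the emails",
                "monitoring responses",
            ]),
            Technique("exploiting server misconfigurations", [
                "port scans",
                "brute force attacks",
                "gaining administrative privileges",
            ]),
        ],
    )


# Constructed, hypothetical detection inventory for a fictional organisation:
# control name -> procedure steps that control produces telemetry or alerts for.
DETECTIONS: Dict[str, List[str]] = {
    "email gateway URL/attachment analysis": ["sending the emails"],
    "perimeter IDS port-sweep rule": ["port scans"],
    "authentication failure-rate alert": ["brute force attacks"],
    "privileged-group membership change alert": ["gaining administrative privileges"],
}


def flatten(tactic: Tactic) -> List[Tuple[str, str, str]]:
    """Documentation view: one (tactic, technique, procedure) row per step."""
    return [(tactic.goal, t.name, p) for t in tactic.techniques for p in t.procedures]


def covered_procedures(detections: Dict[str, List[str]]) -> Set[str]:
    """Every procedure step at least one control can observe."""
    return {step for steps in detections.values() for step in steps}


def coverage_gaps(tactic: Tactic, detections: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Per technique, the procedure steps no control covers (the blind spots)."""
    covered = covered_procedures(detections)
    return {
        t.name: [p for p in t.procedures if p not in covered]
        for t in tactic.techniques
    }


def coverage_ratio(tactic: Tactic, detections: Dict[str, List[str]]) -> float:
    """Fraction of procedure steps across the tactic that some control observes."""
    total = sum(len(t.procedures) for t in tactic.techniques)
    missing = sum(len(gaps) for gaps in coverage_gaps(tactic, detections).values())
    return (total - missing) / total if total else 0.0


if __name__ == "__main__":
    tactic = build_example_tactic()
    for row in flatten(tactic):
        print(" -> ".join(row))
    for technique, gaps in coverage_gaps(tactic, DETECTIONS).items():
        print(f"{technique}: uncovered steps = {gaps}")
    print(f"coverage: {coverage_ratio(tactic, DETECTIONS):.0%}")
```

With the constructed inventory, the report shows that every step of the server-misconfiguration technique has a matching control while most of the phishing procedure (reconnaissance, lure creation, target selection, response monitoring) is invisible to the organisation, which is exactly the kind of gap a team would use the TTP hierarchy to surface and prioritise.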

TTPs and Red Teaming

The TTP hierarchy is often used in red team exercises to provide a loose framework for simulating real-world cyberattacks. The hierarchical structure can be used to help team members decide what techniques are most relevant for specific tactics, and what procedures are most relevant for specific techniques.

Example

Below is an example of how a red team could use TTPs in an exercise.

For the sake of consistency, let’s say the exercise is focused on one tactic: gain network access and locate customer data. For the sake of brevity, let’s also assume the tactic was selected in advance. (In real life, this approach is used in time-constrained red teaming exercises aligned with specific security concerns.)

  1. In this scenario, the exercise would begin by having team members brainstorm what techniques they could use to gain network access.
  2. They would then need to select which techniques to focus on during the rest of the exercise. The selection process is an important part of the exercise because it requires team members to research known techniques, talk about potential techniques, and assess potential entry points within their organization’s IT infrastructure.
  3. Once a set of techniques has been selected for the exercise, the next step is for team members to brainstorm procedures and decide which procedures to focus on for the rest of the exercise. This step is important because it requires team members to research known procedures, discuss potential procedures, and document the steps required to execute a specific technique.

Essentially, the TTP hierarchy helps red team members break complex objectives (tactics) into smaller, actionable steps (techniques and procedures).

The process encourages red team members to stay on top of emerging threats, assess their organization’s security posture, and be proactive about creating, updating, and enforcing security controls.

Is There a List of Well-Known TTPs?

While there isn’t a single comprehensive list of well-known tactics, techniques, and procedures because of the evolving nature of cyber threats, there are several reputable organizations that provide information on common TTPs and threat intelligence.

Popular resources include:

It is important to note that since there isn’t a standard for categorizing tactics, techniques, and procedures, one resource may categorize data exfiltration as a tactic, while another resource might classify it as a technique or procedure.

Categorizations can also depend on the definition of a specific tactic, technique, or procedure, the context in which the activity is being analyzed, the specific goals of the entity categorizing it, or the broader security framework within which the categorization is being made.



Margaret Rouse

Margaret is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret's idea of a fun day is helping IT and business professionals learn to speak each other’s highly specialized languages.