Tactics, Techniques, and Procedures (TTPs)

What are Tactics, Techniques, and Procedures (TTPs)?

Tactics, techniques, and procedures (TTPs) are the strategic plans, methodologies, and actions an adversary uses to develop and conduct an attack. The term, which has its roots in the military, is used in cybersecurity to describe how a threat actor might conduct a cyberattack.

It’s important for security professionals to stay on top of TTPs to understand potential attack surfaces (areas vulnerable to attack) and attack vectors (methods of attack).  Knowing how specific types of attacks are conducted makes it easier to prepare for, detect, and respond to an actual attack.

Techopedia Explains

The TTPs can be used as a framework to provide security professionals with a structured and organized way to understand, document, discuss, and respond to cyberthreats.

The relationship between tactics, techniques, and procedures is hierarchical. Tactics guide the selection of techniques, and techniques inform the development of procedures.

What is a Tactic?

A tactic is a plan that includes what is going to happen – and why it is going to happen. In the context of cybersecurity, a threat actor’s tactic might be to “gain network access to exfiltrate sensitive data.”

What is a Technique?

A technique is a specific method for executing a tactic. Cybercriminals and other threat actors will often use multiple planned and opportunistic techniques to conduct an attack. The choice and number of techniques depend on the attacker’s skills, the attack’s objectives, and the target’s vulnerabilities.

For example, if the plan is to gain network access and exfiltrate sensitive data, the attacker might use phishing and server misconfigurations as techniques.

Using both techniques not only expands the attack surface but also increases the attacker’s chances of gaining unauthorized access to the network. Once inside, they can move laterally to escalate privileges, locate the data they’re after, and steal it without being detected.

What is a Procedure?

A procedure is an action plan. It describes what steps are required to execute a specific technique.

For example, if one of the attacker’s techniques is to phish for credentials, the accompanying procedures will include reconnaissance, creating convincing phishing emails, selecting appropriate targets, sending the emails, and monitoring responses.

Similarly, if a second technique involves exploiting server misconfigurations, the accompanying procedures might be to conduct port scans to identify vulnerabilities, use brute force attacks to gain initial access, and then look for ways to gain administrative privileges.

What are TTPs Used For in Cybersecurity?

Cybersecurity professionals use TTPs to reverse engineer cyberattacks and understand how attackers think. When a security team knows how different types of attacks are conducted, they can proactively identify and address vulnerabilities in their own computer systems and networks, recognize indicators of compromise (IOCs) early on, and contain damage.

TTPs and Red Teaming

The TTP hierarchy is often used in red team exercises to provide a loose framework for simulating real-world cyberattacks. The hierarchical structure can be used to help team members decide what techniques are most relevant for specific tactics, and what procedures are most relevant for specific techniques.

Example

Below is an example of how a red team could use the TTPs in an exercise.

For the sake of consistency, let’s say the exercise is focused on one tactic: gain network access and locate customer data. For the sake of brevity, let’s also assume the tactic was selected in advance. (In real life, this approach is used in time-constrained red teaming exercises aligned with specific security concerns.)

1. In this scenario, the exercise would begin by having team members brainstorm what techniques they could use to gain network access.
2.  They would then need to select which techniques to focus on during the rest of the exercise. The selection process is an important part of the exercise because it requires team members to research known techniques, talk about potential techniques, and assess potential entry points within their organization’s IT infrastructure.
3. Once X number of techniques have been selected for the sake of the exercise, the next step is for team members to brainstorm procedures and decide what procedures to focus on for the rest of the exercise. This step is important because it requires team members to research known procedures, discuss potential procedures, and document the steps required to execute a specific technique.

Essentially, the TTP hierarchy helps red team members break complex objectives (tactics) into smaller, actionable steps (techniques and procedures).

The process encourages red team members to stay on top of emerging threats, assess their organization’s security posture, and be proactive about creating, updating, and enforcing security controls.

Is There a List of Well-Known TTPs?

While there isn’t a single comprehensive list of well-known tactics, techniques, and procedures because of the evolving nature of cyber threats, there are several reputable organizations that provide information on common TTPs and threat intelligence.

Popular resources include:

• MITRE: MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework is a widely recognized resource that catalogs a broad range of TTPs associated with various threat actor groups. It provides detailed information on tactics and techniques used in cyberattacks, along with examples and real-world use cases.
• Cybersecurity Industry Reports: Organizations and cybersecurity companies often release reports and publications that describe observed TTPs associated with specific threat actors or incidents. These reports can provide valuable insights into threat trends.
• Threat Intelligence Feeds: Many threat intelligence resources provide links to feeds and databases that include information on known TTPs, indicators of compromise (IOCs), and attack patterns.
• Open Source Threat Intelligence Sharing Platforms: Open source platforms like Malware Information Sharing Platform & Threat Sharing (MISP) enable organizations to share and access threat intelligence, including TTPs, with the broader cybersecurity community.
• Government and Law Enforcement Reports: Government agencies, such as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also provide information on observed TTPs.

It is important to note that since there isn’t a standard for categorizing tactics, techniques, and procedures, one resource may categorize data exfiltration as a tactic, while another resource might classify it as a technique or procedure.

Categorizations can also depend on the definition of a specific tactic, technique, or procedure, the context in which the activity is being analyzed, the specific goals of the entity categorizing it, or the broader security framework within which the categorization is being made.

FAQs