Margaret Rouse is an award-winning technical writer and teacher known for her ability to explain complex technical subjects simply to a non-technical, business audience. Over…
Natalie is an editor specializing in educational content, with a deep passion for technology and cryptocurrency. Her expertise lies in transforming complex tech and crypto…
Tactics, techniques, and procedures (TTPs) are the strategic plans, methodologies, and actions an adversary uses to develop and conduct an attack. The term, which has its roots in the military, is used in cybersecurity to describe how a threat actor might conduct a cyberattack.
It’s important for security professionals to stay on top of TTPs to understand potential attack surfaces (areas vulnerable to attack) and attack vectors (methods of attack). Knowing how specific types of attacks are conducted makes it easier to prepare for, detect, and respond to an actual attack.
TTPs can also serve as a framework that gives security professionals a structured, organized way to understand, document, discuss, and respond to cyberthreats.
The relationship between tactics, techniques, and procedures is hierarchical. Tactics guide the selection of techniques, and techniques inform the development of procedures.
A tactic is a plan that includes what is going to happen – and why it is going to happen. In the context of cybersecurity, a threat actor’s tactic might be to “gain network access to exfiltrate sensitive data.”
A technique is a specific method for executing a tactic. Cybercriminals and other threat actors will often use multiple planned and opportunistic techniques to conduct an attack. The choice and number of techniques depend on the attacker’s skills, the attack’s objectives, and the target’s vulnerabilities.
For example, if the plan is to gain network access and exfiltrate sensitive data, the attacker might use phishing and server misconfigurations as techniques.
Using both techniques not only covers more of the target’s attack surface but also increases the attacker’s chances of gaining unauthorized access to the network. Once inside, they can move laterally to escalate privileges, locate the data they’re after, and steal it without being detected.
A procedure is an action plan. It describes what steps are required to execute a specific technique.
For example, if one of the attacker’s techniques is to phish for credentials, the accompanying procedures will include reconnaissance, creating convincing phishing emails, selecting appropriate targets, sending the emails, and monitoring responses.
Similarly, if a second technique involves exploiting server misconfigurations, the accompanying procedures might be to conduct port scans to identify vulnerabilities, use brute force attacks to gain initial access, and then look for ways to gain administrative privileges.
Cybersecurity professionals use TTPs to reverse engineer cyberattacks and understand how attackers think. When a security team knows how different types of attacks are conducted, they can proactively identify and address vulnerabilities in their own computer systems and networks, recognize indicators of compromise (IOCs) early on, and contain damage.
The TTP hierarchy is often used in red team exercises to provide a loose framework for simulating real-world cyberattacks. The hierarchical structure can be used to help team members decide what techniques are most relevant for specific tactics, and what procedures are most relevant for specific techniques.
Below is an example of how a red team could use TTPs in an exercise.
For the sake of consistency, let’s say the exercise is focused on one tactic: gain network access and locate customer data. For the sake of brevity, let’s also assume the tactic was selected in advance. (In real life, this approach is used in time-constrained red teaming exercises aligned with specific security concerns.)
Essentially, the TTP hierarchy helps red team members break complex objectives (tactics) into smaller, actionable steps (techniques and procedures).
The process encourages red team members to stay on top of emerging threats, assess their organization’s security posture, and be proactive about creating, updating, and enforcing security controls.
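As an added illustration (not part of the original article), the tactic, techniques, and procedures from the running example above modelled as a small tree that a blue team can query: which procedures have no mapped security control, and which control is being relied on for which steps. The control names are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Procedure:
    name: str
    controls: list[str] = field(default_factory=list)  # defensive controls mapped to this step

@dataclass
class Technique:
    name: str
    procedures: list[Procedure]

@dataclass
class Tactic:
    name: str
    techniques: list[Technique]

def build_example_tactic() -> Tactic:
    """The article's running example as a tree; the control names are constructed."""
    return Tactic("gain network access to exfiltrate sensitive data", [
        Technique("phishing for credentials", [
            Procedure("reconnaissance"),
            Procedure("create convincing phishing emails", ["email-gateway-filtering"]),
            Procedure("select appropriate targets"),
            Procedure("send the emails", ["email-gateway-filtering"]),
            Procedure("monitor responses", ["mfa-on-all-logins"]),
        ]),
        Technique("exploit server misconfigurations", [
            Procedure("port scans to identify vulnerabilities", ["perimeter-ids-alert"]),
            Procedure("brute force initial access", ["account-lockout", "mfa-on-all-logins"]),
            Procedure("gain administrative privileges"),
        ]),
    ])

def coverage_gaps(tactic: Tactic) -> dict[str, list[str]]:
    """Per technique, the procedures that no control covers: where to add or test controls."""
    return {t.name: [p.name for p in t.procedures if not p.controls]
            for t in tactic.techniques}

def controls_to_review(tactic: Tactic) -> dict[str, list[str]]:
    """Invert the tree: the technique/procedure steps each control is relied on to stop."""
    out: dict[str, list[str]] = {}
    for t in tactic.techniques:
        for p in t.procedures:
            for c in p.controls:
                out.setdefault(c, []).append(f"{t.name} / {p.name}")
    return out
```

A control that appears under many steps (here the MFA placeholder) is a single point of failure worth exercising first.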
While there isn’t a single comprehensive list of well-known tactics, techniques, and procedures because of the evolving nature of cyber threats, there are several reputable organizations that provide information on common TTPs and threat intelligence.
Popular resources include:
It is important to note that since there isn’t a standard for categorizing tactics, techniques, and procedures, one resource may categorize data exfiltration as a tactic, while another resource might classify it as a technique or procedure.
Categorizations can also depend on the definition of a specific tactic, technique, or procedure, the context in which the activity is being analyzed, the specific goals of the entity categorizing it, or the broader security framework within which the categorization is being made.
While these two terms are sometimes used interchangeably, they have distinct meanings. Tactics refer to the overall plan. Techniques refer to the specific methods used to carry out the plan.
If an attacker wanted to target financial data, they might use reconnaissance as a tactic, phishing emails as a technique, and sending phishing emails to C-level executives (whaling) as a procedure.
In cybersecurity, TTP stands for tactics, techniques, and procedures. Tactics describe the attacker’s overall objective. Techniques are the methods employed to achieve the objective. Procedures are the detailed, step-by-step processes used to carry out techniques.
In a Security Operations Center (SOC), TTP stands for tactics, techniques, and procedures. TTPs provide SOC teams with insights into how attackers operate. This knowledge allows SOC teams to develop more effective cyber defense mechanisms, anticipate potential threats, and respond more quickly and efficiently to cyber incidents.