Tactics, Techniques and Procedures (TTPs)
What is Tactics, Techniques and Procedures (TTPs)?
Tactics, Techniques and Procedures (TTPs): A layered description of how a threat actor operates: tactics (the why), techniques (the how), and procedures (the specific implementation).
TTPs come from military intelligence and have been adopted by cybersecurity to characterize adversary behavior at three levels. Tactics describe the attacker's high-level goal (e.g., Initial Access, Persistence, Exfiltration). Techniques explain the general way that goal is achieved (e.g., Spearphishing Attachment, Scheduled Task). Procedures capture the specific implementation observed in the wild, such as the exact PowerShell loader or registry path used. TTPs are the most durable level of threat intelligence: changing them forces the adversary to retool. The MITRE ATT&CK framework is the de facto taxonomy for TTPs.
● Examples
1. Tactic: Credential Access. Technique: OS Credential Dumping. Procedure: Mimikatz sekurlsa::logonpasswords.
2. Tactic: Persistence. Technique: Scheduled Task. Procedure: schtasks.exe creating a daily task that runs an obfuscated VBScript.
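The two examples above can be turned into detection logic that makes the three layers concrete. The following Python is an added illustration for this entry, not code from the original page or from MITRE; it runs procedure-level rules (a literal match on one observed implementation) and technique-level rules (a match on the behaviour) over a few constructed command-line events and reports which layer fired for each. The ATT&CK identifiers (TA0003, TA0006, T1003, T1053.005) are the public ones; the rule patterns, event contents and function names are assumptions made for the example.

```python
"""Classify constructed endpoint telemetry at the tactic, technique and
procedure layers. Added example, not part of the original glossary page."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TTP:
    tactic: str      # the why  (ATT&CK tactic)
    technique: str   # the how  (ATT&CK technique)
    procedure: str   # the specific implementation, "*" for any


@dataclass(frozen=True)
class Rule:
    layer: str       # "procedure" or "technique"
    pattern: str     # regex applied to the process command line
    ttp: TTP


RULES = [
    # Procedure-level rules: literal matches on the implementation seen on
    # this page. Cheap for an adversary to change (a renamed binary or a
    # different task schedule already breaks them).
    Rule("procedure", r"^mimikatz\.exe .*sekurlsa::logonpasswords",
         TTP("Credential Access (TA0006)", "OS Credential Dumping (T1003)",
             "mimikatz.exe sekurlsa::logonpasswords")),
    Rule("procedure", r'^schtasks\.exe /create /sc daily .*\.vbs"?$',
         TTP("Persistence (TA0003)", "Scheduled Task (T1053.005)",
             "schtasks.exe daily task running a VBScript")),
    # Technique-level rule: any task creation, whatever the name, schedule
    # or payload. Evading it means changing the persistence technique itself.
    Rule("technique", r"\bschtasks(\.exe)?\s+/create\b",
         TTP("Persistence (TA0003)", "Scheduled Task (T1053.005)", "*")),
    # No technique-level rule for T1003 here: command lines alone do not
    # carry the LSASS process-access telemetry such a rule would need.
]

# Constructed telemetry: (event id, process command line).
EVENTS = [
    ("e1", r'schtasks.exe /create /sc daily /tn Updater /tr "wscript.exe C:\Users\Public\u.vbs"'),
    ("e2", r'schtasks /create /sc onlogon /tn Sync /tr "C:\ProgramData\s.vbs"'),
    ("e3", "mimikatz.exe sekurlsa::logonpasswords"),
    ("e4", "notepad.exe report.txt"),
]


def classify(events):
    """Return {event_id: {"procedure": [TTP...], "technique": [TTP...]}}."""
    results = {}
    for event_id, cmdline in events:
        hits = {"procedure": [], "technique": []}
        for rule in RULES:
            if re.search(rule.pattern, cmdline, re.IGNORECASE):
                hits[rule.layer].append(rule.ttp)
        results[event_id] = hits
    return results


def tactics_for(event_id, results):
    """The 'why' layer: distinct tactics implied by any matched rule."""
    hits = results[event_id]
    return sorted({t.tactic for layer in hits.values() for t in layer})


if __name__ == "__main__":
    out = classify(EVENTS)
    for event_id, cmdline in EVENTS:
        layers = [name for name, hits in out[event_id].items() if hits]
        print(f"{event_id}: layers={layers or ['none']} "
              f"tactics={tactics_for(event_id, out)} cmd={cmdline}")
```

Running it shows the durability argument from the definition: e1 trips both layers, e2 (same technique, different procedure) is missed by the procedure rule but caught by the technique rule, e3 is caught only at the procedure layer because this data source cannot express the technique, and e4 matches nothing.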
● Frequently asked questions
What is Tactics, Techniques and Procedures (TTPs)?
A layered description of how a threat actor operates: tactics (the why), techniques (the how), and procedures (the specific implementation). It belongs to the Defense & Operations category of cybersecurity.
What does Tactics, Techniques and Procedures (TTPs) mean?
A layered description of how a threat actor operates: tactics (the why), techniques (the how), and procedures (the specific implementation).
How do you defend against Tactics, Techniques and Procedures (TTPs)?
Defences against Tactics, Techniques and Procedures (TTPs) combine technical controls and operational practices. As the definition above notes, TTPs are the most durable level of threat intelligence, so detections built on tactics and techniques rather than on one specific procedure are the ones that force an adversary to retool.
What are other names for Tactics, Techniques and Procedures (TTPs)?
Common alternative names include: TTPs, Tradecraft.