TTPs (Tactics, Techniques, Procedures)

TTPs, or Tactics, Techniques, and Procedures, refers to the behaviors and methods that threat actors use to plan and execute cyberattacks. 

Understanding TTPs is important for cybersecurity professionals to defend against attacks.

Key Concepts

Definition

TTPs outline the specific tools, exploits, infrastructure, actions, and procedures that adversaries take in order to achieve their objectives during a cyberattack. This includes initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, and impact.

Purpose

Studying TTPs enables cybersecurity teams to gain insights into attackers' thought processes, capabilities, and weaknesses. This knowledge aids in identifying threats early and protecting against them.

Relevance

TTPs form a core part of cyber threat intelligence. Tracking and analyzing TTPs is key for security operations centers to anticipate attacks, halt intrusions, minimize damage, and prevent future incidents.

Also Known As

Tactics, techniques, and procedures may also be referred to as threat actor tactics and techniques (TAT) or MITRE ATT&CK.

Components/Types

TTPs can be broken down into three categories:

Tactics

The adversaries’ goals or objectives at a high level, such as establishing foothold, escalating privileges, exfiltrating data, or causing disruption.

Techniques

The tools, exploits, and malware used by attackers to accomplish each tactic. This includes phishing, credential stuffing, SQL injection, backdoors, keyloggers, etc.

Procedures

The step-by-step methods followed by attackers to operationalize techniques and achieve tactics. For example, sending phishing emails, moving laterally across a network, obscuring activity, and stealing credentials.

Importance in Cybersecurity

Security Risks

Failure to understand and track TTPs leaves organizations vulnerable to attacks. Attackers rely on proven techniques, so awareness of TTPs enables prediction and prevention of incidents.

Mitigation Strategies

Organizations can develop intelligence-driven defenses tailored to attackers' known TTPs. This includes implementing controls to disrupt reconnaissance, block delivery of malware, detect lateral movement, and more.

Best Practices

• Continuously monitor threat intelligence feeds on latest attack TTPs. Subscribe to threat intel services that track and report on latest TTPs observed across industries.
• Incorporate knowledge of TTPs into security awareness training. Educate end users on common attack techniques like phishing and social engineering so they can help defend the organization.
• Perform red team exercises modeling real-world attacks and TTPs. Conduct controlled simulations of attacks to validate security controls against known adversary TTPs.
• Develop and validate controls focused on disrupting high-risk TTPs. Identify the TTPs that pose the greatest risk and implement safeguards designed specifically to detect and disrupt those behaviors.

Related Terms

• MITRE ATT&CK® Framework - Industry framework for describing adversary TTPs, a common lexicon used to discuss and address threats.
• Indicators of Compromise (IOCs) - Forensic artifacts of intrusions that can signify malicious activity based on TTPs.
• Security Information and Event Management (SIEM) - Technology for aggregating, correlating, and analyzing event data to detect IOCs and TTP behaviors.

Tips for Success

• Document observed TTPs from incidents for future reference.
• Regularly update defense controls to account for evolution of TTPs over time.
• Contribute intelligence by sharing relevant and validated TTPs with industry communities.

Further Reading

• MITRE - Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - https://attack.mitre.org
• SANS Institute - Tracking Cyber Threat Actor Techniques - https://www.sans.org/white-papers/33945/

Key Takeaways

Understanding TTPs provides the context and knowledge to defend against determined adversaries. Tracking attacker behaviors and tools provides actionable intelligence to identify, predict, prevent, detect, and respond to intrusions. Knowledge of TTPs should inform ongoing security strategies, control implementation, and incident response plans.