There’s no shortage of confusing terminology and acronyms in the cybersecurity field. In this article, we’re taking a look at one acronym that even those who don’t make a living defending others against cybersecurity threats should know about: TTP.
What Does TTP Mean in Cybersecurity?
TTP stands for Tactics, Techniques, and Procedures, and this acronym is used when talking about the behavior of a threat actor. Here’s how the National Institute of Standards and Technology defines its individual elements:
Essentially, tactics describe what cybercriminals plan to achieve. Examples include obtaining access to sensitive information or making certain important resources unavailable to damage the victim financially or reputationally.
Techniques are the general strategies cybercriminals use to breach their victims’ defenses, and they roughly correspond to the major cyber threats, such as malware, phishing, man-in-the-middle attacks, password compromise, and others.
Finally, procedures are the specific steps cybercriminals follow to achieve their nefarious goals. They may correspond to specific software vulnerabilities, such as the recently discovered Microsoft Exchange server elevation of privilege vulnerability, or they may reflect gaps in the victims’ defenses.
According to MITRE, a not-for-profit organization providing a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations, collecting and filtering data based on TTPs is an effective method for detecting malicious activity.
“This approach is effective because the technology on which adversaries operate (e.g., Microsoft Windows) constrains the number and types of techniques they can use to accomplish their goals post-compromise,” explains MITRE.
TTPs shouldn’t be confused with Indicators of Compromise, or IoCs for short. If TTPs describe what cybercriminals do, then IoCs talk about the consequences of their actions.
If cybercriminals were bank robbers, then TTPs would be the strategies used to reach the inside of the vault. IoCs, on the other hand, would be anything from a smashed lock to missing money.
We can illustrate the difference between IoCs and TTPs on a phishing attack whose goal is to steal login credentials:
When detected, IoCs ignite incident response activities to protect valuable systems from threat actors. TTPs give the security team the information needed to protect all possible attack vectors.
Should SMBs Study TTPs?
Small and medium-sized businesses rarely employ a cybersecurity team—let alone one large enough to dedicate time to the study of current and emerging TTPs.
Instead of trying to assemble such a team, SMBs are much better off outsourcing this activity to a managed security service provider (MSSP) that provides threat intelligence and threat detection services.
SMBs that have yet to implement beginning-to-end strategies to improve their cybersecurity defenses can especially benefit from a partnership with an experienced MSSP, borrowing its experience to implement cybersecurity best practices, such as:
- Multi-factor authentication (MFA): Many TTPs used by today’s cybercriminals target weak authentication and login mechanisms. MFA, which strengthens the authentication process by adding one or more extra layers of protection, can block as much as 99.9 percent of identity attacks.
- Cybersecurity awareness training: People remain the weakest link in the cybersecurity chain because their actions can sabotage even the most well-thought-out policies and controls. Cybersecurity awareness training can strengthen this link and make it less likely to break.
- Endpoint protection: The proliferation of the hybrid work model has led to an explosion of end-points (laptops, tablets, smartphones, etc.), each of which represents a possible attack vector. Modern endpoint protection solutions help discover and defend these endpoints regardless of where they’re physically located.
At Aligned Technology Solutions, we understand the Tactics, Techniques, and Procedures cybercriminals use to accomplish their objectives, and we’re happy to share this knowledge with SMBs like yours. Book a consultation with us today.