What are Tactics, Techniques, and Procedures (TTPs)?
TTPs stands for tactics, techniques, and procedures. This is the term used by cybersecurity professionals to describe the behaviors, processes, actions, and strategies used by a threat actor to develop threats and engage in cyberattacks.
Tactics, Techniques, and Procedures Definition
Understanding an attacker’s TTPs is a key component of an information security security program.
The National Institute of Standards and Technology (NIST) describes tactics as being the highest-level description of the behavior. Techniques are a more detailed description of the threat actor’s actions within the context of a tactic. Procedures are an even lower level, more detailed description of the activities within the context of a technique.
Tactics–The overall goals behind the attack and the general strategies followed by the threat actor to implement the attack. For example, the threat actor’s goal may be to infiltrate a website to steal customer credit card information.
Procedures–The step-by-step description of the attack, including the tools and methods used to orchestrate it. Cybersecurity analysts most often use an attack’s procedures to help create a profile or fingerprint for a threat actor or threat group.
What are TTPs used for?
Security professionals define and analyze the tactics, techniques, and procedures of a threat actor to help them in counterintelligence efforts. TTPs can help security researchers correlate an attack to a known hacker or threat group and better understand an attack framework. TTPs help researchers focus their investigation path, identify threat source or attack vectors, define the severity of the threat, and support incident response and threat mitigation. Security professionals also use TTPs in threat modeling activities.
TTP research also goes beyond basic forensics. By identifying threat actors and groups, security researchers can ascertain relationships that may exist with other attackers. TTPs can also aid in identifying emerging threats and in developing threat and attack countermeasures.