Tactics, Techniques, and Procedures (TTPs)
Definition
Tactics, Techniques, and Procedures (TTPs) is a concept used in cybersecurity and threat intelligence to describe the behavior of a threat actor. Tactics are the high-level goals, techniques are the methods used to achieve those goals, and procedures are the specific implementations of those techniques.
Why It Matters
Understanding an adversary's TTPs is more valuable than knowing only their Indicators of Compromise (IoCs). An attacker can cheaply change an IP address or a malware hash (the IoCs), but their underlying behavior (the TTPs) is much harder to change. Defending against TTPs is therefore a more robust and proactive security strategy than blocking individual indicators.
Contextual Example
An attacker's tactic might be "Initial Access." Their technique might be "Spear Phishing Attachment." Their procedure might be to send a crafted Word document with a malicious macro to the finance department.
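The contrast drawn above between IoCs and TTPs, worked through as an added Python example (not code from the original page): the contextual example is recorded as a tactic/technique/procedure triple, and two detectors run over constructed process-creation events, one matching an attachment hash against a blocklist, the other matching the behaviour the procedure produces (an Office process spawning a script host). Host names, file names, hashes and the process-name lists are constructed for illustration; the event field names are an assumed EDR-like shape, not any specific product's schema.

```python
"""Added example for this glossary entry (not code from the original page):
an IoC match against a hash blocklist beside a behavioural (TTP) rule, both
run over constructed process-creation events. Host names, file names and
hashes are made up for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TTP:
    """Tactic (goal) -> technique (method) -> procedure (concrete implementation)."""
    tactic: str
    technique: str
    procedure: str


# The page's contextual example, recorded as a TTP.
SPEARPHISH_MACRO = TTP(
    tactic="Initial Access",
    technique="Spear Phishing Attachment",
    procedure="Word document with a malicious macro sent to the finance department",
)

# Constructed process-creation events in an assumed EDR-like shape.
# Event 1 is the first wave of the phishing campaign; event 2 is the same
# procedure after the attacker rebuilt the document (new hash, same behaviour).
EVENTS = [
    {"id": 0, "host": "fin-ws01", "parent": "explorer.exe", "image": "winword.exe",
     "doc": "budget.docx", "doc_sha256": "1" * 64},
    {"id": 1, "host": "fin-ws01", "parent": "winword.exe", "image": "powershell.exe",
     "doc": "invoice.docm", "doc_sha256": "a" * 64},
    {"id": 2, "host": "fin-ws02", "parent": "winword.exe", "image": "wscript.exe",
     "doc": "invoice_v2.docm", "doc_sha256": "b" * 64},
]

# IoC feed (constructed): only the first wave's attachment hash has been shared.
HASH_BLOCKLIST = {"a" * 64}

# Behavioural rule for the procedure above: an Office process spawning a
# script host is how a macro that launches code shows up in process telemetry.
# Image names are compared lower-case; both lists are illustrative, not exhaustive.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def ioc_matches(events, blocklist):
    """Return ids of events whose attachment hash is on the blocklist."""
    return [e["id"] for e in events if e["doc_sha256"] in blocklist]


def ttp_matches(events):
    """Return ids of events matching the behavioural rule for SPEARPHISH_MACRO."""
    return [
        e["id"] for e in events
        if e["parent"].lower() in OFFICE_PARENTS and e["image"].lower() in SCRIPT_HOSTS
    ]


def coverage(events, blocklist):
    """Compare the two approaches: which events each detector catches."""
    ioc = set(ioc_matches(events, blocklist))
    ttp = set(ttp_matches(events))
    return {
        "ioc_only": sorted(ioc - ttp),
        "ttp_only": sorted(ttp - ioc),  # caught by behaviour, missed by the hash IoC
        "both": sorted(ioc & ttp),
    }


if __name__ == "__main__":
    print(f"{SPEARPHISH_MACRO.tactic} / {SPEARPHISH_MACRO.technique}: "
          f"{SPEARPHISH_MACRO.procedure}")
    print("IoC matches:", ioc_matches(EVENTS, HASH_BLOCKLIST))
    print("TTP matches:", ttp_matches(EVENTS))
    print("Coverage:", coverage(EVENTS, HASH_BLOCKLIST))
```

Running it shows the point of the section: the hash blocklist flags only event 1, while the behavioural rule flags events 1 and 2, because rebuilding the document changed the IoC but not the procedure. The benign event 0 (Explorer launching Word) matches neither.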
Common Misunderstandings
- The MITRE ATT&CK framework is a comprehensive knowledge base of adversary TTPs that is widely used by security professionals.
- TTPs focus on the "how" of an attack, while IoCs focus on the "what".