What Are TTPs? Tactics, Techniques & Procedures Explained

The term Tactics, Techniques and Procedures (TTP) describes the behavior of a threat actor and a structured framework for executing a cyberattack. The actors can range from hacktivists and hobbyist hackers to autonomous cybercriminals, underground rings and state-sponsored adversaries.

By understanding the Tactics, Techniques and Procedures involved in a cyberattack kill chain, businesses can discover, evaluate and respond to security threats with a proactive approach.

Let’s take a look.

TTPs in security: Defining tactics, techniques & procedures

Taken collectively, TTPs are indicators of system artifacts or behavioral attributes that humans, often security professionals, actually observe. TTPs indicate, or show, when an unauthorized entity tries to take a blocked or disallowed activity, such as:

• Changing the network.
• Accessing sensitive computing resources .
• Sending data to an external command and control server.

These indicators usually follow a consistent framework. These behavioral indicators suggest that an imminent cybersecurity risk is underway. When used effectively, TTPs can inform cyber threat intelligence and other security uses cases, like proactive threat hunting.

One security framework, MIRE ATT&CK, is a comprehensive collection of TTPs that attackers use in the real world.

Let’s define each part of the TTP triangle:

• Tactics: The high-level description of the behavior and strategy of a threat actor. The tactic includes a set of behaviors and actions employed by the adversary to achieve a specific objective.
• Techniques: These are the non-specific guidelines and intermediate methods that describe how a tactic action can be realized.
• Procedures: These refer to the sequence of actions performed using a technique to execute on an attack tactic. The procedure involves detailed descriptions on the tailored activities that enable a threat actor to successfully achieve their targets.

Now let’s review the Tactics, Techniques and Procedures in detail.

(TTPs in action: threat researchers analyze the TTPs employed by APT29 in the WINELOADER campaign and backdoor.)

Tactics

Tactics of a threat actor describe how they behave across different stages of the cyberattack kill chain. These stages include:

• Reconnaissance
• Delivery and exploitation
• Acting on the objectives

The difficulty of attributing potential threat to a campaign depends on the novelty and sophistication of the attack. If the threat indicators demonstrate common attack patterns — such as DDoS attacks — the next stages of the campaign tactics can be predicted by gathering data on things like:

• The initial entry point(s)
• Compromised nodes or credentials

A sophisticated attack tactic is focused on keeping under the radar and making only subtle changes to the compromised network until a malicious payload is delivered or data assets are exfiltrated to an external command and control server.

How to uncover tactics

One of the ways to discover such attacks is to closely analyze the artifacts, tools and infrastructure changes that lead up to any anomalous networking incident:

• A sophisticated cyber-attack that exploits zero day vulnerabilities may rely on custom tools that are highly obfuscated or layered away.
• In contrast, a casual hacker may only use open-source or publicly accessible tools.

You can use a fingerprint of the actor’s tactical behavior — entry points, attack tooling, infrastructure changes and network traffic behavior — to associate a profile to the adversary and proactively authorize countermeasures for defense.

Techniques

Techniques are what the threat actors do in order to cause all sorts of bad problems:

• Infiltrate a network.
• Establish command and control centers.
• Move laterally within the network without trace.
• Spread malware infection across distributed network locations.
• Establish control for untraceable infrastructure modifications and data transfers.

These techniques tend to be generic and applicable to any cyberattack campaign. That’s why it is crucial to understand the methods and tooling that threat actors can employ for compromising your systems.

An important distinction. Techniques may not specify the technology, but only focus on the methodology of the campaign and guide on the sequence of actions involved.

For example, a social engineering spear phishing tactic may be used to trick an unsuspecting user into clicking a link that downloads a malicious payload to the local machine and steals login credentials. This technique may be designed specifically to target a limited set of users, in order to make the social engineering attack more convincing.

Detecting techniques

At the later stages of the attack, especially where payload delivery, movement across the network, configuration changes and vulnerability discovery is involved, the choice of tooling plays an important role.

At this stage, the adversary may already have installed a custom code into a vulnerable system component. If the installation remains untraced, InfoSec teams may need to analyze the system for:

• Configuration abuse
• Infrastructure modifications
• Privilege escalations
• Other unauthorized changes to the system

The final stage of the cyber-attack technique may involve a combination of methodology and tooling: for instance, exfiltrating compromised data assets by first obfuscating it using the actor’s choice of networking protocols and encryption schemes.

Procedures

Procedures are the detailed description of how tactics are executed using the choice of techniques and a set of actionable, carefully crafted and precise actions (that is, procedures).

These actions are highly customized and the process is documented for threat actors to follow exactly according to specifications. These actions tend to be extensive but frequently repeated.

A malicious code may be delivered and patched onto vulnerable software for automated data gathering. Such a code automatically decrypts and interacts with related services and tools.

Learning the procedures

Security analytics can reconstruct these procedures by analyzing network and events logs. A cyber forensics team analyzing this information will also focus on the extended kill-chain process, techniques and tactics employed by the threat actor.

TTP underpins cyber threat intelligence

TTP information serves as an important guideline to gain contextual knowledge on threat indicators and traces discovered during security monitoring. TTP is also part of the open and community based cybersecurity programs recommended by the National Institute of Standards and Technology (NIST), which provides guidelines on sharing TTP knowledge base to help businesses improve their security posture.