Tactics, Techniques, and Procedures (TTPs)
Techopedia definition, published 2024-02-01: https://www.techopedia.com/definition/tactics-techniques-and-procedures-ttps

What are Tactics, Techniques, and Procedures (TTPs)?

Tactics, techniques, and procedures (TTPs) are the strategic plans, methodologies, and actions an adversary uses to develop and conduct an attack. The term, which has its roots in the military, is used in cybersecurity to describe how a threat actor might conduct a cyberattack.

It’s important for security professionals to stay on top of TTPs to understand potential attack surfaces (areas vulnerable to attack) and attack vectors (methods of attack). Knowing how specific types of attacks are conducted makes it easier to prepare for, detect, and respond to an actual attack.

Techopedia Explains

TTPs can be used as a framework that gives security professionals a structured and organized way to understand, document, discuss, and respond to cyberthreats.

The relationship between tactics, techniques, and procedures is hierarchical. Tactics guide the selection of techniques, and techniques inform the development of procedures.


What is a Tactic?

A tactic is a plan that covers what is going to happen and why it is going to happen. In the context of cybersecurity, a threat actor’s tactic might be to “gain network access to exfiltrate sensitive data.”

What is a Technique?

A technique is a specific method for executing a tactic. Cybercriminals and other threat actors will often use multiple planned and opportunistic techniques to conduct an attack. The choice and number of techniques depend on the attacker’s skills, the attack’s objectives, and the target’s vulnerabilities.

For example, if the plan is to gain network access and exfiltrate sensitive data, the attacker might use phishing and the exploitation of server misconfigurations as techniques.

Pursuing both techniques covers more of the target’s attack surface and increases the attacker’s chances of gaining unauthorized access to the network. Once inside, they can move laterally, escalate privileges, locate the data they’re after, and steal it without being detected.

What is a Procedure?

A procedure is an action plan. It describes what steps are required to execute a specific technique.

For example, if one of the attacker’s techniques is to phish for credentials, the accompanying procedures will include reconnaissance, creating convincing phishing emails, selecting appropriate targets, sending the emails, and monitoring responses.

Similarly, if a second technique involves exploiting server misconfigurations, the accompanying procedures might be to run port scans to find exposed and misconfigured services, brute-force logins against one of those services to gain initial access, and then look for ways to gain administrative privileges.

What are TTPs Used For in Cybersecurity?

Cybersecurity professionals use TTPs to reverse engineer cyberattacks and understand how attackers think. When a security team knows how different types of attacks are conducted, it can proactively identify and address vulnerabilities in its own systems and networks, recognize attacker behaviour early, and contain damage. Detections written against TTPs are also more durable than detections written against indicators of compromise (IOCs) such as file hashes, domain names, or IP addresses: an attacker can swap an indicator in minutes, but changing how they operate is far more costly.
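As an added example, not code from the original article, the following Python script turns the procedure described earlier for the “exploit server misconfigurations” technique (a port scan followed by brute-force logins) into a behaviour-based detection. The firewall and SSH log formats, the hosts (RFC 5737 documentation addresses), the sample log lines, and the thresholds are all constructed for this example. Note that the detection keys on the sequence of behaviour, not on the attacker’s IP address, so it still fires when the IOCs change.

```python
"""Behaviour-based detection for one TTP procedure: port scan, then brute-force login.

Added example, not from the original article. Log formats, hosts, thresholds and
the sample lines below are all constructed for illustration (RFC 5737 addresses).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall connection log: one scanner (198.51.100.7), one normal client.
FIREWALL_LOG = """\
2024-02-01T12:00:01 fw src=198.51.100.7 dst=10.0.0.5 dport=21 action=deny
2024-02-01T12:00:01 fw src=198.51.100.7 dst=10.0.0.5 dport=22 action=allow
2024-02-01T12:00:02 fw src=198.51.100.7 dst=10.0.0.5 dport=23 action=deny
2024-02-01T12:00:02 fw src=198.51.100.7 dst=10.0.0.5 dport=80 action=allow
2024-02-01T12:00:03 fw src=198.51.100.7 dst=10.0.0.5 dport=443 action=allow
2024-02-01T12:00:03 fw src=198.51.100.7 dst=10.0.0.5 dport=3306 action=deny
2024-02-01T12:00:04 fw src=198.51.100.7 dst=10.0.0.5 dport=8080 action=deny
2024-02-01T12:00:05 fw src=203.0.113.9 dst=10.0.0.5 dport=443 action=allow
2024-02-01T12:00:09 fw src=203.0.113.9 dst=10.0.0.5 dport=443 action=allow
"""

# Constructed SSH auth log: the scanner guesses 'admin' until it succeeds; a
# legitimate user (alice) mistypes once and then logs in normally.
AUTH_LOG = """\
2024-02-01T12:01:01 sshd: Failed password for admin from 198.51.100.7 port 51234
2024-02-01T12:01:02 sshd: Failed password for admin from 198.51.100.7 port 51235
2024-02-01T12:01:02 sshd: Failed password for admin from 198.51.100.7 port 51236
2024-02-01T12:01:03 sshd: Failed password for admin from 198.51.100.7 port 51237
2024-02-01T12:01:03 sshd: Failed password for admin from 198.51.100.7 port 51238
2024-02-01T12:01:04 sshd: Accepted password for admin from 198.51.100.7 port 51239
2024-02-01T12:01:10 sshd: Failed password for alice from 203.0.113.9 port 40001
2024-02-01T12:01:15 sshd: Accepted password for alice from 203.0.113.9 port 40002
"""

FW_RE = re.compile(r"^(\S+) fw src=(\S+) dst=(\S+) dport=(\d+)")
AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)")


def detect_port_scans(log, min_ports=5, window=timedelta(seconds=60)):
    """Sources that touched >= min_ports distinct ports on one host inside `window`."""
    conns = defaultdict(list)  # (src, dst) -> [(timestamp, dport)]
    for line in log.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, src, dst, port = m.groups()
            conns[(src, dst)].append((datetime.fromisoformat(ts), int(port)))
    scanners = set()
    for (src, _dst), hits in conns.items():
        hits.sort()
        # Slide a time window forward from each connection and count distinct ports.
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scanners.add(src)
                break
    return scanners


def detect_brute_force(log, min_failures=3, window=timedelta(minutes=5)):
    """{src: user} for sources with >= min_failures failed logins, then a success."""
    attempts = defaultdict(list)  # src -> [(timestamp, outcome, user)]
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            attempts[src].append((datetime.fromisoformat(ts), outcome, user))
    compromised = {}
    for src, events in attempts.items():
        events.sort()
        for i, (t_ok, outcome, user) in enumerate(events):
            if outcome != "Accepted":
                continue
            failures = sum(1 for t, o, _ in events[:i] if o == "Failed" and t_ok - t <= window)
            if failures >= min_failures:
                compromised[src] = user
                break
    return compromised


def match_procedure(fw_log, auth_log):
    """Correlate both stages: a source that scanned AND then brute-forced a login."""
    scanners = detect_port_scans(fw_log)
    compromised = detect_brute_force(auth_log)
    return sorted((src, compromised[src]) for src in scanners if src in compromised)


if __name__ == "__main__":
    for src, user in match_procedure(FIREWALL_LOG, AUTH_LOG):
        print(f"procedure matched: {src} scanned the host, then brute-forced '{user}'")
```

The two stage detectors are independent and each can fire on its own; correlating them on the source address raises confidence that the full procedure, not just noisy scanning or a user who forgot a password, is under way. The thresholds (five ports in a minute, three failures before a success) are tuning knobs and would be set from a baseline of the environment in practice.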

TTPs and Red Teaming

The TTP hierarchy is often used in red team exercises to provide a loose framework for simulating real-world cyberattacks. The hierarchical structure can help team members decide which techniques are most relevant for specific tactics, and which procedures are most relevant for specific techniques.

Example

Below is an example of how a red team could use TTPs in an exercise.

To keep the example consistent, let’s say the exercise is focused on one tactic: gain network access and locate customer data. For brevity, let’s also assume the tactic was selected in advance. (In practice, this approach is used in time-constrained red teaming exercises aligned with specific security concerns.)

1. In this scenario, the exercise would begin by having team members brainstorm what techniques they could use to gain network access.
2. They would then need to select which techniques to focus on during the rest of the exercise. The selection process is an important part of the exercise because it requires team members to research known techniques, discuss candidate techniques, and assess potential entry points within their organization’s IT infrastructure.
3. Once a set of techniques has been selected, the next step is for team members to brainstorm procedures and decide which procedures to focus on for the rest of the exercise. This step is important because it requires team members to research known procedures, discuss candidate procedures, and document the steps required to execute each selected technique.

Essentially, the TTP hierarchy helps red team members break complex objectives (tactics) into smaller, actionable steps (techniques and procedures).

The process encourages red team members to stay on top of emerging threats, assess their organization’s security posture, and be proactive about creating, updating, and enforcing security controls.

Is There a List of Well-Known TTPs?

While there isn’t a single comprehensive list of well-known tactics, techniques, and procedures, because of the evolving nature of cyber threats, several reputable organizations provide information on common TTPs and threat intelligence.

Popular resources include: