Tactics, Techniques, and Procedures (TTPs) — Understanding Adversary Behavior Patterns
Tactics, Techniques, and Procedures (TTPs) describe how threat actors operate across the attack lifecycle. This SECMONS glossary entry explains what TTPs are, how they differ from indicators of compromise, and why behavioral intelligence is critical for long-term defense.
What Are Tactics, Techniques, and Procedures (TTPs)? 🧠
Tactics, Techniques, and Procedures (TTPs) describe the behavioral patterns adversaries use to achieve their objectives.
Rather than focusing on specific artifacts such as file hashes or IP addresses, TTPs explain how attackers operate.
They are central to modern threat intelligence and commonly mapped to frameworks such as MITRE ATT&CK.
TTP analysis connects:
- Activities of specific [threat actor](/glossary/threat-actor/) groups
- Vulnerabilities listed under /vulnerabilities/
- Campaign reporting published in /research/
- Techniques documented under /attack-techniques/
Breaking Down Tactics, Techniques, and Procedures 🔎
| Component | Meaning |
|---|---|
| Tactics | The adversary’s high-level objective (e.g., initial access, persistence) |
| Techniques | The method used to achieve that objective |
| Procedures | The specific implementation details used in a campaign |
Example:
- Tactic: Initial Access
- Technique: Phishing
- Procedure: Sending spear-phishing emails impersonating HR with weaponized attachments
This layered view allows defenders to think beyond isolated incidents.
Why TTPs Matter 🎯
Unlike [indicators of compromise](/glossary/indicators-of-compromise/), which may change quickly, TTPs tend to remain consistent across campaigns.
Understanding TTPs helps defenders:
- Anticipate future attacks
- Detect behavior rather than static indicators
- Identify campaign overlaps
- Attribute activity to known actors
- Build resilient detection strategies
TTP-based detection is particularly important in advanced operations such as:
- [Advanced persistent threat](/glossary/advanced-persistent-threat/) activity
- Coordinated ransomware campaigns
- Supply chain compromise
TTPs Across the Attack Lifecycle 🔄
TTPs can span all major phases:
- [Initial access](/glossary/initial-access/)
- [Privilege escalation](/glossary/privilege-escalation/)
- [Lateral movement](/glossary/lateral-movement/)
- [Persistence](/glossary/persistence/)
- [Command and control](/glossary/command-and-control/)
- [Data exfiltration](/glossary/data-exfiltration/)
- [Defense evasion](/glossary/defense-evasion/)
This lifecycle mapping allows defenders to understand adversary intent rather than focusing only on symptoms.
TTPs vs IOCs 🔬
| Concept | Stability | Detection Focus |
|---|---|---|
| IOC | Often short-lived | Specific artifacts |
| TTP | More stable | Behavioral patterns |
| Signature | Tool-specific | Known malware traits |
| Vulnerability | Technical weakness | Exploitable condition |
IOCs help identify known threats.
TTPs help anticipate evolving ones.
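The stability difference in the table above, shown as an added example (not part of this glossary entry): an IOC rule that matches a known-bad file hash is compared with a TTP rule for the Initial Access example given earlier, an Office document spawning a scripting interpreter. The process events, hashes and field names are constructed for illustration and do not follow any specific EDR schema.

```python
import hashlib
from dataclasses import dataclass

# Constructed process-creation events (not real telemetry). Field names are
# assumptions for this example, not a vendor schema.
@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    child_image: str
    child_sha256: str

def fake_sha(label: str) -> str:
    """Constructed stand-in for a file hash, derived from a label."""
    return hashlib.sha256(label.encode()).hexdigest()

# IOC rule: a denylist of known-bad file hashes (a specific artifact).
KNOWN_BAD_HASHES = {fake_sha("dropper-build-1")}

# TTP rule: the behaviour behind the page's example procedure. An Office
# application spawning a script host is suspicious whatever the payload is.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

def ioc_match(ev: ProcessEvent) -> bool:
    return ev.child_sha256 in KNOWN_BAD_HASHES

def ttp_match(ev: ProcessEvent) -> bool:
    return (ev.parent_image.lower() in OFFICE_APPS
            and ev.child_image.lower() in SCRIPT_HOSTS)

def evaluate(events):
    """Return {host: (ioc_hit, ttp_hit)} so both detection styles can be compared."""
    return {ev.host: (ioc_match(ev), ttp_match(ev)) for ev in events}

SAMPLE_EVENTS = [
    # Campaign wave 1: payload hash is on the denylist, both rules fire.
    ProcessEvent("ws-01", "WINWORD.EXE", "powershell.exe", fake_sha("dropper-build-1")),
    # Campaign wave 2: same procedure, recompiled payload, only the TTP rule fires.
    ProcessEvent("ws-02", "WINWORD.EXE", "powershell.exe", fake_sha("dropper-build-2")),
    # Benign activity: Word launched from Explorer, neither rule fires.
    ProcessEvent("ws-03", "explorer.exe", "WINWORD.EXE", fake_sha("office-install")),
]

if __name__ == "__main__":
    for host, (ioc, ttp) in evaluate(SAMPLE_EVENTS).items():
        print(f"{host}: ioc={ioc} ttp={ttp}")
```

The second event is the point of the comparison: a rebuilt payload defeats the hash denylist while the parent/child process relationship still exposes the technique.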
Defensive Considerations 🛡️
Leveraging TTP intelligence requires:
- Behavioral monitoring capabilities
- Threat hunting practices
- Continuous intelligence feeds
- Cross-environment correlation
- MITRE ATT&CK alignment
- Red team and adversary simulation exercises
Operational strategies are often documented under:
Why SECMONS Treats TTPs as Foundational 📌
Technical vulnerabilities explain how systems fail.
TTPs explain how adversaries operate.
Understanding both enables organizations to move from reactive patching toward strategic resilience.
Authoritative References 📎
- MITRE ATT&CK Framework: https://attack.mitre.org/
- CISA Threat Intelligence Resources: https://www.cisa.gov/