What are Tactics, Techniques, and Procedures (TTPs)?
TTPs stands for Tactics, Techniques, and Procedures, a way of describing how attackers operate in terms of behavior rather than artifacts. Think of TTPs as the behavioral fingerprint of a threat actor: an attacker can rotate IP addresses, domains, and file hashes between campaigns far more cheaply than they can change how they break in and move.
The TTP Triangle
Tactics
The attacker's high-level objectives or "why" in a given phase of an attack. For example, "Initial Access" or "Privilege Escalation" are tactics – they define what the attacker is trying to accomplish (gaining entry, elevating privileges, etc.).
Techniques
The general methods an adversary uses to achieve a tactic. These are the how. For instance, under the "Initial Access" tactic, techniques include phishing (spearphishing attachments or links), exploiting public-facing applications, or logging in with valid accounts whose credentials were stolen or purchased elsewhere.
Procedures
The specific, step-by-step implementations of a technique – the granular details. This could be the exact phishing email content, specific command lines used, or the particular malware sample executed.
In NIST's words (SP 800-150, Guide to Cyber Threat Information Sharing), "a tactic is the highest-level description of behavior, techniques give a more detailed description, and procedures an even lower-level, highly detailed description."
Example
Initial Access (tactic) → Phishing: Spearphishing Attachment (technique, ATT&CK T1566.001) → a personalized email to a named employee carrying a macro-enabled Word document that launches the attacker's loader when macros are enabled (procedure). Note that the tactic here is Initial Access, not Reconnaissance: reconnaissance is the earlier phase of gathering information about the target, and in ATT&CK a phishing message sent only to elicit information is a separate technique under that tactic.
Why TTPs Matter
Understanding TTPs is crucial because it lets you think like the attacker, not just chase indicators. An IP address or file hash is cheap for an adversary to rotate; the behavior behind it is not. For example, if you know a threat group favors "Credential Access" via "Brute Force" (ATT&CK T1110), you can harden authentication proactively: enforce MFA, add lockout or rate limiting on failed logins, and alert on bursts of failures from one source, which catches the behavior no matter which IP the next campaign uses.
Analyzing TTPs also helps connect seemingly unrelated incidents – you may spot the same pattern of behavior across multiple alerts.
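As an added example (not part of the original article), here is behavior-based detection of the Brute Force technique discussed above, run over constructed sshd-style log lines. It keys on the rate and shape of the failures rather than on any known-bad address, so the same pattern is caught across sources that share no indicator, and it distinguishes two ATT&CK sub-techniques, T1110.001 Password Guessing and T1110.003 Password Spraying. The log lines, the thresholds, and the window size are assumptions chosen for illustration.

```python
"""Behavior-based detection for ATT&CK T1110 Brute Force over sample auth logs.

Added example, not from the original article. The log lines are constructed
to resemble Linux sshd messages; thresholds and window are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (sshd-style). Not real data.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 50211 ssh2
2024-05-01T10:00:03 sshd[2202]: Failed password for root from 203.0.113.9 port 50212 ssh2
2024-05-01T10:00:05 sshd[2203]: Failed password for root from 203.0.113.9 port 50213 ssh2
2024-05-01T10:00:07 sshd[2204]: Failed password for root from 203.0.113.9 port 50214 ssh2
2024-05-01T10:00:09 sshd[2205]: Failed password for root from 203.0.113.9 port 50215 ssh2
2024-05-01T10:00:11 sshd[2206]: Failed password for root from 203.0.113.9 port 50216 ssh2
2024-05-01T10:00:20 sshd[2207]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
2024-05-01T10:05:00 sshd[2208]: Failed password for alice from 198.51.100.7 port 40100 ssh2
2024-05-01T10:05:02 sshd[2209]: Failed password for bob from 198.51.100.7 port 40101 ssh2
2024-05-01T10:05:04 sshd[2210]: Failed password for carol from 198.51.100.7 port 40102 ssh2
2024-05-01T10:05:06 sshd[2211]: Failed password for dave from 198.51.100.7 port 40103 ssh2
2024-05-01T10:05:08 sshd[2212]: Failed password for erin from 198.51.100.7 port 40104 ssh2
2024-05-01T11:00:00 sshd[2213]: Failed password for bob from 192.0.2.5 port 30001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, user, source_ip) for each failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def detect_brute_force(log_text, window=timedelta(minutes=1),
                       fail_threshold=5, spray_users=4):
    """Return findings tagged with ATT&CK technique / sub-technique IDs.

    T1110.001 Password Guessing: many failures against few accounts from one source.
    T1110.003 Password Spraying: one source, a few attempts each across many accounts.
    Both key on behavior (rate and shape of failures), not on a known-bad IP,
    so a source never seen before is still caught.
    """
    events = sorted(parse_failures(log_text))
    per_src = defaultdict(list)
    for ts, user, src in events:
        per_src[src].append((ts, user))

    findings = []
    for src, attempts in per_src.items():
        start = 0  # sliding window over this source's failures, in time order
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            if len(in_window) < fail_threshold:
                continue
            users = {u for _, u in in_window}
            tech = "T1110.003" if len(users) >= spray_users else "T1110.001"
            findings.append({
                "tactic": "TA0006 Credential Access",
                "technique": tech,
                "source": src,
                "failures": len(in_window),
                "distinct_users": len(users),
                "window_start": in_window[0][0].isoformat(),
            })
            break  # one finding per source is enough for this example
    return findings


if __name__ == "__main__":
    for finding in detect_brute_force(SAMPLE_LOG):
        print(finding)
```

Run as-is it reports the 203.0.113.9 burst as password guessing (two accounts, five failures in ten seconds) and the 198.51.100.7 activity as password spraying (five distinct accounts), while the single failure from 192.0.2.5 produces nothing. Tune the window and thresholds to your own baseline of legitimate failed logins before deploying anything like this.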
Modern Context: MITRE ATT&CK
Frameworks like MITRE ATT&CK catalog real-world TTPs: hundreds of techniques and sub-techniques, organized by tactic, each with documented procedure examples drawn from public intrusion reports. These frameworks turn messy threat reports into structured, searchable knowledge with stable identifiers (for example, T1566.001 for Spearphishing Attachment). Automated tools can map events to ATT&CK techniques so you quickly see an adversary's behavior chain.
For example, C2 traffic (tactic: Command and Control) that matches an ATT&CK technique such as Application Layer Protocol tells you what the adversary is doing and which procedure examples and known malware families use that technique. Treat this as a lead, not an attribution: most techniques are shared by many groups and tools, so attribution needs the full set of observed TTPs plus other evidence, not a single technique match.
Common Pitfalls
- Focusing on technique names without the surrounding context: the same technique (say, "Valid Accounts") looks very different when used for initial access than when used for persistence
- Stopping at the label: noting "Phishing" in a report isn't enough, you must translate it into detections and response steps that fit your environment (your mail gateway, your endpoint telemetry, your users)
- Letting your knowledge go stale: TTPs evolve as threat actors develop new methods and retire the ones that get detected
Practical Tips
- Map your detections to ATT&CK techniques and visualize coverage by tactic (an ATT&CK Navigator layer is the usual way); the empty cells are the gaps in your defenses
- Use threat reports and CTI feeds to stay informed of new TTPs in your sector
- Automate ingestion of TTP sightings as STIX 2.1 objects: ATT&CK techniques are published as attack-pattern objects, and a sighting relationship records where and how often a technique was observed
- Collaborate with hunters: have them "hunt TTPs" by looking for the behaviors behind a technique across endpoints and networks rather than for specific indicators
- Enrich alerts: attach the tactic and technique to each IOC or log entry so analysts can gauge severity and see where in the attack chain an event sits
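The following added example (not the article's or MITRE's own code) ties together three of the tips above: it indexes ATT&CK techniques from a STIX 2.1 bundle fragment, counts sighting objects per technique, reports detection coverage and gaps per tactic, and enriches an alert with tactic and technique context. The bundle is hand-built here in the same shape as the ATT&CK STIX export, with placeholder object IDs; the detection rules and the alert are constructed for illustration.

```python
"""Index ATT&CK techniques from STIX 2.1, report coverage gaps, enrich alerts.

Added example, not the article's own code. BUNDLE is a hand-built fragment in
the shape of the MITRE ATT&CK STIX export (placeholder object IDs); DETECTIONS
and the alert passed to enrich_alert are constructed for illustration.
"""
from collections import defaultdict


def _attack_pattern(tid, name, phases):
    """Build an attack-pattern SDO the way ATT&CK publishes them: the technique
    ID sits in external_references (source_name "mitre-attack") and the tactics
    in kill_chain_phases (kill_chain_name "mitre-attack"). The object ID is a
    placeholder, not a real ATT&CK STIX ID."""
    return {
        "type": "attack-pattern",
        "id": f"attack-pattern--placeholder-{tid}",
        "name": name,
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p}
                              for p in phases],
        "external_references": [{
            "source_name": "mitre-attack", "external_id": tid,
            "url": f"https://attack.mitre.org/techniques/{tid.replace('.', '/')}/"}],
    }


BUNDLE = {  # constructed STIX 2.1 bundle fragment
    "type": "bundle", "id": "bundle--placeholder-0001",
    "objects": [
        _attack_pattern("T1566", "Phishing", ["initial-access"]),
        _attack_pattern("T1059", "Command and Scripting Interpreter", ["execution"]),
        _attack_pattern("T1110", "Brute Force", ["credential-access"]),
        _attack_pattern("T1003", "OS Credential Dumping", ["credential-access"]),
        _attack_pattern("T1071", "Application Layer Protocol", ["command-and-control"]),
        # A STIX sighting relationship: Brute Force was observed 3 times
        # (a real one also carries where_sighted_refs pointing at an identity).
        {"type": "sighting", "id": "sighting--placeholder-0001",
         "sighting_of_ref": "attack-pattern--placeholder-T1110", "count": 3},
    ],
}

DETECTIONS = {  # constructed rule name -> ATT&CK technique IDs the rule covers
    "ssh_failed_logins_burst": ["T1110"],
    "office_macro_spawns_shell": ["T1566", "T1059"],
}


def index_techniques(bundle):
    """Return {technique_id: {name, tactics, stix_id}} for ATT&CK attack-patterns."""
    index = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked"):
            continue
        tid = next((r["external_id"] for r in obj.get("external_references", [])
                    if r.get("source_name") == "mitre-attack"), None)
        if not tid:
            continue
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"]
        index[tid] = {"name": obj["name"], "tactics": tactics, "stix_id": obj["id"]}
    return index


def count_sightings(bundle, index):
    """Sum STIX sighting counts per ATT&CK technique ID."""
    by_stix_id = {v["stix_id"]: tid for tid, v in index.items()}
    counts = defaultdict(int)
    for obj in bundle["objects"]:
        if obj.get("type") == "sighting" and obj.get("sighting_of_ref") in by_stix_id:
            counts[by_stix_id[obj["sighting_of_ref"]]] += obj.get("count", 1)
    return dict(counts)


def coverage_by_tactic(index, detections):
    """For each tactic, list indexed techniques with and without a detection rule."""
    covered = {tid for ids in detections.values() for tid in ids}
    report = defaultdict(lambda: {"covered": [], "gaps": []})
    for tid, info in sorted(index.items()):
        for tactic in info["tactics"]:
            report[tactic]["covered" if tid in covered else "gaps"].append(tid)
    return dict(report)


def enrich_alert(alert, index, sightings):
    """Attach tactic, technique name and CTI sighting count to an alert dict."""
    tid = alert.get("technique_id")
    info = index.get(tid)
    if info is None:
        return {**alert, "attack": None}  # unknown or unmapped technique
    return {**alert, "attack": {"technique": f"{tid} {info['name']}",
                                "tactics": info["tactics"],
                                "sightings_in_cti": sightings.get(tid, 0)}}


if __name__ == "__main__":
    idx = index_techniques(BUNDLE)
    sightings = count_sightings(BUNDLE, idx)
    for tactic, cells in coverage_by_tactic(idx, DETECTIONS).items():
        print(f"{tactic}: covered={cells['covered']} gaps={cells['gaps']}")
    print(enrich_alert({"rule": "ssh_failed_logins_burst", "src": "203.0.113.9",
                        "technique_id": "T1110"}, idx, sightings))
```

With the constructed rules, the coverage report shows credential-access half covered (Brute Force detected, OS Credential Dumping not) and command-and-control entirely uncovered; the enriched alert carries the tactic, the technique name and the fact that CTI recorded three sightings of that technique, which is the context an analyst needs to rank it. To run this against the real ATT&CK data, load the Enterprise STIX bundle in place of BUNDLE; the same lookups apply, though a real technique can list several tactics and you should also skip objects marked x_mitre_deprecated.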
Next Steps
For a deeper dive, see our article on MITRE ATT&CK Framework, which organizes tactics and techniques, and the CTI program guide on leveraging TTP knowledge across your security team.