In order to stop cybercriminals, one must get inside their heads and understand their goals, analyze their strategies, and map out their plans of attack.
And most cybersecurity experts agree that the best way to do so is to break down each attacker’s behavior into three categories: tactics, techniques, and procedures, collectively known as TTPs.
As cyberattacks and the motives behind them grow more and more complex, TTP analysis becomes even more important. So just what does this method look like — and how can you use it to protect yourself?
Everything You Need to Know About Tactics, Techniques and Procedures
What Are TTPs?
Tactics, techniques, and procedures, or TTPs, are the three elements that comprise a cyberattack.
Each consecutive element represents a higher level of detail, from the big picture of the attack to the nitty-gritty specifics. When put together, they can be used to understand an attacker’s motives, behavioral patterns, and future attack plans.
Tactics are the general goals of the attacker — the “why” of the attack.
They include objectives like obtaining confidential data, privilege escalation, password theft, information gathering, and installation of malicious software.
Attackers will often carry out multiple attacks against a target, each with its own tactic. For instance, the initial attack’s tactic may be to explore the structure of a system, the next tactic may be to escalate the attacker’s privileges within your system, and the final tactic may be to access and steal the desired data.
Techniques are the actions required to complete a tactical goal.
Though still quite broad and general in nature, techniques are more specific than tactics and illustrate the “how” of the attack.
For instance, if the chosen tactic is obtaining passwords, an attacker may utilize techniques like phishing, brute-force password cracking, input capture, or stealing browser cookies.
If the attacker’s goal is to collect information about a target to be used in a future attack, they may deploy techniques like network traffic sniffing, public database scanning, clipboard data collection, or screen capturing.
Some techniques can be broken down into sub-techniques, which are more specific than their parent techniques but less specific than procedures.
The input capture technique, for example, may take the form of keylogging (installation of a malicious program on the victim’s computer to capture and transmit all keystrokes) or web portal capture (in which a legitimate login page is compromised in such a way that all credentials entered are forwarded to the attacker).
Procedures are the most detailed TTP elements. They describe the specific tools and processes involved in an attack, breaking each technique down into concrete, actionable steps that can be used to achieve the tactical goal.
For example, an attacker may be trying to steal passwords (tactic) by harvesting them from a local password database (technique).
The procedure for that technique may be: use Metasploit’s PowerShell module to execute shellcode that downloads and installs a backdoor, then modifies the Windows registry to make the backdoor persist. Once in place, enter the system through the backdoor, then use the Windows Credentials Editor to access the desired credentials.
Because procedures are so specific to each attack and attacker, they can be analyzed to detect patterns, trace the origins of an attack, and create profiles of attackers.
How Are TTPs Constructed and Used?
Recovering from a cyberattack — and preventing future ones — requires a thorough understanding of the attacker’s motives and strategies. The TTP framework breaks these down into organized, standardized components, making it easier to trace the attack back to its origins and identify the weak links that made the attack possible.
Telemetry tools like network and server logs can be used to piece together TTPs. Anomalies like communication with unusual IP addresses or specific traffic patterns can indicate the steps and tools that comprise the procedures, highlighting any security holes that are present in the system.
Once a rough sketch of the procedures is complete, cybersecurity incident responders can organize them into a series of techniques utilized by the attacker. These techniques then demonstrate the overarching tactic — and, because attacks often occur in series, that tactic can then be used to predict the types of attack still to come.
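The reconstruction described above, from raw telemetry to procedures, to techniques, to the ordered tactics, can be partly automated. The following is an added example, not code from the original article: it scans a few constructed log lines for procedure-level evidence, flags connections to peers outside an assumed internal range (the "unusual IP address" anomaly), maps findings to ATT&CK technique IDs and tactics using an illustrative subset I chose rather than an authoritative mapping, and emits the tactic chain an incident responder would then reason about.

```python
import ipaddress
import re
# Constructed sample telemetry (not real logs): "<timestamp> <host> <event> key=value ..."
SAMPLE_LOGS = """\
2024-01-10T09:01:12 ws01 process_start image=powershell.exe cmdline="-w hidden -EncodedCommand ..."
2024-01-10T09:01:40 ws01 net_connect dst=203.0.113.7 dport=443 proc=powershell.exe
2024-01-10T09:02:05 ws01 registry_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=updater
2024-01-10T09:15:33 ws01 process_start image=wce.exe cmdline="-w"
2024-01-10T09:16:02 ws01 net_connect dst=10.0.0.5 dport=445 proc=explorer.exe
"""
# Ranges this (assumed) environment normally talks to; any other peer is an anomaly.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Procedure-level signatures and the ATT&CK technique/tactic each one evidences.
# Illustrative subset only: the IDs are public ATT&CK identifiers, the rules are mine.
SIGNATURES = [
    (r"process_start image=powershell\.exe .*-EncodedCommand", "T1059.001", "PowerShell", "Execution"),
    (r"registry_set key=.*\\CurrentVersion\\Run\b", "T1547.001", "Registry Run Keys", "Persistence"),
    (r"process_start image=wce\.exe", "T1003", "OS Credential Dumping", "Credential Access"),
]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) ")

def is_unusual_destination(line, internal_nets=INTERNAL_NETS):
    """True if the line's dst= address falls outside every expected network."""
    m = re.search(r"dst=(\S+)", line)
    return bool(m) and not any(ipaddress.ip_address(m.group(1)) in n for n in internal_nets)

def reconstruct_ttps(log_text, internal_nets=INTERNAL_NETS):
    """Walk telemetry in time order; return (ts, host, id, technique, tactic, line) per finding."""
    found = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, host, event = m.group("ts"), m.group("host"), m.group("event")
        for pattern, tid, technique, tactic in SIGNATURES:
            if re.search(pattern, raw):
                found.append((ts, host, tid, technique, tactic, raw))
        # Anomaly rather than signature: an unexpected peer is only a C2 *candidate* to confirm.
        if event == "net_connect" and is_unusual_destination(raw, internal_nets):
            found.append((ts, host, "T1071", "Application Layer Protocol (candidate)", "Command and Control", raw))
    return sorted(found)  # ISO timestamps sort chronologically as strings

def tactic_chain(findings):
    """Collapse technique-level findings into the ordered tactics, dropping adjacent repeats."""
    chain = []
    for f in findings:
        if not chain or chain[-1] != f[4]:
            chain.append(f[4])
    return chain
```

Calling `tactic_chain(reconstruct_ttps(SAMPLE_LOGS))` on the constructed log gives Execution, Command and Control, Persistence, Credential Access, which is the kind of ordered sequence that lets responders anticipate the next tactic rather than just the next alert.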
However, the true utility of the TTP model becomes apparent when those findings are shared with others.
Because attackers often use the same TTPs across multiple attacks, a well-constructed TTP can serve as a fingerprint to identify the origins of subsequent attacks. Databases like MITRE ATT&CK and the Cyber Threat Alliance compile TTP data from around the world to create detailed profiles of various attackers, which can be compared with new TTPs to pin down the source of an attack.
And this standardized threat profile format will only prove more useful in the future as automation improves. Companies like Balbix are developing AI tools that can automatically map new vulnerabilities to existing TTPs, making it easier than ever to hunt down threat actors.
Key TTP Takeaways
- The tactics, techniques, and procedures (TTPs) model is a standardized way to break down a cyberattack’s objectives, strategies and processes.
- Tactics refer to the broader goals of an attack, such as obtaining user credentials, executing malicious code or stealing data.
- Techniques refer to the methods used to achieve a tactical goal, including phishing for passwords, conducting denial-of-service attacks, keylogging, or network sniffing.
- Procedures refer to the specific, granular steps and tools involved in an attack — all of the individual actions an attacker takes in order to deploy the techniques and fulfill the tactical objective.
- TTPs can be used to profile and fingerprint attackers, identify system vulnerabilities, determine the damages of an attack, and predict the attacker’s next move.
History of TTPs
The concept of tactics, techniques, and procedures originated in counterterrorism strategies. Military analysts used the model to identify behavioral patterns in terrorist groups like the Taliban, cataloging previous attacks and pinpointing common factors in order to predict future attacks.
As computing became more commonplace, many aspects of war and terrorism went digital, leading to the concepts of cybersecurity and cyberwarfare. The TTP concept was easily remapped to cyberattacks, providing cybersecurity analysts with an established framework for documenting and understanding acts of virtual terrorism.
Cybersecurity groups like the Open Worldwide Application Security Project (OWASP) promoted the TTPs model, and it became the de facto standard for understanding digital threat actors.
In 2013, non-profit security company MITRE created ATT&CK, a public knowledge base of TTPs compiled from incident reports around the world. It serves as a reference for professionals as well as a repository of specific hacking groups and their attacks and is endorsed by agencies like the US’s Cybersecurity and Infrastructure Security Agency (CISA).
TTPs by the Numbers
MITRE ATT&CK has used TTPs to profile 135 different cybercriminal groups, including dozens of state-sanctioned hacker collectives.
Over 700 software tools have been documented in TTPs, including malware, password crackers, network scanners, and remote access tools.
Tens of thousands of cyberattacks have been broken down into nearly 600 different techniques and sub-techniques, providing a near-comprehensive glossary to be used when creating TTPs.
Famous Attacks and their TTPs
Bad Rabbit Ransomware TTPs
In 2017, the Bad Rabbit ransomware infected computers across Russia and Ukraine. Its tactic was clear — infect victims with ransomware — but the techniques and procedures behind it were more complex.
The techniques involved drive-by attacks and the use of malware droppers, while the procedures included placing infected ads on legitimate news sites and using the EternalRomance exploit to infect entire corporate networks.
LAPSUS$ Attack TTPs
The LAPSUS$ cybercrime group uses a variety of TTPs in their extortion attacks, most of which rely mainly on social engineering techniques.
To achieve the tactical goal of compromising corporate systems, the group uses techniques like scanning public databases for user credentials and tricking employees into providing privileged access. Procedures include using the credential dumper Mimikatz, infiltrating company Slack channels, and covering their tracks with NordVPN.
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renowned computer security professional