TTPs (Tactics, Techniques, and Procedures)
TTPs describe the behavior and methods adversaries use when carrying out cyberattacks. They provide a structured way to understand how attackers operate, beyond just tools or indicators of compromise.
What are TTPs?
In cybersecurity, Tactics, Techniques, and Procedures (TTPs) are a framework for describing adversary behavior.
- Tactics represent the high-level goals of an attacker, such as gaining initial access or moving laterally.
- Techniques are the specific ways those goals are achieved, for example spear phishing or exploiting a vulnerability.
- Procedures are the detailed implementations of those techniques, such as a crafted phishing email that includes a malicious attachment.
By documenting TTPs, defenders gain insight not only into what an attacker is doing, but why and how. Simple indicators such as IP addresses, domains, or file hashes are cheap for an adversary to change between campaigns; TTPs reflect how the adversary actually operates and are costly to change, so they are more valuable for long-term detection.
How TTPs are used in practice
- Observation: security teams collect data on an adversary's actions during incidents (endpoint telemetry, network logs, forensic artifacts).
- Categorization: observed actions are mapped to frameworks such as MITRE ATT&CK, which groups techniques under tactics and assigns each technique a stable identifier (for example T1566, Phishing).
- Documentation: analysts record the procedures used, such as the exact malware variant, command line, or sequence of commands executed.
- Correlation: defenders connect TTPs across multiple incidents to identify recurring attacker playbooks, including the order in which techniques are chained.
- Defense adaptation: detection rules, hunting queries, and response playbooks are updated to counter the observed TTPs.
This workflow allows SOCs and incident response teams to move from reactive defense to proactive threat hunting: once a playbook is known, its steps can be searched for before an alert fires.
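The categorization and correlation steps above, as an added example that is not part of the original page: constructed incident records are mapped through a small behaviour-to-technique table (the ATT&CK IDs are real, but the table only covers the behaviours used here and is an assumption of the example), and techniques and ordered technique chains shared by several incidents are surfaced as candidate playbooks.

```python
"""Map observed adversary behaviours to ATT&CK tactics/techniques and
correlate them across incidents to surface recurring playbooks.

Added example, not code from the original page. The incident records and
the behaviour-to-technique table are constructed for illustration; the
technique IDs are real ATT&CK identifiers, but the table is only a slice.
"""
from collections import defaultdict

# Constructed categorization table: analyst-assigned behaviour label ->
# (ATT&CK tactic, technique ID, technique name).
TECHNIQUE_MAP = {
    "phishing_attachment": ("Initial Access", "T1566.001", "Spearphishing Attachment"),
    "powershell_download": ("Execution", "T1059.001", "PowerShell"),
    "run_key_added": ("Persistence", "T1547.001", "Registry Run Keys / Startup Folder"),
    "lsass_dump": ("Credential Access", "T1003.001", "LSASS Memory"),
    "rdp_lateral": ("Lateral Movement", "T1021.001", "Remote Desktop Protocol"),
    "cloud_upload": ("Exfiltration", "T1567.002", "Exfiltration to Cloud Storage"),
}

# Constructed incident records: (incident id, behaviours in the order observed).
INCIDENTS = [
    ("INC-001", ["phishing_attachment", "powershell_download", "run_key_added",
                 "lsass_dump", "rdp_lateral", "cloud_upload"]),
    ("INC-002", ["phishing_attachment", "powershell_download", "run_key_added",
                 "lsass_dump", "cloud_upload"]),
    ("INC-003", ["rdp_lateral", "unknown_beacon", "lsass_dump"]),
]


def map_incident(behaviours):
    """Categorization: translate observed behaviours into (tactic, id, name).
    Behaviours missing from the table are kept under an explicit 'Unmapped'
    tactic so gaps in coverage stay visible instead of being dropped."""
    return [TECHNIQUE_MAP.get(b, ("Unmapped", None, b)) for b in behaviours]


def recurring_techniques(incidents, min_incidents=2):
    """Correlation: which techniques appear in at least min_incidents incidents."""
    seen_in = defaultdict(set)
    for inc_id, behaviours in incidents:
        for _tactic, tid, _name in map_incident(behaviours):
            if tid is not None:
                seen_in[tid].add(inc_id)
    return {tid: sorted(ids) for tid, ids in seen_in.items() if len(ids) >= min_incidents}


def recurring_sequences(incidents, length=3, min_incidents=2):
    """Correlation: ordered technique n-grams shared by several incidents.
    An ordered chain describes a playbook more tightly than a bag of techniques."""
    seen_in = defaultdict(set)
    for inc_id, behaviours in incidents:
        tids = [tid for _, tid, _ in map_incident(behaviours) if tid is not None]
        for i in range(len(tids) - length + 1):
            seen_in[tuple(tids[i:i + length])].add(inc_id)
    return {seq: sorted(ids) for seq, ids in seen_in.items() if len(ids) >= min_incidents}


if __name__ == "__main__":
    for tid, ids in sorted(recurring_techniques(INCIDENTS).items()):
        print(f"{tid} seen in {ids}")
    for seq, ids in recurring_sequences(INCIDENTS).items():
        print(" -> ".join(seq), "shared by", ids)
```

Running it shows that T1003.001 recurs in all three incidents, while the ordered chain T1566.001 -> T1059.001 -> T1547.001 is shared only by INC-001 and INC-002, which is the stronger signal that those two incidents belong to one playbook.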
Common techniques
- Initial Access TTPs: spear phishing, drive-by compromise, supply chain compromise.
- Execution TTPs: command and scripting interpreters (PowerShell, cmd, bash), exploitation for client execution, scheduled tasks.
- Persistence TTPs: creating new accounts, registry Run keys, service installation.
- Privilege Escalation TTPs: exploiting local vulnerabilities, bypassing User Account Control (UAC).
- Defense Evasion TTPs: disabling or modifying security tools, obfuscation, encryption of payloads.
- Credential Access TTPs: keylogging, credential dumping from LSASS memory with tools like Mimikatz.
- Lateral Movement TTPs: abuse of Remote Desktop Protocol, pass-the-hash, exploitation of remote services.
- Exfiltration TTPs: exfiltration over encrypted C2 or alternative protocols, exfiltration to cloud storage; data is usually staged locally first, which ATT&CK classifies under Collection.
Impact
The use of TTPs as a classification method improves the resilience of cybersecurity operations. Instead of chasing single indicators that quickly change, security teams gain the ability to recognize patterns in attacker behavior.
By focusing on TTPs, defenders can:
- Build detection signatures that remain relevant even when malware variants evolve.
- Anticipate the next move of an attacker by understanding their overall tactics.
- Share structured intelligence with other organizations in a consistent format.
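The first bullet above (detection that survives malware variants) and the registry Run key entry in the list of common techniques, as one added example that is not part of the original page: constructed process-creation events are checked against a hash-based indicator and against a behaviour-based rule for the persistence technique Registry Run Keys / Startup Folder (ATT&CK T1547.001). The hashes, paths, and command lines are constructed, and the field names are a simplified assumption rather than any particular product's schema.

```python
"""Indicator-based vs behaviour-based (TTP-level) detection.

Added example, not code from the original page. Events, hashes and command
lines are constructed; the behavioural rule targets writes to the Windows
Run/RunOnce keys (ATT&CK T1547.001) regardless of which binary performs them.
"""
import re

# Constructed IOC feed: a SHA-256 of a previously analysed dropper.
KNOWN_BAD_HASHES = {"11" * 32: "dropper-v1"}

# Constructed, simplified process-creation events (Sysmon-like fields).
EVENTS = [
    # 1: the analysed dropper itself; caught by the hash, but says nothing about behaviour.
    {"id": 1, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "sha256": "11" * 32,
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # 2: the dropper persisting via reg.exe; reg.exe is a signed OS binary, so no hash IOC.
    {"id": 2, "image": r"C:\Windows\System32\reg.exe", "sha256": "22" * 32,
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater "
                r"/t REG_SZ /d C:\Users\alice\AppData\Local\Temp\update.exe /f"},
    # 3: a recompiled variant (new hash) using PowerShell instead of reg.exe, same technique.
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "sha256": "33" * 32,
     "cmdline": r"powershell -nop -c Set-ItemProperty -Path "
                r"'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name Updater "
                r"-Value 'C:\Users\bob\AppData\Roaming\svchost.exe'"},
    # 4: benign read of the same key by an administrator; must not fire.
    {"id": 4, "image": r"C:\Windows\System32\reg.exe", "sha256": "22" * 32,
     "cmdline": r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
]

# Behavioural rule: a Run/RunOnce key path combined with a write verb.
RUN_KEY = re.compile(r"Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE)
WRITE_VERB = re.compile(r"\breg(?:\.exe)?\s+add\b|\b(?:Set|New)-ItemProperty\b", re.IGNORECASE)


def ioc_match(event):
    """Indicator check: exact hash match against the IOC feed."""
    return event["sha256"] in KNOWN_BAD_HASHES


def ttp_match(event):
    """Behaviour check: any process writing a Run/RunOnce value, tool-agnostic."""
    cmd = event["cmdline"]
    return bool(RUN_KEY.search(cmd) and WRITE_VERB.search(cmd))


def detect(events):
    """Return {event id: [matched detection types]} for events that hit at least one rule."""
    hits = {}
    for ev in events:
        tags = []
        if ioc_match(ev):
            tags.append("ioc")
        if ttp_match(ev):
            tags.append("ttp")
        if tags:
            hits[ev["id"]] = tags
    return hits


if __name__ == "__main__":
    for ev_id, tags in detect(EVENTS).items():
        print(f"event {ev_id}: {', '.join(tags)}")
```

The hash indicator fires only on event 1, the sample that was already analysed; the recompiled variant in event 3 has a fresh hash and a different tool, yet the behavioural rule still catches it because the persistence technique is unchanged, while the administrator's read in event 4 stays silent.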
For SecOps teams, TTPs are central to modern threat hunting and proactive defense. MITRE ATT&CK, a curated knowledge base of adversary tactics and techniques built from real-world observations, has become the de facto standard vocabulary for describing them.
Further reading
- MITRE ATT&CK: Overview of TTPs.
- CISA: Understanding attacker TTPs.
- ENISA: Cyber threat landscape report.
- SANS Institute: Applying TTPs in detection.