What are TTPs?
TTP stands for Tactics, Techniques and Procedures, a term that describes the behaviour and approaches threat actors, such as criminal hackers and state-sponsored adversaries, use to plan and execute attacks.
Understanding TTPs helps security teams gain insights into different aspects of an attack, enabling them to proactively discover, evaluate and respond to potential threats.
Tactics
Tactics refer to the overall goals that threat actors want to achieve during an attack. They are an adversary’s tactical objective and represent the “why” behind an attack.
A common example of a tactic is data exfiltration, where the attacker aims to steal sensitive information from a target organisation. This could involve stealing customer data, intellectual property or financial records.
Techniques
Techniques are the specific methods threat actors use to achieve their tactical goals. They represent the “how” of an attack and provide more detail on the approach used.
For instance, with the tactic of data exfiltration, a technique might be phishing. In this case, attackers send fraudulent emails to trick employees into revealing their login credentials, which are then used to access and steal sensitive data.
Procedures
Procedures are the specific, step-by-step processes that threat actors follow to execute their techniques. They represent the “what” of an attack, outlining the exact actions taken.
For example, with a phishing technique, a procedure might involve crafting a convincing email that appears to come from a trusted source, including a malicious link or attachment in the email, sending it to targeted employees and using any credentials entered into the fake login page to access the organisation’s network and exfiltrate data.
Importance of TTPs in cybersecurity and threat intelligence
Tactics, Techniques, and Procedures (TTPs) are vital in cybersecurity and threat intelligence because they enhance threat detection, enable proactive defence and improve incident response. By knowing how attackers operate, security teams can recognise patterns, anticipate threats and respond more effectively.
TTPs are especially important in the context of threat intelligence, where the focus is on understanding and anticipating threats before they impact an organisation. They provide detailed insights into the behaviour and methods of threat actors, enabling threat intelligence teams to profile attackers, predict future attacks and tailor defences.
Additionally, TTPs give the cybersecurity community a common language for describing attacker behaviour, which makes collaboration and information sharing practical. This collective knowledge strengthens overall defences and helps organisations stay ahead of potential threats.
How threat analysts use TTPs
Some key ways threat analysts use TTPs include:
- Developing threat intelligence – Gathering and analysing TTPs from various sources to develop threat intelligence, which helps analysts understand the evolving threat landscape and predict future attacks
- Mapping attacks – Mapping observed behaviours to the MITRE ATT&CK framework, which provides a comprehensive matrix of TTPs. This helps in identifying the tactics and techniques used in an attack, understanding its progression and determining the threat actor’s objectives
- Proactive threat detection – Studying common TTPs used by threat actors to anticipate potential attacks and proactively implement security controls to mitigate those risks
- Prioritising vulnerabilities – Ranking vulnerabilities by the likelihood that attackers will exploit them using known techniques
- Threat hunting – Proactively hunting for threats within their environment, searching for indicators of compromise (IOCs) and suspicious activities that match known TTPs
- Incident response – Using TTPs to identify the attacker responsible (by comparing observed behaviours to known TTPs associated with specific threat actors) and to understand the attacker’s goals, methods and actions in order to contain the incident and develop recovery strategies
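The mapping, hunting and incident-response uses listed above, and the tactic/technique/procedure layering described earlier, can be made concrete with a small script. The following is an added example written for this page; it is not Silobreaker's code and not part of the original text. The ATT&CK tactic and technique IDs it uses (TA0001 Initial Access, TA0010 Exfiltration, T1566 Phishing, T1078 Valid Accounts, T1048 Exfiltration Over Alternative Protocol, T1041 Exfiltration Over C2 Channel) are real; the event schema, detection rules, thresholds, log events and actor profiles are all constructed for illustration. Procedure-level observations (a link click in mail from an untrusted domain, a login from outside corporate ranges, a large outbound flow) are mapped to techniques, ordered into an attack progression, and the observed technique set is scored against known actor profiles.

```python
# Added example (not from the original page): map constructed log events to
# MITRE ATT&CK tactic/technique pairs, order them into an attack progression,
# and score the observed technique set against (constructed) actor profiles.
# The ATT&CK IDs and names below are real; every event, rule threshold and
# actor profile is constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Technique:
    technique_id: str   # ATT&CK technique ID, e.g. T1566
    name: str
    tactic_id: str      # ATT&CK tactic ID, e.g. TA0001
    tactic: str         # the tactic is the "why"; the technique is the "how"


# Excerpt of the ATT&CK matrix (real IDs and names).
ATTACK: Dict[str, Technique] = {
    "T1566": Technique("T1566", "Phishing", "TA0001", "Initial Access"),
    "T1078": Technique("T1078", "Valid Accounts", "TA0001", "Initial Access"),
    "T1048": Technique("T1048", "Exfiltration Over Alternative Protocol", "TA0010", "Exfiltration"),
}

# Constructed environment facts that the detection rules consult.
TRUSTED_SENDER_DOMAINS = {"example-corp.test"}
CORP_NETWORKS = [ip_network("10.0.0.0/8")]
EXFIL_BYTES_THRESHOLD = 50 * 1024 * 1024  # 50 MiB outbound in a single flow


def _is_corporate(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def map_event(event: dict) -> Optional[Technique]:
    """Apply procedure-level rules to one event and return the technique it evidences.
    Each rule encodes one observable step of a procedure (e.g. a user clicking a link
    in mail from an untrusted domain); the event schema is a constructed assumption."""
    src = event["source"]
    if (src == "mail" and event["action"] == "url_click"
            and event["sender_domain"] not in TRUSTED_SENDER_DOMAINS):
        return ATTACK["T1566"]
    if (src == "auth" and event["action"] == "login_success"
            and not _is_corporate(event["src_ip"])):
        return ATTACK["T1078"]
    if (src == "netflow" and event["direction"] == "outbound"
            and event["bytes"] >= EXFIL_BYTES_THRESHOLD
            and not _is_corporate(event["dst_ip"])):
        return ATTACK["T1048"]
    return None


def reconstruct_progression(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, tactic, technique_id) for every matched event in time order,
    so an analyst can read the progression from initial access to exfiltration."""
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = map_event(ev)
        if t is not None:
            hits.append((ev["ts"], t.tactic, t.technique_id))
    return hits


# Constructed actor profiles: which techniques each fictional actor is known to use.
ACTOR_PROFILES: Dict[str, Set[str]] = {
    "ACTOR-A (constructed)": {"T1566", "T1078", "T1048"},
    "ACTOR-B (constructed)": {"T1078", "T1041"},  # T1041 = Exfiltration Over C2 Channel
}


def rank_actors(observed: Set[str]) -> List[Tuple[str, float]]:
    """Jaccard overlap between the observed technique set and each profile, best first.
    A high score is an attribution lead, not proof: many actors share techniques."""
    scored = []
    for actor, profile in ACTOR_PROFILES.items():
        union = observed | profile
        score = len(observed & profile) / len(union) if union else 0.0
        scored.append((actor, round(score, 2)))
    return sorted(scored, key=lambda s: s[1], reverse=True)


# Constructed sample events, deliberately not in chronological order.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:02:00Z", "source": "mail", "action": "url_click",
     "user": "alice", "sender_domain": "login-helpdesk.test"},
    {"ts": "2024-01-10T09:01:00Z", "source": "mail", "action": "url_click",
     "user": "bob", "sender_domain": "example-corp.test"},       # trusted sender: no match
    {"ts": "2024-01-10T09:40:00Z", "source": "auth", "action": "login_success",
     "user": "alice", "src_ip": "203.0.113.7"},                   # documentation address
    {"ts": "2024-01-10T10:15:00Z", "source": "netflow", "direction": "outbound",
     "src_ip": "10.1.2.3", "dst_ip": "198.51.100.9", "bytes": 120 * 1024 * 1024},
]

if __name__ == "__main__":
    progression = reconstruct_progression(SAMPLE_EVENTS)
    for ts, tactic, tid in progression:
        print(f"{ts}  {tactic:<15} {tid}  {ATTACK[tid].name}")
    observed = {tid for _, _, tid in progression}
    print("Attribution leads:", rank_actors(observed))
```

Run as a script, the progression prints three lines (Initial Access via T1566, Initial Access via T1078, Exfiltration via T1048) and ACTOR-A scores 1.0 against ACTOR-B's 0.25. The rules are intentionally coarse: in a real environment each would be tuned to the organisation's own trusted domains, address ranges and transfer baselines, and a single rule match is a hunting lead to be validated rather than a confirmed finding.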
What is a TTP in cyber security?
Tactics, Techniques, and Procedures (TTPs) in cybersecurity describe the behaviour and methods used by threat actors to plan and execute cyberattacks. TTPs provide insights into the overall tactical goals (tactics), specific methods (techniques), and detailed steps (procedures) that attackers use, helping security teams understand and counteract potential threats.
What is an example of TTP in cyber?
One example that illustrates the components of TTPs in cyber is a data breach. Here, the tactic is to gain unauthorised access to sensitive information. The technique is phishing, which involves sending fraudulent emails that appear to come from a trusted source to trick recipients into revealing their login credentials. The procedure includes crafting the email, embedding a malicious link, sending it to targeted individuals and using the stolen credentials to access and exfiltrate data from the organisation’s network.
What is the difference between tactics and techniques?
Tactics are the high-level goals or strategies that threat actors aim to achieve during an attack, such as data exfiltration or system disruption. Techniques are the specific methods used to accomplish these goals, such as phishing, malware deployment or exploiting software vulnerabilities. Tactics represent the “why” of an attack, while techniques represent the “how.”
TTPs and Silobreaker
TTPs are essential for understanding and defending against cyber threats. Yet organisations often struggle to identify which TTPs are most relevant to them. Without a clear understanding of the TTPs that matter most, it becomes difficult to anticipate and mitigate potential attacks effectively.
Silobreaker automates the collection, aggregation and analysis of unstructured data in a single platform, enabling intelligence teams to produce and disseminate timely, actionable reports in line with priority intelligence requirements (PIRs). It enables you to identify common TTPs and IOCs specific to the industry and region in which you operate, and get the insights you need to proactively detect and respond to threats based on threat actor capabilities, motivations and intent.
Silobreaker helps you spot emerging risks earlier, based on real-time data. This empowers stakeholders to make more informed decisions faster, to safeguard their enterprise from cyber, geopolitical and physical threats, mitigate risks and maximise business value.