Tactics, Techniques, and Procedures (TTPs)
Tactics, Techniques, and Procedures (TTPs) are the patterns of adversary behavior derived from analysis of historical cyberattacks and adversary actions.
- describe a core concept in computer security that is directly related to the study of threat actor behavior
- signature-based detection is not wholly effective on its own
- need to monitor a wider range of behaviors, known as TTPs
- Tactic
  - high-level description of a threat behavior
  - e.g.,
    - reconnaissance
    - persistence
    - privilege escalation
- Technique
  - intermediate-level description of how a threat actor carries out a tactic
  - e.g., reconnaissance can be accomplished via
    - active network scanning
    - vulnerability scanning
    - email harvesting
- Procedure
  - detailed description of how a technique is performed
  - e.g., a particular threat actor might use a particular tool in a distinctive way to perform vulnerability scanning
- leverage the documented TTPs attributed to various threat actor groups to fingerprint how adversaries conduct cyberattacks
- helps security researchers associate an attack with a known threat actor
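The fingerprinting idea in the last two bullets, as an added example that is not part of the original notes: observed procedures from an intrusion are scored against documented actor profiles, with technique overlap giving a base score and a matching procedure (same technique, same tool) giving extra weight. All actor names, tool names and the persistence technique are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tactic: str   # e.g. "reconnaissance"
    name: str     # e.g. "vulnerability scanning"


@dataclass(frozen=True)
class Procedure:
    technique: Technique
    tool: str     # the distinctive tool/usage that makes a procedure specific


@dataclass(frozen=True)
class ActorProfile:
    name: str
    procedures: frozenset  # documented Procedure objects for this actor

    @property
    def techniques(self):
        return frozenset(p.technique for p in self.procedures)


def jaccard(a, b):
    """Overlap of two sets; 0.0 when both are empty."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def rank_actors(observed, profiles, procedure_weight=0.5):
    """Rank profiles by technique Jaccard plus a bonus per exact procedure match.
    Returns a list of (actor name, score, matched tools), best match first."""
    observed_techniques = frozenset(p.technique for p in observed)
    ranked = []
    for prof in profiles:
        matches = observed & prof.procedures
        score = jaccard(observed_techniques, prof.techniques) + procedure_weight * len(matches)
        ranked.append((prof.name, round(score, 3), sorted(m.tool for m in matches)))
    return sorted(ranked, key=lambda r: -r[1])


# Constructed sample data: techniques from the outline plus one persistence technique.
VULN_SCAN = Technique("reconnaissance", "vulnerability scanning")
ACTIVE_SCAN = Technique("reconnaissance", "active network scanning")
EMAIL_HARVEST = Technique("reconnaissance", "email harvesting")
SCHED_TASK = Technique("persistence", "scheduled task")  # constructed
PROFILES = [
    ActorProfile("ACTOR-A (placeholder)", frozenset({Procedure(VULN_SCAN, "scanner-x"),
                 Procedure(EMAIL_HARVEST, "harvester-y"), Procedure(SCHED_TASK, "tasktool-q")})),
    ActorProfile("ACTOR-B (placeholder)", frozenset({Procedure(ACTIVE_SCAN, "scanner-w"),
                 Procedure(VULN_SCAN, "scanner-z")})),
]
OBSERVED = frozenset({Procedure(VULN_SCAN, "scanner-x"), Procedure(EMAIL_HARVEST, "harvester-y")})
```

With the sample data, ACTOR-B shares the vulnerability-scanning technique but not the tool, so its score stays at the technique-overlap level (0.333), while ACTOR-A matches both procedures and ranks first (1.667); a score based on a single shared technique is weak evidence and should not be treated as attribution on its own.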