Cybersecurity Knowledge Base

CyberPedia


Tactics, Techniques, and Procedures (TTP)


Overview

TTP stands for Tactics, Techniques, and Procedures, a structured way to describe how threat actors plan, execute, and operate attacks over time. In plain terms: TTPs are the playbook details of an attacker—from their big-picture goals down to the specific steps they take on systems.

Breaking Down Tactics, Techniques, and Procedures

  • Tactics

    • The high-level goals or objectives in an operation (for example, initial access, persistence, lateral movement, data exfiltration).

    • They answer “why is the attacker doing this stage?”

  • Techniques

    • The general methods used to achieve a tactic (for example, phishing emails for initial access, credential dumping for credential access, remote services for lateral movement).

    • They answer “how is the attacker pursuing this goal?” at a conceptual level.

  • Procedures

    • The exact, concrete steps and tools used in practice (for example, sending a spear‑phishing email with a malicious Excel file using a specific malware family, or running a named command with particular parameters).

    • They answer “what exactly are they doing?”

Why TTPs Matter in Cybersecurity

  • Move beyond IOCs

    • Indicators of compromise (IOCs) like IP addresses and file hashes change quickly; TTPs change more slowly and better reflect an attacker’s habits and capabilities.

  • Improve detection and defense

    • Understanding TTPs helps defenders design behavior-based detections rather than chasing single artifacts.

  • Support attribution and profiling

    • Certain groups are known for characteristic TTP patterns, which can aid in clustering activity and assessing likely threat actors.

  • Enable structured sharing

    • TTP descriptions provide a common language across teams, organizations, and tools when sharing threat intelligence.

Use of TTPs in Frameworks and Analysis

  • Threat intelligence reporting

    • Reports often describe an intrusion in terms of the TTPs used at each phase, giving defenders a clear map of attacker behavior.

  • Security frameworks

    • Well-known models (like lifecycle or kill chain frameworks, and matrices that map behaviors by tactic and technique) rely on TTP concepts to organize how attacks unfold.

  • Detection engineering and hunting

    • Teams build and prioritize detection rules, logging, and hunts around high‑value TTPs (for example, specific privilege‑escalation methods or exfiltration patterns).

Practical Example (Plain-Language)

Consider a phishing-led intrusion:

  • Tactic: Initial access.

  • Technique: Spear‑phishing attachment.

  • Procedure: The attacker sends an email posing as HR with an attached “bonus.xlsx” that contains a malicious macro which, when opened, downloads and runs their remote access tool.

Here, the big-picture goal (get in), the method (phishing with attachment), and the exact implementation (specific file, macro, and payload) together form the attacker’s TTPs for that phase.
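The contrast between artifact matching and behaviour matching (the “Move beyond IOCs” and “Improve detection and defense” points above) and the phishing-led intrusion just described, worked through in code. This is an added example, not code from the original page: the process-creation events, file paths and hash strings are constructed placeholders, and the field names and rule names are this example's own. The idea is that the same Office-macro-to-script-host-to-payload chain appears in two intrusions, but only the first payload's hash is in the IOC feed; the behaviour rules catch both.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record in the shape an EDR or Sysmon-style
    sensor would log it (field names are this example's own)."""
    parent_image: str   # executable that spawned the new process
    image: str          # full path of the new process
    command_line: str
    sha256: str         # hash of the file at `image` (placeholder strings here)


# Constructed telemetry: two separate phishing-led intrusions plus benign activity.
EVENTS = [
    # Intrusion 1: user opens bonus.xlsx, the macro launches PowerShell, which then
    # runs a downloaded payload from the user's temp directory.
    ProcessEvent("explorer.exe", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r'EXCEL.EXE "C:\Users\alice\Downloads\bonus.xlsx"', "hash-office-excel"),
    ProcessEvent("EXCEL.EXE", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\update.ps1",
                 "hash-powershell"),
    ProcessEvent("powershell.exe", r"C:\Users\alice\AppData\Local\Temp\svc_update.exe",
                 "svc_update.exe", "hash-rat-build-1"),
    # Intrusion 2: same playbook, different lure and script host, payload recompiled (new hash).
    ProcessEvent("explorer.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'WINWORD.EXE "C:\Users\bob\Downloads\invoice.docm"', "hash-office-word"),
    ProcessEvent("WINWORD.EXE", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c start /min C:\Users\bob\AppData\Local\Temp\helper.exe", "hash-cmd"),
    ProcessEvent("cmd.exe", r"C:\Users\bob\AppData\Local\Temp\helper.exe",
                 "helper.exe", "hash-rat-build-2"),
    # Benign: an administrator opens PowerShell from the desktop and runs git.
    ProcessEvent("explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe", "hash-powershell"),
    ProcessEvent("powershell.exe", r"C:\Program Files\Git\bin\git.exe", "git.exe status", "hash-git"),
]

# IOC feed as a defender might hold it after intrusion 1 was analysed: one payload hash.
KNOWN_BAD_HASHES = {"hash-rat-build-1"}

# Behaviour rules describe the technique, not any one payload.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\")


def _base(path):
    """Lower-cased file name of a Windows path (works on bare names too)."""
    return ntpath.basename(path).lower()


def ioc_detections(events, bad_hashes):
    """Artifact matching: fires only on hashes already present in the feed."""
    return [i for i, e in enumerate(events) if e.sha256 in bad_hashes]


def ttp_detections(events):
    """Behaviour matching on the technique, independent of the payload's hash.
    Returns (event index, rule name) pairs."""
    hits = []
    for i, e in enumerate(events):
        parent, child = _base(e.parent_image), _base(e.image)
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            hits.append((i, "office-app-spawns-script-host"))
        elif parent in SCRIPT_HOSTS and any(p in e.image.lower() for p in USER_WRITABLE):
            hits.append((i, "script-host-runs-binary-from-user-writable-path"))
    return hits


def coverage(events, bad_hashes):
    """Which events each approach catches; the difference is the point of the example."""
    ioc = set(ioc_detections(events, bad_hashes))
    ttp = {i for i, _ in ttp_detections(events)}
    return {"ioc_only": sorted(ioc - ttp), "ttp_only": sorted(ttp - ioc), "both": sorted(ioc & ttp)}


if __name__ == "__main__":
    for i, rule in ttp_detections(EVENTS):
        e = EVENTS[i]
        print(f"[{rule}] {e.parent_image} -> {e.command_line}")
    print(coverage(EVENTS, KNOWN_BAD_HASHES))
```

Run as a script it lists the four behaviour hits and the coverage summary. The IOC rule catches only the first intrusion's payload (event 2); the behaviour rules also catch the second intrusion, whose recompiled payload has a hash no feed has seen yet, while leaving the administrator's interactive PowerShell session alone. That is the practical meaning of “TTPs change more slowly than IOCs”: the two rules encode the technique (an Office application spawning a script host, and a script host launching a binary from a user-writable path), so they keep working after the attacker swaps the file, the lure or the payload.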