TTPs (Tactics, Techniques, Procedures)
One-liner: The hierarchy describing why an adversary acts (Tactics), what they do (Techniques), and how they do it (Procedures).
What Is It?
TTPs represent the behavioral patterns of threat actors, from high-level goals down to specific implementation details. Understanding TTPs enables defenders to detect adversaries based on behavior rather than easily-changed indicators like IP addresses or file hashes.
| Level | Question | Example |
|---|---|---|
| Tactics | WHY? (Adversary goal) | Persistence |
| Techniques | WHAT? (Method to achieve goal) | Scheduled Task |
| Procedures | HOW? (Specific implementation) | schtasks /create /sc daily /tn "Update" /tr malware.exe |
Why It Matters
TTPs sit at the top of the Pyramid of Pain: they're the hardest thing for adversaries to change. An attacker can trivially change their malware hash or C2 IP, but changing their entire operational methodology is expensive and time-consuming.
```text
          /\
         /  \   <-- TTPs (HARD to change)
        /    \
       / Tools \
      /--------\
     / Network/ \
    /    Host    \
   /  Artifacts   \
  /----------------\
 /      Hashes      \  <-- (EASY to change)
```
How It Works
The TTP Hierarchy
```text
TACTIC: Persistence (TA0003)
│
├── TECHNIQUE: Scheduled Task/Job (T1053)
│   │
│   └── SUB-TECHNIQUE: Scheduled Task (T1053.005)
│       │
│       └── PROCEDURE: APT29 creates task via schtasks.exe
│                      at login with SYSTEM privileges
│
└── TECHNIQUE: Boot/Logon Autostart (T1547)
    │
    └── SUB-TECHNIQUE: Registry Run Keys (T1547.001)
```
MITRE ATT&CK Mapping
The ATT&CK framework catalogs known TTPs:
- 14 Tactics: adversary goals across the attack lifecycle
- 200+ Techniques: methods to achieve each tactic
- 600+ Sub-techniques: granular variations
- Procedures: real-world examples from APT groups
Tactics Overview (Enterprise)
| ID | Tactic | Goal |
|---|---|---|
| TA0043 | Reconnaissance | Gather victim info |
| TA0042 | Resource Development | Build attack infrastructure |
| TA0001 | Initial Access | Get into the network |
| TA0002 | Execution | Run malicious code |
| TA0003 | Persistence | Maintain access |
| TA0004 | Privilege Escalation | Get higher permissions |
| TA0005 | Defense Evasion | Avoid detection |
| TA0006 | Credential Access | Steal credentials |
| TA0007 | Discovery | Learn the environment |
| TA0008 | Lateral Movement | Move through network |
| TA0009 | Collection | Gather target data |
| TA0011 | Command & Control | Communicate with implants |
| TA0010 | Exfiltration | Steal data out |
| TA0040 | Impact | Disrupt or destroy |
Detection & Prevention
How to Detect (TTP-based Detection)
TTP-based detection focuses on behavior patterns rather than IOCs:
| Instead of... | Detect this behavior... |
|---|---|
| Block known malware hash | Alert on schtasks.exe creating tasks in unusual paths |
| Block C2 IP | Alert on beaconing patterns (regular intervals) |
| Signature match | Alert on LSASS memory access (credential dumping) |
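A worked example of the first row above, added here and not part of the original notes: a behavioral rule run over constructed process-creation events that flags schtasks.exe creating a task whose action lives in a user-writable path, and tags the hit with the tactic and technique IDs from the hierarchy. The event field names, the sample events and the list of "unusual" directories are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc daily /tn "Update" /tr C:\Users\bob\AppData\Local\Temp\update.exe'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc onlogon /tn "Backup" /tr "C:\Program Files\Acme\backup.exe"'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": "schtasks /query /tn Update"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": r"notepad.exe C:\Users\bob\notes.txt"},
]

# Assumed list of user-writable directories where a task action is unusual; tune per environment.
UNUSUAL_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\")

# /tr names the program the task runs, quoted or bare.
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass
class Finding:
    tactic: str      # WHY:  TA0003 Persistence
    technique: str   # WHAT: T1053.005 Scheduled Task
    procedure: str   # HOW:  the observed command line
    reason: str


def extract_task_action(cmdline: str) -> Optional[str]:
    """Return the lower-cased /tr target of a schtasks command line, or None if absent."""
    m = TASK_ACTION.search(cmdline)
    return (m.group(1) or m.group(2)).lower() if m else None


def detect_suspicious_task_creation(events) -> List[Finding]:
    """Behavioral rule: schtasks.exe /create whose action lives in a user-writable directory.
    It matches on what the process does, not on any hash or filename, which is the point."""
    findings = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\schtasks.exe") or "/create" not in ev["CommandLine"].lower():
            continue
        action = extract_task_action(ev["CommandLine"])
        if action and any(d in action for d in UNUSUAL_DIRS):
            findings.append(Finding("TA0003", "T1053.005", ev["CommandLine"],
                                    f"task action in user-writable path: {action}"))
    return findings
```

Only the first sample event fires; the installer-created task in Program Files and the /query call do not, which is the tuning trade-off the "False Positives" row below refers to.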
Why TTP Detection > IOC Detection
| Aspect | IOC Detection | TTP Detection |
|---|---|---|
| Lifespan | Days to weeks | Months to years |
| Evasion | Change hash, change IP | Must change entire methodology |
| Coverage | Known threats only | Known + unknown variants |
| False Positives | Lower | Higher (requires tuning) |
Interview Angles
Common Questions
- "What are TTPs and why are they important for threat detection?"
- "How do TTPs relate to the Pyramid of Pain?"
- "Give an example of detecting based on TTPs vs IOCs."
STAR Story
Situation: SOC relied entirely on IOC feeds; attackers bypassed by changing hashes.
Task: Improve detection resilience against evasive threats.
Action: Shifted focus to TTP-based detection using MITRE ATT&CK. Built behavioral rules for credential dumping (LSASS access), persistence (scheduled tasks from unusual paths), and lateral movement (remote service creation). Validated with Atomic Red Team.
Result: Detected red team engagement that previous IOC-based approach missed completely. Reduced reliance on threat intel freshness.
Best Practices
- Map your detections to ATT&CK techniques to visualize coverage gaps
- Prioritize high-impact TTPs relevant to your threat model
- Use Atomic Red Team to test TTP-based detections
- Combine TTP detection with IOC matching for defense-in-depth
- Update TTP knowledge as adversaries evolve
Common Misconceptions
- "TTPs = MITRE ATT&CK": ATT&CK is a TTP catalog, but TTPs exist independently
- "Detect TTPs, ignore IOCs": use both; IOCs are fast, TTPs are resilient
- "One detection per technique": techniques have many procedures; you need multiple rules
Related Concepts
- MITRE ATT&CK
- Pyramid of Pain
- Threat Emulation
- Detection Engineering
- Threat-based detection
- Indicator Detection
- Cyber Threat Intelligence (CTI)
References
- MITRE ATT&CK: https://attack.mitre.org/
- MITRE ATT&CK Navigator
- SANS TTP-based Detection Strategies