What are TTPs? Tactics, Techniques, and Procedures

TTPs are the tactics, techniques, and procedures that describe how adversaries operate. Learn the difference, MITRE ATT&CK mapping, and the Pyramid of Pain.
تم كتابته بواسطة
تم النشر في
Sunday, July 12, 2026
تم التحديث بتاريخ
July 12, 2026

What are TTPs?

Tactics, techniques, and procedures (TTPs) are the behavioral patterns that describe how attackers plan and carry out an intrusion. Tactics are the adversary's objectives at each stage; techniques are the methods used to achieve them; and procedures are the specific steps and tools used in a real attack.

Adversaries reuse these behaviors across campaigns even when their malware, domains, and infrastructure change. Capturing the patterns lets defenders recognize the same actor or method across different environments.

Structured models such as the MITRE ATT&CK framework catalog these behaviors into defined categories. Clear classification sharpens detection logic and supports faster, more consistent response.

What is the Difference Between Tactics, Techniques, and Procedures?

The three layers answer different questions. Tactics describe the why, techniques the how, and procedures the exact what of an attacker's actions.

Component What it Represents Question it Answers Example
Tactics The adversary's goal at a stage of the attack Why are they doing this? Gaining initial access to a network
Techniques The general method used to achieve that goal How are they doing it? Spear-phishing to steal credentials
Procedures The specific implementation, tools, and steps What exactly did they do? Sending a spoofed invoice email linking to a fake Microsoft 365 login

These layers nest together. A single observed action maps from a broad tactic down to a precise procedure: the tactic Credential Access, achieved through the technique OS Credential Dumping, carried out by the procedure of running Mimikatz against LSASS memory.

How Do TTPs Map to the Stages of a Cyberattack?

TTPs unfold in a sequence that moves from entry toward an attacker's final objective. The stages below align with the Cyber Kill Chain and the tactic categories in MITRE ATT&CK.

  • Reconnaissance. Attackers gather details on systems, employees, and exposed services to guide targeting before any intrusion.
  • Initial access. Entry comes through spear-phishing, exposed remote services such as RDP, or unpatched vulnerabilities, establishing the first foothold.
  • Execution and persistence. Payloads run through scripts, macros, or trusted system binaries, while scheduled tasks and registry changes keep access alive across reboots.
  • Privilege escalation. Credentials pulled from LSASS memory or cached sessions raise permissions, unlocking domain resources and critical systems.
  • Lateral movement. Attackers spread across systems using SMB, RDP, and reused credentials, mapping file servers, databases, and domain controllers.
  • Exfiltration and impact. Sensitive data is staged, compressed, and moved out over encrypted channels, or operations are disrupted to achieve the final goal.

How are TTPs Mapped in the MITRE ATT&CK Framework?

The MITRE ATT&CK framework organizes observed behavior into a structured matrix of tactics, techniques, and procedures across the intrusion lifecycle.

  • Tactics. Columns group the adversary's objectives, such as initial access, persistence, and exfiltration.
  • Techniques. Each tactic lists the methods that achieve it, including phishing, credential dumping, and lateral movement.
  • Sub-techniques. Granular variations refine a technique into specific forms, showing how one method adapts across environments.
  • Procedures. Documented commands, scripts, and tools tie real incidents to known techniques.
  • Detection coverage. Teams measure their monitoring against the matrix to expose visibility gaps and refine rules.

The Pyramid of Pain: Why TTPs Sit at the Top

The Pyramid of Pain, introduced by security researcher David Bianco, explains why TTPs hold the most defensive value. It ranks indicators by how much pain it causes an attacker when defenders detect and block them. From the bottom of the pyramid to the top, each level is harder for an adversary to change.

  • Hash values. Trivial to change, since altering a single byte produces a new hash.
  • IP addresses. Easy to swap with a new server or proxy.
  • Domain names. Slightly harder, though registered and rotated cheaply.
  • Network and host artifacts. More effort, because they require changing how the tooling behaves.
  • Tools. Costly to replace, forcing attackers to find or build new ones.
  • TTPs. The hardest to change, because they reflect how an adversary actually operates.

Detecting at the indicator levels removes one campaign's infrastructure. Detecting at the TTP level forces an attacker to relearn their craft, which is why behavior-based defense delivers lasting value.

What Is the Difference Between TTPs, IoCs, and IoAs?

TTPs, indicators of compromise (IoCs), and indicators of attack (IoAs) work at different levels. TTPs describe behavior, IoCs are evidence left behind, and IoAs flag suspicious activity in progress.

Aspect TTPs (Tactics, Techniques, Procedures) IoCs (Indicators of Compromise) IoAs (Indicators of Attack)
Core Focus Behavioral patterns across the intrusion lifecycle Evidence left behind after a compromise Signals of suspicious activity in progress
Detection Type Behavior-based analysis Signature or artifact-based detection Activity-based monitoring
Time Relevance Durable across many incidents Short-lived and quickly outdated Relevant during active stages
Data Source Patterns and adversary methods File hashes, IP addresses, domains Process behavior and unusual activity
Adaptability Hard for attackers to change Easily changed through new infrastructure Moderate, depending on detection logic
Use Case Threat hunting and long-term defense Identifying known compromises Stopping activity in real time

Why are TTPs Important in Cybersecurity?

TTP-based defense gives security teams visibility that survives the changes attackers make to evade detection.

Behavior-Based Detection

Patterns stay recognizable even after malware, domains, or file hashes change. Behavioral tracking surfaces malicious activity that signature-based tools miss.

Long-Term Intelligence Value

Malware families and payloads change quickly, but adversary habits stay relatively stable. That stability makes behavioral analysis a more durable basis for defense than static indicators.

Stronger Security Planning

Controls aligned to real intrusion methods outperform those built on assumptions. Verizon's 2025 DBIR found that compromised credentials were the initial access vector in 22 percent of breaches, the single most common entry point, which is exactly the kind of behavior TTP mapping targets.

How Do Security Teams Use TTPs?

Security teams turn TTP analysis into daily operations across detection, hunting, and response.

Threat Detection

SIEM and EDR platforms map authentication logs, endpoint activity, and network traffic to known techniques, flagging anomalies like unusual logins or unexpected privilege changes even when no malware signature is present.

Threat Hunting

Hunters start from known techniques such as credential dumping and lateral movement, then search endpoints, Windows event logs, DNS queries, and process data for hidden activity that automated alerts miss.

Incident Investigation

Responders reconstruct an intrusion by correlating logins, process creation, and network connections against known techniques, revealing how access began, how privileges grew, and how movement spread.

Detection Engineering

Engineers build and tune detection rules around techniques like persistence and privilege escalation, aligning logic to structured frameworks to raise accuracy and cut false positives.

Threat Intelligence Integration

Threat intelligence feeds add context on adversary groups and their evolving techniques, helping teams recognize recurring intrusion patterns faster.

Real-World Examples of TTPs Mapped to MITRE ATT&CK

Real intrusions map cleanly to documented techniques in MITRE ATT&CK, which makes the methods easier to identify and counter.

Phishing for Access (T1566, T1078)

Emails mimicking trusted platforms send users to spoofed login pages. Captured credentials open direct access to services like Microsoft 365 through legitimate accounts.

Credential Dumping (T1003)

Tools such as Mimikatz extract authentication data from LSASS memory. The stolen credentials enable privilege escalation without tripping malware signatures.

Lateral Movement (T1021)

SMB and Remote Desktop Protocol let attackers move between systems after entry. Reused credentials and admin utilities extend reach toward domain controllers and servers.

Scheduled Task Persistence (T1053)

Scheduled tasks and system changes keep access alive across reboots and logoffs, removing the need to break in again.

Command and Control (T1071)

Outbound connections to attacker servers deliver commands and move data, usually over HTTPS or DNS, to blend with normal traffic.

Data Exfiltration (T1041)

Data is staged, compressed, and sent out through encrypted channels or trusted services so the transfer looks legitimate.

Privilege Escalation (T1068)

Exploiting a vulnerability or abusing elevated tokens raises access levels, handing attackers deeper control over critical systems.

Threat Actor in Focus: Scattered Spider

A real adversary shows how the layers combine. Scattered Spider, tracked by MITRE ATT&CK as group G1015 and documented by CISA in advisory AA23-320A, chains TTPs across an entire intrusion. For initial access, the tactic is gaining entry, the technique is social engineering, and the procedure is calling a company's IT help desk while impersonating an employee to reset a password or multi-factor authentication, often paired with push bombing or SIM swapping.

Once inside, the group installs legitimate remote-access tools such as AnyDesk or TeamViewer for persistence, steals credentials, moves laterally with valid accounts, and then exfiltrates data to cloud storage before deploying ransomware. The 2023 intrusions at MGM Resorts and Caesars followed this pattern.

How Can TTPs Help Prevent Cyberattacks?

Knowing the methods attackers reuse lets teams block them at the points that matter most.

how can ttps help prevent cyber attacks

Identity Protection

Credential abuse remains a primary entry vector. Multi-factor authentication, conditional access, and login-anomaly detection cut off unauthorized account use.

Service Exposure Control

Internet-facing RDP, SSH, and VPN gateways are common entry paths. IP allowlisting, network-level authentication, and zero-trust policies shrink that exposure.

Privilege Restriction

Excess permissions enable escalation. Role-based access, just-in-time elevation, and removing dormant admin accounts limit internal risk.

Lateral Movement Barriers

Open internal communication lets intrusions spread. Network segmentation, firewall rules, and restricted SMB and RDP contain movement.

Endpoint Hardening

Many techniques abuse native tools like PowerShell and WMI. Application control, script restrictions, and endpoint detection reduce that misuse.

Data Protection Controls

Sensitive data becomes the target once attackers are inside. Data loss prevention and encryption policies, with outbound-traffic monitoring, curb unauthorized transfer.

How CloudSEK Threat Intelligence Tracks Adversary TTPs

Mapping TTPs depends on knowing which adversaries are active and how they operate. CloudSEK Threat Intelligence tracks threat actors along with their tactics, techniques, and procedures, the vulnerabilities they exploit, and the malware and ransomware campaigns tied to them.

That actor-level context helps security teams connect activity in their own environment to known behavior, prioritize the techniques most likely to target their sector, and turn raw intelligence into detection and hunting leads. It works alongside the frameworks and controls covered above rather than replacing them.

Frequently Asked Questions

What does TTP stand for in cybersecurity?

TTP stands for tactics, techniques, and procedures. Together, they describe an attacker's behavior: the goal, the method, and the exact steps used during an intrusion.

Is it tactics or threats, techniques, and procedures?

TTP stands for tactics, techniques, and procedures. It is sometimes written as threats, techniques, and procedures, but that expansion is incorrect, since the first T refers to the attacker's tactical goal rather than a threat.

What is the difference between a tactic and a technique?

A tactic is the attacker's objective, such as gaining initial access. A technique is the method used to reach it, such as spear-phishing, and procedures are the specific steps that carry the technique out.

What is an example of a TTP?

Credential Access as the tactic, OS Credential Dumping as the technique, and running Mimikatz against LSASS memory as the procedure form a common TTP chain.

How do TTPs differ from indicators of compromise?

TTPs describe how attackers behave, while indicators of compromise are artifacts like file hashes or IP addresses left behind. TTPs stay stable longer, so they hold more lasting detection value.

Why are TTPs the hardest thing for attackers to change?

TTPs reflect how an adversary actually operates, so changing them means relearning their craft. The Pyramid of Pain places TTPs at the top for this reason.

What framework is used to map TTPs?

MITRE ATT&CK is the most widely used framework. It organizes real-world tactics, techniques, sub-techniques, and procedures into a matrix that guides detection and response.

المشاركات ذات الصلة
What are TTPs? Tactics, Techniques, and Procedures
TTPs are the tactics, techniques, and procedures that describe how adversaries operate. Learn the difference, MITRE ATT&CK mapping, and the Pyramid of Pain.
How Does a Threat Intelligence Platform Support SOC Teams?
Threat intelligence platforms support SOC teams by enriching alerts, improving detection accuracy, and accelerating incident response.
What are Indicators of Compromise (IoCs) in Cybersecurity?
Indicators of Compromise (IoCs) are digital clues like IPs, hashes, and logs that reveal cyberattacks and help detect and respond to threats.

ابدأ العرض التوضيحي الخاص بك الآن!

جدولة عرض تجريبي
إصدار تجريبي مجاني لمدة 7 أيام
لا توجد التزامات
قيمة مضمونة بنسبة 100%

مقالات قاعدة المعارف ذات الصلة

لم يتم العثور على أية عناصر.