🚀 A CloudSEK se torna a primeira empresa de segurança cibernética de origem indiana a receber investimentos da Estado dos EUA fundo
Leia mais
Tactics, techniques, and procedures (TTPs) are the behavioral patterns that describe how attackers plan and carry out an intrusion. Tactics are the adversary's objectives at each stage; techniques are the methods used to achieve them; and procedures are the specific steps and tools used in a real attack.
Adversaries reuse these behaviors across campaigns even when their malware, domains, and infrastructure change. Capturing the patterns lets defenders recognize the same actor or method across different environments.
Structured models such as the MITRE ATT&CK framework catalog these behaviors into defined categories. Clear classification sharpens detection logic and supports faster, more consistent response.
The three layers answer different questions. Tactics describe the why, techniques the how, and procedures the exact what of an attacker's actions.
These layers nest together. A single observed action maps from a broad tactic down to a precise procedure: the tactic Credential Access, achieved through the technique OS Credential Dumping, carried out by the procedure of running Mimikatz against LSASS memory.
TTPs unfold in a sequence that moves from entry toward an attacker's final objective. The stages below align with the Cyber Kill Chain and the tactic categories in MITRE ATT&CK.
The MITRE ATT&CK framework organizes observed behavior into a structured matrix of tactics, techniques, and procedures across the intrusion lifecycle.
The Pyramid of Pain, introduced by security researcher David Bianco, explains why TTPs hold the most defensive value. It ranks indicators by how much pain it causes an attacker when defenders detect and block them. From the bottom of the pyramid to the top, each level is harder for an adversary to change.
Detecting at the indicator levels removes one campaign's infrastructure. Detecting at the TTP level forces an attacker to relearn their craft, which is why behavior-based defense delivers lasting value.
TTPs, indicators of compromise (IoCs), and indicators of attack (IoAs) work at different levels. TTPs describe behavior, IoCs are evidence left behind, and IoAs flag suspicious activity in progress.
TTP-based defense gives security teams visibility that survives the changes attackers make to evade detection.
Patterns stay recognizable even after malware, domains, or file hashes change. Behavioral tracking surfaces malicious activity that signature-based tools miss.
Malware families and payloads change quickly, but adversary habits stay relatively stable. That stability makes behavioral analysis a more durable basis for defense than static indicators.
Controls aligned to real intrusion methods outperform those built on assumptions. Verizon's 2025 DBIR found that compromised credentials were the initial access vector in 22 percent of breaches, the single most common entry point, which is exactly the kind of behavior TTP mapping targets.
Security teams turn TTP analysis into daily operations across detection, hunting, and response.
SIEM and EDR platforms map authentication logs, endpoint activity, and network traffic to known techniques, flagging anomalies like unusual logins or unexpected privilege changes even when no malware signature is present.
Hunters start from known techniques such as credential dumping and lateral movement, then search endpoints, Windows event logs, DNS queries, and process data for hidden activity that automated alerts miss.
Responders reconstruct an intrusion by correlating logins, process creation, and network connections against known techniques, revealing how access began, how privileges grew, and how movement spread.
Engineers build and tune detection rules around techniques like persistence and privilege escalation, aligning logic to structured frameworks to raise accuracy and cut false positives.
Threat intelligence feeds add context on adversary groups and their evolving techniques, helping teams recognize recurring intrusion patterns faster.
Real intrusions map cleanly to documented techniques in MITRE ATT&CK, which makes the methods easier to identify and counter.
Emails mimicking trusted platforms send users to spoofed login pages. Captured credentials open direct access to services like Microsoft 365 through legitimate accounts.
Tools such as Mimikatz extract authentication data from LSASS memory. The stolen credentials enable privilege escalation without tripping malware signatures.
SMB and Remote Desktop Protocol let attackers move between systems after entry. Reused credentials and admin utilities extend reach toward domain controllers and servers.
Scheduled tasks and system changes keep access alive across reboots and logoffs, removing the need to break in again.
Outbound connections to attacker servers deliver commands and move data, usually over HTTPS or DNS, to blend with normal traffic.
Data is staged, compressed, and sent out through encrypted channels or trusted services so the transfer looks legitimate.
Exploiting a vulnerability or abusing elevated tokens raises access levels, handing attackers deeper control over critical systems.
A real adversary shows how the layers combine. Scattered Spider, tracked by MITRE ATT&CK as group G1015 and documented by CISA in advisory AA23-320A, chains TTPs across an entire intrusion. For initial access, the tactic is gaining entry, the technique is social engineering, and the procedure is calling a company's IT help desk while impersonating an employee to reset a password or multi-factor authentication, often paired with push bombing or SIM swapping.
Once inside, the group installs legitimate remote-access tools such as AnyDesk or TeamViewer for persistence, steals credentials, moves laterally with valid accounts, and then exfiltrates data to cloud storage before deploying ransomware. The 2023 intrusions at MGM Resorts and Caesars followed this pattern.
Knowing the methods attackers reuse lets teams block them at the points that matter most.

Credential abuse remains a primary entry vector. Multi-factor authentication, conditional access, and login-anomaly detection cut off unauthorized account use.
Internet-facing RDP, SSH, and VPN gateways are common entry paths. IP allowlisting, network-level authentication, and zero-trust policies shrink that exposure.
Excess permissions enable escalation. Role-based access, just-in-time elevation, and removing dormant admin accounts limit internal risk.
Open internal communication lets intrusions spread. Network segmentation, firewall rules, and restricted SMB and RDP contain movement.
Many techniques abuse native tools like PowerShell and WMI. Application control, script restrictions, and endpoint detection reduce that misuse.
Sensitive data becomes the target once attackers are inside. Data loss prevention and encryption policies, with outbound-traffic monitoring, curb unauthorized transfer.
Mapping TTPs depends on knowing which adversaries are active and how they operate. CloudSEK Threat Intelligence tracks threat actors along with their tactics, techniques, and procedures, the vulnerabilities they exploit, and the malware and ransomware campaigns tied to them.
That actor-level context helps security teams connect activity in their own environment to known behavior, prioritize the techniques most likely to target their sector, and turn raw intelligence into detection and hunting leads. It works alongside the frameworks and controls covered above rather than replacing them.
TTP stands for tactics, techniques, and procedures. Together, they describe an attacker's behavior: the goal, the method, and the exact steps used during an intrusion.
TTP stands for tactics, techniques, and procedures. It is sometimes written as threats, techniques, and procedures, but that expansion is incorrect, since the first T refers to the attacker's tactical goal rather than a threat.
A tactic is the attacker's objective, such as gaining initial access. A technique is the method used to reach it, such as spear-phishing, and procedures are the specific steps that carry the technique out.
Credential Access as the tactic, OS Credential Dumping as the technique, and running Mimikatz against LSASS memory as the procedure form a common TTP chain.
TTPs describe how attackers behave, while indicators of compromise are artifacts like file hashes or IP addresses left behind. TTPs stay stable longer, so they hold more lasting detection value.
TTPs reflect how an adversary actually operates, so changing them means relearning their craft. The Pyramid of Pain places TTPs at the top for this reason.
MITRE ATT&CK is the most widely used framework. It organizes real-world tactics, techniques, sub-techniques, and procedures into a matrix that guides detection and response.
