Tactics, Techniques, and Procedures (TTPs) in Cybersecurity

Tactics, techniques and procedures (TTPs) are the “patterns of activities or methods associated with a specific threat actor or group of threat actors.” TTPs help analyzes and profile threat actors. It can further be used to strengthen the security infrastructure of an organization. 


Tactics are defined as a guideline describing how an attacker performs their attack from beginning to end and why an attacker is performing the attack. It consists of the various tactics used to gather information for the initial exploitation, perform privilege escalation, and deploy measures for resistance access to the system. 

Threat actors can be profiled by an organisation based on the tactics they use; for instance:
  • The way they Gather Information. 
    • Some adversaries depend solely on the information on the Internet, whereas others might perform social engineering or use connections in the organizations. 
    • Information like email addresses of employees of the target organization is gathered, and the adversaries then choose to approach the target.
    • The adversaries' designed payload can be persistent in the system or may change based on the target. Thus, to understand the adversaries better, tactics used in the early stages of an attack must be analyzed properly.
  • Methods they follow for initial compromise.
  • Several entry points they use while attempting to enter the target network.
  • Analyzing the APT groups by inspecting the infrastructure and tools used to perform their attacks. 
    • A Sophisticated adversary may exploit many zero-day vulnerabilities. However, less-sophisticated adversaries generally depend on publicly known vulnerabilities and open-source tools.
    • Identifying this type of tactic helps in profiling the APT groups and building defensive measures in advance. 
  • Understanding the tactics used in the last stage of the attack aid in identifying the threat actor.
  • The methods used to cover the tracks help the target organization understand the attack campaign. 
By analyzing the tactics, the target organization can create an initial profile of the adversary. This profile helps in performing further analysis of the techniques and procedures used by the attackers. 
An attacker may continually change the TTPs used, so it is important to constantly review and update the tactics used by the APT groups.


Techniques are defined as the technical methods used by an attacker to achieve intermediate results during their attack. The techniques followed by the threat actor to conduct an attack might vary, but they are mostly similar and can be used for profiling. Techniques can include initial exploitation, settings up and maintaining command and control channels, accessing the target infrastructure, and covering the tracks of data exfiltration. Techniques can be divided into three stages and can analyze at each stage of the threat life cycle. 

Initial Stage

Techniques used in this stage need not necessarily have a technical aspect. For example, social engineering with certain non-technical tools can be an effective way of gathering information like the email address of the target organization's employees through publicly available resources. Secondly, purely human-based social engineering can be used. For example, a victim can be tricked via a phone call to reveal their login credentials for accessing the target organization's internal network. Thus, this kind of technique can be used by attackers to gather information about the target and can help them break the first line of defence. 

Middle Stage

Techniques used in this stage mostly depend on technical tools for initially escalating privileges on systems within the target organization's network. The attackers use exploits, or vulnerabilities, or may exploit network design flaws to gain access to other systems in the network. This allows an attacker to perform a successful attack. In this scenario, the term,  "technique" is the set of tools and the way they are used to obtain intermediate results during an attack campaign.

Last Stage

Techniques used in this stage can have both technical and non-technical aspects. For example, an attacker might steal data from the network by encrypting it and transferring them through the command and control channel and copying it to their own system. Once the attack is successfully executed, the attacker might use certain purely technical techniques to cover their tracks by clearing the log files to evade detection.

Therefore, understanding the techniques used in different stages of an attack is essential for analyzing and creating a profile of the threat groups effectively. 


Procedures are detailed descriptions of the components used in an attack, including the tools and practices that attackers used to orchestrate it. This involves a sequence of actions performed by the threat actors to execute different steps of an attack life cycle. 

In a basic procedure of reconnaissance, an attacker collects information about the target organization; identifies key targets such as collecting contact details, identifies vulnerable systems and potential entry points to the target network, and documents all the collected information. This information can assist threat actors in performing spear phishing, monitoring security controls to identify zero-day exploits in the target systems, and other tasks. 

In an extensive procedure, an attacker may execute a detailed malware payload, which at the time of execution decrypts itself, evades security monitoring controls, deploys persistence, and establishes a command and control channel between the victim's and the attacker's system. This is a common procedure, where different threat actors may implement the same feature, and hence it is useful in forensic investigations. 

In the initial stage of an attack, such as information gathering, observing the procedure of an APT group is difficult. However, the later stages of an attack can leave trails that may be used to understand the procedures the attacker followed. An understanding and proper analysis of the procedures followed by certain threat actors helps organizations profile threat actors. 


To understand and defend against the threat actors, it is essential to understand the TTPs used by APTs. Click here to read, 

We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.

No comments:

Post a Comment