
TTP

TTP (Tactics, Techniques, Procedures) is a framework describing how cybercriminals operate. Tactics define the attack goal, Techniques the methods to achieve the goal, and Procedures the specific implementations. TTP forms the foundation of threat intelligence and is key to understanding adversary behavior.

What is TTP?

TTP Definition

TTP (Tactics, Techniques, Procedures) is a hierarchical model describing how cybercriminals and APT groups operate. The TTP framework forms the foundation of modern threat analysis and threat intelligence, enabling systematic description and categorization of attacker behaviors.

TTP Structure

Tactics:

  • Strategic attack objective
  • “Why” the attacker performs an action
  • Example: Initial Access, Persistence, Exfiltration

Techniques:

  • Method to achieve the objective
  • “How” the attacker accomplishes the tactic
  • Example: Phishing, Valid Accounts, Data Encrypted

Procedures:

  • Specific technique implementation
  • Specific tools and commands
  • Example: Spear-phishing with a .docx attachment containing a macro

TTP in MITRE ATT&CK

The MITRE ATT&CK framework is a practical implementation of the TTP model:

  • 14 tactics (matrix columns)
  • 200+ techniques
  • Sub-techniques as refinements
  • Procedures in group and campaign descriptions

TTP Applications

  • Threat Intelligence: APT group profiling
  • Detection Engineering: Creating detection rules
  • Incident Response: Analyzing attacker behavior
  • Red Team: Attack simulation planning
  • Risk Assessment: Organizational threat assessment

TTP vs IOC

Aspect      | TTP                    | IOC
------------|------------------------|----------------------
Durability  | Stable, hard to change | Easily changed
Level       | Behavioral             | Technical
Detection   | More reliable          | Easy to evade
Example     | Attack technique       | Hash, IP, domain

TTP represents behaviors that are harder to change than technical indicators of compromise.

Pyramid of Pain

David Bianco's Pyramid of Pain illustrates the value of TTP:

  • Top of the pyramid: TTP - hardest for the attacker to change
  • Middle: Tools, network artifacts
  • Bottom: Hash values, IP addresses - easy to change

TTP-based detection is the most effective in the long term.
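To show the TTP vs IOC contrast and the Pyramid of Pain argument in working code, here is an added example (not part of the original page): a hash-based IOC rule and a behavioural TTP rule are run over the same constructed process-creation events, and the behavioural hit is enriched with the tactic/technique chain. The event field names, the fake hashes and the choice of ATT&CK IDs for the page's macro-document procedure are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TTP:
    """One tactic -> technique -> procedure chain (IDs are MITRE ATT&CK Enterprise)."""
    tactic: str        # the "why", e.g. TA0002 Execution
    technique: str     # the "how", e.g. T1204.002 User Execution: Malicious File
    procedure: str     # the concrete implementation observed

# The page's own example procedure (macro in an Office document), mapped as an
# assumption to the Execution tactic and the User Execution technique.
MACRO_DOC_PROCEDURE = TTP(
    tactic="TA0002 Execution",
    technique="T1204.002 User Execution: Malicious File",
    procedure="Office document macro spawns a script interpreter",
)

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample telemetry (process-creation events). Field names are an
# assumption for this example, not a particular EDR schema; hashes are fake.
EVENTS = [
    {"parent": "WINWORD.EXE", "image": "powershell.exe", "sha256": "hash-A"},  # first sighting
    {"parent": "WINWORD.EXE", "image": "powershell.exe", "sha256": "hash-B"},  # same behaviour, new payload hash
    {"parent": "explorer.exe", "image": "powershell.exe", "sha256": "hash-C"},  # admin opens a shell
]

KNOWN_BAD_HASHES = {"hash-A"}  # IOC learned from the first incident

def ioc_match(event):
    """Bottom of the pyramid: a hash IOC fires only on the exact file already seen."""
    return event["sha256"] in KNOWN_BAD_HASHES

def ttp_match(event):
    """Top of the pyramid: the behaviour fires whichever binary carries it."""
    return (event["parent"].lower() in OFFICE_APPS
            and event["image"].lower() in INTERPRETERS)

def evaluate(events):
    """Return the indexes of events each rule type flags, so the two can be compared."""
    return {
        "ioc": [i for i, e in enumerate(events) if ioc_match(e)],
        "ttp": [i for i, e in enumerate(events) if ttp_match(e)],
    }

def attribute(event):
    """Enrich a behavioural hit with its tactic/technique chain for analysts and reports."""
    return MACRO_DOC_PROCEDURE if ttp_match(event) else None

if __name__ == "__main__":
    print(evaluate(EVENTS))   # {'ioc': [0], 'ttp': [0, 1]}
    print(attribute(EVENTS[1]))
```

The second event is the same procedure with a rebuilt payload: the IOC rule misses it, the TTP rule still flags it, and the benign third event is left alone.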

TTP is the language describing cybercriminal behavior, essential for mature security operations and threat intelligence.
