
Tactics, Techniques and Procedures

    Introduction

    In the world of cybersecurity, where attacks happen constantly, detection becomes more difficult. Each new attack may be related to an older technique. That is why the idea of TTPs came about.
    Using TTPs makes it easier to detect, defend against and respond to an attack. It also makes it easier to identify a specific attacker group, because most groups reuse similar TTPs or an upgraded version of their previous ones.
    Here we are going to learn how TTPs work, in a simple and easy way.


    Tactics

    Tactics are the part of threat intelligence that represents the end goal of an attack. They describe why an attack was carried out. The end goal can vary: it may be just reconnaissance, or it may be data exfiltration. See MITRE tactics.

    Examples:
    Reconnaissance
    Initial Access
    Execution
    Persistence


    Techniques

    Techniques represent the general method used to achieve the tactic: how things were done to reach the end goal, how an attacker carries out a tactic. A tactic may have more than one technique. See MITRE techniques.

    Tactics and Techniques

    Tactic          | Techniques (examples)
    ----------------|------------------------------------
    Reconnaissance  | Open-source intelligence (OSINT)
                    | Google Dorking
                    | Network scanning
                    | Dumpster diving
    Initial Access  | Phishing (spear-phishing)
                    | Exploiting public-facing apps
    Execution       | Command and scripting interpreter
                    | Malicious macros
                    | Scheduled tasks/Jobs

    Procedures

    Procedures represent the steps involved in a technique: the exact step-by-step details of the attack, the actual scripts or instructions used to carry it out.

    Examples:
    A PowerShell script that downloads ransomware.
    A fake email with a malicious link.

    Frequently Asked Questions

    What are Tactics Techniques and Procedures (TTPs) in cybersecurity?

    TTPs are a framework used in cybersecurity to understand and categorize attacks. Tactics represent the end goal of an attack (why), Techniques describe the methods used to achieve that goal (how), and Procedures are the specific steps and tools employed (the exact execution). This framework helps security teams detect, defend against, and respond to attacks more effectively.

    What is the difference between tactics and techniques in cybersecurity?

    Tactics represent the end goal or objective of an attack, such as reconnaissance or data exfiltration. Techniques, on the other hand, describe the general methods and approaches used to achieve those tactical goals. A single tactic can be accomplished using multiple different techniques.

    How do TTPs help in identifying attacker groups?

    Most attacker groups tend to use similar TTPs or upgraded versions of their previous techniques. By analyzing and tracking the specific Tactics, Techniques, and Procedures used in attacks, security teams can identify patterns that help attribute attacks to specific threat actors and predict their future behavior.
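The following is an added example, not code from the original article. It models the tactic, technique and procedure hierarchy described above and uses it the way a defender does: each observed procedure is rolled up to its technique and tactic, the incident's technique set is checked for which attack goals it covers, and that set is compared against actor profiles to rank likely attribution. Technique names follow the article's table; the ATT&CK technique ids are added for reference. The procedure descriptions, the incident and the actor profiles (GROUP-A, GROUP-B) are constructed for illustration and are not real threat-group data.

```python
"""Added example (not from the original article): a small model of the
tactic -> technique -> procedure hierarchy, used for roll-up, tactic
coverage and attribution scoring.  Procedures, incident and actor profiles
are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tid: str       # ATT&CK technique id (added for reference)
    name: str      # technique name, as in the article's table
    tactic: str    # the tactic (end goal) this technique serves


# Technique catalogue: one entry per technique in the article's table.
TECHNIQUES = {t.tid: t for t in [
    Technique("T1593", "Open-source intelligence (OSINT)", "Reconnaissance"),
    Technique("T1595", "Network scanning", "Reconnaissance"),
    Technique("T1566", "Phishing (spear-phishing)", "Initial Access"),
    Technique("T1190", "Exploiting public-facing apps", "Initial Access"),
    Technique("T1059", "Command and scripting interpreter", "Execution"),
    Technique("T1204", "Malicious macros", "Execution"),
    Technique("T1053", "Scheduled tasks/Jobs", "Persistence"),
]}

# Procedures: concrete, observable steps, keyed by the short description an
# analyst might write in a case note (constructed), each mapped to the
# technique it instantiates.
PROCEDURES = {
    "fake email with malicious link": "T1566",
    "PowerShell script downloads ransomware": "T1059",
    "Office document with auto-run macro": "T1204",
    "scheduled task created to relaunch payload": "T1053",
}


def roll_up(procedure: str) -> tuple[str, str, str]:
    """Map one observed procedure to (technique id, technique name, tactic).

    Raises KeyError for a procedure not in the catalogue, so an unknown
    observation is surfaced rather than silently dropped."""
    tid = PROCEDURES[procedure]
    tech = TECHNIQUES[tid]
    return tid, tech.name, tech.tactic


def techniques_seen(procedures: list[str]) -> set[str]:
    """Collapse a list of observed procedures to the set of technique ids."""
    return {PROCEDURES[p] for p in procedures}


def tactics_covered(technique_ids: set[str]) -> list[str]:
    """Which tactics (attack goals) the observed techniques account for,
    in the order the article lists them."""
    order = ["Reconnaissance", "Initial Access", "Execution", "Persistence"]
    seen = {TECHNIQUES[t].tactic for t in technique_ids}
    return [tac for tac in order if tac in seen]


def rank_actors(observed: set[str], profiles: dict[str, set[str]]) -> list[tuple[str, float]]:
    """Score each actor profile by Jaccard similarity between the techniques
    it is known for and the techniques observed, highest first.  A higher
    score means more overlap; it is a lead for attribution, not proof."""
    scores = []
    for actor, known in profiles.items():
        union = observed | known
        score = len(observed & known) / len(union) if union else 0.0
        scores.append((actor, round(score, 4)))
    return sorted(scores, key=lambda s: s[1], reverse=True)


# Constructed actor profiles (hypothetical groups, not real threat actors).
ACTOR_PROFILES = {
    "GROUP-A (hypothetical)": {"T1566", "T1059", "T1053"},
    "GROUP-B (hypothetical)": {"T1595", "T1190", "T1059"},
}

# Constructed incident: the procedures an analyst observed.
INCIDENT = [
    "fake email with malicious link",
    "PowerShell script downloads ransomware",
    "Office document with auto-run macro",
    "scheduled task created to relaunch payload",
]

if __name__ == "__main__":
    for proc in INCIDENT:
        tid, name, tactic = roll_up(proc)
        print(f"{proc!r:48} -> {tid} {name} [{tactic}]")
    seen = techniques_seen(INCIDENT)
    print("tactics covered:", tactics_covered(seen))
    for actor, score in rank_actors(seen, ACTOR_PROFILES):
        print(f"{actor}: {score:.2f}")
```

Scoring happens at the technique level rather than the procedure level on purpose: a group that swaps one PowerShell downloader for another (an "upgraded version" of its previous procedure) still lands on the same technique, so the overlap with its profile survives the change. Comparing at the tactic level alone would be too coarse, since almost every intrusion covers Initial Access and Execution.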

    What are examples of MITRE tactics and techniques?

    Common MITRE tactics include Reconnaissance, Initial Access, Execution, and Persistence. Techniques are the specific methods used within these tactics, such as using PowerShell scripts to download ransomware or sending fake emails with malicious links as part of an initial access tactic.

    Why is understanding TTPs important for cybersecurity defense?

    Understanding TTPs is crucial because it enables security teams to detect attacks more easily, develop better defense strategies, and respond faster to threats. By knowing the typical tactics, techniques, and procedures used by attackers, organizations can implement targeted security measures and stay ahead of evolving threats.

    (If you have any query, question or suggestion, feel free to ask below. We would be happy to connect with you. Have a great day, buddy!)