TTPs (Tactics, Techniques and Procedures)
A framework for describing attacker behavior: Tactics (What is the goal?), Techniques (How is it achieved?), and Procedures (Specific steps). TTPs are more consistent than IoCs—attackers change IP addresses, but rarely change their approach.
TTPs (Tactics, Techniques, and Procedures) describe an attacker’s behavior across three levels of abstraction. The concept originates from military intelligence and has been adapted for cybersecurity.
The Three Levels
Tactics – The “Why”
Tactics are an attacker’s immediate objectives during a specific phase:
| ID | Tactic | Description |
|---|---|---|
| TA0001 | Initial Access | How does the attacker gain access to the system? |
| TA0002 | Execution | How does the attacker execute code? |
| TA0003 | Persistence | How does the attacker maintain a foothold? |
| TA0004 | Privilege Escalation | How does the attacker elevate privileges? |
| TA0005 | Defense Evasion | How does the attacker bypass security? |
| TA0006 | Credential Access | How does the attacker steal credentials? |
| TA0007 | Discovery | What does the attacker find on the network? |
| TA0008 | Lateral Movement | How does the attacker spread? |
| TA0009 | Collection | What data does the attacker gather? |
| TA0010 | Exfiltration | How does the attacker exfiltrate the data? |
| TA0011 | Command and Control | How does the attacker control compromised systems? |
| TA0040 | Impact | What is the final damage? |
Techniques – The “How”
Techniques describe the methods used to achieve a tactic.
Example: Credential Access Tactic (TA0006)
- T1003: OS Credential Dumping
  - .001: LSASS Memory → Mimikatz
  - .002: Security Account Manager (SAM)
  - .006: DCSync → Golden Ticket
- T1110: Brute Force
  - .001: Password Guessing
  - .002: Password Cracking
  - .003: Password Spraying
  - .004: Credential Stuffing
- T1558: Steal or Forge Kerberos Tickets
  - .003: Kerberoasting
  - .004: AS-REP Roasting
Procedures – The “How Exactly”
Procedures are concrete implementations of a technique by a specific actor.
APT29 (Cozy Bear, Russian) - Procedure for Credential Dumping:
- Load Mimikatz as a DLL into lsass.exe reflectively
- Execute sekurlsa::wdigest (if WDigest is enabled)
- Exfiltrate credentials via an encrypted DNS tunnel
- Save Mimikatz artifacts in the TEMP folder with random names
- After exfiltration: securely delete the artifacts
Differences from other APTs:
- APT28 (Fancy Bear): uses Cobalt Strike + Mimikatz
- Lazarus Group: uses its own custom malware instead of commodity tools
Why TTPs are more valuable than IoCs
The Pyramid of Pain (David Bianco), listed from the bottom of the pyramid to the top:
- Hash Values ← Trivial for attackers to change
- IP Addresses
- Domain Names
- Network/Host Artifacts
- Tools ← More difficult
- TTPs ← Very painful for attackers
IoC (Hash, IP, Domain):
- Attacker changes hash → new build → IoC useless
- Attacker switches C2 server → new IP → IoC useless
- Timeframe: Hours to days
TTPs:
- Attacker must change fundamental approach
- This costs time, money, and impairs efficiency
- Timeframe: Months to years, often never
MITRE ATT&CK as a TTP database
MITRE ATT&CK is the most comprehensive public TTP database:
Structure: attack.mitre.org → 14 tactics → 200+ techniques → 1000+ procedures
Usage:
- SIEM rules against ATT&CK techniques instead of IoCs
- Red Team: "Test whether we detect T1558.003 (Kerberoasting)"
- Threat Hunting: Search for T1003.001 (LSASS Dump) in logs
- Coverage Gap Analysis: Which techniques lack detection?
MITRE ATT&CK Navigator:
- Visualization of coverage
- Which ATT&CK techniques does my SIEM rule set cover?
- Red (no detection) → Blue (full detection)
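The coverage gap analysis and Navigator visualization described above, as an added example that is not part of the original page: a rule set tagged with technique IDs is scored against a technique list, the uncovered techniques are reported, and the result is written out as an ATT&CK Navigator layer (red for no detection, blue for at least one rule, following the page's convention). The SIEM rules and the technique subset are constructed for the illustration; the layer follows the Navigator layer JSON shape (techniques with techniqueID, score and color), but the version numbers in it are an assumption and should be matched to the deployed Navigator.

```python
"""Added example: SIEM coverage gap analysis exported as an ATT&CK Navigator layer.

The rule set and the technique subset below are constructed for this
illustration; they are not from any real SIEM deployment.
"""
import json
import re

# Technique IDs look like T1003 or T1003.001; anything else is a tagging error.
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Constructed subset of Credential Access techniques from the page's example.
TECHNIQUES = {
    "T1003.001": "OS Credential Dumping: LSASS Memory",
    "T1003.002": "OS Credential Dumping: Security Account Manager",
    "T1003.006": "OS Credential Dumping: DCSync",
    "T1110.003": "Brute Force: Password Spraying",
    "T1558.003": "Steal or Forge Kerberos Tickets: Kerberoasting",
    "T1558.004": "Steal or Forge Kerberos Tickets: AS-REP Roasting",
}

# Constructed SIEM rules, each tagged with the technique(s) it is meant to detect.
SIEM_RULES = [
    {"name": "LSASS access by non-allowlisted process", "techniques": ["T1003.001"]},
    {"name": "Kerberos TGS request with RC4 encryption type", "techniques": ["T1558.003"]},
    {"name": "Many failed logons, one password, many users", "techniques": ["T1110.003"]},
    {"name": "Rule with a mistyped tag", "techniques": ["T1003.1"]},  # malformed, must not count
]


def coverage(rules=SIEM_RULES, techniques=TECHNIQUES):
    """Return {technique_id: number of rules tagged with it} for every known technique."""
    counts = {tid: 0 for tid in techniques}
    for rule in rules:
        for tid in rule["techniques"]:
            # Skip malformed or unknown tags instead of silently crediting coverage.
            if not TECHNIQUE_ID.match(tid) or tid not in counts:
                continue
            counts[tid] += 1
    return counts


def gaps(rules=SIEM_RULES, techniques=TECHNIQUES):
    """Techniques that no rule detects, sorted by ID (the 'coverage gap')."""
    return sorted(tid for tid, n in coverage(rules, techniques).items() if n == 0)


def navigator_layer(rules=SIEM_RULES, techniques=TECHNIQUES, name="SIEM coverage"):
    """Build a Navigator layer dict: red = no detection, blue = at least one rule."""
    entries = []
    for tid, n in sorted(coverage(rules, techniques).items()):
        entries.append({
            "techniqueID": tid,
            "score": n,
            "color": "#ff0000" if n == 0 else "#0000ff",
            "comment": techniques[tid],
        })
    return {
        "name": name,
        # Assumed version numbers; align them with the Navigator instance in use.
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": entries,
    }


if __name__ == "__main__":
    print("Uncovered techniques:", gaps())
    print(json.dumps(navigator_layer(), indent=2))
```

Saving the printed JSON to a file and opening it with the Navigator's "Open Existing Layer" option colors the covered and uncovered techniques in the matrix; the `score` field keeps the rule count so that techniques relying on a single rule are visible as well.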
TTP-based detection
Poor SIEM rule (IoC-based):
source_ip: 185.234.xx.xx → Alert
→ Next day: new IP → Miss
Good SIEM rule (TTP-based):
Process powershell.exe
Parent: winword.exe
→ Alert: "Macro Malware - T1204.002"
→ Works against any new malware with this pattern
Even better (TTP + context):
LSASS (lsass.exe) is accessed
by a process that is NOT on the whitelist (AV, EDR)
→ Alert: "Credential Dumping attempt - T1003.001"
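The three rules above (the IoC rule, the Office-spawns-PowerShell rule and the LSASS-access rule), run over constructed endpoint telemetry as an added example that is not part of the original page. The events, the field names and the LSASS allowlist are constructed for the illustration (the IP addresses are from documentation ranges, not real indicators); a real allowlist comes from the deployed AV/EDR vendor. The point the run shows is the one the page makes: when the C2 address rotates on day two, the IoC rule misses while the TTP rules keep firing.

```python
"""Added example: IoC-based versus TTP-based matching over constructed process events.

All events, field names and the allowlist are constructed for this
illustration; they are not taken from any real SIEM or EDR product.
"""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One constructed endpoint telemetry record (process start or memory access)."""
    day: int
    image: str            # process image name
    parent: str           # parent process image name
    remote_ip: str = ""   # outbound connection destination, if any
    target: str = ""      # process whose memory was opened, if any


# Constructed telemetry: the same macro-malware pattern on two days with a
# rotated C2 address, one credential dumping attempt, and benign noise.
# IPs are from the TEST-NET documentation ranges, not real indicators.
EVENTS = [
    ProcessEvent(1, "powershell.exe", "winword.exe", remote_ip="203.0.113.5"),
    ProcessEvent(2, "powershell.exe", "winword.exe", remote_ip="198.51.100.7"),  # new C2 IP
    ProcessEvent(2, "powershell.exe", "explorer.exe"),                           # admin use
    ProcessEvent(2, "rundll32.exe", "cmd.exe", target="lsass.exe"),              # dumping attempt
    ProcessEvent(2, "MsMpEng.exe", "services.exe", target="lsass.exe"),          # AV engine, allowed
]

# Processes legitimately expected to open LSASS (constructed; take the real
# list from the AV/EDR vendor's documentation and keep it as short as possible).
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}


def ioc_rule(ev):
    """Poor rule: matches only the C2 address seen on day one."""
    return ev.remote_ip == "203.0.113.5"


def macro_rule(ev):
    """TTP rule: Office spawning PowerShell (Malicious File, T1204.002)."""
    return ev.image.lower() == "powershell.exe" and ev.parent.lower() == "winword.exe"


def lsass_rule(ev):
    """TTP + context: LSASS opened by a process not on the allowlist (T1003.001)."""
    return ev.target.lower() == "lsass.exe" and ev.image.lower() not in LSASS_ALLOWLIST


RULES = [
    ("Known C2 IP", ioc_rule, None),
    ("Macro Malware", macro_rule, "T1204.002"),
    ("Credential Dumping attempt", lsass_rule, "T1003.001"),
]


def run_rules(events=EVENTS):
    """Return (rule name, technique ID, day) for every event a rule matches."""
    alerts = []
    for ev in events:
        for name, predicate, technique in RULES:
            if predicate(ev):
                alerts.append((name, technique, ev.day))
    return alerts


def days_detected(rule_name, events=EVENTS):
    """Sorted list of days on which the named rule fired at least once."""
    return sorted({day for name, _, day in run_rules(events) if name == rule_name})


if __name__ == "__main__":
    for alert in run_rules():
        print(alert)
```

Running the block prints four alerts: the IoC rule fires on day one only, the macro rule on both days, and the LSASS rule once, for `rundll32.exe`; the AV engine's access to LSASS is suppressed by the allowlist, which is the "context" part that keeps the T1003.001 rule from flooding the SOC with vendor noise.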
Threat Intelligence Reports and TTPs
Good TI reports include TTPs:
Example: Mandiant APT28 Report (simplified)
- Actor: APT28 (Fancy Bear, GRU, Russia)
- Targets: Military, government, energy (NATO countries)
TTPs:
Initial Access:
- T1566.001: Spear-phishing with .lnk files
- T1190: Exploiting public-facing applications (Exchange CVEs)
Privilege Escalation:
- T1078: Valid accounts (stolen credentials)
- T1558.003: Kerberoasting
C2:
- T1071.004: DNS tunneling
- T1090.003: Domain fronting via Cloudflare
> Detection rules can be derived directly.