
Tactics, Techniques, and Procedures (TTPs) are a framework for identifying and analyzing the behavior of threat actors. Unlike static indicators of compromise (such as IP addresses or file hashes), TTPs describe an adversary’s operational methodology.
Component Definitions
- Tactics: The high-level strategic objectives of an attacker (e.g., Initial Access, Persistence, or Exfiltration).
- Techniques: The specific methods used to achieve a tactical objective (e.g., Spearphishing or Brute-Force attacks).
- Procedures: The granular, step-by-step sequences of actions and specific tools employed during an engagement.
Analyzing TTPs allows security operations to move toward behavioral detection. By understanding the how and why of an attack, organizations can implement defensive controls that remain effective even when an attacker changes their specific software or infrastructure.
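To make that contrast concrete, the Python below is an added example written for this entry (not code from the original): it runs an indicator-based check and a behavioral Brute-Force check over constructed login-failure log lines, where the attacker rotates to an IP address that no blocklist has seen. The log format, IP addresses, account names and the threshold/window values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: the attacker first uses 198.51.100.7 (already on the
# blocklist), then switches to 203.0.113.9, which no indicator feed has seen.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z FAIL user=alice src=198.51.100.7
2024-05-01T10:00:02Z FAIL user=bob src=198.51.100.7
2024-05-01T10:00:03Z FAIL user=carol src=198.51.100.7
2024-05-01T10:05:01Z FAIL user=alice src=203.0.113.9
2024-05-01T10:05:02Z FAIL user=bob src=203.0.113.9
2024-05-01T10:05:03Z FAIL user=carol src=203.0.113.9
2024-05-01T10:05:04Z FAIL user=dave src=203.0.113.9
2024-05-01T10:30:00Z OK user=alice src=192.0.2.5
"""
KNOWN_BAD_IPS = {"198.51.100.7"}  # static indicator of compromise (constructed)

def parse(log):
    """Turn the constructed log format into dicts with parsed timestamps."""
    events = []
    for line in log.splitlines():
        ts, result, user, src = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "result": result,
                       "user": user.split("=", 1)[1],
                       "src": src.split("=", 1)[1]})
    return events

def ioc_detect(events, bad_ips=KNOWN_BAD_IPS):
    """Indicator-based: fires only on sources already on the blocklist."""
    return sorted({e["src"] for e in events if e["src"] in bad_ips})

def behavioral_detect(events, threshold=3, window=timedelta(minutes=1)):
    """TTP-based (Brute-Force): flag any source that fails logins against at
    least `threshold` distinct accounts inside `window`, whatever its IP."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["src"]].append(e)
    flagged = []
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # sliding window from each failure
            burst = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            if len({e["user"] for e in burst}) >= threshold:
                flagged.append(src)
                break
    return sorted(flagged)
```

Running `parse(SAMPLE_LOG)` through both detectors shows the indicator check matching only the known IP, while the behavioral check also flags the new one.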