TTP — Tactics, Techniques, and Procedures
Tactics, Techniques, and Procedures (TTPs) describe adversary behavior across three layers of abstraction. Tactics represent the strategic objectives an attacker pursues, techniques describe the methods used to achieve those objectives, and procedures detail the specific implementation of each technique. TTPs are the foundation of threat intelligence and detection engineering.
The Three Layers
- Tactics answer "why" -- the adversary's goal at each phase of an attack. Examples include initial access, persistence, privilege escalation, lateral movement, exfiltration, and impact.
- Techniques answer "how" -- the method used to accomplish the tactic. For example, under the initial access tactic, techniques include phishing, exploiting public-facing applications, and supply chain compromise.
- Procedures answer "what exactly" -- the specific implementation a particular threat group uses. For example, APT29 may use a specific spearphishing attachment format with a particular macro chain to achieve the phishing technique.
MITRE ATT&CK Framework
The MITRE ATT&CK framework is the industry-standard knowledge base that catalogs known adversary TTPs across enterprise, mobile, and cloud environments. It organizes techniques under tactical categories and maps them to specific threat groups and software. Security teams use ATT&CK to evaluate detection coverage, design hunting hypotheses, and communicate about threats using a shared vocabulary. During incident response, mapping observed adversary activity to ATT&CK techniques helps predict the attacker's next moves and prioritize containment actions.
Why TTPs Are More Valuable Than IOCs
IOCs like IP addresses and file hashes are easy for adversaries to change. A threat group can rotate infrastructure and recompile tooling in minutes. TTPs, by contrast, represent the adversary's tradecraft -- their operational habits, preferred tools, and established workflows. Changing TTPs requires retraining operators and rebuilding toolchains, which is expensive and slow. Detection rules built around TTPs remain effective even as the adversary rotates their infrastructure, making TTP-based detection more durable than IOC-based detection alone.
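To make the IOC-versus-TTP argument concrete, here is an added example (not part of the original page) that runs a static IOC rule and a behavioural rule side by side over constructed process-creation events. The hashes, IP addresses and the ATT&CK mapping comment (T1566.001 Spearphishing Attachment, T1059.001 PowerShell) are assumptions for illustration, and the "rotated" second intrusion shows which rule survives infrastructure change.

```python
# Added example: IOC matching vs. TTP (behavioural) matching over constructed
# process-creation telemetry. All indicators and hosts below are made up.

# Constructed IOCs "learned" from a first intrusion: one tool hash, one C2 address
# (203.0.113.0/24 is the TEST-NET-3 documentation range).
KNOWN_IOCS = {
    "sha256": {"sha256-of-dropper-v1-PLACEHOLDER"},
    "dst_ip": {"203.0.113.10"},
}

# The same tradecraft expressed as behaviour: an Office application spawning a
# script interpreter. Assumed ATT&CK mapping: T1566.001 -> T1059.001.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
TTP_RULE = {"tactic": "initial-access/execution",
            "technique": "T1566.001 -> T1059.001 (assumed mapping)"}


def ioc_hits(event: dict) -> bool:
    """Static indicator match: fires only on values seen before."""
    return (event["sha256"] in KNOWN_IOCS["sha256"]
            or event.get("dst_ip") in KNOWN_IOCS["dst_ip"])


def ttp_hits(event: dict) -> bool:
    """Behavioural match: Office parent launching a script interpreter."""
    return (event["parent"].lower() in OFFICE_PARENTS
            and event["image"].lower() in SCRIPT_CHILDREN)


def classify(events: list[dict]) -> dict[int, set[str]]:
    """Return {event_id: set of rule names that fired} for each event."""
    result = {}
    for e in events:
        fired = set()
        if ioc_hits(e):
            fired.add("ioc")
        if ttp_hits(e):
            fired.add("ttp")
        result[e["id"]] = fired
    return result


# Constructed telemetry: event 1 is the original intrusion; event 2 is the same
# operator after recompiling the dropper and moving C2; event 3 is a benign
# admin launching PowerShell from the desktop shell.
EVENTS = [
    {"id": 1, "parent": "WINWORD.EXE", "image": "powershell.exe",
     "sha256": "sha256-of-dropper-v1-PLACEHOLDER", "dst_ip": "203.0.113.10"},
    {"id": 2, "parent": "WINWORD.EXE", "image": "powershell.exe",
     "sha256": "sha256-of-dropper-v2-PLACEHOLDER", "dst_ip": "198.51.100.7"},
    {"id": 3, "parent": "explorer.exe", "image": "powershell.exe",
     "sha256": "sha256-of-signed-powershell-PLACEHOLDER", "dst_ip": None},
]

if __name__ == "__main__":
    for event_id, rules in classify(EVENTS).items():
        print(event_id, sorted(rules) or "no alert")
```

Event 2 is missed by the IOC rule but still caught by the behavioural rule, which is the durability the paragraph above describes; event 3 shows the behavioural rule also needs a parent-process condition to avoid alerting on routine PowerShell use.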
TTPs in Incident Response
During an active incident, identifying the adversary's TTPs helps the response team anticipate next steps. If forensic analysis reveals that the attacker used a specific initial access technique associated with a known threat group, the team can proactively hunt for that group's typical persistence and lateral movement techniques before they are executed. This predictive capability dramatically reduces containment time.
Map adversary TTPs during every incident
IR-OS incident records capture observed techniques alongside response actions, building institutional knowledge over time.