What are Tactics, Techniques and Procedures?
Tactics, Techniques and Procedures (TTPs) describes three components in a process used to develop threats and plan cyberattacks. Tactics represent the “why” of an attack technique and the reason for performing an action. Techniques represent “how” an adversary achieves a tactical goal by performing an action. Procedures are the specific implementation the adversary uses for techniques.
Tactics represent the “why” of an ATT&CK technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action.
For example: an adversary may want to achieve credential access.
Techniques represent “how” an adversary achieves a tactical goal by performing an action.
For example: an adversary may dump credentials to achieve credential access.
Procedures are the specific implementation the adversary uses for techniques or sub-techniques.
For example: a procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim. Procedures are categorized in ATT&CK as the observed in the wild use of techniques in the "Procedure Examples" section of technique pages.
Should an incident occur in your organization, forensic analysis of the TTPs employed in the attack will help you establish attribution, identify the attack vector, implement the appropriate incident response, and move to protect yourself from further attacks.
Cybersecurity Incident Response Template
Resources for protecting your organization from threat actors:
Blog
7 Steps to Recognize and Combat Cybercrime
Incident response lifecycle for identity-related attacks
Whitepaper
How to Build Your Incident Response Plan
Free eBook
Webinars
Anatomy of a Privileged Account Hack: How to Know the Risks and Keep them Contained
Free Tools