Understanding Tactics, Techniques, and Procedures (TTPs): Categories and Examples
- Wesley Widner
- May 7
- 5 min read
Introduction
Tactics, Techniques, and Procedures (TTPs) are fundamental concepts in the field of cybersecurity that describe how threat actors operate to achieve their objectives. These components are widely used in threat intelligence to analyze, classify, and combat cyber threats, providing a structured approach to understanding adversary behavior. Understanding TTPs is essential for organizations aiming to strengthen their security posture, as it enables them to anticipate, detect, and respond to cyberattacks more effectively. This blog explores the definition of TTPs, their categorization, and real-world examples to illuminate their critical role in modern cybersecurity.
1. What Are Tactics, Techniques, and Procedures?
TTPs can be broken down into three distinct but interconnected elements: tactics, techniques, and procedures. Each element plays a crucial role in defining the overall behavior of threat actors.
Tactics represent the high-level goals or objectives of an attacker, essentially answering the "why" behind their actions. These overarching goals drive every stage of an attack. For instance, attackers might aim to gain unauthorized access to a network, maintain persistence within a compromised system, escalate privileges to gain greater control, or exfiltrate sensitive data for financial or strategic gain. Each tactic reflects the strategic intent of an adversary, setting the stage for their methods and processes.
Techniques describe the specific methods used by attackers to achieve their tactical objectives. These are the "how" of an attack, detailing the approaches that adversaries leverage to breach defenses and fulfill their goals. For example, phishing emails that trick users into revealing credentials, exploiting software vulnerabilities to gain unauthorized access, or performing lateral movement to navigate through a network are all examples of techniques. Understanding these methods helps defenders pinpoint how attackers bypass security controls.
Procedures delve into the detailed steps or processes that attackers use to implement their techniques. These are the "what" of an attack and often include the exact tools, scripts, or configurations attackers employ. For instance, an attacker might use a phishing kit to automate the creation and distribution of fraudulent emails or deploy a specific malware payload through an exploit kit targeting known vulnerabilities. Procedures often reflect the operational capabilities and resources of an attacker, making them vital for incident response and forensic investigations.
In cybersecurity, TTPs are indispensable for understanding attacker behavior. They provide a structured framework for analyzing and anticipating threats. Frameworks like MITRE ATT&CK further enhance this understanding by systematically categorizing and tracking TTPs across various attack scenarios and stages.
2. How Do We Categorize Tactics, Techniques, and Procedures?
TTPs are systematically categorized using established frameworks that provide a common language for understanding and combating cyber threats. This structured approach ensures consistency in analyzing and communicating the behavior of adversaries.
MITRE ATT&CK is a widely adopted framework that focuses on mapping tactics and techniques to various stages of an attack. This comprehensive knowledge base identifies key attacker objectives, categorized under tactics, and the corresponding techniques used to achieve them. Examples of tactics in this framework include Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, and Exfiltration. Each tactic is further subdivided into techniques, which are granular actions or methods, such as phishing or exploiting public-facing applications. For even more specificity, techniques may include sub-techniques, such as spear-phishing as a variant of phishing.
Lockheed Martin’s Cyber Kill Chain is another influential framework that breaks down attacks into a sequential model. The stages include reconnaissance (gathering information about a target), weaponization (creating a payload or exploit), delivery (transmitting the payload to the target), exploitation (activating the payload), installation (deploying malware or backdoors), command and control (establishing communication with the compromised system), and actions on objectives (achieving the attacker’s end goal). This model emphasizes opportunities for detecting and disrupting an attack at each stage.
Categorization also occurs across several levels. At the highest level, tactics represent overarching goals. Techniques are grouped under these tactics based on their role in achieving specific objectives. Sub-techniques provide even greater granularity, distinguishing between variations of a technique, such as mass phishing versus spear-phishing. Procedures represent the most detailed level, focusing on the specific tools or processes used by attackers. For example, an attacker might use the Cobalt Strike tool for lateral movement, highlighting the procedural aspect of their operations.
Mapping TTPs to known threat actors adds another layer of utility. By analyzing patterns of behavior, organizations can attribute attacks to specific groups, such as APT29 or FIN7. For example, APT29 is known for leveraging spear-phishing as a means of Initial Access and deploying custom malware during the Execution phase. This attribution aids in developing targeted defense strategies, enabling organizations to prioritize mitigations against the TTPs most commonly used by specific adversaries.
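The four-level hierarchy from section 2 (tactic, technique, sub-technique, procedure) and the idea of attributing an observed set of techniques to a known group can be made concrete in a few lines of Python. The block below is an added example and not code from the post: the technique IDs and names are taken from the MITRE ATT&CK knowledge base, while the actor profiles are constructed for illustration (only the APT29 spear-phishing entry reflects what the post states) and are not real threat intelligence.

```python
"""Added example, not code from the post: a minimal model of the hierarchy
tactic -> technique -> sub-technique -> procedure, plus a simple overlap score
for attributing an observed set of techniques to known actors. Technique IDs
and names come from the MITRE ATT&CK knowledge base; the actor profiles are
constructed for illustration and are not real threat intelligence."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tid: str                 # ATT&CK ID; a dot marks a sub-technique ("T1566.001")
    name: str
    tactic: str              # the tactic it serves: the attacker's "why"
    procedures: tuple = ()   # concrete tools or steps observed: the "what"

    @property
    def parent(self) -> str:
        """Sub-technique 'T1566.001' rolls up to parent technique 'T1566'."""
        return self.tid.split(".")[0]


# Toy knowledge base covering the techniques named in the post.
KNOWLEDGE_BASE = {t.tid: t for t in [
    Technique("T1566", "Phishing", "Initial Access"),
    Technique("T1566.001", "Spearphishing Attachment", "Initial Access",
              ("phishing kit sends an invoice lure carrying malware",)),
    Technique("T1190", "Exploit Public-Facing Application", "Initial Access",
              ("SQL injection against a web application",)),
    Technique("T1547.001", "Registry Run Keys / Startup Folder", "Persistence",
              ("malicious executable placed in the Windows Startup folder",)),
    Technique("T1053.005", "Scheduled Task", "Persistence",
              ("schtasks creates a recurring job",)),
    Technique("T1003.001", "LSASS Memory", "Credential Access",
              ("Mimikatz reads credentials from memory",)),
    Technique("T1021.002", "SMB/Windows Admin Shares", "Lateral Movement",
              ("PsExec runs commands on remote hosts", "Cobalt Strike")),
    Technique("T1550.002", "Pass the Hash", "Lateral Movement"),
    Technique("T1567.002", "Exfiltration to Cloud Storage", "Exfiltration",
              ("stolen archive uploaded to Dropbox",)),
]}

# Constructed actor profiles (sets of technique IDs), NOT real intelligence.
ACTOR_PROFILES = {
    "APT29": {"T1566.001", "T1547.001", "T1003.001", "T1021.002"},
    "FIN7": {"T1566.001", "T1053.005", "T1567.002"},
}


def techniques_for_tactic(tactic: str) -> list:
    """Level 1 -> level 2: every technique and sub-technique under one tactic."""
    return sorted(t.tid for t in KNOWLEDGE_BASE.values() if t.tactic == tactic)


def drill_down(tid: str) -> dict:
    """Walk one ID through all four levels of the hierarchy."""
    t = KNOWLEDGE_BASE[tid]
    # If the parent technique is not in this toy knowledge base, fall back
    # to the entry's own name at the technique level.
    parent = KNOWLEDGE_BASE.get(t.parent)
    return {
        "tactic": t.tactic,
        "technique": parent.name if parent else t.name,
        "sub_technique": t.name if "." in t.tid else None,
        "procedures": list(t.procedures),
    }


def tactics_covered(observed: set) -> list:
    """Which stages of the attack the observed techniques account for."""
    return sorted({KNOWLEDGE_BASE[tid].tactic for tid in observed})


def score_attribution(observed: set, profiles: dict = ACTOR_PROFILES) -> list:
    """Jaccard overlap between the observed technique set and each actor
    profile, best match first. Overlap is a lead for analysts, not proof."""
    scores = []
    for actor, profile in profiles.items():
        union = observed | profile
        overlap = len(observed & profile) / len(union) if union else 0.0
        scores.append((actor, overlap))
    return sorted(scores, key=lambda s: s[1], reverse=True)


if __name__ == "__main__":
    # Techniques observed during a (constructed) incident.
    seen = {"T1566.001", "T1003.001", "T1021.002", "T1550.002"}
    print(drill_down("T1566.001"))
    print(tactics_covered(seen))
    print(score_attribution(seen))   # APT29 ranks first with 0.6
```

The Jaccard score is deliberately simple: it rewards shared techniques and penalises techniques that only one side has, which is enough to show why a single widely used technique (spear-phishing here, shared by both profiles) contributes little to attribution while a distinctive combination does.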
3. Examples of Tactics, Techniques, and Procedures
Real-world examples bring the concept of TTPs to life, demonstrating how they manifest during cyberattacks. Below are detailed examples categorized by tactic, technique, and procedure:
Tactic: Initial Access
Initial Access tactics involve the methods attackers use to gain their first foothold within a target system or network. A common technique under this tactic is phishing, where attackers send emails containing malicious links or attachments. For instance, an attacker might craft a realistic-looking invoice attachment embedded with malware. Another technique is exploiting public-facing applications, such as using SQL injection to breach a web application. An attacker might leverage this vulnerability to extract sensitive data or establish a backdoor for later use.
Tactic: Persistence
Persistence ensures that attackers can maintain their presence within a compromised environment despite reboots or user interventions. One common technique is using registry run keys or startup folders. For example, attackers might add a malicious executable to the Windows startup folder, ensuring that their malware runs each time the system starts. Another technique is leveraging scheduled tasks, where attackers use tools like schtasks to create recurring jobs that execute malicious payloads at specific intervals.
Tactic: Privilege Escalation
Privilege Escalation tactics involve gaining higher-level permissions on a system. A typical technique is exploiting vulnerabilities, such as leveraging privilege escalation flaws like CVE-2021-40449. Another prevalent technique is credential dumping, where attackers use tools like Mimikatz to extract sensitive credentials from system memory. These escalated privileges enable attackers to expand their control and access sensitive resources.
Tactic: Lateral Movement
Lateral Movement allows attackers to traverse a network, accessing additional systems and resources. A common technique is using remote services. For example, attackers might employ PsExec to execute commands on remote systems, moving laterally across the network. Another technique is Pass the Hash, which involves leveraging stolen NTLM hashes to authenticate to other systems without requiring plaintext credentials.
Tactic: Exfiltration
Exfiltration involves removing sensitive data from a target environment. Attackers might use the Exfiltration Over Web Services technique by uploading stolen data to cloud storage platforms like Dropbox. Alternatively, they might use encrypted channels, such as HTTPS, to exfiltrate data while evading detection by network monitoring tools.
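The examples above read top-down, from tactic to procedure. A detection engineer works in the opposite direction: a single host event (the procedure) must be mapped back to the technique it implements and the tactic it serves. The block below is an added example and not code from the post: it classifies constructed Sysmon/Windows-event-style log lines for the persistence, credential access, lateral movement and exfiltration procedures named in this section. Technique IDs are from the ATT&CK knowledge base; the hostnames, paths and field values are constructed.

```python
"""Added example, not code from the post: defender-side classification of
host telemetry. Each constructed Sysmon-style event line is matched against a
small rule set that names the ATT&CK technique it evidences and the tactic it
serves, so an analyst reads one event at the procedure, technique and tactic
levels. Technique IDs are from the ATT&CK knowledge base; the log lines,
hostnames and paths are constructed for this example."""
import re
from collections import defaultdict

# (tactic, technique ID, technique name, pattern over one event line)
RULES = [
    ("Persistence", "T1547.001", "Registry Run Keys / Startup Folder",
     re.compile(r"RegistryEvent.*\\CurrentVersion\\Run\\", re.I)),
    ("Persistence", "T1547.001", "Registry Run Keys / Startup Folder",
     re.compile(r"FileCreate.*\\Start Menu\\Programs\\Startup\\", re.I)),
    ("Persistence", "T1053.005", "Scheduled Task",
     re.compile(r"ProcessCreate.*schtasks(\.exe)?\s+/create", re.I)),
    ("Lateral Movement", "T1021.002", "SMB/Windows Admin Shares",
     re.compile(r"(ServiceInstall|ProcessCreate).*PSEXESVC", re.I)),
    ("Credential Access", "T1003.001", "LSASS Memory",
     re.compile(r"ProcessAccess.*TargetImage=\S*lsass\.exe", re.I)),
    ("Exfiltration", "T1567.002", "Exfiltration to Cloud Storage",
     re.compile(r"NetworkConnect.*DestinationHostname=\S*dropbox(api)?\.com", re.I)),
]

# Constructed events: field names follow Sysmon conventions, values are made up.
SAMPLE_EVENTS = [
    r'2024-05-07T10:01:12Z host=WS01 ProcessCreate Image=C:\Windows\System32\schtasks.exe CommandLine="schtasks /create /tn Updater /sc minute /tr C:\Users\Public\update.exe"',
    r"2024-05-07T10:01:40Z host=WS01 RegistryEvent EventType=SetValue TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"2024-05-07T10:02:05Z host=WS01 FileCreate TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice.exe",
    r"2024-05-07T10:05:33Z host=SRV02 ServiceInstall ServiceName=PSEXESVC ImagePath=C:\Windows\PSEXESVC.exe",
    r"2024-05-07T10:06:10Z host=SRV02 ProcessAccess SourceImage=C:\Users\Public\mk.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"2024-05-07T10:20:44Z host=SRV02 NetworkConnect Image=C:\Users\Public\sync.exe DestinationHostname=content.dropboxapi.com DestinationPort=443",
    r"2024-05-07T10:21:00Z host=WS01 ProcessCreate Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe",
]


def classify_event(line: str) -> list:
    """Return every {tactic, technique_id, technique} the line evidences,
    reporting each technique ID at most once per line."""
    hits, seen_ids = [], set()
    for tactic, tid, name, pattern in RULES:
        if tid not in seen_ids and pattern.search(line):
            seen_ids.add(tid)
            hits.append({"tactic": tactic, "technique_id": tid, "technique": name})
    return hits


def summarize_by_tactic(events: list) -> dict:
    """Roll matched events up to the tactic level: {tactic: [technique IDs]}.
    This is the view that tells a responder which stages of the attack the
    telemetry already shows, and which stages have no evidence yet."""
    by_tactic = defaultdict(set)
    for line in events:
        for hit in classify_event(line):
            by_tactic[hit["tactic"]].add(hit["technique_id"])
    return {tactic: sorted(ids) for tactic, ids in sorted(by_tactic.items())}


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        hits = classify_event(line)
        label = ", ".join(f'{h["tactic"]}/{h["technique_id"]}' for h in hits) or "no match"
        print(f"{line[:44]}...  -> {label}")
    print(summarize_by_tactic(SAMPLE_EVENTS))
```

Two rules map to the same technique ID (run key and Startup folder are both T1547.001), which is why the rule table carries the ID explicitly rather than deriving it from the pattern; the summary then shows both persistence techniques from the post side by side under one tactic. The benign notepad.exe event produces no match, illustrating that a rule set written at the procedure level only fires on the specific behaviour it describes.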
Conclusion
Understanding Tactics, Techniques, and Procedures (TTPs) is crucial in the ever-evolving landscape of cybersecurity. By analyzing TTPs, organizations gain deep insights into attacker behavior, enabling them to strengthen defenses and enhance incident response capabilities. Familiarity with frameworks like MITRE ATT&CK empowers security teams to systematically map and counteract TTPs, staying ahead of evolving threats. Readers are encouraged to explore these frameworks further, share their experiences with leveraging TTPs in threat detection, and ask questions about their practical application in diverse environments.