What Are TTPs?

Always Automate, Nothing To Manage

Always automated.

Nothing to manage.

Leave Training & Simulated Phishing to us.

Tactics, Techniques, and Procedures (TTPs) describe the methods, strategies, tools, and detailed actions that cyber threat actors use to launch attacks. TTPs provide a structured framework for understanding attacker behavior by breaking down attacks into component parts across three levels of granularity. Tactics are the high-level goals attackers pursue, such as gaining initial access or establishing persistence. Techniques are the specific methods used to achieve those tactical goals, such as phishing or exploiting vulnerabilities. Procedures are the detailed, step-by-step implementations including specific commands, tools, and scripts. According to the MITRE ATT&CK framework—the industry standard for TTPs—there are 14 tactics, 216 techniques, and 475 sub-techniques documented as of October 2025.

How do TTPs work in practice?

TTPs provide hierarchical structure from strategic objectives down to tactical execution details.

Tactics represent the high-level goals an attacker pursues during a cyber attack. MITRE ATT&CK defines 14 tactics covering all phases:

- Reconnaissance: gather information before the attack
- Resource Development: establish infrastructure and resources
- Initial Access: gain a foothold in the target environment
- Execution: run malicious code
- Persistence: maintain presence in the environment
- Privilege Escalation: obtain higher system privileges
- Defense Evasion: avoid or bypass security controls
- Credential Access: steal or compromise credentials
- Discovery: gather information about the target environment
- Lateral Movement: move deeper into the network
- Collection: gather data before exfiltration
- Command and Control: maintain C2 infrastructure
- Exfiltration: extract stolen data
- Impact: disrupt or destroy target systems

Techniques represent specific methods attackers use to implement tactics. Each technique has a detailed description, affected platforms including Windows, macOS, Linux, Cloud, and ICS, documented procedures used by known threat actors, detection methods, mitigation strategies, and data sources for detection. Examples include Phishing (Initial Access tactic) to trick users into revealing credentials, Scheduled Task/Job (Persistence tactic) using OS task scheduler for malware reactivation, Lateral Tool Transfer (Lateral Movement tactic) to move legitimate tools across network, Data Staged (Collection tactic) to prepare data for exfiltration, and HTTP(S) for C2 using web protocols for command and control communication.

Sub-techniques provide variations and specific implementations of techniques with different characteristics or tools. The MITRE ATT&CK framework includes 475 sub-techniques as of October 2025. Examples include Phishing technique subdivided into Malicious Link, Malicious Attachment, and other sub-techniques, and Command and Scripting Interpreter technique broken into PowerShell, Bash, Python, and other platform-specific sub-techniques.

Procedures represent detailed steps attackers follow, including specific commands executed, tools and malware used, scripts and code deployed, timing and sequencing of actions, and specific systems or protocols targeted. Procedures are the most specific level, documenting exactly how threat actors implement techniques in real attacks.

Attack chain mapping shows how TTPs relate to broader attack frameworks. The Cyber Kill Chain phases map to MITRE ATT&CK tactics as follows:

- Reconnaissance → Reconnaissance
- Weaponization → Resource Development
- Delivery → Initial Access
- Exploitation → Execution and Privilege Escalation
- Installation → Persistence
- Command and Control → Command and Control
- Actions on Objectives → Exfiltration and Impact

How do TTPs differ from other threat intelligence concepts?

| Feature | TTPs | IOCs (Indicators of Compromise) | Threat Signatures |
| --- | --- | --- | --- |
| Nature | Behavioral patterns and methods | Static, specific indicators | Detection rules for specific threats |
| Longevity | Long-term value—attackers reuse tactics | Short shelf life—infrastructure changes frequently | Limited to known malware variants |
| Scope | Applicable across multiple campaigns | Specific to individual incidents | Specific malware families |
| Application | Help predict and understand attack patterns | Help identify known attacks | Help detect known threats |
| Example | Using Scheduled Tasks for persistence (T1053.005) | Malicious IP address 192.168.1.100 | Signature for specific malware hash |
| Adaptability | Techniques persist across tool changes | Must be updated constantly | Requires updates for variants |
| Ideal for | Understanding attacker behavior and strategic defense | Detecting specific compromises | Blocking known malware |

The strategic difference between TTPs and IOCs: IOCs help detect specific attacks and provide forensic evidence, but TTPs help understand attacker behavior and predict future attacks. Threat actors change IOCs frequently—switching IP addresses, domains, and malware variants—but reuse tactics and techniques across campaigns. This makes TTPs more valuable for long-term threat intelligence and strategic security planning.

TTPs versus threat signatures represents behavior-based versus pattern-based detection. Signatures are static rules matching specific malware or attack patterns, requiring updates for variants and generating many false positives. TTPs describe behavior-based approaches to understanding attacks, remain applicable to variants and new attacks using same tactics, help organizations understand adversary goals, and enable proactive threat hunting beyond signature-based detection.
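To make the behavior-versus-pattern distinction in the table and the two paragraphs above concrete, here is an added Python example (not code from the original page or from Kinds Security) that runs an IOC check, a hash signature check, and a behavioral T1053.005 check over the same four constructed process-creation events. The second event is the same actor after swapping tool and C2 address: the IOC and signature checks go quiet while the behavioral check still fires. T1053.005 and 192.168.1.100 are the page's own examples; the hosts, task names, hashes, the 203.0.113.7 address, and the known-good task allowlist (standing in for the per-environment tuning baseline an organization would build) are constructed for this illustration.

```python
"""Behavior-based (TTP) detection beside IOC and signature matching on the same events.

Added illustration: events, hashes, task names and 203.0.113.7 are constructed.
"""
import re

# Constructed process-creation events in an EDR/Sysmon-like shape.
# 0: first campaign; 1: the same actor after swapping tool and C2 address;
# 2: a scheduled task IT creates on purpose; 3: unrelated benign activity.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /tr "C:\Users\Public\u.exe" /sc onlogon /ru SYSTEM',
     "sha256": "a" * 64, "remote_ip": "192.168.1.100"},
    {"host": "ws02", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "OneDriveSync" /tr "C:\Users\bob\AppData\Roaming\od.exe" /sc onstart',
     "sha256": "b" * 64, "remote_ip": "203.0.113.7"},
    {"host": "srv01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Corp-Backup" /tr "C:\Program Files\Backup\bk.exe" /sc onstart /ru SYSTEM',
     "sha256": "c" * 64, "remote_ip": ""},
    {"host": "ws03", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt", "sha256": "d" * 64, "remote_ip": ""},
]

# What was known after the first campaign (constructed values; the IP is the page's example).
KNOWN_BAD_IPS = {"192.168.1.100"}
KNOWN_BAD_HASHES = {"a" * 64}

# Tuning baseline: task names the organization creates itself (constructed).
KNOWN_GOOD_TASKS = {"corp-backup"}


def ioc_match(event, bad_ips=KNOWN_BAD_IPS):
    """IOC detection: exact match on a known-bad network indicator."""
    return event["remote_ip"] in bad_ips


def signature_match(event, bad_hashes=KNOWN_BAD_HASHES):
    """Signature detection: exact match on a known malware file hash."""
    return event["sha256"] in bad_hashes


# Matches "/opt", "/opt value" or '/opt "quoted value"'; a value never starts with "/".
_OPT = re.compile(r'/(\w+)(?:\s+(?:"([^"]*)"|([^/\s]\S*)))?')


def parse_schtasks(cmdline):
    """Return {option: value} for a schtasks command line ('' for bare switches)."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or "")
            for m in _OPT.finditer(cmdline)}


def ttp_match(event, known_good=KNOWN_GOOD_TASKS):
    """Behavioral check for T1053.005 (Scheduled Task persistence).

    Looks at what the task does, not at which binary or address is involved, so it
    still fires after the actor retools. Returns the reasons it fired ([] if it did not).
    """
    if not event["image"].lower().endswith("schtasks.exe"):
        return []
    opts = parse_schtasks(event["cmdline"])
    if "create" not in opts or opts.get("tn", "").lower() in known_good:
        return []
    reasons = []
    action = opts.get("tr", "").lower().replace("\\", "/")
    if any(p in action for p in ("/users/", "/appdata/", "/temp/", "/programdata/")):
        reasons.append("task runs a binary from a user-writable path")
    if opts.get("ru", "").upper() == "SYSTEM":
        reasons.append("task runs as SYSTEM")
    if opts.get("sc", "").lower() in {"onlogon", "onstart"}:
        reasons.append("task triggers at logon or boot")
    return reasons


def run_detectors(events=SAMPLE_EVENTS):
    """Run all three detectors over the events; one summary dict per event."""
    return [{"host": e["host"], "ioc": ioc_match(e), "signature": signature_match(e),
             "ttp": bool(ttp_match(e))} for e in events]


if __name__ == "__main__":
    for row in run_detectors():
        print(row)
```

Run it and the first event trips all three detectors, the retooled second event trips only the behavioral check, and the IT backup task stays silent only because of the allowlist: remove the allowlist and it fires on the SYSTEM-at-boot pattern, which is the false-positive and tuning problem the limitations section below describes.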

Why do TTPs matter for cybersecurity?

TTPs transformed how organizations approach threat intelligence and defense planning.

MITRE ATT&CK framework adoption made TTPs the industry standard. The framework contains 14 tactics covering all attack phases, 216 techniques with comprehensive documentation, 475 sub-techniques providing specific implementation details, 172 threat actor groups documented, 784 pieces of malware and tools cataloged, 52 notable campaigns documented, 691 detection strategies provided, 1,739 analytics (detection rules), and 106 data components for detection. This comprehensive documentation enables organizations to understand threat actor behavior systematically.

Industry adoption is universal. MITRE ATT&CK is adopted by US government including CISA, NSA, and military. It's integrated into critical infrastructure protection programs. It serves as de facto standard for threat intelligence across all sectors. SOCs, red teams, and incident responders globally use the framework. Security tool vendors integrate ATT&CK into their platforms.

2025 top TTPs reflect evolving threats. Data exfiltration via trusted services shows attackers using legitimate cloud platforms including Dropbox, Google Drive, and AWS to exfiltrate data and avoid detection. Ransomware and wiper operations involve encrypting or destroying data to extort victims and disrupt operations. Paste and Run attacks using ClickFix and FakeCAPTCHA trick users into copying and pasting malicious commands. User Execution: Malicious Copy and Paste (T1204.004) was added in March 2025, reflecting this emerging threat.

Threat hunting shifts from IOC-centric to behavior-centric approaches. Security teams are moving from static IOC-based hunting to MITRE ATT&CK-based hunting focused on behavior patterns. Behavior patterns are more enduring than specific indicators like IP addresses. This enables hunting for variants and novel attacks using known tactics. More effective detection of advanced persistent threats becomes possible when hunting for TTPs rather than just IOCs.

Detection engineering uses TTPs as foundation. Organizations create detection rules aligned to MITRE ATT&CK techniques. MITRE provides detection recommendations as starting points for custom rules. Detection coverage maps to techniques, revealing gaps in organizational defenses. Security teams prioritize closing gaps in detection of high-priority techniques relevant to their threat landscape.

What are the limitations of TTP-based approaches?

Despite significant advantages over IOC-based approaches, TTPs face practical constraints.

Framework limitations affect utility. Breadth versus specificity creates tension—MITRE ATT&CK covers broad techniques, but specific attacker tools and malware still require IOC-based detection. Update lag means new attack methods may emerge faster than MITRE ATT&CK updates can document them. Complexity overwhelms teams—216 techniques and 475 sub-techniques create overwhelming amounts of information to master. Organizational variation means techniques may manifest differently depending on organization, industry, and target systems.

Detection and response challenges complicate implementation. Many attack paths exist—same TTP can be implemented multiple ways, so single technique definition doesn't cover all variations. False positive risk occurs because many legitimate activities mimic attacker TTPs including running tasks and process execution. Tuning is required—organizations must customize TTP-based detection to their specific environment. Attacker adaptation means threat actors deliberately use techniques that blend with legitimate activity to evade detection.

Threat intelligence integration faces obstacles. Low confidence attribution—TTPs alone may not provide sufficient confidence for threat actor attribution. Regional and sector variation means techniques vary by threat actor, sector, and geography, so not all techniques apply to all organizations. Incomplete documentation occurs because some threat actor procedures are not fully documented in public sources. Emerging techniques take time to be classified and added to frameworks, creating temporary blind spots.

Operational implementation requires resources. Training requirements mean security teams need training to effectively use MITRE ATT&CK framework. Tool integration varies—not all security tools deeply integrate with MITRE ATT&CK. Resource intensive analysis—comprehensive TTP-based threat hunting requires skilled analysts. Constant change means threat landscape evolves faster than detection capabilities can be updated.

How should organizations use TTPs?

Effective TTP utilization requires framework adoption, detection engineering, and threat hunting programs.

TTP-based detection program

Implement MITRE ATT&CK as organizational standard for describing and analyzing TTPs. Train security team on framework structure, tactics, and techniques. Map organizational threats to MITRE ATT&CK tactics and techniques relevant to your environment. Maintain mapping between threat intelligence and framework, updating as threat landscape evolves.

Collect threat intelligence on relevant threat actors targeting your industry and geography. Document techniques used by threat actors in your threat model. Track TTP changes and evolution over time to adapt defenses. Share TTP-based intelligence with entire organization for coordinated defense.

Create detection rules aligned to MITRE ATT&CK techniques rather than only IOCs. Use MITRE ATT&CK detection recommendations as starting point for custom rules. Customize detection for organizational context—same technique may manifest differently in your environment. Prioritize detection of high-impact techniques including lateral movement and exfiltration.

Structure threat hunts around MITRE ATT&CK tactics and techniques. Develop hunt hypotheses based on relevant threat actors targeting your sector. Search for technique variants and implementation variations. Use detection recommendations in MITRE ATT&CK as hunt guidance. Document hunt results and create permanent detections from successful hunts.

Security control mapping to TTPs

Identify techniques that should be prevented or made difficult to execute through preventive controls. Examples include MFA preventing credential access exploitation and network segmentation preventing lateral movement. Map security controls to the MITRE ATT&CK techniques they address to identify gaps.

Create detection rules for each high-risk technique relevant to your threat landscape. Monitor for technique execution with appropriate logging and visibility. Examples include monitoring for Scheduled Task creation, Registry modifications, and network connections matching C2 patterns.

Develop incident response procedures for key TTPs including containment, remediation, and hunting procedures. Include specific guidance for techniques commonly used by threat actors in your industry. Train teams on response to relevant techniques.

Tools and integration

Use MITRE ATT&CK Navigator to visualize threat actor TTPs and organizational detection capabilities. Map organizational detection to techniques, revealing coverage gaps. Prioritize gap remediation based on threat relevance and business impact.
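The coverage mapping described above, and the tactic-technique-sub-technique roll-up from the "How do TTPs work" section, as an added Python example (not code from the page, from Kinds Security, or from MITRE). The technique IDs and names are real ATT&CK identifiers; the actor profile, rule inventory, tactic priorities, and the Navigator layer field names (techniqueID, score, domain) are assumptions made for this illustration, and the layer keys should be checked against the current Navigator layer file format before loading a generated layer. A rule written against a parent technique is treated as covering every sub-technique under it, while a rule on one sub-technique covers only that one, which is what makes the T1566.002 gap show up when only a T1566.001 rule exists.

```python
"""Map detection rules and an actor's TTPs onto ATT&CK techniques and report gaps.

Added illustration. Technique IDs and names are real ATT&CK identifiers; the actor
profile, rule inventory and tactic priorities are constructed for this example.
"""
import json

# Minimal technique catalog: id -> (name, tactic). A sub-technique ID has the form
# parent.sub (T1053.005 rolls up to T1053). Deliberately a tiny subset of ATT&CK.
CATALOG = {
    "T1566":     ("Phishing", "initial-access"),
    "T1566.001": ("Spearphishing Attachment", "initial-access"),
    "T1566.002": ("Spearphishing Link", "initial-access"),
    "T1059":     ("Command and Scripting Interpreter", "execution"),
    "T1059.001": ("PowerShell", "execution"),
    "T1204.004": ("User Execution: Malicious Copy and Paste", "execution"),
    "T1053":     ("Scheduled Task/Job", "persistence"),
    "T1053.005": ("Scheduled Task", "persistence"),
}

# Constructed threat-actor profile (not a real group) and constructed rule inventory.
ACTOR_TTPS = ["T1566.002", "T1204.004", "T1059.001", "T1053.005"]
DETECTION_RULES = {
    "rule-schtasks-create":    ["T1053.005"],
    "rule-powershell-encoded": ["T1059.001"],
    "rule-phish-attachment":   ["T1566.001"],
}
# Constructed priorities: the tactics the page says attackers must pass through.
PRIORITY_TACTICS = ("initial-access", "persistence", "command-and-control")


def parent_of(technique_id):
    """'T1053.005' -> 'T1053'; a parent technique is its own parent."""
    return technique_id.split(".")[0]


def covered_techniques(rules, catalog=CATALOG):
    """Technique IDs the rule set covers. A rule on a parent technique is taken to
    cover all of its sub-techniques; a rule on one sub-technique covers only that one."""
    direct = {tid for tids in rules.values() for tid in tids}
    return direct | {tid for tid in catalog if parent_of(tid) in direct}


def coverage_report(actor_ttps, rules, catalog=CATALOG):
    """Split an actor's TTPs into covered techniques and gaps, keeping input order."""
    covered = covered_techniques(rules, catalog)
    report = {"covered": [], "gaps": []}
    for tid in actor_ttps:
        name, tactic = catalog[tid]
        bucket = "covered" if tid in covered else "gaps"
        report[bucket].append((tid, name, tactic))
    return report


def prioritized_gaps(report, priority_tactics=PRIORITY_TACTICS):
    """Gaps in priority tactics first, then the rest, so remediation starts where it matters."""
    return sorted(report["gaps"], key=lambda g: (g[2] not in priority_tactics, g[0]))


def navigator_layer(report, name="coverage-vs-actor"):
    """Minimal ATT&CK Navigator layer dict: score 2 = covered, 0 = gap (key names assumed)."""
    techniques = [{"techniqueID": tid, "score": 2, "comment": f"covered: {nm}"}
                  for tid, nm, _ in report["covered"]]
    techniques += [{"techniqueID": tid, "score": 0, "comment": f"GAP: {nm}"}
                   for tid, nm, _ in report["gaps"]]
    return {"name": name, "domain": "enterprise-attack", "techniques": techniques}


if __name__ == "__main__":
    rep = coverage_report(ACTOR_TTPS, DETECTION_RULES)
    for tid, nm, tactic in prioritized_gaps(rep):
        print(f"GAP  {tid:<10} {nm} [{tactic}]")
    print(json.dumps(navigator_layer(rep), indent=2))
```

With the constructed inventory the report lists T1566.002 and T1204.004 as gaps, ordered so the initial-access gap comes first; replacing the attachment-only phishing rule with one mapped to the parent T1566 closes the T1566.002 gap without touching the other entries.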

Integrate threat actor TTP information into threat intelligence platforms. Map indicators to techniques for context—knowing the technique provides insight into attacker objectives. Track TTP evolution over time to adapt defenses as threat actors evolve.

Build detection rules aligned to MITRE ATT&CK in SIEM and EDR platforms. Use detection recommendations as foundation for custom rules. Customize for organizational environment and threat landscape. Test and tune detection rules to minimize false positives while maintaining coverage.

FAQs

What's the difference between TTPs and IOCs?

IOCs (Indicators of Compromise) are specific, static indicators like malicious IP addresses or file hashes that identify known attacks. TTPs are behavioral patterns and methods attackers use that persist across campaigns. IOCs help detect specific attacks but change frequently as attackers switch infrastructure. TTPs have longer shelf life and help predict and understand attack patterns across multiple incidents. Use both approaches: IOCs for immediate detection of known threats, TTPs for strategic understanding and proactive threat hunting.

Why should we use MITRE ATT&CK?

MITRE ATT&CK provides standardized language for discussing threats across teams and organizations. It helps organizations prioritize detection efforts based on relevant threat actors. It enables better threat hunting by focusing on attacker behaviors rather than just signatures. It facilitates communication between security teams, with vendors, and across organizations. It's become the industry standard—learning it once applies across all organizations and tools.

How do we use TTPs for threat hunting?

Map relevant threat actors to their documented TTPs in MITRE ATT&CK. Search for indicators of those techniques in your environment using SIEM, EDR, and log data. For example, if a threat actor commonly uses Scheduled Tasks for persistence (T1053), hunt for suspicious scheduled task creation in your environment. Use MITRE ATT&CK detection recommendations to guide your search queries. Create permanent detections from successful hunts to prevent future need to re-hunt same pattern.

Can we prevent all TTPs?

No, but you can make high-impact techniques difficult to execute successfully. Focus on preventing techniques attackers must use including initial access, persistence, and C2. Some techniques may require detection-focused approach because prevention isn't feasible without impacting business operations. Prioritize based on your organizational risk and specific threat actors targeting you. Use defense-in-depth—combine prevention where possible with detection for techniques you cannot prevent.

How often should we update our TTP-based detections?

MITRE ATT&CK updates regularly with new techniques and threat actor documentation. Review framework updates quarterly and assess impact on your organization. Update detections when new techniques relevant to your threats emerge, threat actor TTPs change based on intelligence, your environment changes in ways affecting technique manifestation, or detection gaps are discovered through incidents or threat hunting. Maintain continuous improvement cycle rather than treating TTP detection as one-time implementation.

© 2026 Kinds Security Inc. All rights reserved.