There’s no shortage of confusing terminology and acronyms in the cybersecurity field. In this article, we’re looking at TTP. It’s not reserved for those who make a living defending against cybersecurity threats. It’s an acronym that everyone should know.
What Does TTP Mean in Cybersecurity?
TTP stands for tactics, techniques, and procedures. This acronym describes the behavior of a threat actor at three levels: the “why” (tactics), the “what” (techniques), and the “how” (procedures).
What are Tactics in Cybersecurity?
Tactics are the high-level plans describing what cybercriminals intend to achieve. They are the general strategies threat actors use to gain access to systems and information. Tactics answer the “why”: why a technique is being attempted and what the attack is meant to accomplish.
Why do they want access in the first place? A few examples might be:
- To gather your personal data to sell on the Dark Web.
- To remove your access to important resources to damage your finances or reputation.
- To use your confidential information for fraud, espionage, blackmail, etc.
What Are Techniques in Cybersecurity?
Techniques are the intermediate methods or tools a cybercriminal uses to breach your defenses. They give a more detailed description within the context of a tactic, and they answer the “what” of the attacker’s behavior.
They correspond to the major cyber threats, such as:
What Are Procedures in Cybersecurity?
Procedures are the lower-level, highly detailed steps cybercriminals follow to achieve their goals. They describe “how” the attacker will reach the desired result.
The steps may correspond to specific software vulnerabilities. An example of this type of exploitation is the Microsoft Exchange server elevation of privilege vulnerability. Another procedure might detail how they will take advantage of the gaps in your defenses.
MITRE is a not-for-profit organization that provides a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. They report that collecting and filtering data based on TTPs is an effective method for detecting malicious activity.
“This approach is effective because the technology on which adversaries operate (e.g., Microsoft Windows) constrains the number and types of techniques they can use to accomplish their goals post-compromise,” explains MITRE.
What is TTP Hunting?
In the world of cybersecurity, being proactive is a must to stay ahead of threat actors. Traditional security solutions include firewalls, endpoint detection, SIEMs, and the like; to get ahead of attackers, proactive tactics are needed as well.
Cyber threat hunting involves security analysts looking for potential cyber attacks by searching through networks or datasets to detect and respond to threats that avoid traditional security solutions.
Once threats are identified, a security plan is created to protect against them, and the analysts’ manual work feeds the development of automated alerts.
TTP hunting is a form of cyber threat hunting. Analysts focus on threat actor behaviors, attack patterns, and techniques. This process assists in predicting attacks by evaluating the trends of past cyber attacks to identify potential sources.
Tactics, Techniques, and Procedures (TTP) vs Indicators of Compromise (IoC)
TTPs shouldn’t be confused with Indicators of Compromise (IoC). TTPs describe what threat actors do and how they will do it. This offers the opportunity to proactively develop contextual understanding across incidents, threat actors, and campaigns.
TTPs define instances such as victim targeting (e.g., HR representatives of finance companies), attack patterns, and much more.
IoCs are reactive in nature. They are the breadcrumbs cybersecurity professionals see on a network or operating system that indicate an intrusion is occurring. They provide the opportunity for detection early in an attack sequence.
If cybercriminals were bank robbers, TTPs would be the strategies used to get inside the vault. IoCs are the things you can see that indicate they are there – such as a smashed lock or missing money.
Let’s demonstrate the difference between IoCs and TTPs during a phishing attack, where the attacker’s goal is to steal login credentials.
When IoCs are detected, they trigger incident response activities to protect valuable systems from threat actors. TTPs give the security team the information they need to protect all possible attack paths.
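As an added illustration that is not part of the original article, the Python sketch below contrasts the two approaches on constructed telemetry from a credential-phishing scenario: the IoC check only fires on a domain already on a blocklist, while the TTP rule keys on the behavior sequence (phishing link, credential form posted to the linked host, then a login from a new device) and therefore also catches a repeat of the same procedure on fresh infrastructure. The event fields, domains and time window are assumptions made for the example.

```python
from urllib.parse import urlparse

# Constructed sample telemetry (not from the article): the same credential-phishing
# procedure run twice, the second time on infrastructure nobody has blocklisted yet.
EVENTS = [
    {"t": 1, "user": "alice", "type": "mail", "url": "https://mai1-secure.example/login"},
    {"t": 2, "user": "alice", "type": "web", "url": "https://mai1-secure.example/login", "form_post": True},
    {"t": 3, "user": "alice", "type": "auth", "new_device": True},
    {"t": 10, "user": "bob", "type": "mail", "url": "https://portal-verify.example/sso"},
    {"t": 11, "user": "bob", "type": "web", "url": "https://portal-verify.example/sso", "form_post": True},
    {"t": 12, "user": "bob", "type": "auth", "new_device": True},
    {"t": 20, "user": "carol", "type": "mail", "url": "https://intranet.example/news"},
    {"t": 21, "user": "carol", "type": "web", "url": "https://intranet.example/news", "form_post": False},
]

# Indicator list: only the domain seen in the first campaign is known (constructed).
KNOWN_BAD_DOMAINS = {"mai1-secure.example"}


def host(url):
    return urlparse(url).hostname


def ioc_hits(events, bad_domains=KNOWN_BAD_DOMAINS):
    """IoC matching: fires only when an event touches an indicator we already know."""
    return {e["user"] for e in events if "url" in e and host(e["url"]) in bad_domains}


def ttp_hits(events, window=5):
    """Behavior matching: mail with a link, then a credential form posted to that
    same host, then a login from a new device, all for one user within `window`
    time units. No indicator is needed, so a campaign on new infrastructure fires."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["t"]):
        by_user.setdefault(e["user"], []).append(e)
    flagged = set()
    for user, evs in by_user.items():
        for i, mail in enumerate(evs):
            if mail["type"] != "mail":
                continue
            later = [e for e in evs[i + 1:] if e["t"] - mail["t"] <= window]
            posted = any(e["type"] == "web" and e.get("form_post")
                         and host(e["url"]) == host(mail["url"]) for e in later)
            new_login = any(e["type"] == "auth" and e.get("new_device") for e in later)
            if posted and new_login:
                flagged.add(user)
    return flagged
```

Running both detectors over the sample shows the gap the article describes: the IoC check flags only alice, while the TTP rule flags alice and bob and ignores carol’s benign intranet visit.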
Should SMBs Study TTPs?
Small and medium-sized businesses (SMBs) rarely employ a cybersecurity team. They would need to be larger to dedicate resources to studying current and emerging TTPs.
SMBs benefit from outsourcing this activity to a managed security service provider (MSSP). They can provide you with threat intelligence and threat detection services.
You will profit from a partnership with an experienced MSSP if you have yet to implement end-to-end strategies to improve your cybersecurity defenses. Use its experience to implement cybersecurity best practices, such as:
Many TTPs used by today’s cybercriminals target weak authentication and login mechanisms. MFA strengthens the authentication process by adding one or more extra layers of protection. This can block as much as 99.9 percent of identity attacks.
If your business is not considering outsourcing, you must ensure that essential cybersecurity solutions are in place.
Use this free guide to boost your business’s cybersecurity resilience. Set up a system that works today with solutions that can adapt to whatever tomorrow has in store.
Download your free guide for future-proof advice on what to consider when choosing an IT provider and how to obtain the services you need within your budget.