In our earlier blogs, we spoke about threat actors, their motivations, and the attack surfaces they use to mount an attack. But how do they gain entry, and what do they gain or achieve? And most importantly, how do the good guys (read: cybersecurity professionals) figure out their modus operandi and stop them? Here comes a concept that cybersecurity borrowed from the military: TTPs (Tactics, Techniques and Procedures).
In a military context, TTPs encompass a wide range of operational aspects, including offensive and defensive tactics, maneuvering formations, communication protocols, intelligence gathering and analysis techniques, equipment usage, and more.
They serve as a guide for commanders and units to achieve their mission objectives efficiently and safely. TTPs are developed based on experience, lessons learned, and best practices, and they provide a standardized framework for executing operations effectively.
In the context of cybersecurity, Tactics, Techniques, and Procedures (TTPs) refer to the methods, strategies, and procedures used by threat actors or cybersecurity professionals to carry out or defend against cyber attacks. TTPs are valuable for understanding and analyzing the behavior of attackers, identifying patterns, and developing effective defense mechanisms.

Let's break these concepts up:
Tactics
Tactics refer to the high-level objectives and goals of a cyber attack. They represent the overarching strategies employed by threat actors to achieve their desired outcomes.
For example, gaining unauthorized access to systems, exfiltrating sensitive data, disrupting services through denial-of-service attacks, or spreading malware would each be a tactic.
Techniques
Techniques are the specific methods and tools utilized to execute the tactics.
They encompass the technical aspects of the attack, such as exploiting software vulnerabilities, social engineering, phishing, brute-forcing passwords, network reconnaissance, or using command and control infrastructure.
Techniques often evolve as new vulnerabilities are discovered or new attack vectors emerge.
Procedures
Procedures outline the step-by-step processes and sequences followed during an attack or defense. They provide a detailed breakdown of how threat actors or cybersecurity professionals carry out specific actions.
For example, an attack procedure might include reconnaissance, initial access, privilege escalation, lateral movement, and data exfiltration.
On the defensive side, procedures might involve incident response workflows, vulnerability patching processes, or network monitoring and detection methods.
When we stitch all of them together, let's take the example of a phishing scenario.
As a tactic, an attacker might aim to trick individuals into revealing sensitive information, such as login credentials or financial details. To pursue it, the attacker might deploy a technique: sending personalised and highly targeted phishing emails to specific individuals within an organisation to increase the chances of success.
In order to weaponise the technique, the attacker would carry out a series of steps and actions, which we term procedures. The first would be reconnaissance: for example, conducting research to gather information about the target individuals, their roles, and the organisation's structure.
Then the attacker might create a convincing and personalised email that appears to be from a trusted source, such as a colleague, a superior, or a reputable company. The email often includes a sense of urgency or a compelling reason to click on a link or open an attachment. Further steps would continue until the information is exfiltrated from the organisation.
Analysing TTPs helps in identifying indicators of compromise (IOCs), detecting patterns of malicious behaviour, and sharing threat intelligence to enhance the overall cybersecurity posture of any organisation.
Cybersecurity professionals, aka the defenders, must study, analyse and understand TTPs to develop effective defence strategies, create detection mechanisms, and improve incident response capabilities.
Cybersecurity requires a continuous understanding of the attacker and their strategies, in the form of the TTPs they use to attack the organisation.
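To show how the phishing scenario above turns into something a defender can act on, here is an added example (not code from the original post) that scans constructed mail-gateway events for the procedure steps the post describes (a sender domain that imitates the organisation's own, an urgency lure, a link that leads outside the organisation), and, when enough of them co-occur, records a finding labelled with the tactic and technique plus the IOCs it extracted, ready to be shared as threat intelligence. The event records, the domain names and the dictionary schema of the shared record are all constructed for the example.

```python
"""Added example: map observed phishing indicators in mail events to
tactic / technique / procedure labels and extract IOCs. Not from the
original post; all data below is constructed."""
import re
from dataclasses import dataclass

# Constructed mail-gateway events (invented addresses, .test/.com domains are placeholders).
ORG_DOMAIN = "example-corp.com"
SAMPLE_EVENTS = [
    {"id": "m1", "from": "ceo@examp1e-corp.com", "to": "finance@example-corp.com",
     "subject": "URGENT: wire transfer needed before 5pm",
     "body": "Please log in at http://login-example-corp.evil.test/verify to approve immediately."},
    {"id": "m2", "from": "hr@example-corp.com", "to": "staff@example-corp.com",
     "subject": "Monthly newsletter",
     "body": "Here is the newsletter for this month."},
]

URGENCY = re.compile(r"\b(urgent|immediately|asap|before \d+\s?(am|pm))\b", re.I)
URL = re.compile(r"https?://[^\s]+")


@dataclass
class TTPFinding:
    event_id: str
    tactic: str            # the attacker's goal (post's "tactic")
    technique: str         # the method used (post's "technique")
    procedure_steps: list  # the concrete indicators observed (post's "procedure")
    iocs: list             # (type, value) pairs worth sharing


def lookalike_domain(sender_domain, org_domain):
    """Crude impersonation check: same length as the org domain and
    differing in at most two characters (e.g. 'l' swapped for '1')."""
    if sender_domain == org_domain or len(sender_domain) != len(org_domain):
        return False
    return sum(a != b for a, b in zip(sender_domain, org_domain)) <= 2


def analyse_event(event, org_domain=ORG_DOMAIN):
    """Return a TTPFinding when two or more procedure steps are observed, else None."""
    sender_domain = event["from"].split("@")[-1].lower()
    steps, iocs = [], []

    if lookalike_domain(sender_domain, org_domain):
        steps.append("impersonation: sender domain resembles the organisation's domain")
        iocs.append(("sender-domain", sender_domain))

    if URGENCY.search(event["subject"]) or URGENCY.search(event["body"]):
        steps.append("urgency lure in subject or body")

    for url in URL.findall(event["body"]):
        host = url.split("/")[2].lower()
        if not host.endswith(org_domain):
            steps.append("link to a host outside the organisation")
            iocs.append(("url", url))

    # A single indicator is weak evidence; require two to reduce false positives.
    if len(steps) >= 2:
        return TTPFinding(event["id"], "credential theft", "targeted phishing email", steps, iocs)
    return None


def analyse(events=SAMPLE_EVENTS):
    """Run the check over all events and keep only the findings."""
    return [f for f in (analyse_event(e) for e in events) if f]


def to_threat_intel(finding):
    """Constructed sharing schema: tactic, technique, observed procedure and IOCs."""
    return {
        "tactic": finding.tactic,
        "technique": finding.technique,
        "procedure": finding.procedure_steps,
        "iocs": [{"type": t, "value": v} for t, v in finding.iocs],
    }


if __name__ == "__main__":
    for finding in analyse():
        print(to_threat_intel(finding))
```

Only the first event trips the rule: its sender domain differs from the organisation's by one character, it carries an urgency lure, and its link points outside the organisation. The newsletter produces no finding, which is the point of requiring several procedure steps to co-occur rather than alerting on any one of them.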