How To Choose Your Tactics, Techniques, And Procedures (TTPs) In Cyber?

ttp cyber
Share article
twitter linkedin medium facebook

The concept of ‘Tactics, Techniques, and Procedures’ has become a useful way of framing the overall approach that a cyber attacker takes when they are attempting to breach your systems. The military first came up with the concept of TTP to describe the behaviors and methods that an adversary uses in warfare, and with cybersecurity being an ongoing battle, TTP cyber seems like an appropriate way of describing the behaviors and methods that bad actors take, too.

What’s the point of yet another abbreviation?

Good question! There are already so many of them aren’t there? The point with this one is that grouping the behaviors of adversaries helps us to identify the threat actor or group responsible and also create better defenses.

What does TTP mean?

The National Institute of Standards and Technology (NIST) breaks down TTP cyber like this:

  • Tactic: The highest-level description of the behavior.
  • Technique: Provides a more detailed description of the behavior in the context of a tactic.
  • Procedure: Provides a lower-level, highly detailed description of the behavior in the context of a technique.

Since that still sounds a bit vague, let’s look closer.

TTP Cyber: Tactics

One general definition of the word ‘tactic’ is:

An action or strategy that is carefully planned to achieve a specific end. In a TTP cyber context, tactics are the general, high-level goals or objectives that an adversary seeks to achieve by using specific techniques.

These could be things like:

  • stealing your customers’ personal data to commit fraud or damage your reputation.
  • stealing your proprietary business information to benefit a competitor.  
  • disrupting your systems until you pay the attacker a ransom.
  • disrupting your systems for ideological or political reasons.

TTP Cyber: Techniques

If tactics describe what the threat actor wants to do and why they want to do it, TTP cyber techniques refer to the technological methods that they use to achieve that aim. For instance, to take the first example from the list above, when the tactic is stealing your customers’ personal data to defraud them, a specific technique used could be web skimming.

TTP Cyber: Procedures

At the level of the procedures, the descriptions become step-by-step guides to how an attack is carried out.

Example: web skimming

Here’s how we can describe a web skimming attack in terms of TTP Cyber:


The attacker’s overall goal is to steal the sensitive data that customers enter into your web forms when they make a purchase. They focus on capturing payment details like credit card numbers, CVV codes, billing addresses, personal information like names, addresses, email addresses, phone numbers, and login credentials such as usernames and passwords.


The techniques part of their TTP cyber security profile could involve injecting malicious scripts into the website’s code. They might use a form-jacking script to capture data submitted through website forms, disguising it as legitimate code. They might leverage a compromised 404 error page (shown when a requested resource can’t be found) to inject the skimming code and hide their activity or use an invisible iFrame to trick users into entering their details.

Another approach would be to exploit vulnerabilities in the third-party apps, scripts, or libraries that the website relies on for functionality, in other words, launch a supply chain attack. These involve compromising legitimate software or service providers to inject malicious code into the website that’s using them.

In each case, the attacker stealthily collects sensitive user data entered in form fields and transmits it to a server they control.


Breaking this down further, the step-by-step procedures that attackers use might include:

Breach: Attackers gain access to a website’s server, or third-party applications used by the site. This can be achieved through vulnerabilities, configuration errors, or brute-force attacks.

Injection: Malicious code, often JavaScript (JS), is inserted into the website’s payment or checkout page, either directly or through compromised third-party applications.

Data Collection: The malicious script captures sensitive information entered by users in website forms. This could include credit card details, personal information, and login credentials.

Data Exfiltration: The stolen data is then sent to a server controlled by the attacker. This can happen in various ways, like directly transmitting the data or storing it temporarily on the compromised server for later retrieval.

We could obviously go into detail to explain exactly how the malicious scripts are injected or how the exfiltrated data is hidden within legitimate traffic, but that would probably be too granular for this kind of general overview. Suffice it to say that detailed TTP cyber analysis can help to identify a particular attacker, and not only that but also help you with developing more effective defensive strategies, detecting and responding to attacks, and improving your overall cybersecurity posture.

What to do with TTP intelligence

TTP analysis is an ongoing process because threat actors’ tactics, techniques, and procedures for penetrating defenses and evading detection keep evolving. Because TTPs change and adapt, various frameworks and methodologies, such as MITRE ATT&CK, have been developed to standardize and structure TTP cyber analysis, and anyone can use them.

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base that provides a comprehensive overview of the TTPs used by various cyber adversaries.

It serves as a comprehensive repository of threat intelligence, cataloging the known TTPs employed by various threat actors. This helps security teams understand the modus operandi of different adversaries and stay informed about the latest attack trends and methodologies.

It provides a structured framework for mapping adversary behaviors to specific phases of the cyber-attack lifecycle for better detection and response strategies.

It also serves as a valuable resource for those hunting threats and responding to incidents. By understanding the TTPs associated with different threat groups, they can better identify and analyze potential indicators of compromise (IOCs) and develop targeted hunting techniques.

How Reflectiz Can Help

Reflectiz can help you to gather information about such attacks and enhance your own security posture. Once you have our continuous monitoring platform up and running, it constantly looks for actions and behaviors that deviate from the acceptable norms which you will have helped to establish during the discovery phase. This is when the Reflectiz solution maps your entire digital ecosystem and works with you to establish a baseline for which behaviors are acceptable and which are not, according to your risk appetite.

Thereafter, each time Reflectiz records suspicious behaviors and events like data exfiltration attempts, web skimming attempts, key logging attempts, and so on, it doesn’t just protect your systems. It also provides you with the kind of valuable information that will take your TTP analysis efforts to the next level. For complete visibility and protection of your entire digital ecosystem, sign up with Reflectiz today.

Subscribe to our newsletter

Stay updated with the latest news, articles, and insights from Reflectiz.

Your Website looks great!

But what’s happening behind the scenes?

Discover your website blind spots and vulnerabilities before it’s too late!

Try for free