loading
Loading content
loading
Also known as TTPs
Tactics, techniques, and procedures (TTPs) describe adversary behavior at three levels of detail. A tactic is the goal for a phase of an attack, such as credential access or lateral movement. A technique is the method used to reach it, like dumping LSASS memory or abusing valid accounts. A procedure is the exact way one actor carries out the technique, down to the specific tool, command, and sequence they favor.
TTPs matter because behavior is harder to change than infrastructure. An attacker rotates domains and IPs cheaply, but the habits in how they move through a network persist across campaigns. Defenders who detect on TTPs catch the actor even after the obvious indicators change, which is why the analyst's pyramid puts behavior above artifacts.
The mitre att&ck framework catalogs tactics and techniques in a shared taxonomy, so teams describe a threat actor and its procedures in common terms. TTPs sit at the top of threat intelligence reporting, above the lower-level indicator of compromise that ages out quickly.
In Trickest you can map detection and validation workflows to specific techniques, then rerun them to confirm your controls still catch the behavior an actor relies on.
Related terms