Tactics, Techniques, and Procedures (TTP)

24th June 2021 | Cybrary



Tactics, Techniques, and Procedures (TTP) is the method used by IT and military professionals to determine the behavior of a threat actor (hacker). These three elements help you understand your adversaries better. While each element is important by itself, studying all three together makes attacks easier to hunt down, identify, and neutralize. Knowing a hacker’s TTPs can help you identify attacks early, enabling you to neutralize them before significant damage is done. Read on for detailed descriptions of each component:

  • Tactics – Generic, beginning-to-end strategies hackers follow to accomplish their goals. This is the “what”: the goal of a cyberattack. Hackers often steal critical data to monetize via online dark web forums.
  • Techniques – Non-specific, common methods or tools that a criminal will use to compromise your information. This is the “how”: the way cyberattacks are conducted. An example would be phishing users via email attachments or malicious links.
  • Procedures – Step-by-step orchestration of an attack. Procedures are often the best way to profile an attacker. Various hacking groups follow common procedures such as reconnaissance, then enumeration, then attack.

What does this mean for an SMB?

Few SMBs have security staff or IT staff with time to study TTPs. The reality is you have to prepare for the worst and hope for the best. Follow the best practices below to prepare for the worst. However, if you really want to understand TTPs and learn how to leverage this methodology to protect yourself, read on.

Studying TTPs helps your IT organization understand how hackers plan and execute their attacks. According to TrustNetInc, as a TTP goes through its life cycle, your IT staff should take the following actions:

  • Upon recognizing a possible attack, prioritize its risk level and decide if it’s similar to other incidents that IT has seen before and is already aware of.
  • Using this knowledge, focus your actions appropriately.
  • Identify possible attack vectors.
  • Supplied with this intelligence, determine which systems are most likely to be attacked.
  • Defend against the expected attacks using monitoring, mitigation, and neutralization procedures of your own.
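
The sketch below is an added example, not CyberHoot or TrustNetInc code. It applies the triage steps above to the procedure named earlier (reconnaissance, then enumeration, then attack): alerts are grouped per source, scored by how far they follow that procedure in order, and the systems touched are listed. The alert format, stage labels, host names, and addresses are constructed assumptions.

```python
from collections import defaultdict

# Procedure named on the page: reconnaissance, then enumeration, then attack.
PROCEDURE = ["reconnaissance", "enumeration", "attack"]

# Constructed sample alerts: (time, source, target system, stage). Not real data.
ALERTS = [
    (1, "198.51.100.7", "web01", "reconnaissance"),
    (2, "203.0.113.9", "mail01", "reconnaissance"),
    (3, "198.51.100.7", "web01", "enumeration"),
    (4, "198.51.100.7", "db01", "enumeration"),
    (5, "203.0.113.9", "mail01", "attack"),  # no enumeration seen first
    (6, "198.51.100.7", "db01", "attack"),
]

def procedure_progress(stages, procedure=PROCEDURE):
    """Count how many steps of `procedure` occur, in order, within `stages`."""
    idx = 0
    for stage in stages:
        if idx < len(procedure) and stage == procedure[idx]:
            idx += 1
    return idx

def triage(alerts, procedure=PROCEDURE):
    """Group alerts per source, score procedure progress, list likely targets."""
    by_source = defaultdict(list)
    for _ts, source, target, stage in sorted(alerts):  # time order
        by_source[source].append((target, stage))
    report = []
    for source, events in by_source.items():
        progress = procedure_progress([stage for _, stage in events], procedure)
        report.append({
            "source": source,
            "progress": progress,                      # risk priority
            "complete": progress == len(procedure),    # matches known procedure
            "targets": sorted({t for t, _ in events}), # systems to defend first
        })
    # Sources furthest along the known procedure are handled first.
    report.sort(key=lambda r: (-r["progress"], r["source"]))
    return report

if __name__ == "__main__":
    for row in triage(ALERTS):
        print(row)
```

A source that has completed the whole procedure in order ranks above one that only shows isolated stages, which mirrors the prioritization step in the list above.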

I don’t have time to study hacker TTPs. What should I do instead?

It may be easier and more effective to simply adopt the following best practices to protect your business.  Doing these things will reduce your chances of being a victim of cyberattacks. CyberHoot recommends every business:

Start building your robust, defense-in-depth cybersecurity plan today with CyberHoot.

Sources: 

NIST

TrustNetInc

Additional Reading:

Operations in Ukraine, Other Countries Help US Army Develop Cyber Teams

Related Terms:

Hackers

Risk Management

Risk Assessment
