Glossary
What Are TTPs?
TTPs — tactics, techniques, and procedures — describe how a threat actor operates: the goals they pursue (tactics), the methods they use (techniques), and the specific way they execute them (procedures). Because TTPs are harder to change than tools or domains, they are the most durable way to track an adversary.
The three levels
Tactics are the adversary's objectives at each stage of an intrusion. Techniques are the general methods used to meet those objectives. Procedures are the precise, observed implementations — the exact commands, sequences, and tooling a specific actor favours. Together they form a fingerprint of behaviour rather than of artefacts.
Why TTPs beat indicators
An attacker can rotate a domain in minutes and a malware hash in hours, but changing how they operate is expensive and slow. The Pyramid of Pain captures this: detecting on TTPs hurts an adversary far more than blocking an IP, because it forces them to relearn their craft.
From behaviour to hunting
Tracking an actor by TTPs means recognising the same behaviour across campaigns even when the infrastructure changes — then pivoting from that recognition into the new infrastructure the behaviour reveals.
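The contrast drawn in the two passages above (indicators rotate, procedures persist, and the persisting behaviour is what you pivot from) can be shown concretely. The script below is an added example written for this glossary entry; it is not code from the original page or from any named product. It runs two rules over constructed telemetry: an indicator rule keyed on a known domain and file hash, and a behaviour rule keyed on an ordered sequence of event types on one host. Every host name, event type label, domain and hash is invented for the example, and the four-step procedure is a placeholder for whatever sequence an analyst has actually observed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Two intrusions by the same
# hypothetical actor: the domain and file hash are rotated between them, but
# the procedure, the ordered sequence of event types on one host, is not.
# Event type names are generic labels chosen for this example.
EVENTS = [
    # first campaign
    {"ts": "2024-03-01T09:00:00", "host": "ws-01", "type": "document_opened", "hash": "aaaa1111"},
    {"ts": "2024-03-01T09:00:05", "host": "ws-01", "type": "script_host_spawned", "hash": "aaaa1111"},
    {"ts": "2024-03-01T09:00:09", "host": "ws-01", "type": "scheduled_task_created"},
    {"ts": "2024-03-01T09:00:12", "host": "ws-01", "type": "outbound_connection", "domain": "update-cdn-one.example"},
    # second campaign, six weeks later: new domain, new hash, same procedure
    {"ts": "2024-04-15T14:30:00", "host": "ws-07", "type": "document_opened", "hash": "bbbb2222"},
    {"ts": "2024-04-15T14:30:04", "host": "ws-07", "type": "script_host_spawned", "hash": "bbbb2222"},
    {"ts": "2024-04-15T14:30:10", "host": "ws-07", "type": "scheduled_task_created"},
    {"ts": "2024-04-15T14:30:13", "host": "ws-07", "type": "outbound_connection", "domain": "sync-mirror-two.example"},
    # benign noise: a lone scheduled task on an unrelated host
    {"ts": "2024-04-15T15:00:00", "host": "ws-03", "type": "scheduled_task_created"},
]

# Indicators known from the first campaign (placeholder values).
KNOWN_DOMAINS = {"update-cdn-one.example"}
KNOWN_HASHES = {"aaaa1111"}

# The observed procedure, expressed as an ordered list of event types that
# must all occur on one host within WINDOW of the first step.
PROCEDURE = ["document_opened", "script_host_spawned",
             "scheduled_task_created", "outbound_connection"]
WINDOW = timedelta(seconds=60)


def indicator_hits(events, domains=KNOWN_DOMAINS, hashes=KNOWN_HASHES):
    """Hosts with an event matching a known domain or hash (the low rungs of the pyramid)."""
    return sorted({e["host"] for e in events
                   if e.get("domain") in domains or e.get("hash") in hashes})


def behaviour_hits(events, procedure=PROCEDURE, window=WINDOW):
    """Hosts on which the procedure's event types appear in order within `window`."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_host[e["host"]].append(e)
    hits = set()
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            if first["type"] != procedure[0]:
                continue
            t0 = datetime.fromisoformat(first["ts"])
            step = 1
            for e in evs[i + 1:]:
                if datetime.fromisoformat(e["ts"]) - t0 > window:
                    break  # sequence did not complete inside the window
                if e["type"] == procedure[step]:
                    step += 1
                    if step == len(procedure):
                        hits.add(host)
                        break
            if host in hits:
                break
    return sorted(hits)


def pivot_infrastructure(events, hosts, known_domains=KNOWN_DOMAINS, known_hashes=KNOWN_HASHES):
    """On hosts flagged by behaviour, collect indicators not already known: the pivot."""
    flagged = set(hosts)
    new = {"domains": set(), "hashes": set()}
    for e in events:
        if e["host"] not in flagged:
            continue
        if "domain" in e and e["domain"] not in known_domains:
            new["domains"].add(e["domain"])
        if "hash" in e and e["hash"] not in known_hashes:
            new["hashes"].add(e["hash"])
    return new


if __name__ == "__main__":
    print("indicator rule flags:", indicator_hits(EVENTS))      # only ws-01
    flagged = behaviour_hits(EVENTS)
    print("behaviour rule flags:", flagged)                     # ws-01 and ws-07
    print("new infrastructure revealed:", pivot_infrastructure(EVENTS, flagged))
```

Run as-is, the indicator rule sees only the first campaign, the behaviour rule sees both, and the pivot step yields the rotated domain and hash from the second campaign as fresh indicators. The window check is what keeps the lone scheduled task on the third host from matching; in a real pipeline the procedure and window would come from what has actually been observed of the actor, not from a fixed list.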
Recipes that use this
Runnable queries where this concept does the work.