// THREAT DETECTION AND DATA PRIVACY TERM
TTP
TTP stands for Tactics, Techniques, and Procedures, describing the complete spectrum of how an adversary operates, from their overall strategy to the specific steps they take to achieve their goals.
TECHNICAL DEFINITION
TTP (Tactics, Techniques, and Procedures) is a term shared by cybersecurity and military intelligence for an adversary's observable behavior, described at three levels of abstraction. A tactic is the adversary's objective at a given stage of an operation, the "why" of a step (for example gaining initial access, escalating privileges, or obtaining credentials). A technique is the general method used to reach that objective, the "how" (for example phishing, or dumping credentials from process memory). A procedure is the specific implementation an actor has been observed using: the exact tool, command line, and sequence of steps. Documenting behavior at all three levels is what makes TTPs useful for threat intelligence, defensive planning, detection engineering, and attribution, since an actor's procedures and tooling tend to persist across campaigns and so identify that actor.
BACKGROUND
A red team is a group that simulates an adversary, attempts a physical or digital intrusion against an organization at the direction of that organization, then reports back so that the organization can improve its defenses. Red teams work for the organization or are hired by the organization. Their work is legal, but it can surprise some employees who may not know that red teaming is occurring, or who may be deceived by the red team. Some definitions of red team are broader, and they include any group within an organization that is directed to think outside the box and look at alternative scenarios that are considered less plausible. This directive can be an important defense against false assumptions and groupthink. The term red teaming originated in the 1960s in the United States. Red team engagements are commonly built around the documented TTPs of real adversaries (adversary emulation), which is how red teaming relates to this entry: the red team reproduces an actor's procedures so the defenders can test whether their detections and controls catch them.
SYNONYMS & ALIASES
- Adversary Playbook
- Attack Methods
- Threat Behavior
- Operational Patterns
- Modus Operandi (MO)
- Attack Lifecycle
USAGE NOTE
Understanding an adversary's TTPs is fundamental to effective defensive strategy and proactive threat hunting. Detections written against behavior (a technique or a procedure) are far more durable than detections written against atomic indicators such as file hashes, IP addresses, or domains, which an adversary can change cheaply between operations, whereas abandoning an entire tradecraft pattern costs them much more. In practice this means mapping observed activity to a framework such as MITRE ATT&CK, writing detection logic at the procedure level so that routine administrative use of the same tools does not flood analysts, and hunting for the sequence of tactics seen on a host rather than for isolated events.
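As an added example illustrating the three-level definition above and the usage note (this code is not part of the original page and is not any vendor's product): the Python below encodes a tiny tactic/technique/procedure hierarchy and runs it over a handful of constructed process-creation log lines, tagging each matching event with its ATT&CK technique and tactics and then reconstructing the order of tactics seen on a host. The technique and tactic IDs are MITRE ATT&CK identifiers; the regex procedures, the key=value log format, and the sample events are constructed for illustration and are not real telemetry.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    technique_id: str            # real MITRE ATT&CK technique ID
    name: str
    tactics: tuple[str, ...]     # ATT&CK tactic IDs; one technique can serve several
    procedures: tuple[str, ...]  # regexes over a process command line (constructed here)


TACTIC_NAMES = {"TA0002": "Execution", "TA0003": "Persistence",
                "TA0004": "Privilege Escalation", "TA0006": "Credential Access"}

# Tiny TTP catalogue: technique and tactic IDs are real ATT&CK identifiers; the
# procedure patterns are constructed examples of how each technique appears on a host.
CATALOGUE = (
    Technique("T1059.001", "Command and Scripting Interpreter: PowerShell", ("TA0002",),
              (r"powershell(\.exe)?\s.*-enc(odedcommand)?\s",
               r"powershell(\.exe)?\s.*-nop\b.*-w(indowstyle)?\s+hidden")),
    Technique("T1003.001", "OS Credential Dumping: LSASS Memory", ("TA0006",),
              (r"rundll32(\.exe)?\s.*comsvcs\.dll,?\s*MiniDump",)),
    Technique("T1053.005", "Scheduled Task/Job: Scheduled Task", ("TA0002", "TA0003", "TA0004"),
              (r"schtasks(\.exe)?\s.*/create\b",)),
)

# Constructed process-creation events, not real telemetry. ws01 carries an
# Office-spawned chain; ws02 is routine administration that must stay quiet.
SAMPLE_LOG = [
    'ts=2024-05-01T10:01:07Z host=ws01 user=alice parent=WINWORD.EXE '
    'cmd="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"',
    'ts=2024-05-01T10:02:30Z host=ws01 user=alice parent=explorer.exe '
    'cmd="powershell.exe Get-ChildItem C:\\Users\\alice"',
    'ts=2024-05-01T10:05:12Z host=ws01 user=SYSTEM parent=powershell.exe '
    'cmd="rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 640 C:\\Temp\\l.dmp full"',
    'ts=2024-05-01T10:06:44Z host=ws01 user=SYSTEM parent=powershell.exe '
    'cmd="schtasks.exe /create /sc onlogon /tn Updater /tr C:\\Temp\\u.exe"',
    'ts=2024-05-01T10:07:00Z host=ws02 user=bob parent=explorer.exe '
    'cmd="schtasks.exe /query /tn Backup"',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> dict[str, str]:
    """Parse one key=value event line; a double-quoted value keeps its inner text."""
    return {key: (quoted if raw.startswith('"') else raw)
            for key, raw, quoted in KV_RE.findall(line)}


def classify(cmd: str) -> list[tuple[Technique, str]]:
    """Map a command line to (technique, matched procedure pattern) pairs.

    Matching is done at procedure granularity on purpose: "powershell.exe ran"
    is the technique and fires on every administrator, while the hidden-window,
    encoded invocation is a procedure worth alerting on.
    """
    hits = []
    for tech in CATALOGUE:
        for pattern in tech.procedures:
            if re.search(pattern, cmd, re.IGNORECASE):
                hits.append((tech, pattern))
                break  # one hit per technique is enough
    return hits


def tag_events(lines: list[str]) -> list[dict]:
    """Enrich every event that matches a known procedure with technique and tactics."""
    tagged = []
    for line in lines:
        ev = parse_event(line)
        for tech, pattern in classify(ev.get("cmd", "")):
            tagged.append({"ts": ev["ts"], "host": ev["host"], "procedure": pattern,
                           "technique_id": tech.technique_id, "technique": tech.name,
                           "tactics": [TACTIC_NAMES[t] for t in tech.tactics]})
    return tagged


def tactic_chain(tagged: list[dict], host: str) -> list[str]:
    """Tactics seen on a host in time order, de-duplicated: the lifecycle view that
    separates one noisy event from an intrusion moving through its stages."""
    chain: list[str] = []
    for ev in sorted((e for e in tagged if e["host"] == host), key=lambda e: e["ts"]):
        for tactic in ev["tactics"]:
            if tactic not in chain:
                chain.append(tactic)
    return chain


if __name__ == "__main__":
    events = tag_events(SAMPLE_LOG)
    for e in events:
        print(e["ts"], e["host"], e["technique_id"], "->", ", ".join(e["tactics"]))
    print("ws01:", " -> ".join(tactic_chain(events, "ws01")))  # four stages, Execution first
    print("ws02:", tactic_chain(events, "ws02"))               # []
```

Two things to notice in the output. The benign `powershell.exe Get-ChildItem` and `schtasks /query` lines produce no hits because the catalogue matches at procedure level, not on the tool name. And the single `schtasks /create` procedure contributes three tactics at once, because ATT&CK maps T1053.005 to Execution, Persistence, and Privilege Escalation; a technique-to-tactic mapping is one-to-many, and a lifecycle view has to account for that. A production detection would also key on the parent process (`WINWORD.EXE` spawning PowerShell is itself a strong signal), user context, and binary signing, all of which are left out here to keep the hierarchy visible.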
DEVELOPERS
Organizations developing technology related to TTP.
Mandiant specializes in threat intelligence, incident response, and security validation, providing deep insights into adversary tactics, techniques, and procedures (TTPs) and helping organizations defend against sophisticated cyber threats.
CrowdStrike is a leader in endpoint security, threat intelligence, and incident response, leveraging its Falcon platform and extensive threat research to detect and prevent attacks by understanding and profiling adversary TTPs.
MITRE developed and maintains the ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, which serves as a foundational resource for understanding and documenting TTPs in cybersecurity.
Palo Alto Networks provides a comprehensive cybersecurity platform, with its Unit 42 threat intelligence team actively researching and reporting on adversary TTPs, which are integrated into their security products for prevention and detection.
Recorded Future delivers intelligence for security operations, providing insights into adversary TTPs, vulnerabilities, and emerging threats by analyzing a vast array of open, dark web, and technical sources.
Microsoft's security division offers a broad range of products and services, including Defender and Sentinel, backed by the Microsoft Threat Intelligence Center (MSTIC) which actively tracks, analyzes, and mitigates threats by understanding adversary TTPs.
AttackIQ specializes in breach and attack simulation (BAS) platforms, allowing organizations to validate their security controls against known adversary TTPs mapped to frameworks like MITRE ATT&CK, ensuring continuous defense readiness.
Splunk provides a security information and event management (SIEM) platform that enables organizations to aggregate, analyze, and act on security data, facilitating the detection and response to adversary TTPs by correlating security events and threat intelligence.