TTP (Tactics, Techniques, Procedures)

Definition

The three levels of specificity used to describe attacker behaviour. Tactics are the goal (e.g., persistence). Techniques are the method (e.g., scheduled task creation). Procedures are the specific implementation used by a particular threat actor or malware family.

Related terms

Cyber Kill Chain
A seven-phase linear model of an intrusion developed by Lockheed Martin in 2011. The phases are: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command...
Indicator of Compromise (IoC)
An observable artefact that suggests a system has been involved in a malicious event. Static analysis produces file-based IoCs: cryptographic hashes, embedded...
Lateral movement
Attacker activity after initial compromise in which the threat actor traverses from one internal system to another, typically to escalate privileges, access...
MITRE ATT&CK
A publicly available knowledge base of adversary tactics, techniques, and procedures derived from real-world intrusion observations. Maintained by the MITRE Corporation. Techniques...
Unified Kill Chain
An 18-phase model by Paul Pols (2017, updated 2021) that extends the Cyber Kill Chain by integrating MITRE ATT&CK and adding coverage...

Explained in

  • The Cyber Attack Lifecycle: The three levels of specificity used to describe attacker behaviour. Tactics are the goal (e.g., persistence). Techniques are the method (e.g., scheduled task...
