In depth
The MITRE ATT&CK matrix is now the de-facto vocabulary for TTPs. Each column is a tactic (the adversary's goal) and each cell under it is a technique or sub-technique (the method), so a cell reads as a tactic-technique pair: TA0008 Lateral Movement, T1021 Remote Services, T1021.002 SMB/Windows Admin Shares. The procedure layer has no cell of its own; it lives on the technique pages as the documented "Procedure Examples" of how named groups and malware families used the technique. Defenders write detections per technique, structure threat-intelligence reports around the techniques observed, plan red team engagements as a chain of techniques, and measure SOC maturity as ATT&CK coverage percentage on a Navigator heatmap. That last number needs a caveat: a single rule rarely detects every procedure under a technique, so a cell coloured "covered" says that at least one detection exists for it, not that the technique is closed off.
The reason TTPs matter more than IOCs is that they are expensive to change. An adversary can rotate a C2 domain in five minutes; switching from scheduled tasks to WMI event subscriptions for persistence means retooling, retesting and retraining the operator. David Bianco's Pyramid of Pain formalises this ordering, from hash values and IP addresses at the base, through domain names, network and host artifacts and tools, to TTPs at the apex: detections built on TTPs impose far more friction on the attacker than detections built on atomic indicators. A detection programme that has moved most of its rules up the pyramid is materially more resilient against an adversary who notices a detection and adapts to it.
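As an added example (not from the original page), here are the two rule styles the paragraph contrasts, written in Python and run over constructed Sysmon-style events. The event shape, domain names, task names and paths are invented; T1053.005 is the real ATT&CK ID for Scheduled Task/Job: Scheduled Task. The IOC rule matches a known C2 domain; the TTP rule matches the behaviour of schtasks.exe creating a task whose action lives in a user-writable directory. The second batch of events is the same operator after rotating the domain and the payload name:

```python
import re

# Constructed process-creation and DNS events, loosely modelled on Sysmon fields.
# CAMPAIGN_2 is the same operator after rotating the C2 domain and payload name
# while keeping the persistence technique (T1053.005, Scheduled Task).
CAMPAIGN_1 = [
    {"type": "dns", "query": "cdn-updates.example"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc onlogon /tn "Updater" /tr "C:\Users\Public\update.exe"'},
]
CAMPAIGN_2 = [
    {"type": "dns", "query": "static-content.example"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 15 /tn "Sync" /tr "C:\Users\bob\AppData\Roaming\svc.exe"'},
]

# Bottom of the Pyramid of Pain: an atomic indicator the adversary changes in minutes.
C2_DOMAINS = {"cdn-updates.example"}  # constructed blocklist


def ioc_rule(event):
    """Fires when a DNS query hits a known C2 domain."""
    return event["type"] == "dns" and event["query"].lower() in C2_DOMAINS


# Top of the pyramid: the behaviour itself. schtasks.exe creating a task whose
# action lives in a user-writable directory is the procedure, whatever the task,
# binary or domain happens to be called this week.
TR_ARG = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)       # quoted or bare /tr value
USER_WRITABLE = re.compile(
    r"\\Users\\(?:Public|[^\\]+\\(?:AppData|Downloads))\\|\\Windows\\Temp\\", re.I)


def ttp_rule(event):
    """Fires on scheduled-task creation whose action points at a user-writable path."""
    if event["type"] != "process":
        return False
    if not event["image"].lower().endswith(r"\schtasks.exe"):
        return False
    cmd = event["cmdline"]
    if "/create" not in cmd.lower():
        return False
    m = TR_ARG.search(cmd)
    if not m:
        return False
    action = m.group(1) or m.group(2)
    return bool(USER_WRITABLE.search(action))


RULES = {
    "ioc:c2-domain": ioc_rule,
    "ttp:T1053.005:schtasks-user-writable": ttp_rule,
}


def run(rules, events):
    """Return the set of rule names that fired at least once over a batch of events."""
    return {name for name, rule in rules.items() if any(rule(ev) for ev in events)}


if __name__ == "__main__":
    print("campaign 1:", sorted(run(RULES, CAMPAIGN_1)))  # both rules fire
    print("campaign 2:", sorted(run(RULES, CAMPAIGN_2)))  # only the TTP rule fires
```

Run the file to see the first batch trip both rules and the second trip only the TTP rule. To get past the second rule the operator has to change how persistence is achieved, which is exactly the retooling cost the paragraph describes.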
The practical workflow: CTI consumes a campaign report (a Mandiant APT write-up, a government advisory, a vendor blog post), extracts the techniques and procedures, maps them to ATT&CK IDs and hands the list to detection engineering, who write or tune rules for the techniques the SOC's current rule set misses. Purple Team validates the new rules by executing atomic tests (Atomic Red Team or equivalent) for each technique and confirming the alerts fire. The resulting ATT&CK Navigator coverage matrices are reviewed in monthly Blue Team retros.
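As an added example (not from the page, and not MITRE's own tooling), the CTI-to-detection-engineering hand-off as code, which also exercises the tactic/technique/sub-technique structure described above: take the (tactic, technique) cells extracted from a campaign report, compare them against the ATT&CK tags on the existing rule set, list the gaps and emit an ATT&CK Navigator layer that colours each cell by coverage status. Technique and tactic IDs are real ATT&CK IDs; the campaign, the rule names, and the layer version string are constructed assumptions.

```python
import json
import re

TECH_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# ATT&CK tactic IDs mapped to the shortnames the Navigator layer format uses.
TACTIC = {
    "TA0001": "initial-access",
    "TA0002": "execution",
    "TA0003": "persistence",
    "TA0008": "lateral-movement",
    "TA0011": "command-and-control",
}

# Constructed input: the (tactic, technique) cells CTI extracted from one campaign
# report. The IDs are real ATT&CK IDs; the campaign is invented.
REPORT = [
    ("TA0001", "T1566.001"),  # Spearphishing Attachment
    ("TA0002", "T1059.001"),  # PowerShell
    ("TA0003", "T1053.005"),  # Scheduled Task
    ("TA0003", "T1546.003"),  # WMI Event Subscription
    ("TA0008", "T1021.002"),  # SMB/Windows Admin Shares
    ("TA0011", "T1071.001"),  # Web Protocols
]

# Constructed input: ATT&CK tags on the SOC's existing detection rules.
RULES = {
    "sched_task_user_writable": {"T1053.005"},
    "powershell_encoded_command": {"T1059.001"},
    "remote_services_generic": {"T1021"},            # tagged at parent level only
    "office_spawns_shell": {"T1566.001", "T1204.002"},
}


def parent_of(tid):
    """T1021.002 -> T1021; a parent technique returns itself."""
    return tid.split(".", 1)[0]


def coverage_status(tid, rules):
    """covered: some rule is tagged with this exact ID.
    partial: only the parent technique is tagged, so the rule may or may not
             see this sub-technique (treat as optimistic, not as done).
    gap:     nothing is tagged for it."""
    if not TECH_ID.match(tid):
        raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
    tagged = set().union(*rules.values())
    if tid in tagged:
        return "covered"
    if parent_of(tid) in tagged:
        return "partial"
    return "gap"


def assess(report, rules):
    return {tid: coverage_status(tid, rules) for _, tid in report}


def gaps(report, rules):
    """Sorted technique IDs that detection engineering still needs rules for."""
    return sorted(tid for tid, status in assess(report, rules).items() if status == "gap")


SCORE = {"gap": 0, "partial": 1, "covered": 2}


def navigator_layer(report, rules, name="campaign coverage"):
    """Build an ATT&CK Navigator layer scoring each reported cell by coverage status.
    Field names follow the Navigator layer format; "layer": "4.5" is an assumed
    version string and should match whatever the deployed Navigator accepts."""
    status = assess(report, rules)
    return {
        "name": name,
        "versions": {"layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "0 = gap, 1 = parent-level rule only, 2 = covered",
        "techniques": [
            {
                "techniqueID": tid,
                "tactic": TACTIC[tac],
                "score": SCORE[status[tid]],
                "comment": status[tid],
                "enabled": True,
                "showSubtechniques": True,
            }
            for tac, tid in report
        ],
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 2},
        "legendItems": [
            {"label": "gap", "color": "#ff6666"},
            {"label": "partial", "color": "#ffe766"},
            {"label": "covered", "color": "#8ec843"},
        ],
    }


if __name__ == "__main__":
    print("gaps for detection engineering:", gaps(REPORT, RULES))
    print(json.dumps(navigator_layer(REPORT, RULES), indent=2))
```

The "partial" status is the check worth keeping: a rule tagged only T1021 is not evidence that T1021.002 is detected, and collapsing it into "covered" is how a heatmap ends up greener than the SOC really is. The emitted JSON can be loaded into Navigator via "Open Existing Layer" for the monthly review.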