What are TTPs?
TTP stands for Tactics, Techniques, and Procedures – a classification system that describes how cyber attackers operate. It is widely used in Threat Intelligence and frameworks such as MITRE ATT&CK and MITRE ATT&CK for ICS.
TTPs make it possible to understand, attribute and detect attacks based on their behaviour and modus operandi, rather than only on technical features such as IP addresses or malware hashes.
🧠 How do TTPs work?
- Tactics – The goal or motive of an attacker (e.g. Initial Access, Lateral Movement)
- Techniques – The way in which that goal is achieved (e.g. Phishing, Valid Accounts)
- Procedures – The specific execution of a technique by a particular threat actor
An example:
- Tactic: Initial Access
- Technique: Exploit Public-Facing Application
- Procedure: Use of a known vulnerability in a SCADA web interface
By analysing TTPs, OT organisations can develop targeted detection rules and adapt their defences.
🏭 Application of TTPs in industrial networks
- Use of ATT&CK for ICS to map TTPs to OT assets such as PLCs, HMIs, SCADA systems and engineering stations
- Threat simulations or Red Team exercises work with real TTPs from known attackers
- OT-specific SIEM rules and SOAR playbooks are aligned with relevant TTPs
- Threat Hunting focuses on traces of techniques such as:
  - Abuse of Valid Accounts (T1078)
  - Inhibit Response Function (T0829)
  - Loss of Control (T0831)
  - Modify Alarm Settings (T0855)
Understanding TTPs helps OT teams take proactive security measures.
🔍 TTPs vs. IOCs
| Aspect | TTP (Tactics, Techniques, Procedures) | IOC (Indicator of Compromise) |
|---|---|---|
| Focus | Attacker behaviour | Technical traces (IP, hash, domain) |
| Reusability | High – often remains the same | Low – quickly outdated |
| Use in OT | Recommended for detection, simulation, hunting | Complementary for fast blocking |
🔐 Security aspects
- TTP-based detection is more resilient against attacker adaptation
- Linking TTPs to MITRE D3FEND helps prioritise defensive measures
- Essential in Threat Intelligence, SOC, SIEM and Incident Response
- Ensure continuous attacker analysis and updating of TTPs
Good knowledge of TTPs makes it possible to design detection and mitigation proactively, including in industrial networks.
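The difference in resilience between IOC-based and TTP-based detection, as an added illustration that is not part of the original page: an IOC rule keyed on a blocklisted IP stops firing as soon as the attacker rotates infrastructure, while a behaviour rule for alarm-setting changes from outside the engineering subnet keeps firing. The events, the blocklist and the 10.1.5.0/24 engineering subnet are constructed for this example.

```python
import ipaddress

# Constructed OT log events (not real data): an alarm-setpoint change on an HMI,
# first from a known-bad external IP, then from a new IP after the attacker
# rotates infrastructure, and finally a legitimate change from an engineering station.
EVENTS = [
    {"ts": "2024-03-01T02:14:00", "src": "203.0.113.7", "asset": "HMI-2",
     "action": "alarm_setpoint_change", "user": "eng_admin"},
    {"ts": "2024-03-01T02:15:30", "src": "198.51.100.9", "asset": "HMI-2",
     "action": "alarm_setpoint_change", "user": "eng_admin"},
    {"ts": "2024-03-01T09:00:00", "src": "10.1.5.10", "asset": "HMI-2",
     "action": "alarm_setpoint_change", "user": "eng_admin"},
]

# IOC rule: match on a technical trace (a blocklisted source IP). Assumed blocklist.
IOC_BLOCKLIST = {"203.0.113.7"}

# TTP rule: match on behaviour. Alarm settings on an HMI are only changed from the
# engineering subnet (assumed 10.1.5.0/24); any change from elsewhere is suspicious
# regardless of which IP address or account is used.
ENGINEERING_SUBNET = ipaddress.ip_network("10.1.5.0/24")
ALARM_ACTIONS = {"alarm_setpoint_change", "alarm_disable"}


def ioc_hits(events, blocklist=IOC_BLOCKLIST):
    """Return indices of events whose source IP is on the IOC blocklist."""
    return [i for i, e in enumerate(events) if e["src"] in blocklist]


def ttp_hits(events, subnet=ENGINEERING_SUBNET):
    """Return indices of events that look like Modify Alarm Settings performed
    from an unauthorised location (behaviour-based, independent of specific IPs)."""
    return [
        i for i, e in enumerate(events)
        if e["action"] in ALARM_ACTIONS
        and ipaddress.ip_address(e["src"]) not in subnet
    ]


if __name__ == "__main__":
    print("IOC rule fired on events:", ioc_hits(EVENTS))  # [0]: only the known IP
    print("TTP rule fired on events:", ttp_hits(EVENTS))  # [0, 1]: both attacker IPs
```

The legitimate change from the engineering station (event 2) fires neither rule, so the behaviour rule adds coverage without adding noise for normal operations.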
📌 In summary
TTPs are a powerful means to understand, simulate and detect attacks at the behavioural level. For OT environments, they form the bridge between strategy, threat and defence.
