Threat Actor TTPs & Cyber Threat Intelligence


Intelligence-driven cybersecurity is proactive. And proactive cybersecurity drives better defenses by improving the ability to anticipate threats, increase situational awareness, and reduce attack surfaces. 

Today’s cyber threat landscape sees more complex and diverse threats than ever. Delving into the tactics, techniques, and procedures (TTPs) that adversaries use is a valuable source of cyber threat intelligence for any business. Find out how to get more proactive with threat actor TTPs and cyber threat intelligence. 

TTPs in Cybersecurity: A Brief Primer 

TTPs essentially describe the modus operandi of a particular threat actor or threat group. But it’s worth clarifying what each part of the acronym actually means and clearly differentiating between them:

  • Tactics—these are the higher-level descriptions of behaviors associated with cyber attackers. Tactics are often quite general statements, such as “performing lateral movement in a network” or “exfiltrating sensitive data for the purposes of holding victims to ransom.”
  • Techniques—these are the different actions that describe how hackers achieve their tactical aims. Think of techniques as providing more detailed data about behavior within the context of a specific tactic. Examples of techniques include manipulating access tokens or registering hacker-controlled devices on a network.   
  • Procedures—think of procedures as documented series of steps that describe behavior in a more detailed manner within the context of a particular technique and tactic. It’s when these steps become characteristic of how hackers achieve specific tactics or implement techniques that they get referred to as procedures. A procedure might involve using Wireshark to sniff network traffic and compromise a user account and then Cobalt Strike to exfiltrate data. 

Each element in TTPs is important, but where their real power lies is in studying them together to form a solid understanding of threat actor behavior. This understanding (threat intelligence) can enable you to better hunt for threats without feeling like you’re on a wild goose chase.

How TTPs Help Cybersecurity 

TTPs have the potential to deliver enormous benefits in terms of improving the detection of threats lurking in your network. Threat hunting activities that revolve solely around searching for static, signature-based indicators of compromise (IoCs) fail to capture novel or adaptable threats. Searching for mere anomalies from a given baseline comes with the problem of high false-positive rates that overwhelm security teams. 

TTP-based threat hunting involves searching for the common techniques used by adversaries in their attacks. This is arguably a more robust approach because techniques tend to be common across different adversaries due to the constraints of the targeted system. For example, there are only so many ways to elevate privileges on Windows systems, and searching for them can improve threat detection versus other methods. 
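The contrast between IoC matching and technique-based hunting can be shown on a few process-creation events. This is an added example, not code from the original article or from Flare; the event fields, host names, hash values, and the choice of technique (a Windows service whose binary sits in a user-writable directory) are all constructed for illustration.

```python
import re

# Constructed events (hypothetical schema, placeholder hashes, not real telemetry).
EVENTS = [
    {"host": "ws-01", "sha256": "a" * 64, "cmdline": "upd.exe"},
    {"host": "ws-01", "sha256": "c" * 64,
     "cmdline": r'sc.exe create UpdSvc binPath= "C:\Users\amy\AppData\Local\Temp\upd.exe" start= auto'},
    # Same behavior on a second host, but the tool was rebuilt, so its hash is new.
    {"host": "ws-02", "sha256": "b" * 64, "cmdline": "helper.exe"},
    {"host": "ws-02", "sha256": "c" * 64,
     "cmdline": r"sc create HelperSvc binPath= C:\ProgramData\helper\h.exe"},
    # Benign software install: service binary lives in a protected directory.
    {"host": "srv-03", "sha256": "c" * 64,
     "cmdline": r'sc.exe create VendorAgent binPath= "C:\Program Files\Vendor\agent.exe"'},
]

# Static IoC list: only the first build of the tool is known.
KNOWN_BAD_HASHES = {"a" * 64}

# Behavior of interest (maps to MITRE ATT&CK T1543.003, Windows Service):
# a service is created whose binary path is writable by ordinary users.
SC_CREATE = re.compile(
    r'\bsc(?:\.exe)?\s+create\s+\S+\s+binpath=\s*"?([^"]+?\.exe)', re.IGNORECASE)
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def ioc_hunt(events):
    """Return hosts where a process hash matches the static IoC list."""
    return sorted({e["host"] for e in events if e["sha256"] in KNOWN_BAD_HASHES})


def ttp_hunt(events):
    """Return (host, service binary) pairs that exhibit the technique."""
    hits = []
    for e in events:
        m = SC_CREATE.search(e["cmdline"])
        if m and m.group(1).lower().startswith(USER_WRITABLE):
            hits.append((e["host"], m.group(1)))
    return hits


if __name__ == "__main__":
    print("IoC hunt hosts:", ioc_hunt(EVENTS))
    for host, path in ttp_hunt(EVENTS):
        print(f"TTP hunt hit: {host} -> {path}")
```

The hash lookup finds only the host running the known build, while the behavioral rule finds both affected hosts and leaves the legitimate install alone.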

What Are Some Useful Sources of TTPs? 

Since the goal with TTPs is to identify patterns of behavior, it’s worth highlighting some sources that could provide useful data on how threat actors operate.


Honeypots

Honeypots are valuable and underused tools in cybersecurity for examining how hackers operate. These decoy environments lure attackers away from your legitimate systems and towards specific network-attached systems where you can observe their behavior. Usually, the honeypot contains some sort of obvious flaw that draws potential intruders, who tend to look for the path of least resistance when carrying out attacks. 

Clear and dark web forums

Online forums are chock-full of information about attacker TTPs. In particular, shady forums on the dark web see lone-wolf actors and threat groups congregate to discuss tactics and techniques for achieving their goals. While monitoring these sources manually takes up a lot of security resources, automated solutions are emerging that can scan them for you. 

Vendor sources

Commercially available sources of TTPs come from pre-built vendor solutions in which a third party pours its own resources into collecting intelligence and re-selling it. One potential source is customer telemetry, which vendors collect anonymously from customers of various services, from antivirus solutions to cloud infrastructure. The large-scale visibility across thousands or even millions of host devices makes telemetry a good source of TTPs.  

Malware processing

While malware tends to fall more in the realm of generating indicators of compromise via file hashes and other signatures, it is also possible to obtain actionable TTP intelligence from malware processing. One method for deriving TTPs from malware is to use sandboxed virtual environments and generate large numbers of malicious files inside those environments. 

You can collect metadata from this malware processing and use various analytics techniques to query the data and uncover new TTPs. For example, searching for strings within such a database has the potential to reveal a technique or information about a procedure.

Mining unstructured data

A huge chunk of information on TTPs exists in the form of unstructured threat data from PDF reports, security websites, and other sources. Manually converting these natural language descriptions to recognizable TTPs was traditionally a somewhat daunting task. However, advances in Big Data analytics have made it feasible to mine these unstructured threat data sources for actionable intelligence in the form of TTPs. To get a feel for how you might implement such a mining framework, read this interesting paper.

Human networking

Word of mouth from human relationships remains a valuable source of all types of cyber threat intelligence. In the opposite vein of open source information freely available on the web, networking with other people in the security community is a closed source of information that usually requires both trust and valuable contributions. While TTPs can be shared informally between people in phone calls and emails, there are also dedicated networking communities where trusted individuals gather and share their knowledge and observations.

Bolster Your Defenses Today with Cyber Threat Intelligence

Numerous sources, including industry experts, MITRE researchers, and government experiments, have amassed a large body of evidence that validates the effectiveness of using adversary tactics, techniques, and procedures (TTPs) as a foundation for collecting and filtering data to detect malicious activity, reduce attack surfaces, and drive more intelligence-driven security improvements. 

It’s important to leverage a wide range of sources to discover threat actor TTPs. Threat intelligence from the dark web is an excellent source of data, but it’s often inaccessible due to security resource constraints that prevent the manual collection of this data. 

Flare powers cyber threat intelligence and helps uncover TTPs by automatically scanning dark & clear web sources. You get monitoring across dark web forums, Telegram channels, ransomware blogs, paste sites, and more. Flare is a simple, flexible, and powerful solution deployed as a SaaS system. 

Get your free trial here. 
