TTP stands for tactics, techniques, and procedures; it is simply a framework for describing how an attacker operates. A tactic is how one carries out an attack, such as moving laterally, while a technique is a specific method, such as SQL injection. Most of the time, a single tactic will require numerous techniques. A procedure is simply the step-by-step instructions for doing all this. For example, to do SQL injection you first scan the target for vulnerabilities, then write malicious code and submit it to the most vulnerable form on the website.
The MITRE ATT&CK matrix helps identify and address TTPs as they appear, and it is a great way to detect abnormal behavior. If you have a data-capturing tool such as a security information and event management (SIEM) system, you can use the MITRE ATT&CK framework to identify which TTPs an attacker may be using. It helps security analysts better understand the attacker's end goal and helps define threat severity levels and different attack vectors, support incident response and mitigation, and much more.
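One way to apply this to SIEM data, as an added example that is not part of the original text: each event is tagged with an ATT&CK tactic and technique, and the number of distinct tactics seen per host drives a severity rating. The ATT&CK IDs are real; the log lines, matching patterns, field names and severity thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Detection rules: (pattern over the raw message, tactic, technique ID, technique name).
# The ATT&CK IDs are real; the patterns are simplified, constructed examples.
RULES = [
    (re.compile(r"(?i)user-agent=(nikto|nessus)"),
     "Reconnaissance", "T1595.002", "Vulnerability Scanning"),
    (re.compile(r"(?i)union\s+select|'\s*or\s+1=1"),
     "Initial Access", "T1190", "Exploit Public-Facing Application"),
    (re.compile(r"(?i)event=remote_logon\b.*new_pair=true"),
     "Lateral Movement", "T1021", "Remote Services"),
]

# Constructed sample events, shaped like normalized SIEM records.
EVENTS = [
    {"host": "web01", "msg": "GET /index.php user-agent=Nikto/2.5"},
    {"host": "web01", "msg": "GET /item.php?id=1 UNION SELECT user,pass FROM users"},
    {"host": "web01", "msg": "event=remote_logon proto=smb dst=db01 new_pair=true"},
    {"host": "app02", "msg": "GET /health user-agent=curl/8.0"},
]

def tag(event):
    """Return the ATT&CK labels whose pattern matches this event."""
    return [(tactic, tid, name)
            for rx, tactic, tid, name in RULES if rx.search(event["msg"])]

def summarize(events):
    """Group matched techniques by host and tactic, then rate severity."""
    per_host = defaultdict(lambda: defaultdict(set))
    for ev in events:
        for tactic, tid, _name in tag(ev):
            per_host[ev["host"]][tactic].add(tid)
    report = {}
    for host, tactics in per_host.items():
        # Assumed scoring: more distinct tactics on one host means the
        # activity has progressed further, so it is triaged first.
        n = len(tactics)
        severity = "high" if n >= 3 else "medium" if n == 2 else "low"
        report[host] = {
            "tactics": {t: sorted(ids) for t, ids in tactics.items()},
            "severity": severity,
        }
    return report

if __name__ == "__main__":
    for host, info in summarize(EVENTS).items():
        print(host, info["severity"], info["tactics"])
```

Hosts with no matching events are left out of the report, so a benign request such as the health check on app02 produces no entry.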