--- title: "What are TTPs? MITRE ATT&CK Tactics, Techniques & Procedures" page_name: "Tactics techniques and procedures (TTPs)" type: "glossary" slug: "tactics-techniques-procedures" published_at: "2025-02-17" modified_at: "2025-10-30" url: "https://www.sumologic.com/glossary/tactics-techniques-procedures" canonical: "https://www.sumologic.com/glossary/tactics-techniques-procedures" markdown_url: "https://www.sumologic.com/glossary/tactics-techniques-procedures.md" lang: "en" excerpt: "Learn what TTPs are in cybersecurity and how MITRE ATT&CK tactics, techniques, and procedures improve threat detection, defense evasion, and incident response." --- [Glossary](/glossary)# Tactics techniques and procedures (TTPs) [A](/glossary#A) [B](/glossary#B) [C](/glossary#C) [D](/glossary#D) [E](/glossary#E) [F](/glossary#F) [G](/glossary#G) [H](/glossary#H) [I](/glossary#I) [J](/glossary#J) [K](/glossary#K) [L](/glossary#L) [M](/glossary#M) [N](/glossary#N) [O](/glossary#O) [P](/glossary#P) [Q](/glossary#Q) [R](/glossary#R) [S](/glossary#S) [T](/glossary#T) [U](/glossary#U) [V](/glossary#V) [W](/glossary#W) [X](/glossary#X) [Y](/glossary#Y) [Z](/glossary#Z) ##### Table of contents ## What are TTPs? Tactics, techniques, and procedures (TTPs) are fundamental components used in the field of [cybersecurity](http://www.sumologic.com/glossary/cyber-security), [threat intelligence](http://www.sumologic.com/glossary/threat-intelligence) and incident response. TTPs describe how cyber adversaries operate and execute cyberattacks. These three elements provide a structured way to understand the methods and behaviors of a threat group and a specific threat actor. TTPs also help organizations map real-world observations of threat actors to known patterns in the MITRE ATT&CK framework, providing a standardized way to categorize adversary tactics and techniques across the cyber kill chain. Key takeaways - TTPs in the MITRE ATT&CK framework are used in various ways to enhance cybersecurity practices and defense against cyber threats. - TTP analysis enables defenders to identify malicious code, credential access attempts, defense evasion, and data exfiltration actions earlier in an attack. - Using [Sumo Logic Cloud SIEM](https://www.sumologic.com/guides/siem), you can integrate the MITRE ATT&CK framework for precise threat identification and response by categorizing attacks based on their TTPs. ## Understanding TTPS within MITRE ATT&CK TTPs are key components of [MITRE ATT&CK](http://www.sumologic.com/glossary/mitre-attack), a knowledge base, framework and methodology for [cybersecurity](http://www.sumologic.com/glossary/cyber-security) professionals to understand, categorize and respond to cyber threats and attacks. Within the MITRE ATT&CK framework: - **Tactics** answer the “*what*” question by defining the high-level objectives of an attack. - **Techniques** answer the “*how*” question by describing the methods adversaries use to achieve those objectives. - **Procedures** answer the “*how exactly*” question by providing concrete examples and implementation details of techniques. This hierarchical structure within the MITRE ATT&CK framework helps security professionals understand and respond to cyber threats effectively. The TTPs in the MITRE ATT&CK framework are utilized in various ways to enhance cybersecurity practices and defense against emerging threats, as well as potential threats, including advanced persistent threats. ## How MITRE ATT&CK TTPs improve cybersecurity TTPs within the **ATT&CK framework** are used to strengthen cybersecurity in several ways: **Tactics** Security professionals and threat hunters can use tactics to understand the overarching goals of an attacker, helping them anticipate potential [attack vectors](http://www.sumologic.com/glossary/attack-vector). Your organization can assess their security posture by considering the relevance of tactics. By understanding which tactics are most likely to be targeted, they can prioritize security measures accordingly to prevent cyberattacks. **Techniques** Security teams can map known adversary techniques to their environment’s [logs](http://www.sumologic.com/glossary/log-file) and data sources to create custom detection rules and alerts. During and after a security incident, security professionals can also refer to techniques to understand how adversaries have executed their attacks at various stages of the cyber kill chain. This information helps in scoping the incident, identifying compromised systems and planning an effective response. **Procedures** [Security analysts](http://www.sumologic.com/blog/security-analyst-faq-career-cybersecurity) can use procedures to gain insights into the practical application of techniques. Procedures can also sometimes provide clues about the identity or origin of a malicious attacker based on unique characteristics or artifacts left behind during an attack. ## Examples of tactics, techniques and procedures Here’s how tactics, techniques and procedures relate to one another in some common examples: **Tactic**: Initial access **Technique**: Spearphishing email **Procedures**: The specific email templates used by attackers, the file types they commonly attach and the social engineering tactics used. **Tactic**: Credential access **Technique**: Credential dumping **Procedure**s: The specific tools, commands and techniques used to extract passwords and hashes. **Tactic**: Data exfiltration **Technique**: Command and control channels **Procedure**: The data exfiltration method, encryption used and the destination for stolen data. ### What are the benefits of identifying TTPs? Analyzing adversary TTPs helps organizations: - **Enhance threat detection** with finely tuned signatures and behavioral analytics - **Enable proactive defense** against advanced persistent threats (APTs) - **Customize threat intelligence** aligned to relevant threat actors - **Improve incident response** by identifying attacker goals and impacted systems - **Support adversary attribution** using unique procedural artifacts - **Strengthen security awareness training** with real-world attack patterns - **Prioritize security measures** based on industry-specific risks - **Improve collaboration** by sharing indicators of compromise (IOCs), resources, and attack patterns across teams TTP analysis is a valuable approach for defending against cyber attackers. It involves studying and understanding the behavior and methods used by cybercriminals and threat actors. TTP analysis is also critical to proactive threat detection, response and defense against cybercrime. By understanding how cybercriminals operate, organizations can better prepare for and mitigate the risks associated with today’s evolving threat landscape. Identifying TTPs used by cyber adversaries offers several benefits for organizations and their cybersecurity efforts: - **Enhanced threat detection** By identifying threat actors’ specific methods and behaviors, a security team can create custom detection rules and finely tuned signatures to spot malicious activities. - **Proactive defense** By focusing on the tactics and techniques used by adversaries, organizations can implement security controls and measures that directly address these attack methods. - **Customize threat intelligence** Organizations can create custom threat intelligence that aligns with the TTPs relevant to their specific environment. - **Incident response preparedness** When a security incident occurs, a security team can quickly recognize the tactics and techniques used and respond more effectively, potentially minimizing the impact of an attack on their systems. - **Adversary attribution** Analyzing TTPs can contribute to attributing threat actors, helping organizations understand who they are dealing with. - **Security awareness and training** Security awareness programs can use examples of TTPs to help employees recognize and respond to adversary behavior. - **Prioritization of security measures** By understanding which tactics and techniques are most likely to be used in their industry or environment, organizations can allocate resources to the most critical security measures. - **Improve collaboration** By sharing data about observed TTPs with peers, organizations may engage in joint tactics by sharing resources, threat intelligence, [indicators of compromise](http://www.sumologic.com/glossary/indicators-of-compromise) (IOCs), and attack patterns with one another. ## TTP insights with Sumo Logic Analyzing the right data with your security tools is the first step to building a healthy security posture. By aligning [log management](http://www.sumologic.com/glossary/log-management) with MITRE ATT&CK TTPs, organizations can fine-tune their security rules for optimal performance. This ensures that security alerts are both accurate and relevant. For enhanced cybersecurity, security analysts need to be able to harness TTPs effectively. Using Sumo Logic Cloud SIEM, your security operations center can integrate the [MITRE ATT&CK](http://www.sumologic.com/blog/cloud-siem-mitre-attack) framework for precise cyber threat intelligence and response by categorizing attacks based on their TTPs. Identifying the TTPs that are most important enables Sumo Logic customers to ensure they are ingesting the correct log data. See how it works in our [ultimate guide to modern SIEM](http://www.sumologic.com/resources/siem). ### FAQs How can a SIEM solution enhance threat detection through log analysis?+A SIEM solution can enhance [threat detection and response](https://www.sumologic.com/glossary/threat-detection-response) by consolidating and analyzing log data from various sources, such as application logs, system logs, security logs and endpoint logs. This unified view of log data allows for real-time monitoring of security events, anomaly detection and correlation of incidents across the network. How do SIEM tools work?+SIEM delivers superior incident response and enterprise security outcomes through several key capabilities, including: **Data collection** – SIEM tools aggregate event and system logs and security data from various sources and applications in one place. **Correlation** – SIEM tools use various correlation techniques to link bits of data with common attributes and help turn that data into actionable information for SecOps teams. **Alerting** – SIEM tools can be configured to automatically alert SecOps or IT teams when predefined signals or patterns are detected that might indicate a security event. **Data retention** – SIEM tools are designed to store large volumes of log data, ensuring that security teams can correlate data over time and enabling forensic investigations into threats or cyber-attacks that may have initially gone undetected. **Parsing, log normalization and categorization** – SIEM tools make it easier for organizations to parse through logs that might have been created weeks or even months ago. Parsing, log normalization and categorization are additional features of SIEM tools that make logs more searchable and help to enable forensic analysis, even with millions of log entries to sift through. How does Sumo Logic enhance threat detection in cloud environments?+Sumo Logic helps organizations aggregate data, analyze patterns, and configure real-time alerts, allowing for automated response and faster recovery. Its platform leverages advanced machine learning and data protection to strengthen threat detection across cloud infrastructures [AI Instructions](https://www.sumologic.com/ai-instructions.md)