Attack Tactics • Room 3

Mapping TTPs

Tactics, Techniques, and Procedures (TTPs) describe how an adversary operates. The MITRE ATT&CK framework standardizes these descriptions.

Instead of hunting for an ever-changing file hash (Tactical), hunting for the *behavior* of credential dumping (Operational) is much more robust against adversary evasion.
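To make the contrast concrete, here is an added example (not part of this room) that runs a hash-based IOC hunt and a behaviour-based TTP hunt over a handful of constructed Sysmon-style events. The hashes, file paths, allowlist and events are all constructed for illustration; the only real identifiers are the Windows `PROCESS_VM_READ` access right and ATT&CK technique T1003.001 (OS Credential Dumping: LSASS Memory).

```python
"""Hash-IOC hunting versus TTP hunting over constructed Sysmon-style events.

Added example for this room: all hashes, paths and events below are
constructed for illustration and do not describe any real incident.
"""

# Constructed "threat intel" hash IOC for an attacker's credential-dumping tool.
KNOWN_BAD_HASHES = {"sha256:0000constructed_hash_v1"}

# Processes that legitimately open LSASS on a typical Windows host
# (constructed allowlist for the example; tune it to your environment).
LSASS_ACCESS_ALLOWLIST = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\services.exe",
}

PROCESS_VM_READ = 0x0010  # Windows access right needed to read another process's memory

# Constructed events in the shape of Sysmon Event ID 1 (ProcessCreate) and
# Event ID 10 (ProcessAccess). The attacker runs the tool, gets caught by hash,
# recompiles it (new hash, same behaviour) and runs it again.
EVENTS = [
    {"event_id": 1, "image": "C:\\Users\\bob\\dump.exe",
     "hash": "sha256:0000constructed_hash_v1"},
    {"event_id": 10, "source_image": "C:\\Users\\bob\\dump.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"},
    {"event_id": 1, "image": "C:\\Users\\bob\\dump2.exe",
     "hash": "sha256:0000constructed_hash_v2"},
    {"event_id": 10, "source_image": "C:\\Users\\bob\\dump2.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"},
    # Benign: csrss.exe queries lsass without memory-read access.
    {"event_id": 10, "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1000"},
]


def hunt_by_ioc(events, bad_hashes=KNOWN_BAD_HASHES):
    """Tactical hunt: flag process creations whose file hash is a known IOC."""
    return [e["image"] for e in events
            if e["event_id"] == 1 and e.get("hash") in bad_hashes]


def hunt_by_ttp(events, allowlist=LSASS_ACCESS_ALLOWLIST):
    """Operational hunt: flag any non-allowlisted process that opens LSASS
    with memory-read access, the behaviour behind OS credential dumping
    (ATT&CK T1003.001), regardless of the tool's hash or file name."""
    hits = []
    for e in events:
        if e["event_id"] != 10:
            continue
        if not e["target_image"].lower().endswith("\\lsass.exe"):
            continue
        if e["source_image"].lower() in allowlist:
            continue
        if int(e["granted_access"], 16) & PROCESS_VM_READ:
            hits.append(e["source_image"])
    return hits


if __name__ == "__main__":
    print("IOC hits:", hunt_by_ioc(EVENTS))  # only the first binary
    print("TTP hits:", hunt_by_ttp(EVENTS))  # both binaries, not csrss.exe
```

The hash hunt catches only the first binary; the recompiled copy sails past it. The TTP hunt catches both, because the attacker still has to read LSASS memory to get the credentials, while the benign csrss.exe access is excluded by the allowlist and the access mask check.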

Knowledge Check

Question 1 of 1
Why is hunting for TTPs generally considered more effective than hunting for simple IOCs like IP addresses?
A. TTPs require less compute power to search.
B. IP addresses and file hashes can be changed by the attacker in seconds, but changing their fundamental techniques and tools (TTPs) is difficult and expensive.
C. TTPs are automatically blocked by the firewall.
D. IOCs are no longer provided by Threat Intel vendors.