Virtual Armour Blue Logo

Making Sense of TTPs, Cybersecurity, & What That Means for Your Business

Andrew Douthwaite

July 5, 2021

Last updated August 19, 2022


  • TTPs are tactics, tools, & procedures that threat actors to orchestrate cyber attacks.
  • Analyzing TTPs helps organizations identify who is responsible for attacks or breaches. It can also improve triage, identify probable vectors and sources, investigate which systems may have been compromised, and create threat modeling exercises to improve cybersecurity training.
  • Using VirtualArmor to monitor your network for suspicious activity can help address your current security posture’s vulnerabilities and update your defensive capabilities to repel new attacks.

Once considered a nice-to-have, cybersecurity has become essential for organizations in all verticals. Even before COVID-19 made remote work the norm for many office workers (leading to a marked increase in social engineering attacks), cybercrime was already on the rise, with global losses skyrocketing to nearly $1 trillion in 2020 alone

No matter how large or small your organization is, investing in your cybersecurity posture is vital for safeguarding your digital assets, your business, and your customers. To improve your cybersecurity posture, you need to get inside the mind of a cybercriminal and figure out how to stay one step ahead in this endless game of cat and mouse. 

See also:

What are TTPs?

TTPs refers to the tactics (or tools), techniques, and procedures used by a specific threat actor (the bad guy) or threat actors. TTPs refer to distinct patterns of activities or behaviors associated with a particular person or group of people and describe how threat actors orchestrate, execute, and manage their cyber attacks. 


Tactics, generally speaking, refer to the vectors used by attackers. This could include accessing and using confidential information, gaining access to a website, or making lateral movements (moving sideways between devices and apps to better map your system and look for vulnerabilities in less protected areas that they can exploit). 


Techniques refer to the methods attackers use to achieve their goals. For example, if the immediate goal (the tactic) is to gain unauthorized access to your system, then the technique could be using social engineering (such as a phishing scam) to trick employees into sharing their login credentials. A single tactic can involve multiple techniques. 

Techniques act like stepping stones towards the attacker’s overarching goal, which could include damaging your systems, infecting your network with ransomware, or stealing sensitive files.


Procedures refer to specific, actionable, preconfigured steps used by cybercriminals to achieve their overarching goals. So, for example, if the goal is to use a phishing scam to gather login credentials from employees, the procedure could involve determining what the email should say and configuring the email to download malware when a user opens the attachment included with the email.

Why are TTPs Important for My Business?

Analyzing TTPs is vital for your cybersecurity posture since the clues threat actors leave behind can be used to help identify who is responsible for an attack or breach. By analyzing TTPs, your cybersecurity team or cybersecurity partner can:

  1. Rapidly triage and contextualize the event taking place by comparing the TTPs of the current attack with TTPs of known threat actors or groups (such as hostile foreign governments, lone criminals, criminal groups, or rival corporations) who may have launched the attack. Based on who may be behind the attack, your cybersecurity experts can try to predict what may happen next and redeploy resources to better safeguard your most critical digital assets, such as your server. 
  2. Review probable paths for research and further exploration based on what TTPs were used in the attack. This allows your cybersecurity experts to potentially identify who was behind the attack so criminal charges can be laid.
  3. Identify potential sources or vectors of the attack. This step involves identifying how the threat actors were able to gain unauthorized access to your systems so those vulnerabilities can be addressed as soon as possible so that other threat actors can’t exploit them in the future.
  4. Identify and investigate all systems that may have been compromised. This step is part of your incident response process and is critical for preventing further damage and rooting out potential back doors left by the attackers. 
  5. Create threat modeling exercises and improve your cybersecurity training so that your team won’t be caught unaware again should a similar or related event occur in the future. 

How Can VirtualArmour Help?

Security experts like the VirtualArmour team use TTPs to help identify potentially suspicious activities. When a company like VirtualArmour is monitoring your network 24/7/365, one of the things our experts look for are TTPs. TTPs act like fingerprints: Our experts know what sort of patterns to look for and use that vast wealth of knowledge to help sift out potentially suspicious network activity from ordinary, harmless network activity. 

Should an incident occur, our experts can use TTPs to narrow down the list of suspects, potentially identify third parties that may be impacted (for example, if the phishing attack came from a Gmail email address that may mean Gmail has been compromised), and allow our team to trace the route of the attack back through your network, flagging potentially compromised systems for further investigation and identifying how the attacker was able to gain access.

Once we have that information, we can work with you to address your security posture’s current shortcomings and help you update your cybersecurity training so your employees are better able to identify potentially suspicious activities such as phishing emails. 

To help keep organizations like yours safe, we offer a variety of managed services and consulting services, including SOCaaS (security operations center as a service). Most SMBs don’t have the budget to maintain a full, in-house security team.

Virtual Armour SOC as a service offers a cost-effective solution: Our full team of cybersecurity experts and analysts act like an extension of your existing security team or can be used to supplement staff in IT light environments, managing and monitoring your network, devices, and digital assets.

VirtualArmour’s SOCaaS Premium Includes:

  • Managed Detection & Response
  • Enforcing Sanctioned Enterprise Applications
  • Endpoint Security Policies
  • Firewall Rule Management
  • Firewall Configuration
  • Security Incident Investigations
  • Regular Cadence Reporting
  • Identification of Vulnerable
  • Software/Hardware
  • Configuration Auditing for Security Gaps
  • Data Enrichment and Context for Alert

For more information about TTPs and their importance, or to get started improving your cybersecurity posture, please contact our team today. 

Post Categories

Related Posts