Sat. Jul 2nd, 2022







Planning Security? You must know TTP

In this new year of 2017 it is good to know your past so as not create the same situation in the future.

But what is TTP you say?

TTP – Tactics, Techniques, and Procedures.

By that I mean the tactics and procedures of you and your IT team of course.

Some call this acronym Tools, Techniques, and Procedures. Which is very close if not the same thing, as your IT team must have some tools to use within their tactics of defending the network and computer devices.

Interesting to note that TTP is not just in Cybersecurity, but also Terrorist security as well:

Oodaloop discusses a form of TTP,

OODA stands for Observe, Orient, Decide, and Act and this was originally developed by Col Boyd during the Korean war for use in Air-to-Air combat.

Image above from webpage

The OODA loop can apply to Cybersecurity with a small amount of tweaking.

The above image equates Observe with looking at network traffic and logs on the firewall and computer systems.

Orient is  where we analyze the logs and network traffic with a certain time delay, as it takes time and manpower to review these items. (this is also a place to do pentest or vulnerability analysis)

Decide is next where we have to decide what to do with the data we are analyzing. Of course Analyzing and deciding what to do can take time especially in large environments.

The final point in the process is to Act – Test, patch, and reconfigure .

As this video from Derbycon last year mentions we have to find ways to reduce our time to detection – use new methods, learn new methods.

As Marines say – Adapt, Overcome, Improvise, and get the job done.

So we need to continue to learn new methods of detecting threats into our environments.


The devil is in the details… as we have to find actual new threats to detect.  Testing those threats is a good idea and time is actually on the attackers side. As they only have to get in once and then the game changes. Once attackers are in your network now it is harder to deny more information and access to the data we are defending.

TTP is Tactics, Techniques and Procedure, and if the IT department is not aware of the new attacks the bad guys are coming in with, then the current actions are not good enough.  Knowing your TTP means understanding the OODA loop and it’s weaknesses.  Knowing your weaknesses should also allow you to review the areas where we need to review the most.

Notice the time delay in Boyd’s rule OODA and how I specifically added it in my drawing to signify our lack of forthright ability sometimes and general malaise. Especially when we don’t know the baseline for example (what is good and bad traffic?).

Is it enough to go about your day to entrust your network to a blue team (a blue team is the combined efforts to defend your network)

If we knew all the exact ways the attackers would attack we would never be breached. But we have to find new ways to find the new attacks that we don’t know about yet.

Remember more military axioms:

  1. Your best plans will change contact with the enemy
  2. What you really need to worry about is the unknown unknown… i.e. the breach that you cant see in any logs.


You don’t want to see your company in lights, in the papers, the online journals that explain how companies get breached.

Contact Us to help you with the process of improving detection of attackers, and improving your security policy.



By zafirt

One thought on “Planning Security? You must know TTP”

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.