Threat Actors and TTPs
Not sure you’re ready?
Take the ~3-minute readiness diagnostic and see where you stand.
A network intrusion is not a spontaneous event of digital nature; it is a calculated, human-engineered campaign operating within the strict confines of system architecture. Just as a physicist understands that energy must move through a system according to fundamental laws, a security operations center (SOC) analyst must understand that an adversary can only manipulate a network by exploiting its logical rules. To defend a network, you cannot merely chase blinking alerts. You must understand the specific adversary generating those alerts, the exact mechanics of their attack, and the structural models that allow us to predict their next move.
To defeat an adversary, you must understand their motive, their capability, and their resources. Not all alerts in your SIEM are generated by the same class of attacker. We categorize threat actors precisely because their motives dictate their behavior on your network.

Nation-States and APTs
At the highest end of the sophistication spectrum, we find Advanced Persistent Threats (APTs). These are highly skilled and well-resourced threat actors that maintain long-term covert access to a target network. APT groups are frequently sponsored by or affiliated with nation-state governments. Because they possess immense funding and time, nation-state actors primarily engage in cyber espionage, intellectual property theft, or destructive attacks to advance geopolitical goals. If an APT compromises your environment, they are not looking for a quick payout; they are looking to embed themselves quietly for months or years.

Cybercriminal Syndicates
Contrasting the geopolitical goals of APTs, cybercriminal syndicates are highly organized groups motivated primarily by financial gain. They operate with corporate-level efficiency, complete with HR departments and customer support for their victims. To generate revenue, cybercriminals frequently use ransomware, data extortion, and business email compromise (BEC). When you are dealing with a cybercriminal, the attack will almost always culminate in a monetization event.

Hacktivists and Script Kiddies
Not all external attackers operate with high-level funding. Hacktivists conduct cyberattacks to promote a political agenda, social cause, or ideological belief. Their goal is visibility and disruption rather than stealth. Consequently, common hacktivist attack methods include website defacement, distributed denial-of-service (DDoS) campaigns, and doxing.

At the absolute bottom of the capability spectrum are script kiddies. These are unsophisticated threat actors who lack deep technical knowledge of computer systems. They rely entirely on pre-packaged exploitation tools and scripts created by more advanced hackers. While their capability is low, their volume is high, and they often cause accidental damage by deploying tools they do not fully understand.
The Threat From Within
Your perimeter defenses are completely irrelevant if the adversary is already inside. Insider threats possess legitimate, authorized access to an organization's network, facilities, or data. We divide these into three distinct categories:
- Malicious insiders: These individuals intentionally misuse legitimate access to steal data, commit fraud, or sabotage organizational systems. They are extraordinarily difficult to detect because their initial access is authorized.
- Negligent insiders: These users unintentionally compromise security through carelessness, such as falling for phishing scams or misconfiguring systems.
- Shadow IT: This occurs when employees use unauthorized applications or devices to perform work duties. Because it bypasses organizational security controls and monitoring, Shadow IT creates an unintentional insider threat, leaving the SOC completely blind to the data residing on those unauthorized systems.
When we analyze how these threat actors operate, we use a specific taxonomy. If you want to understand an attacker's behavior, you must learn to speak in TTPs.
- Tactics represent the high-level operational goals or objectives an adversary aims to achieve during a network intrusion. (The Why).
- Techniques describe the specific methods or mechanisms an adversary uses to achieve a tactical goal. (The How).
- Procedures represent the exact, granular steps, commands, or tools an adversary uses to execute a specific attack technique. (The What).
Let’s apply this to a real-world intrusion. Suppose an attacker wants to gain a foothold in your network.
- Tactic: The MITRE ATT&CK framework uses tactics such as Initial Access, Persistence, and Lateral Movement to categorize adversary goals. The goal here is Initial Access.
- Technique: To achieve this, the attacker might decide that spearphishing with a malicious attachment is a specific MITRE ATT&CK technique used to achieve the Initial Access tactic.
- Procedure: The attacker then uses a specific tool to harvest passwords once inside. An adversary using the Mimikatz tool to dump credentials from memory is an example of a specific attack procedure.
The Professor's Note: TTPs are the behavioral fingerprint of an adversary. Two completely different threat actors might use the same Technique (spearphishing), but their Procedures (the specific malware payloads and commands they type) will often betray their true identity.
To make sense of the infinite complexity of cyberattacks, the security industry has developed structural models. These frameworks allow us to categorize, predict, and disrupt adversary behavior.
The Lockheed Martin Cyber Kill Chain
Intrusions are not magic; they are mechanical. The Lockheed Martin Cyber Kill Chain outlines the sequential phases an adversary must complete to achieve a successful cyberattack. If you break the chain at any step, the attack fails. The seven phases of the Cyber Kill Chain are Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives.

MITRE ATT&CK
While the Kill Chain gives us the chronological sequence, MITRE ATT&CK gives us the encyclopedia of attacker behavior. The MITRE ATT&CK framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It maps out exactly how adversaries operate across different environments; specifically, the MITRE ATT&CK Enterprise matrix categorizes attack techniques used against Windows, macOS, Linux, and cloud environments.
In the real world, Security Operations Center (SOC) analysts map observed threat actor behaviors to the MITRE ATT&CK framework to develop robust behavioral detection rules. Instead of writing a rule to catch a specific virus, you write a rule to catch the technique the virus relies on.
The Diamond Model of Intrusion Analysis
When a SOC analyst steps back to look at the larger campaign, they use a different geometric construct. The Diamond Model of Intrusion Analysis focuses on the relationship between four core features: adversary, capability, infrastructure, and victim.
If you identify a specific piece of malware (Capability) communicating with a specific IP address (Infrastructure), the Diamond Model allows you to pivot and uncover who is behind the attack. Therefore, the Diamond Model of Intrusion Analysis is primarily used to track threat actor campaigns and attribute attacks to specific groups based on observed TTPs.
Let's walk through the physics of a modern breach. Threat actors continuously evolve to bypass your perimeter and internal defenses.
Infiltration and Evasion
Often, attackers bypass perimeter defenses entirely by targeting the weakest link in the trust chain. Supply chain attacks target vulnerabilities in third-party vendors, software updates, or hardware components to indirectly compromise a primary target.
Once inside, adversaries face a problem: how do they operate without triggering antivirus software? The answer is Living off the Land (LotL), an attack technique where adversaries use legitimate, pre-installed administrative tools to conduct malicious activities. By using tools that already belong on the system, Living off the Land techniques help adversaries evade signature-based detection mechanisms by blending in with normal administrative traffic. In modern SOC environments, you will find that PowerShell, Windows Management Instrumentation (WMI), and PsExec are frequently used in Living off the Land attacks.
Movement and Escalation
An attacker rarely lands exactly where the valuable data is stored. To find the data, they must expand their reach. Lateral movement involves an attacker expanding access from an initially compromised system to other systems within the same network.
However, they often land as a standard, unprivileged user. To disable security software or dump credentials, they require administrative rights. Privilege escalation occurs when an attacker obtains higher-level system permissions than were initially granted. To accomplish this, attackers frequently exploit unpatched software vulnerabilities or misconfigurations to achieve local system privilege escalation.

Communication and Exfiltration
The adversary must maintain an invisible tether to the compromised network to send instructions. Command and Control (C2) infrastructure allows threat actors to maintain communication with compromised systems inside a victim network.
Defenders naturally try to block the IP addresses and domain names associated with these C2 servers. In response, threat actors often use domain generation algorithms (DGAs) to dynamically create new C2 domains and evade static blocklists. A DGA acts like a cryptographic slot machine, generating thousands of random domain names a day, only one of which the attacker will actually register and use.
Ultimately, the intrusion culminates in the attacker's primary objective. Often, this is data exfiltration—the unauthorized transfer of sensitive information from a compromised network to an external location controlled by the attacker.
How do we actually stop these adversaries? We rely on forensic evidence and intelligence. Indicators of Compromise (IoCs) are forensic artifacts that signal a potential computer intrusion. As a defender, you will rely on threat intelligence feeds, which provide security teams with updated, actionable information on the latest adversary TTPs and associated IoCs.
However, not all IoCs are created equal. Common Indicators of Compromise include malicious IP addresses, known bad domain names, and file hash signatures. These are easy for a SOC to block, but they are also trivial for an attacker to change.
This brings us to the most vital concept in incident response: The Pyramid of Pain model illustrates the relationship between indicators of compromise and the difficulty adversaries face when those indicators are blocked.
| Level of the Pyramid | Indicator Type | Pain Caused to the Attacker when Blocked |
|---|---|---|
| Bottom (Trivial) | Hash Values | None. Attackers can flip a single bit to change a file's hash. |
| Middle (Moderate) | IP Addresses / Domain Names | Annoying. Attackers must register new domains or rent new servers. |
| Top (Tough) | Tactics, Techniques, and Procedures (TTPs) | Devastating. Forces the attacker to learn a completely new way to compromise systems. |

Notice what sits at the apex of the pyramid. Tactics, Techniques, and Procedures (TTPs) reside at the very top of the Pyramid of Pain. If you block a malware hash, the attacker recompiles the code in seconds. But blocking adversary TTPs forces attackers to completely reinvent their attack methodologies. If you strip an attacker of their ability to use PowerShell (a TTP), they must fundamentally redesign how they move through your network.
The Complexity of Attribution
When you have collected the IoCs and mapped the TTPs, the final question is: Who did this?
Threat attribution is the process of identifying the specific actor or group responsible for a cyberattack based on collected forensic evidence and TTPs. But attribution in cyberspace is incredibly difficult. Threat actors know you are watching, and they frequently engage in deception. False flag operations are deliberate attempts by threat actors to misdirect attribution by leaving artifacts typically associated with a different group. An APT operating out of Asia might intentionally compile their malware during Moscow business hours and leave Russian text strings in the code to deceive your analysts.
As an incident responder, your job is not merely to react to alerts. Your job is to understand the physics of the attack, map the TTPs to frameworks like MITRE ATT&CK, trace the steps along the Kill Chain, and push your defenses to the very top of the Pyramid of Pain.