Create your own TTP Framework

January 2, 2025

When studying new cybersecurity content, it's essential to find effective ways to retain information and easily access it when needed.

To address this, I created my "Personal TTP Framework" on Obsidian during my preparation for the CPTS (Certified Penetration Tester Specialist) certification, establishing a layered structure similar to the MITRE ATT&CK framework.

The information is categorized into different layers: Tactics, Techniques, and Procedures.

1. Tactics

Tactics refer to a set of general goals during an attack. Mine are primarily based on the MITRE Enterprise tactics, which include:

These layers remain relevant today.

2. Techniques

A technique is the "how" to achieve the related tactic. My techniques are ever-expanding or regrouped as I learn new material. Start by creating your first technique based on the content you are studying.

3. Procedures

Procedures are specific implementations of a related technique. The difference between the MITRE framework and mine lies in how Procedures are defined. Here is how MITRE describes them:

"The two important aspects to note about procedures in ATT&CK are that it is how an adversary uses techniques and sub-techniques and that a procedure can span multiple techniques and sub-techniques."

MITRE ATT&CK: Design and Philosophy

On my end, I create one procedure for each specific workflow needed to perform my technique. The common denominator between MITRE's framework and mine is that "Procedures may also include use of specific tools in how they’re performed".
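To make the three layers concrete, here is an added example (not the author's vault or tooling) that parses a constructed, in-memory set of Obsidian-style notes and rebuilds the Tactic, Technique, Procedure tree, flagging any note whose link to its parent layer does not resolve. The front-matter keys (`layer`, `tactic`, `technique`) and the `[[wikilink]]` convention are assumptions about how such a vault could be organized.

```python
import re
from collections import defaultdict

# Constructed sample vault (note name -> note text). The front-matter keys
# "layer", "tactic" and "technique" and the [[wikilink]] convention are
# assumptions about how such a vault could be organized, not the author's.
VAULT = {
    "Discovery": "---\nlayer: tactic\n---\nGoal: learn about the environment.\n",
    "Network Service Discovery": '---\nlayer: technique\ntactic: "[[Discovery]]"\n---\n',
    "Service version scan (constructed)": '---\nlayer: procedure\ntechnique: "[[Network Service Discovery]]"\n---\n',
    "Orphan procedure (constructed)": '---\nlayer: procedure\ntechnique: "[[Missing Technique]]"\n---\n',
}
FRONT_MATTER = re.compile(r"\A---\n(.*?)\n---\n", re.S)
WIKILINK = re.compile(r"\[\[([^\]|]+)(?:\|[^\]]*)?\]\]")

def front_matter(text):
    """Parse simple 'key: value' front matter into a dict (no YAML library needed)."""
    m = FRONT_MATTER.match(text)
    fields = {}
    for line in (m.group(1).splitlines() if m else []):
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip().strip('"')
    return fields

def link_target(value):
    """Return the note name inside a [[wikilink]] value, or None."""
    m = WIKILINK.search(value or "")
    return m.group(1).strip() if m else None

def build_tree(vault):
    """Assemble tactic -> technique -> [procedures]; report links that do not resolve."""
    meta = {name: front_matter(text) for name, text in vault.items()}
    tree, errors = defaultdict(dict), []
    for name, fm in meta.items():                      # techniques first
        if fm.get("layer") == "technique":
            tactic = link_target(fm.get("tactic"))
            if meta.get(tactic, {}).get("layer") != "tactic":
                errors.append(f"{name}: tactic link {tactic!r} does not resolve")
            else:
                tree[tactic][name] = []
    for name, fm in meta.items():                      # then procedures
        if fm.get("layer") == "procedure":
            tech = link_target(fm.get("technique"))
            tactic = link_target(meta.get(tech, {}).get("tactic"))
            if tech not in tree.get(tactic, {}):       # technique or its tactic is missing
                errors.append(f"{name}: technique link {tech!r} does not resolve")
            else:
                tree[tactic][tech].append(name)
    return dict(tree), errors
```

Running `build_tree(VAULT)` yields one tactic holding one technique with one procedure, plus an error for the orphan note, which is the kind of consistency check that keeps a growing vault navigable.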

I now use this TTP framework daily (on HTB boxes and during internal assessments), and as I continue learning in the field, I expand my personal framework accordingly.