Tactics, techniques, and procedures (TTPs) are the behavior patterns and methodologies used by threat actors to plan, execute, and manage attacks against target systems or organizations.
Insider TTPs differ significantly from those of external attackers because insiders leverage legitimate access and institutional knowledge. Common insider TTPs include gradual data collection over time, use of legitimate tools for illegitimate purposes, exploitation of trust relationships, and timing of attacks to coincide with business events. The MITRE ATT&CK framework documents many insider-specific TTPs that organizations can use for detection and prevention.
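Gradual data collection is hard to detect because each day's activity stays under a per-day volume alert. The following sketch is an added example, not part of the original entry: it compares a per-day rule with a rolling-window rule measured against each user's own baseline. The user names, volumes, thresholds, and function names are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Thresholds are assumed values for illustration, not taken from the page.
DAILY_LIMIT_MB = 500   # per-day volume alert
BASELINE_DAYS = 14     # days used to learn each user's normal volume
WINDOW_DAYS = 7        # rolling window for cumulative volume
RATIO = 3.0            # alert when window total > RATIO x expected total


def sample_events():
    """Constructed records: (day, user, MB read from a sensitive share)."""
    events = []
    for day in range(28):
        events.append((day, "alice", 40 + 5 * (day % 3)))        # steady user
        events.append((day, "bob", 45 if day < 14 else 200))     # gradual, under daily limit
        events.append((day, "carol", 900 if day == 20 else 30))  # one-day burst
    return events


def per_user_daily(events):
    """Sum MB per user per day."""
    totals = defaultdict(lambda: defaultdict(float))
    for day, user, mb in events:
        totals[user][day] += mb
    return totals


def daily_rule(events):
    """Users with any single day above DAILY_LIMIT_MB."""
    return {u for u, days in per_user_daily(events).items()
            if any(mb > DAILY_LIMIT_MB for mb in days.values())}


def cumulative_rule(events):
    """First day each user's rolling-window total exceeds RATIO x their baseline."""
    flagged = {}
    for user, days in per_user_daily(events).items():
        baseline = median(days.get(d, 0.0) for d in range(BASELINE_DAYS))
        limit = RATIO * max(baseline, 1.0) * WINDOW_DAYS  # floor avoids a zero limit
        for end in range(BASELINE_DAYS, max(days) + 1):
            window = sum(days.get(d, 0.0) for d in range(end - WINDOW_DAYS + 1, end + 1))
            if window > limit:
                flagged[user] = end
                break
    return flagged

if __name__ == "__main__":
    print("daily:", daily_rule(sample_events()), "cumulative:", cumulative_rule(sample_events()))
```

On this constructed data the per-day rule flags only the one-day burst, while the rolling-window rule also flags the user whose daily volume never crosses the per-day limit.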