Tactics, Techniques, and Procedures (TTP): How the Language of Military and Threat Analysts Was Born from Carder Analysis

Professor

The idea: To explain how the need to systematize and classify thousands of carder schemes led to the adoption and adaptation of the military TTP approach, which has become the standard in cybersecurity.

Introduction: From the Chaos of Attacks to a Dictionary of Threats

In the early 2000s, information security specialists faced a digital deluge. A wave of phishing, skimming, and hacking — thousands of incidents, each with its own unique signature, yet clearly interconnected. Analysts were drowning in disparate data: the same fraudster was called "Actor-112" in a European report, "Group-G" in a US report, and simply "skimmer from Rostov" in a Russian bank's logs. There was no common language for describing the enemy. There was no system for understanding their plans, beyond simply acknowledging the fact of a hack. Paradoxically, the key to solving this problem came not from IT labs, but from military strategy and... from the chaotic yet method-rich world of carding. The analysis of thousands of their schemes became the testing ground where a universal adversary description language — TTP (Tactics, Techniques, and Procedures) — was honed and implemented into cybersecurity. This is the story of how the chaos of criminal creativity gave birth to a sophisticated science of cyberthreats.

Chapter 1: The Age of Nameless Ghosts: Why a New Language Was Needed

Before the systematic approach arrived, defenses responded to symptoms rather than to the disease.
  • Reacting to indicators of compromise (IoCs): "Block IP address 192.168.XX! Delete virus.exe!" It was like fighting a fire by throwing sand on individual flames, without understanding where or how the fire had started. Carders simply changed IP addresses and renamed files, and the defenders were once again playing catch-up. An IoC is the cheapest thing for an attacker to replace; a habit is the most expensive.
  • No forecasting. It was impossible to answer questions such as: What will this group do after the phishing stage? Where will their activity shift if we block this method? What is their ultimate goal?

Analysts understood that to win they needed to study not just "what broke" but the enemy's logic, habits and modus operandi. And the best textbook on modus operandi at the time was the countless, meticulously documented schemes of carders. Their forums, leaked databases and investigation reports became an inexhaustible source of data on how attacks were actually carried out.

Chapter 2: Borrowing from the Military Arsenal: What is TTP?

The military has long used the TTP concept to analyze the enemy:
  • Tactics — WHY? The high-level objective. Seizing a beachhead, destabilizing the rear, gathering intelligence. In cyberspace: financial gain (carding), data theft, sabotage.
  • Technique — HOW? A specific method for achieving the tactical goal. In military affairs: night attacks, drone use. In carding: email phishing, installing a skimmer on an ATM, SQL injection into a payment form.
  • Procedure — IN WHAT DETAIL? The concrete implementation of the technique, the "signature" of a specific group. What wordlists do these particular carders use in their phishing emails? What script do they use to check cards? What template does their fake website follow?

Example TTP for a carding group:
  • Tactics: Financial gain through theft of funds from bank cards.
  • Technique: Phishing to collect card data.
  • Procedure:
    1. Acquisition of an email database of users of a specific regional bank.
    2. Email with the subject "Card Blocked" sent from a fake domain similar to the bank's domain.
    3. Using a letter template with typical grammatical errors in the words "security" and "confirmation".
    4. Redirection to a phishing page that imitates the mobile version of online banking, with fields for entering the card number, expiration date, CVV, and SMS code.

Chapter 3: The Birth of a Language: How Carding Became a TTP Tutorial

It was in the world of carding that the TTP concept took on flesh and blood, because here everything was observable, consistent and driven by profit.
  1. Perfect observability. Carding leaves a clear trail: phishing emails, checker logs, website templates, skimmer designs. Every element could be collected, classified and linked.
  2. A clear tactical goal. The goal was always the same: money. This simplified the analysis, because every technique and procedure could be assessed through the single prism of its effectiveness for financial gain.
  3. Evolution in plain view. One could watch a successful procedure (for example, a specific phishing template) being copied by other groups until it hardened into a widely used technique, and watch phishing displace ATM skimming, a shift in preferred technique under the same tactic.

How it worked in practice: an analyst investigating a new phishing campaign no longer simply said, "It's phishing." He looked at:
  • Tactics: profit by stealing cards (standard).
  • Technique: phishing via SMS (smishing) from a spoofed sender number.
  • Procedure (unique signature): a short link on a .ru domain leading to an IP address in the Netherlands; message text with the characteristic error "card" where the bank's own messages say "card account".

By comparing this procedure against the database, he could predict with high confidence: "This is the Cupid group; they typically target clients of Ural banks, and about two weeks after collecting the data they will attempt to buy airline tickets through a specific intermediary website." Now the defense could act proactively: warn the targeted banks, watch the intermediary site, and flag ticket purchases made with freshly harvested cards before the money moves.
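The workflow of Chapters 2 and 3, and the "next move" prediction of Chapter 5, as an added example that is not part of the original post: a TTP record is split into tactic, technique and a set of observable procedure traits; an observed campaign is normalized into the same trait tokens and scored against every recorded procedure; a match above a threshold yields an attribution and the group's historically observed follow-on activity. The group names ("Cupid", "Mirage"), the traits and the follow-on moves are constructed for the example. T1566 (Phishing) and T1566.002 (Phishing: Spearphishing Link) are real ATT&CK identifiers; nothing else here is taken from ATT&CK.

```python
"""Attribute an observed campaign to a known group by comparing its procedure
(the group's signature) against a small TTP knowledge base, then report what
that group has historically done next.

Group names, procedure traits and follow-on moves are constructed for this
example. T1566 (Phishing) and T1566.002 (Phishing: Spearphishing Link) are
real ATT&CK identifiers; nothing else here is taken from ATT&CK.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class TTP:
    tactic: str                 # WHY: the objective
    technique: str              # HOW: the method
    attack_id: str              # ATT&CK technique ID the method maps to
    procedure: FrozenSet[str]   # IN WHAT DETAIL: observable traits of this group's implementation


@dataclass(frozen=True)
class Group:
    name: str
    ttps: Tuple[TTP, ...]
    next_moves: Tuple[str, ...]  # follow-on activity seen after a successful harvest


# Constructed knowledge base: two hypothetical carding groups and their signatures.
KNOWLEDGE_BASE: Tuple[Group, ...] = (
    Group(
        "Cupid",
        (TTP("financial-gain", "smishing", "T1566", frozenset({
            "channel:sms", "shortlink_tld:ru", "host_cc:NL",
            "typo:card_for_card_account", "target:ural_banks",
            "lure:card_blocked"})),),
        ("buy airline tickets through an intermediary site, ~14 days after harvest",),
    ),
    Group(
        "Mirage",
        (TTP("financial-gain", "email phishing", "T1566.002", frozenset({
            "channel:email", "lookalike_domain", "lure:card_blocked",
            "typo:security_confirmation", "page:mobile_banking_clone",
            "target:regional_bank"})),),
        ("run harvested numbers through a card checker", "cash out via mule accounts"),
    ),
)


def extract_traits(obs: Dict[str, object]) -> Set[str]:
    """Normalize a campaign observation into the trait tokens used by the KB.

    Only fields that are actually present become traits, so a partial
    observation is never penalized for what the analyst has not yet seen.
    """
    traits: Set[str] = {f"channel:{obs['channel']}"}
    if obs.get("lure"):
        traits.add("lure:" + str(obs["lure"]).lower().replace(" ", "_"))
    if obs.get("shortlink_tld"):
        traits.add("shortlink_tld:" + str(obs["shortlink_tld"]).lstrip("."))
    if obs.get("host_cc"):
        traits.add(f"host_cc:{obs['host_cc']}")
    for typo in obs.get("typos", []):
        traits.add(f"typo:{typo}")
    if obs.get("lookalike_domain"):
        traits.add("lookalike_domain")
    if obs.get("target"):
        traits.add(f"target:{obs['target']}")
    return traits


def jaccard(a: Set[str], b: FrozenSet[str]) -> float:
    """Overlap between observed traits and a recorded procedure (0.0 .. 1.0)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def attribute(obs: Dict[str, object], kb: Tuple[Group, ...] = KNOWLEDGE_BASE,
              threshold: float = 0.5) -> List[Tuple[str, str, float]]:
    """Return (group, attack_id, score) for every recorded procedure whose
    overlap with the observation reaches the threshold, best match first.
    An empty list means a procedure not yet on file: open a new dossier
    rather than force a match."""
    traits = extract_traits(obs)
    hits = []
    for group in kb:
        for ttp in group.ttps:
            score = jaccard(traits, ttp.procedure)
            if score >= threshold:
                hits.append((group.name, ttp.attack_id, round(score, 2)))
    return sorted(hits, key=lambda h: h[2], reverse=True)


def predict_next(group_name: str, kb: Tuple[Group, ...] = KNOWLEDGE_BASE) -> Tuple[str, ...]:
    """What the attributed group has done after a successful harvest before."""
    for group in kb:
        if group.name == group_name:
            return group.next_moves
    return ()


if __name__ == "__main__":
    # Constructed observation: the smishing campaign described in Chapter 3.
    campaign = {"channel": "sms", "shortlink_tld": ".ru", "host_cc": "NL",
                "typos": ["card_for_card_account"]}
    for name, attack_id, score in attribute(campaign):
        print(f"{name} ({attack_id}) score={score}; expected next: {predict_next(name)}")
```

The Jaccard score counts traits the knowledge base has on file but the observation lacks against the match, so a thin observation scores lower than a complete one; the threshold is the analyst's confidence bar, and a campaign that clears it for no recorded group is treated as a new procedure to document, not squeezed into the nearest existing dossier.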

Chapter 4: From Artisanal Analysis to Global Standards: MITRE ATT&CK

The TTP methodology, tested and honed in carding, proved so powerful that it formed the basis of global threat classification standards. The best known is the MITRE ATT&CK matrix.

MITRE ATT&CK is a vast taxonomy, an encyclopedia of TTPs for cyberspace. Its tactics are not organized by motive, but the stages where financially motivated crime concentrates (for example, Initial Access and Credential Access) are imprinted, like solidified lava, with the methods born during the heyday of carding.
  • Technique T1189: Drive-by Compromise – malware served to visitors' browsers from compromised websites, online stores included.
  • Technique T1566: Phishing – with a handful of sub-techniques (spearphishing attachment, spearphishing link, spearphishing via service, and others) capturing the delivery nuances analysts uncovered while studying carder emails.
  • The procedure examples in the matrix are real cases drawn from reports on financially motivated groups such as Carbanak or FIN7.

Carding provided the ideal model for fleshing out this matrix. It was complex enough to demonstrate a variety of techniques, and large enough to allow these techniques to be verified and categorized.

Chapter 5: Legacy: How TTPs Changed Security Today

Thanks to the language honed by carder analysis, cybersecurity made a quantum leap.
  • From reactive to proactive defense. Knowing a group's TTPs lets you build defenses not against its past attacks but against its next moves. If a group uses technique X to gain access, you must be prepared for it to use technique Y to move within the network, and you can deploy the detection for Y before the first alert for X ever fires.
  • A common language for the global community. Now, when discussing technique T1546.003 (Event Triggered Execution: Windows Management Instrumentation Event Subscription), an analyst from Japan and a specialist from Brazil understand each other without translation. This accelerates information sharing and joint countermeasures.
  • The development of threat intelligence. The profession of threat intelligence analyst essentially grew out of the need to systematically study and describe the TTPs of groups such as carders. Their reports today are detailed dossiers in which every procedure is dissected.

Conclusion: From Shadow to Structure: How Chaos Created Order

The history of TTP is the story of how the chaotic digital folklore of carding schemes transformed into a rigorous, scientific discipline. Those who once devised thousands of ways to bypass defenses unknowingly provided the raw material for the most powerful tool against themselves.

They became the unwitting co-authors of a new science—the science of cyberthreats. Their "creativity" forced defenders to stop thinking of hacking as an accident and start seeing it as a strategy, methodology, and process that can be studied, classified, and predicted.

Thus, the language of TTP is a bridge. A bridge from the era when we feared invisible and nameless "hackers" to an era when we deal with known adversaries whose habits, methods, and weaknesses are meticulously documented. And the first stone in the foundation of this bridge was laid thanks to the painstaking analysis of those who once thought only of short-term profit, unaware that they were writing a textbook for their future victors.