Extended Slovník

Tactics

Cybersecurity tactics are the specific methods, approaches, and actions employed by individuals, teams, or systems to achieve a particular security objective, whether it's defending against attacks, responding to incidents, or executing an offensive operation.

In cybersecurity, tactics refer to the detailed, actionable steps and techniques utilized to implement a broader security strategy. These can range from defensive measures like firewall rule configurations and intrusion detection system tuning, to offensive maneuvers used by ethical hackers in red teaming or by malicious actors to compromise systems. Tactics are granular and often involve the practical application of tools and procedures, forming the how-to component of cybersecurity. They are crucial for effective security operations, enabling teams to detect, prevent, and respond to cyber threats efficiently, and are often categorized and documented within frameworks like MITRE ATT&CK to standardize understanding of adversary behavior.

What are tactics in cybersecurity?

Tactics in cybersecurity represent the specific methods and actions taken to achieve a defined security objective. Unlike strategies, which outline high-level goals and overarching plans, tactics are the concrete, operational steps that bring those strategies to life. They answer the question: "How exactly do we accomplish this?"

Tactics can be broadly categorized into two domains:

  • Defensive tactics: Actions taken to protect systems, networks, and data. Examples include implementing network micro-segmentation to limit lateral movement of threats, configuring intrusion detection systems (IDS), deploying endpoint detection and response (EDR) tools, and hardening system configurations.
  • Offensive tactics: Techniques used during penetration testing, red team exercises, or adversary simulation to identify vulnerabilities. For instance, using a phishing campaign to gain initial access credentials for an internal network during a red team exercise is a common offensive tactic.

The MITRE ATT&CK Framework is one of the most widely referenced resources that organizes adversary tactics into categories such as Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Impact.

Why are cybersecurity tactics important?

Cybersecurity tactics are essential for several reasons:

  • Operational effectiveness: Without clearly defined tactics, security teams lack the actionable guidance needed to respond swiftly and effectively to threats.
  • Standardization: Frameworks such as MITRE ATT&CK and the NIST Cybersecurity Framework (CSF) provide a common language for describing adversary behavior and defensive responses, enabling better collaboration across organizations and industries.
  • Threat intelligence alignment: Understanding adversary tactics allows defenders to map threat intelligence to specific defensive actions, improving detection and response capabilities.
  • Compliance and governance: Many regulatory frameworks and standards, guided by organizations like CISA and ENISA, require organizations to demonstrate specific tactical security measures are in place.
  • Proactive defense: By studying offensive tactics, defenders can anticipate attack vectors and preemptively strengthen their security posture.

How to develop effective cybersecurity tactics?

Developing effective cybersecurity tactics requires a methodical approach that aligns operational actions with strategic objectives:

  1. Understand your threat landscape: Conduct thorough threat assessments and leverage threat intelligence feeds to identify the most relevant adversary tactics targeting your industry and infrastructure.
  2. Map to established frameworks: Use the MITRE ATT&CK matrix to map known adversary behaviors to your current defensive capabilities, identifying gaps.
  3. Prioritize based on risk: Not all tactics require equal investment. Perform risk assessments aligned with the NIST CSF to prioritize tactical measures that address the highest-impact threats.
  4. Invest in training: Leverage resources from institutions like the SANS Institute to ensure your security team is proficient in both defensive and offensive tactics.
  5. Test and validate: Regularly conduct red team/blue team exercises and penetration tests to validate the effectiveness of your tactics under realistic conditions.
  6. Iterate and improve: Tactics should evolve continuously based on lessons learned from incidents, exercises, and the changing threat landscape.

When to employ specific defensive tactics?

The timing and selection of defensive tactics depend on the phase of the security lifecycle and the nature of the threat:

  • Prevention phase: Deploy tactics such as network segmentation, access control hardening, patch management, and security awareness training before incidents occur.
  • Detection phase: Employ tactics like SIEM rule tuning, anomaly-based detection, log correlation, and threat hunting when monitoring for indicators of compromise (IOCs).
  • Response phase: Activate incident response tactics including containment (isolating affected systems), eradication (removing malicious artifacts), and recovery (restoring from clean backups) when a breach is confirmed.
  • Post-incident phase: Conduct forensic analysis, update detection rules, and revise playbooks based on lessons learned from the incident.

Organizations should also align their tactical deployment with guidance from CISA advisories and alerts, which often provide timely, actionable recommendations for specific emerging threats.

Which tactics are most effective against ransomware?

Ransomware remains one of the most impactful cyber threats. The following tactics have proven most effective in defending against it:

  • Network micro-segmentation: Limiting lateral movement prevents ransomware from spreading across the entire network once it gains initial access.
  • Robust backup and recovery: Maintaining offline, immutable backups ensures that organizations can restore data without paying ransoms.
  • Email security and phishing defense: Since many ransomware campaigns begin with phishing emails, deploying advanced email filtering, sandboxing, and user awareness training are critical front-line tactics.
  • Endpoint detection and response (EDR): EDR solutions can detect and block ransomware behavior patterns such as mass file encryption in real time.
  • Privilege management: Implementing the principle of least privilege and securing administrative credentials reduces the blast radius of a ransomware infection.
  • Patch management: Promptly patching known vulnerabilities, particularly those listed in CISA's Known Exploited Vulnerabilities Catalog, eliminates common entry points for ransomware operators.
  • Threat intelligence integration: Staying informed about emerging ransomware variants and their specific tactics, techniques, and procedures (TTPs) through the MITRE ATT&CK framework enables proactive defense adjustments.

By combining these tactics into a layered, defense-in-depth approach, organizations can significantly reduce their risk exposure to ransomware and other sophisticated cyber threats.

← Back to Glossary