Tactics, Techniques, and Procedures (TTPs)

Best Practices for Protection


Activities aimed at abusing marketplaces and their users for fraud, money laundering, or even terrorist financing tend to follow certain patterns. In the world of cybersecurity, these are known as ‘tactics, techniques, and procedures’ – or ‘TTPs,’ for short. 

Having a Trust and Safety team with insights into these behaviors can go a long way toward protecting a marketplace – including both its users and its employees – from nefarious activities.

This piece defines tactics, techniques, and procedures, explaining each component of the term separately. We’ll also outline why TTPs are important to know about, as well as some best practices for countering the TTPs commonly used in cyberattacks and other marketplace abuse.


What is ‘Tactics, Techniques, and Procedures (TTPs)’?

TTPs – or tactics, techniques, and procedures – refer to people’s behavioral patterns, usually in the context of threat actors. From a Trust and Safety or cybersecurity standpoint, TTPs involve understanding how cybercriminals operate to better detect, identify, and prevent malicious online acts.

The term has its roots in the standardization of how military units conduct themselves. More recently, however, it has come to be associated with analyzing terrorist tactics, techniques, and procedures – studying the behaviors, strategies, and weapons used by terrorists and terrorist organizations to aid counterterrorism efforts.

In relation to Trust and Safety, that refers to knowing how a marketplace could be used to finance terrorists or to launder money that is later used to fund terrorism. It also means understanding cyber fraud tactics, techniques, and procedures in order to stop other types of fraudsters from abusing a marketplace and its legitimate users and employees.

Let’s now break the term down into its component behavior categories.


Tactics

The “tactics” part of TTPs refers to the general goal a threat actor wants to accomplish by abusing a marketplace. Are they looking to steal sensitive information? Make purchases at someone else’s expense? Harass other users for fun? Evade a ban from the marketplace to continue previous abusive behavior?

Understanding why fraudsters engage in abusive activity is the first step in figuring out what their targets are, and thus how to protect those assets.


Techniques

The “techniques” part of TTPs refers to the methods and tools a threat actor utilizes in pursuit of a tactic. For example, if a fraudster is looking to steal marketplace users’ sensitive information, they may attempt to simply break into accounts and find it. Or they may impersonate a marketplace representative or other well-known person, and then use social engineering techniques to trick other users or employees into revealing this information.

Knowing what fraudsters are doing to accomplish their objectives allows Trust and Safety teams to monitor for those types of activities and quickly flag them as suspicious.


Procedures

The “procedures” part of TTPs refers to the precise actions a threat actor takes to abuse a marketplace, from start to finish. This includes any preparatory work, such as gathering information on potential vulnerabilities in the marketplace to exploit. Another example is identifying key personnel within the marketplace to target for impersonation or account takeovers, for the purpose of phishing marketplace users or other employees.

In other words, “procedures” are how a fraudster specifically achieves a form of marketplace abuse towards some fraudulent end. This is the most important component for Trust and Safety teams to understand, for at least two reasons.

One is that it allows them to recognize fraud, money laundering, or terrorist financing as it’s happening on marketplaces in real time, and move quickly to shut it down. The other is that it allows them to identify the most vulnerable parts of a marketplace, so these can be shored up to stop malicious activity from happening in the first place.

How to Protect Against Commonly Used TTPs

Smaller marketplaces may not have the resources to study tactics, techniques, and procedures for cybersecurity extensively. However, there are several best practices they can employ to defend against the most common forms of fraud, money laundering, terrorist financing, and other marketplace abuses. Some suggestions include:

  • Adopt multi-factor authentication: Multi-factor authentication adds a layer of security to accounts by requiring more than one credential. So even if a threat actor manages to guess an account password, they may still need access to a specific device or email account in order to input another password or click an authentication link.
  • Require strong passwords: Marketplace employees and users should be required to create sufficiently complex account passwords. These should have a minimum length of 14 characters and contain a mix of letters, numbers, and symbols.
  • Require (or at least recommend) password managers: In addition to making account access more efficient, password managers also often improve security by pointing out vulnerable passwords that are insufficiently complex or used for more than one account. 
  • Educate employees and users about phishing: Marketplace users and employees should be taught how to identify and handle fake communications that pretend to be from the marketplace. Employees, especially, should undergo practical training with dummy phishing attempts.
  • Keep software up-to-date: Cybercriminals continually work to find vulnerabilities in software to exploit. So software developers are continually working to find these weaknesses first and patch them. Don’t let marketplace abuse happen because threat actors take advantage of a problem in the system that the developers had already fixed.
  • Use the 3-2-1 backup method: A marketplace should make at least 3 copies of all sensitive data, store them on at least 2 different storage devices, and ensure that at least 1 of these devices is offsite (which can include a cloud storage service). This makes it easier to recover data and keep the marketplace running in the event that a cyberattack does happen. 
  • Create, document, and test a BCDR plan: Backing up data should be part of a broader Business Continuity and Disaster Recovery (BCDR) plan to ensure the marketplace can restore and maintain the platform’s functionality after a cyberattack. This plan should also be tested to determine how far back the marketplace can restore data, as well as how fast it can resume operation.
  • Perform risk assessments regularly: Every two to three years (if not more often), do an assessment of how vulnerable the marketplace is to abusive behaviors. This will reveal which parts of the marketplace’s risk management strategy need improvement.


Secure Your Marketplace Against Threat Actor TTPs with Unit21

Any marketplace can be a target of fraud or even an unwitting staging ground for money laundering or terrorist financing. The good news is that these abusive activities are easier to spot, stop, and block if your Trust and Safety team members – and even other marketplace employees and users – know how they work.

Of course, having the right Trust and Safety tools to monitor and detect abusive activity patterns automatically doesn’t hurt, either. Contact Unit21 to schedule a demo of how our solution can help defend your marketplace, its employees, and its users from abusive TTPs.