Activities aimed at abusing marketplaces and their users for fraud, money laundering, or even terrorist financing tend to follow certain patterns. In the world of cybersecurity, these are known as ‘tactics, techniques, and procedures’ – or ‘TTPs,’ for short.
Having a Trust and Safety team with insights into these behaviors can go a long way toward protecting a marketplace – including both its users and its employees – from nefarious activities.
This piece defines tactics, techniques, and procedures, explaining each component of the term separately. We’ll also outline why TTPs are important to know about, as well as some best practices to counter TTPs commonly used for cyberattacks and other marketplace abuse.
TTPs – or tactics, techniques, and procedures – refer to people’s behavioral patterns, usually in the context of threat actors. From a Trust and Safety or cybersecurity standpoint, TTPs involve understanding how cybercriminals operate to better detect, identify, and prevent malicious online acts.
The term has its roots in the standardization of how military units conduct themselves. More recently, however, it has come to be associated with analyzing terrorist tactics, techniques, and procedures – studying the behaviors, strategies, and weapons used by terrorists and terrorist organizations to aid counterterrorism efforts.
In relation to Trust and Safety, that refers to knowing how a marketplace could be used to finance terrorists or to launder money that is later used to fund terrorism. It also means understanding cyber fraud tactics, techniques, and procedures in order to stop other types of fraudsters from abusing a marketplace and its legitimate users and employees.
Let’s now break the term down into its component behavior categories.
The “tactics” part of TTPs refers to the general goal a threat actor wants to accomplish by abusing a marketplace. Are they looking to steal sensitive information? Make purchases at someone else’s expense? Harass other users for fun? Evade a ban from the marketplace to continue previous abusive behavior?
Understanding why fraudsters engage in abusive activity is the first step in figuring out what their targets are, and thus how to protect those assets.
The “techniques” part of TTPs refers to the methods and tools a threat actor utilizes in pursuit of a tactic. For example, if a fraudster is looking to steal marketplace users’ sensitive information, they may attempt to simply break into accounts and find it. Or they may impersonate a marketplace representative or other well-known person, and then use social engineering techniques to trick other users or employees into revealing this information.
Knowing what fraudsters are doing to accomplish their objectives allows Trust and Safety teams to monitor for those types of activities and quickly flag them as suspicious.
The “procedures” part of TTPs refers to the precise actions a threat actor takes to abuse a marketplace, from start to finish. This includes any preparatory work, such as gathering information on potential vulnerabilities in the marketplace to exploit. Another example is identifying key personnel within the marketplace to target for impersonation or account takeovers, for the purpose of phishing marketplace users or other employees.
In other words, “procedures” are how a fraudster specifically achieves a form of marketplace abuse towards some fraudulent end. This is the most important component for Trust and Safety teams to understand, for at least two reasons.
One is that it allows them to recognize fraud, money laundering, or terrorist financing as it’s happening on marketplaces in real time, and move quickly to shut it down. The other is that it allows them to identify the most vulnerable parts of a marketplace, so these can be shored up to stop malicious activity from happening in the first place.
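As an added illustration (not from the original article or any vendor's product), the sketch below treats a "procedure" as an ordered chain of events and flags accounts that complete it: a takeover-style login, then a rename that imitates marketplace staff, then messages to several users. The event schema, keyword list, time window, and recipient threshold are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Hypothetical event schema: (ISO timestamp, account, event type, detail).
# All events below are constructed sample data.
EVENTS = [
    ("2024-05-01T09:00:00", "acct_17", "login", "device=known"),
    ("2024-05-01T09:05:00", "acct_17", "message_sent", "to=user_a"),
    ("2024-05-02T02:10:00", "acct_42", "login", "device=new"),
    ("2024-05-02T02:12:00", "acct_42", "display_name_change", "Marketplace Support Team"),
    ("2024-05-02T02:15:00", "acct_42", "message_sent", "to=user_b"),
    ("2024-05-02T02:16:00", "acct_42", "message_sent", "to=user_c"),
    ("2024-05-02T02:17:00", "acct_42", "message_sent", "to=user_d"),
    ("2024-05-03T11:00:00", "acct_99", "display_name_change", "Support Fan"),
    ("2024-05-03T11:30:00", "acct_99", "message_sent", "to=user_e"),
]

STAFF_TERMS = ("support", "admin", "staff")  # assumed impersonation keywords
WINDOW = timedelta(hours=1)                  # assumed max duration of the chain
MIN_RECIPIENTS = 3                           # assumed fan-out threshold


def flag_takeover_impersonation(events):
    """Return accounts whose events match the ordered procedure:
    new-device login -> staff-like rename -> messages to many users."""
    by_account = {}
    for ts, acct, kind, detail in sorted(events):
        by_account.setdefault(acct, []).append(
            (datetime.fromisoformat(ts), kind, detail))
    flagged = []
    for acct, evs in by_account.items():
        start, stage, recipients = None, 0, set()
        for ts, kind, detail in evs:
            if start and ts - start > WINDOW:
                start, stage, recipients = None, 0, set()  # chain expired
            if kind == "login" and detail == "device=new":
                start, stage, recipients = ts, 1, set()    # step 1 restarts chain
            elif (stage == 1 and kind == "display_name_change"
                  and any(t in detail.lower() for t in STAFF_TERMS)):
                stage = 2                                   # step 2: impersonation
            elif stage == 2 and kind == "message_sent":
                recipients.add(detail)                      # step 3: outreach
                if len(recipients) >= MIN_RECIPIENTS:
                    flagged.append(acct)
                    break
    return flagged
```

Matching on the ordered chain rather than on any single event is what keeps `acct_99` (a staff-like rename with no preceding new-device login) from being flagged.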
Smaller marketplaces may not have the resources to study tactics, techniques, and procedures for cybersecurity extensively. However, there are several best practices they can employ to defend against the most common forms of fraud, money laundering, terrorist financing, and other marketplace abuses. Some suggestions include:
Any marketplace can be a target of fraud or even an unwitting staging ground for money laundering or terrorist financing. The good news is that these abusive activities are easier to spot, stop, and block if your Trust and Safety team members – and even other marketplace employees and users – know how they work.
Of course, having the right Trust and Safety tools to monitor and detect abusive activity patterns automatically doesn’t hurt, either. Contact Unit21 to schedule a demo of how our solution can help defend your marketplace, its employees, and its users from abusive TTPs.