Terrorist Tactics, Techniques, and Procedures

Last updated

Tactics, Techniques, and Procedures (TTPs) is an essential concept in terrorism and cyber security studies. [1] The role of TTPs in terrorism analysis is to identify individual patterns of behavior of a particular terrorist activity, or a particular terrorist organisation, and to examine and categorize more general tactics and weapons used by a particular terrorist activity, or a particular terrorist organisation.


Requirement to identify individual terrorism TTPs

The current approach to terrorism analysis involves an examination of individual terrorist, or terrorist organisations use of particular weapons, used in specific ways, and different tactics and strategies being exhibited. [1] Broadly, a wide range of TTPs have been exhibited historically by individual terrorist, or terrorist organisations worldwide. [2]

Key concepts

Evolution of TTPs

All terrorists, or terrorist organisations, worldwide historically have exhibited an evolution in TTPs. This can be as a result of:

In the case of the Taliban, their tactics have consisted primarily of guerrilla-style improvised explosive device (IED) attacks and small-arms ambushes against international and state-level security forces and interests, such as police checkpoints and military supply convoys. However, more recently Taliban TTPs have expanded to include mass casualty attacks by suicide bombers and other suicide attacks in order to undermine the current government.

Kill-chain model

The kill-chain model, and kill-chain model variations Flaherty Model of Terrorism Analysis Tactics, Techniques, and Procedures Kill Chain Model.jpg
The kill-chain model, and kill-chain model variations

The kill-chain model (KCM) is a conceptual tool used in terrorism analysis and studies. [1] All terrorists' or terrorist organisations' TTPs form part of understanding the terrorist kill chain, which is the pattern of transactional activities, link together in order for a terrorist act to take place. Broadly, this involves describing the 'hierarchy of tasks and sub-tasks that may be involved in the execution', or in making a terrorist act happen. [1] These can include the arrangement and sequence of activities a terrorist or terrorist organisation uses in planning, organizing, mobilizing, training, equipping and staging resources and operatives. These activities make up the terrorist or terrorist organisations' modus operandi or 'attack system'. [1] Four sets of steps make-up the full KCM:

The KCM “sequence of activities” [1] is not linear, but discontinuous. Three additional KCM scenarios can be identified: [3]

Transfer of Terrorist Tactics, Techniques and Procedures

Terrorist TTPs are often transferred between various terrorists, or terrorist organisations, and they often learn from each other. [4] The degree to which the transfer of TTPs occurs depends on their relative success when transferred to a different conflict, and a different environment. The similarities in TTPs between various terrorists, or terrorist organisations, across conflicts and periods suggest a transfer of information.

Several key tactical concepts can be related to TTPs, which are typically used in terrorism or insurgency operations.

Related Research Articles

Counter-terrorism Activity to defend against or prevent terrorist actions

Counter-terrorism, also known as anti-terrorism, incorporates the practice, military tactics, techniques, and strategy that government, military, law enforcement, business, and intelligence agencies use to combat or prevent terrorism. Counter-terrorism strategy is a government's plan to use the instruments of national power to neutralize terrorists, their organizations, and their networks in order to render them incapable of using violence to instill fear and to coerce the government or its citizens to react in accordance with the terrorists' goals.

Military intelligence Information about military opponents

Military intelligence is a military discipline that uses information collection and analysis approaches to provide guidance and direction to assist commanders in their decisions. This aim is achieved by providing an assessment of data from a range of sources, directed towards the commanders' mission requirements or responding to questions as part of operational or campaign planning. To provide an analysis, the commander's information requirements are first identified, which are then incorporated into intelligence collection, analysis, and dissemination.


Counterintelligence is an activity aimed at protecting an agency's intelligence program from an opposition's intelligence service. It includes gathering information and conducting activities to prevent espionage, sabotage, assassinations or other intelligence activities conducted for or on behalf of foreign powers, organizations or persons.

A lone actor, lone-actor terrorist, or lone wolf is someone who prepares and commits violent acts alone, outside of any command structure and without material assistance from any group. They may be influenced or motivated by the ideology and beliefs of an external group and may act in support of such a group. In its original sense, a "lone wolf" is an animal or person that generally lives or spends time alone instead of with a group.

Terrorism Research Center

The Terrorism Research Center (TRC) is non-profit think tank focused on investigating and researching global terrorism issues through multi-disciplinary collaboration amongst a group of international experts.

Terrorism in Pakistan according to Ministry of Interior, poses a significant threat to the people of Pakistan. The current wave of terrorism is believed to have started in 2000 and peaked during 2009. Since then it has drastically declined as result of military operations conducted by the Pakistan Army. According to South Asian Terrorism Portal Index (SATP), terrorism in Pakistan has declined by 89% in 2017 since 2009.

Terrorism financing is the provision of funds or providing financial support to individual terrorists or non-state actors.

Financial intelligence (FININT) is the gathering of information about the financial affairs of entities of interest, to understand their nature and capabilities, and predict their intentions. Generally the term applies in the context of law enforcement and related activities. One of the main purposes of financial intelligence is to identify financial transactions that may involve tax evasion, money laundering or some other criminal activity. FININT may also be involved in identifying financing of criminal and terrorist organisations. Financial intelligence can be broken down into two main areas, collection and analysis. Collection is normally done by a government agency, known as a financial intelligence organisation or Financial Intelligence Unit (FIU). The agency will collect raw transactional information and Suspicious activity reports (SAR) usually provided by banks and other entities as part of regulatory requirements. Data may be shared with other countries through intergovernmental networks. Analysis, may consist of scrutinizing a large volume of transactional data using data mining or data-matching techniques to identify persons potentially engaged in a particular activity. SARs can also be scrutinized and linked with other data to try to identify specific activity.

Police Tactical Group (PTG) is the generic term used to refer to highly trained Australian police tactical units that tactically manage and resolves high-risk incidents, including sieges, armed offender situations and terrorist incidents. Each State and Territory maintain a PTG able to respond and resolve high-risk incidents across their jurisdiction, and inter-State when required. Police Tactical Groups are fundamental to the Federal government's National Counter-Terrorism Plan (NCTP) to respond to major terrorist incidents in Australia. The Plan initially developed in 1980, then known as the National Anti-Terrorism Plan, is overseen by the Australia-New Zealand Counter-Terrorism Committee (ANZCTC). The Plan requires each state and territory police to maintain a police tactical unit designated as a Police Tactical Group which is jointly funded by the federal government and the respective state or territory government.

International counter-terrorism activities of the CIA

After the Central Intelligence Agency lost its role as the coordinator of the entire Intelligence Community (IC), special coordinating structures were created by each president to fit his administrative style and the perceived level of threat from terrorists during his term.

A surgically implanted improvised explosive device (SIIED) is an explosive device hidden inside the body of a person in order to commit a suicide attack. This type of terrorist weapon, more commonly known as Body Cavity Bomb (BCB), is only known to have been used once, in a failed assassination attempt.

Counter-IED efforts

Counter-IED efforts are done primarily by military and law enforcement with the assistance of the diplomatic and financial communities. It involves a comprehensive approach of countering the threat networks that employ improvised explosive devices (IEDs), defeating the devices themselves, and training others. Counter-IED, or C-IED, is usually part of a broader counter-terrorism, counter-insurgency, or law enforcement effort. Because IEDs are a subset of a number of forms of asymmetric warfare used by insurgents and terrorists, C-IED activities are principally against adversaries and not only against IEDs. C-IED treats the IED as a systemic problem and aims to defeat the IED threat networks themselves.

Interposing Tactics is tactical concept, developed under Terrorist Tactics, Techniques, and Procedures, to explain a tactical action where a small-scale action takes place between two combatants, where one manoeuvres into interposition or interjection within a tactical situation, and disrupts the action or activity, of the opponent.

Rhizome Manoeuvre is a key concept in contemporary warfare tactics, techniques, and procedures.

Three-Dimensional (3D) Tactics Analysis, is a tactical analysis methodology under the concept of Terrorist Tactics, Techniques, and Procedures, and is related to Rhizome Manoeuvre. The approach is applicable to urban combat, and takes into account mass gatherings of people located in highly complex urban structures, incorporating features such as multi-level buildings, open spaces between buildings, crowd congregation points, and transport hubs.

Mimicking operations is a tactical concept, developed under Terrorist Tactics, Techniques, and Procedures, to explain a form of deception, commonly used by terrorists in their attacks. The concept is commonly used in military tactical modelling and scientific simulation; and is connected to the idea of shielding friendly forces from detection and deception.

Command and influence is a component of Military C2 and is a key aspect of Terrorist Tactics, Techniques, and Procedures.

Dynamic defence, is a key concept in Rhizome Manoeuvre, and Three-Dimensional (3D) Tactics Analysis, and is a key concept in contemporary Terrorist Tactics, Techniques, and Procedures.

Threat Intelligence Platform is an emerging technology discipline that helps organizations aggregate, correlate, and analyze threat data from multiple sources in real time to support defensive actions. TIPs have evolved to address the growing amount of data generated by a variety of internal and external resources and help security teams identify the threats that are relevant to their organization. By importing threat data from multiple sources and formats, correlating that data, and then exporting it into an organization’s existing security systems or ticketing systems, a TIP automates proactive threat management and mitigation. A true TIP differs from typical enterprise security products in that it is a system that can be programmed by outside developers, in particular, users of the platform. TIPs can also use APIs to gather data to generate configuration analysis, Whois information, reverse IP lookup, website content analysis, name servers, and SSL certificates.

<i>Terrorist Recognition Handbook</i>

Terrorist Recognition Handbook: A Practitioner's Manual for Predicting and Identifying Terrorist Activities is a non-fiction book about counterterrorism strategies, written by U.S. Navy retired cryptology analyst Malcolm Nance. The book is intended to help law enforcement and intelligence officials with the professional practice of behavior analysis and criminal psychology of anticipating potential terrorists before they commit criminal acts. Nance draws from the field of traditional criminal analysis to posit that detecting domestic criminals is similar to determining which individuals are likely to commit acts of terrorism. The book provides resources for the law enforcement official including descriptions of devices used for possible bombs, a database of terrorist networks, and a list of references used. Nance gives the reader background on Al-Qaeda tactics, clandestine cell systems and sleeper agents, and terrorist communication methods.


  1. 1 2 3 4 5 6 Sullivan, J.P., Bauer, A. eds (2008). Terrorism Early Warning: 10 Years of Achievement in Fighting Terrorism and Crime. Los Angeles, CA: Los Angeles Sheriff’s Department.
  2. Flaherty, C. (2012) Dangerous Minds: Attps://eccp.poste.dككك Monograph on the Relationship Between Beliefs –Behaviours – Tactics. Published by OODA LOOP (7 September 2012).URL: http://www.oodaloop.com/security/2012/09/07/dangerous-minds-the-relationship-between-beliefs-behaviors-and-tactics/
  3. 1 2 Flaherty, C. (2012) Dangerous Minds: A Monograph on the Relationship Between Beliefs –Behaviours – Tactics. Published by OODA LOOP (7 September 2012).URL: http://www.oodaloop.com/security/2012/09/07/dangerous-minds-the-relationship-between-beliefs-behaviors-and-tactics/
  4. Hedges, M. Karasik, T. Evolving Terrorist Tactics, Techniques, and Procedures (TTP) Migration Across South Asia, Caucasus, and the Middle East. INEGMA Special Report No. 7. URL: "Archived copy" (PDF). Archived from the original (PDF) on 2012-09-04. Retrieved 2014-02-20.CS1 maint: archived copy as title (link)
  5. Flaherty, C. (2009) Interposing Tactics. Red Team Journal.com URL: https://redteamjournal.com/archive-blog/2009/12/04/interposing-tactics
  6. Flaherty, C.J. (December 2003) Mimicking Operations, Australian Army Journal. (1)2: 11-14. URL: http://www.army.gov.au/Our-future/LWSC/Our-publications/Australian-Army-Journal/Past-issues/~/media/Files/Our%20future/LWSC%20Publications/AAJ/2003Summer/02-InformationWarfareAndMi.pdf
  7. 1 2 Flaherty, C. (2009) 2D Verses 3D Tactical Supremacy in Urban Operations. Journal of Information Warfare. (8)2: 13-24.