Terrorist tactics, techniques, and procedures

Last updated July 23, 2024

Tactics, techniques, and procedures (TTPs) is an essential concept in terrorism and cyber security studies.^[1] The role of TTPs in terrorism analysis is to identify individual patterns of behavior of a particular terrorist activity, or a particular terrorist organisation, and to examine and categorize more general tactics and weapons used by a particular terrorist activity, or a particular terrorist organisation.

Requirement to identify individual terrorism TTPs

The current approach to terrorism analysis involves an examination of individual terrorist's, or terrorist organisations' use of particular weapons, used in specific ways, and different tactics and strategies being exhibited.^[1] Broadly, a wide range of TTPs have been exhibited historically by individual terrorists, or terrorist organisations worldwide.^[2]

Key concepts

Evolution of TTPs

All terrorists, or terrorist organisations, worldwide historically have exhibited an evolution in TTPs. This can be as a result of:

changing circumstances
resource availability
changing ideologies, or "war-focus"

In the case of the Taliban, their tactics have consisted primarily of guerrilla-style improvised explosive device (IED) attacks and small-arms ambushes against international and state-level security forces and interests, such as police checkpoints and military supply convoys. However, more recently Taliban TTPs have expanded to include mass casualty attacks by suicide bombers and other suicide attacks in order to undermine the current government.

Kill-chain model

The kill-chain model (KCM) is a conceptual tool used in terrorism analysis and studies.^[1] All terrorists' or terrorist organisations' TTPs form part of understanding the terrorist kill chain, which is the pattern of transactional activities, link together in order for a terrorist act to take place. Broadly, this involves describing the "hierarchy of tasks and sub-tasks that may be involved in the execution", or in making a terrorist act happen.^[1] These can include the arrangement and sequence of activities a terrorist or terrorist organisation uses in planning, organizing, mobilizing, training, equipping and staging resources and operatives. These activities make up the terrorist's or terrorist organisations' modus operandi or "attack system".^[1] Four sets of steps make-up the full KCM:

The first set of activities are the "attack preparation steps". In terms of terrorism analysis, individual transactions, such as acquiring finances, acquiring expertise, acquiring materiel, munitions or capability, recruiting members, conducting reconnaissance, mission rehearsal, conducting an attack, have signatures that identify them as terrorist or criminal acts or are consistent with the operations of a specific individual, cell or group.
The second set of activities are called the "execution timeline". This identifies the timeline, along which the terrorist, or terrorist organisations various activities, leading up to an attack process flows time-wise.
The third set of activities are identified as "targeting". An individual or group would carry out some form of dedicated reconnaissance with the aim of identifying weaknesses in the site or operation; and with that information determine the best method of attack.
The fourth set of activities are identified as the "planning stages". These involve some type of planning activity embedded into the "kill chain", and are part of the process of organizing, mobilizing, training, equipping, staging, collecting resources and operatives. These make up the terrorist's or terrorist organisations' modus operandi, or its system of attack.

The KCM "sequence of activities"^[1] is not linear, but discontinuous. Three additional KCM scenarios can be identified:^[3]

An individual or group actively promotes a terrorist or extremist ideology on the internet, in books, pamphlets, etc. This is then picked up by another terrorist, or terrorist organisation, who then act on this.
Two or more parallel kill chain sequences of activities (by various individuals or groups) which are only indirectly connected by intermediary individuals or groups. Sharing similar beliefs, but as well crossing over into complementary beliefs or ideologies. Many such intermediaries can operate in this space, passing ideas and resources, even recruiting between the various terrorists, or terrorist organisations, groups and cells.
A terrorist or terrorist organisations picks up ideas, knowledge, etc., and jump-starts into various places along the "standard" concept of the KCM.

Transfer of TTPs

Terrorist TTPs are often transferred between various terrorists, or terrorist organisations, and they often learn from each other.^[4] The degree to which the transfer of TTPs occurs depends on their relative success when transferred to a different conflict, and a different environment. The similarities in TTPs between various terrorists, or terrorist organisations, across conflicts and periods suggest a transfer of information.

Explicit knowledge: This is the theoretical information which is often stored in hard copies, such as textbooks, manuals and on computers through PDF and video files. These are extremely easy to get a hold of, but without the appropriate teaching or experience, this easy access information is commonly not effectively used.
Tactical knowledge: Most commonly taught or learnt through experience and hands-on teaching. This requires training establishments to be organised. For terrorists, or terrorist organisations, acquiring this information is harder; however, it is seen as a more effective transfer of knowledge.

Key tactical concepts related to TTPs

Several key tactical concepts can be related to TTPs, which are typically used in terrorism or insurgency operations.

Related Research Articles

Counterterrorism, also known as anti-terrorism, relates to the practices, military tactics, techniques, and strategies that governments, law enforcement, businesses, and intelligence agencies use to combat or eliminate terrorism.

A lone wolf attack, or lone actor attack, is a particular kind of mass murder, committed in a public setting by an individual who plans and commits the act on their own. In the United States, such attacks are usually committed with firearms. In other countries, knives are sometimes used to commit mass stabbings. Although definitions vary, most databases require a minimum of four victims for the event to be considered a mass murder.

Terrorism and mass attacks in Canada includes acts of terrorism, as well as mass shootings, vehicle-ramming attacks, mass stabbings, and other such acts committed in Canada that people may associate with terroristic tactics but have not been classified as terrorism by the Canadian legal system.

The Terrorism Research Center (TRC) is a non-profit think tank focused on investigating and researching global terrorism issues through multi-disciplinary collaboration amongst a group of international experts.

Terrorism in Pakistan, according to the Ministry of Interior, poses a significant threat to the people of Pakistan. The wave of terrorism in Pakistan is believed to have started in 2000. Attacks and fatalities in Pakistan were on a "declining trend" between 2015 and 2019, but has gone back up from 2020-2022, with 971 fatalities in 2022.

Financial intelligence (FININT) is the gathering of information about the financial affairs of entities of interest, to understand their nature and capabilities, and predict their intentions. Generally the term applies in the context of law enforcement and related activities. One of the main purposes of financial intelligence is to identify financial transactions that may involve tax evasion, money laundering or some other criminal activity. FININT may also be involved in identifying financing of criminal and terrorist organisations. Financial intelligence can be broken down into two main areas, collection and analysis. Collection is normally done by a government agency, known as a financial intelligence organisation or Financial Intelligence Unit (FIU). The agency will collect raw transactional information and Suspicious activity reports (SAR) usually provided by banks and other entities as part of regulatory requirements. Data may be shared with other countries through intergovernmental networks. Analysis, may consist of scrutinizing a large volume of transactional data using data mining or data-matching techniques to identify persons potentially engaged in a particular activity. SARs can also be scrutinized and linked with other data to try to identify specific activity.

The counter-terrorism page primarily deals with special police or military organizations that carry out arrest or direct combat with terrorists.

<span class="mw-page-title-main">International counter-terrorism activities of the CIA</span>

After the Central Intelligence Agency lost its role as the coordinator of the entire United States Intelligence Community (IC), special coordinating structures were created by each president to fit his administrative style and the perceived level of threat from terrorists during his term.

Lashkar-e-Islam, also written as Laskhar-i-Islam, is a Deobandi jihadist terrorist group operating in Khyber District, Khyber-Pakhtunkhwa Province, Pakistan and the neighboring Nangarhar Province, Afghanistan.

CONTEST is the United Kingdom's counter-terrorism strategy, first developed by Sir David Omand and the Home Office in early 2003 as the immediate response to 9/11, and a revised version was made public in 2006. Further revisions were published on 24 March 2009, 11 July 2011 and June 2018. An Annual Report on the implementation of CONTEST was released in March 2010 and in April 2014. The aim of the strategy is "to reduce the risk to the UK and its interests overseas from terrorism so that people can go about their lives freely and with confidence." The success of this strategy is not linked to total elimination of the terrorist threat, but to reducing the threat sufficiently to allow the citizens a normal life free from fear.

Counter-IED efforts are done primarily by military and law enforcement with the assistance of the diplomatic and financial communities. It involves a comprehensive approach of countering the threat networks that employ improvised explosive devices (IEDs), defeating the devices themselves, and training others. Counter-IED, or C-IED, is usually part of a broader counter-terrorism, counter-insurgency, or law enforcement effort. Because IEDs are a subset of a number of forms of asymmetric warfare used by insurgents and terrorists, C-IED activities are principally against adversaries and not only against IEDs. C-IED treats the IED as a systemic problem and aims to defeat the IED threat networks themselves.

Interposing Tactics is tactical concept, developed under Terrorist Tactics, Techniques, and Procedures, to explain a tactical action where a small-scale action takes place between two combatants, where one manoeuvres into interposition or interjection within a tactical situation, and disrupts the action or activity, of the opponent.

A rhizome manoeuvre is a surprise attack in a built environment, made from an unexpected direction, such as through a wall or floor. It is a key concept in contemporary warfare tactics, techniques, and procedures.

Three-dimensional (3D) tactics analysis, is a tactical analysis methodology under the concept of terrorist tactics, techniques, and procedures, and is related to the rhizome manoeuvre. The approach is applicable to urban combat, and takes into account mass gatherings of people located in highly complex urban structures, incorporating features such as multi-level buildings, open spaces between buildings, crowd congregation points, and transport hubs.

Mimicking operations is a tactical concept, developed under Terrorist Tactics, Techniques, and Procedures, to explain a form of deception, commonly used by terrorists in their attacks. The concept is commonly used in military tactical modelling and scientific simulation; and is connected to the idea of shielding friendly forces from detection and deception.

Command and influence is a component of Military C2 and is a key aspect of Terrorist Tactics, Techniques, and Procedures.

Dynamic defence, is a key concept in Rhizome Manoeuvre, and Three-Dimensional (3D) Tactics Analysis, and is a key concept in contemporary Terrorist Tactics, Techniques, and Procedures.

The Counter Terrorism Department (Urdu: سررشتہِ تحقیقاتِ جرائم ، پاکستان; CTD) formerly known as the Crime Investigation Department (CID), are crime scene investigation, interrogation, anti-terrorism, and intelligence bureaus of the provincial police services of Pakistan.

Threat Intelligence Platform (TIP) is an emerging technology discipline that helps organizations aggregate, correlate, and analyze threat data from multiple sources in real time to support defensive actions. TIPs have evolved to address the growing amount of data generated by a variety of internal and external resources (such as system logs and threat intelligence feeds) and help security teams identify the threats that are relevant to their organization. By importing threat data from multiple sources and formats, correlating that data, and then exporting it into an organization’s existing security systems or ticketing systems, a TIP automates proactive threat management and mitigation. A true TIP differs from typical enterprise security products in that it is a system that can be programmed by outside developers, in particular, users of the platform. TIPs can also use APIs to gather data to generate configuration analysis, Whois information, reverse IP lookup, website content analysis, name servers, and SSL certificates.

<i>Terrorist Recognition Handbook</i> Book by Malcolm Nance

Terrorist Recognition Handbook: A Practitioner's Manual for Predicting and Identifying Terrorist Activities is a non-fiction book about counterterrorism strategies, written by U.S. Navy retired cryptology analyst Malcolm Nance. The book is intended to help law enforcement and intelligence officials with the professional practice of behavior analysis and criminal psychology of anticipating potential terrorists before they commit criminal acts. Nance draws from the field of traditional criminal analysis to posit that detecting domestic criminals is similar to determining which individuals are likely to commit acts of terrorism. The book provides resources for the law enforcement official including descriptions of devices used for possible bombs, a database of terrorist networks, and a list of references used. Nance gives the reader background on Al-Qaeda tactics, clandestine cell systems and sleeper agents, and terrorist communication methods.

References

1 2 3 4 5 6 Sullivan, J.P., Bauer, A. eds (2008). Terrorism Early Warning: 10 Years of Achievement in Fighting Terrorism and Crime. Los Angeles, CA: Los Angeles Sheriff’s Department.
↑ Flaherty, C. (2012) Dangerous Minds: Attps://eccp.poste.dككك Monograph on the Relationship Between Beliefs –Behaviours – Tactics. Published by OODA LOOP (7 September 2012).URL: http://www.oodaloop.com/security/2012/09/07/dangerous-minds-the-relationship-between-beliefs-behaviors-and-tactics/
1 2 Flaherty, C. (2012) Dangerous Minds: A Monograph on the Relationship Between Beliefs –Behaviours – Tactics. Published by OODA LOOP (7 September 2012).URL: http://www.oodaloop.com/security/2012/09/07/dangerous-minds-the-relationship-between-beliefs-behaviors-and-tactics/
↑ Hedges, M. Karasik, T. Evolving Terrorist Tactics, Techniques, and Procedures (TTP) Migration Across South Asia, Caucasus, and the Middle East. INEGMA Special Report No. 7. URL: "Archived copy" (PDF). Archived from the original (PDF) on 2012-09-04. Retrieved 2014-02-20.{{cite web}}: CS1 maint: archived copy as title (link)
↑ Flaherty, C. (2009) Interposing Tactics. Red Team Journal.com URL: https://redteamjournal.com/archive-blog/2009/12/04/interposing-tactics
↑ Flaherty, C.J. (December 2003) Mimicking Operations, Australian Army Journal. (1)2: 11-14. URL: http://www.army.gov.au/Our-future/LWSC/Our-publications/Australian-Army-Journal/Past-issues/~/media/Files/Our%20future/LWSC%20Publications/AAJ/2003Summer/02-InformationWarfareAndMi.pdf
↑ Flaherty, C. (2009) 2D Verses 3D Tactical Supremacy in Urban Operations. Journal of Information Warfare. (8)2: 13-24.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[Sullivan2008-1] 1 2 3 4 5 6 Sullivan, J.P., Bauer, A. eds (2008). Terrorism Early Warning: 10 Years of Achievement in Fighting Terrorism and Crime. Los Angeles, CA: Los Angeles Sheriff’s Department.

[2] Flaherty, C. (2012) Dangerous Minds: Attps://eccp.poste.dككك Monograph on the Relationship Between Beliefs –Behaviours – Tactics. Published by OODA LOOP (7 September 2012).URL: http://www.oodaloop.com/security/2012/09/07/dangerous-minds-the-relationship-between-beliefs-behaviors-and-tactics/

[oodaloop.com-3] 1 2 Flaherty, C. (2012) Dangerous Minds: A Monograph on the Relationship Between Beliefs –Behaviours – Tactics. Published by OODA LOOP (7 September 2012).URL: http://www.oodaloop.com/security/2012/09/07/dangerous-minds-the-relationship-between-beliefs-behaviors-and-tactics/

[4] Hedges, M. Karasik, T. Evolving Terrorist Tactics, Techniques, and Procedures (TTP) Migration Across South Asia, Caucasus, and the Middle East. INEGMA Special Report No. 7. URL: "Archived copy" (PDF). Archived from the original (PDF) on 2012-09-04. Retrieved 2014-02-20.{{cite web}}: CS1 maint: archived copy as title (link)

[5] Flaherty, C. (2009) Interposing Tactics. Red Team Journal.com URL: https://redteamjournal.com/archive-blog/2009/12/04/interposing-tactics

[6] Flaherty, C.J. (December 2003) Mimicking Operations, Australian Army Journal. (1)2: 11-14. URL: http://www.army.gov.au/Our-future/LWSC/Our-publications/Australian-Army-Journal/Past-issues/~/media/Files/Our%20future/LWSC%20Publications/AAJ/2003Summer/02-InformationWarfareAndMi.pdf

[Flaherty,_C._2009-7] Flaherty, C. (2009) 2D Verses 3D Tactical Supremacy in Urban Operations. Journal of Information Warfare. (8)2: 13-24.

[1]

[2]

[3]

[4]

[5]

[6]

[7]