There are many types of hackers, from highly disciplined, well-funded nation-state attackers to ransomware gang members in their teens. While the media often portrays bad actors as unpredictable and volatile, in most cases, they are actually very predictable when it comes to their TTPs (Tactics, Techniques and Procedures).
In fact, according to our recent report, Ransomware 2025: A Resilient and Persistent Threat, ransomware families may come and go, but TTPs change less frequently. Attackers have refined their toolset, relying on the TTPs that work. And since there are plenty of victims to target, if they hit a hurdle with one victim, they can easily move on to the next. Attackers only change their TTPs when they are forced to do so.
Our research has found that a large number of attackers use legitimate software to carry out their attacks, an approach known as living off the land (LOTL). Malware tends to be deployed sparingly and may only appear at the conclusion of an attack (such as when a ransomware payload is deployed). In addition to using predictable TTPs, the attackers’ objectives also remain consistent: access the victim’s network, obtain sufficient privileges to move laterally across that network, exfiltrate the data and deploy an encrypting payload on the maximum number of machines within the network.
By coupling this learned predictability of the attackers’ tools and objectives with the capabilities of AI, organizations can take a more granular approach to identifying, mitigating and recovering from cyberattacks.