At the top of the pyramid, TTPs (tactics, techniques and procedures) are attacker behaviors such as spear-phishing or lateral movement. Disrupting these forces major changes in strategy, which makes this level the most impactful to defend at and also the most challenging.
Tools are software such as Metasploit or custom malware. Blocking tools forces attackers to find or build new ones, which is resource-heavy.
Host and network artifacts are traces such as registry keys or network beacons. Because they are tied to attacker infrastructure, they are harder to change.
Domain names are used for C2 or phishing. Blocking domains disrupts operations; attackers can switch to new ones, but doing so incurs a cost.
IP addresses belong to malicious infrastructure. They are easier to change than domains but still disruptive when blocked.
Hash values are file hashes (MD5, SHA) of malicious files. They are the easiest to detect and block, but also the simplest for attackers to alter.
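As an added example, not part of the original page: a small Python triage helper that buckets raw indicator strings into pyramid tiers by their shape and orders them highest-pain first, so detection-engineering effort goes to the durable ones. The regexes, the sample feed (a documentation IP range, example.net, a constructed hash and registry key) and the ATT&CK-style technique ID format are assumptions; tools have no atomic string form, so that tier is not classified here.

```python
import re
from enum import IntEnum
from typing import Optional

class Pain(IntEnum):
    """Pyramid of Pain tiers; a higher value costs the attacker more to change."""
    HASH = 1
    IP = 2
    DOMAIN = 3
    ARTIFACT = 4   # host/network artifacts: registry keys, paths, beacon headers
    TTP = 6        # tools (5) are skipped: tool names cannot be matched by shape

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5/SHA-1/SHA-256
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
ARTIFACT_RES = [
    re.compile(r"^HK(?:LM|CU|CR|U|CC)\\", re.I),   # Windows registry key
    re.compile(r"^(?:[a-z]:\\|/)", re.I),           # file-system path
    re.compile(r"^User-Agent:", re.I),              # beacon HTTP header
]
TTP_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")          # ATT&CK technique ID shape (assumed)

def classify(ioc: str) -> Optional[Pain]:
    """Map one indicator string to its pyramid tier, or None if unrecognised."""
    s = ioc.strip()
    if HASH_RE.match(s):
        return Pain.HASH
    if IPV4_RE.match(s) and all(int(o) <= 255 for o in s.split(".")):
        return Pain.IP
    if DOMAIN_RE.match(s):
        return Pain.DOMAIN
    if any(r.match(s) for r in ARTIFACT_RES):
        return Pain.ARTIFACT
    if TTP_RE.match(s):
        return Pain.TTP
    return None

def prioritize(feed):
    """Return (tier, ioc) pairs, highest-pain first, dropping unrecognised entries."""
    scored = [(t, i) for i in feed if (t := classify(i)) is not None]
    return sorted(scored, key=lambda p: p[0], reverse=True)

# Constructed sample feed (documentation IP range and example.net, not real IoCs).
SAMPLE_FEED = [
    "0123456789abcdef0123456789abcdef",
    "203.0.113.17",
    "c2.example.net",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    "T1566.001",
    "not-an-indicator",
]

if __name__ == "__main__":
    for tier, ioc in prioritize(SAMPLE_FEED):
        print(f"{tier.name:9} {ioc}")
```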