Indicator components have a close and interactive relationship but each component serves its own distinct function within that relationship and within the broader STIX language.
TTPs are “descriptive” in nature and are for characterizing the how and what of adversary behavior (what they are doing and how they are doing it). They are abstracted from specific observed instances within individual specific Incidents so that they may be more generally applicable in developing contextual understanding across Incidents, Campaign and Threat Actors.
Some simple examples of TTPs:
characterization of a particular malware family (e.g. Poison Ivy)
characterization of particular attack patterns (e.g. Subverting Environment Variable Values (CAPEC-13) for exploitation)
Indicators are “detective” in nature and are for specifying particular conditions that may exist to indicate the presence of a particular TTP along with relevant contextual information. Indicators are not used to characterize the particulars of any given adversary behavior, only how to detect it.
Some simple examples of Indicators:
specification of a pattern for a particular set of static or dynamic characteristics (e.g. specific activity patterns in logs) that indicate the execution of a particular attack pattern
Some simple examples of information you may have and guidance around which component (TTP or Indicator) you would use based on what you are looking to convey:
TTPs describe what and how an adversary acts and Indicators describe how to recognize what those actions might look like.
Using a non-cyber analogy, a specific approach to counterfeiting $100 dollar bills can be thought of as a TTP while the specific guidance for detecting bills (wrong color, bad watermark, etc.) using this approach can be thought of as Indicators.
Hopefully, when thought of this way it should be clear that each serves its own role and that you would never use one in place of the other.