1. Home
  2. Resources
  3. Learn More about ATT&CK
  4. Training
  5. CTI Training
Jump to Section

CTI Trainings

The goal of this training is for students to understand the following:

  • What ATT&CK is and why it’s useful for cyber threat intelligence (CTI)
  • How to map to ATT&CK from both finished reporting and raw data
  • Why it’s challenging to store ATT&CK-mapped data and what you should consider when doing that
  • How to perform CTI analysis using ATT&CK-mapped data
  • How to make defensive recommendations based on CTI analysis

The training contains five modules that consist of videos and exercises that are linked below. This training was designed to be completed in approximately 4 hours, and may be completed solo or as a team. We recommend you view the video for each module, and when prompted, pause the video to access the exercise documents linked below and complete the exercises, then proceed with viewing the video to go over the exercise. A copy of all slides from the training are here.

Warning: The exercises in this training are based on a previous version of ATT&CK. We recommend using ATT&CK v6 and ATT&CK Navigator v2 if you want to match the training.

Modules

Introducing training and understanding ATT&CK
MODULE 1
Mapping to ATT&CK from finished reporting
MODULE 2
Exercise 2: Mapping from finished reporting

  • Warning: This exercise is based on a previous version of ATT&CK. We recommend using ATT&CK v6 if you want to match the training.

Cybereason Cobalt Kitty Report (Guided)
  • Highlights Only Identifies the highlighted behaviors you should map to tactics and techniques for a more challenging exercise.
  • Tactic Hints Identifies the highlighted behaviors you should map to tactics and techniques for a more challenging exercise.
FireEye APT39 Report (Unguided)
  • Highlights Only Identifies the highlighted behaviors you should map to tactics and techniques for a more challenging exercise.
  • Answers One set of answers for the exercise
Mapping to ATT&CK from raw data
MODULE 3
Exercise 3: Working with raw data

  • Warning: This exercise is based on a previous version of ATT&CK. We recommend using ATT&CK v6 if you want to match the training.

Ticket 473822 (Guided)
  • Ticket 473822 Rich Text File Provides raw data from a simulated incident for you to use to annotate applicable ATT&CK tactics and techniques.
Ticket 473845 (Guided)
  • Ticket 473845 Rich Text File Provides raw data from a simulated incident for you to use to annotate applicable ATT&CK tactics and techniques.
Storing and analyzing ATT&CK-mapped intel
MODULE 4
Exercise 4: Comparing layers in ATT&CK Navigator

  • Warning: This exercise is based on a previous version of ATT&CK. We recommend using ATT&CK Navigator v2 if you want to match the training.

  • Comparing Layers in Navigator Provides detailed instructions for using Navigator to compare techniques used by APT39 and Cobalt Kitty (OceanLotus). You may find it useful to print this document (in color if possible) to have it as a reference as you work through the exercise on your screen.
  • APT39 and Cobalt Kitty techniques A list of the techniques used by APT39 and Cobalt Kitty (OceanLotus) extracted from the reports in Exercise 2. If you are already familiar with Navigator, you could use these techniques to try to create and compare layers yourself.
Making ATT&CK-mapped data actionable with defensive recommendations
MODULE 5
Exercise 5: Making defensive recommendations

  • Warning: This exercise is based on a previous version of ATT&CK. We recommend using ATT&CK v6 if you want to match the training.

  • Making Defensive Recommendations (Unguided) If you would like more practice making defensive recommendations directly related to your own organization, we recommend you do this exercise on your own. Provides steps for making defensive recommendations from ATT&CK techniques.