1. Home
  2. Resources
  3. Learn More about ATT&CK
  4. Training
  5. CTI Training
Jump to Section

CTI Training

The goal of this training is for students to understand the following:

  • Why ATT&CK is useful for cyber threat intelligence (CTI)
  • How to map to ATT&CK from both finished reporting and raw data
  • Why it’s challenging to store ATT&CK-mapped data and what you should consider when doing that
  • How to perform CTI analysis using ATT&CK-mapped data
  • How to make defensive recommendations based on CTI analysis

The training contains five modules that consist of videos and exercises that are linked below. This training was designed to be completed in approximately 4 hours, and may be completed solo or as a team. We recommend you view the video for each module, and when prompted, pause the video to access the exercise documents linked below and complete the exercises, then proceed with viewing the video to go over the exercise. A copy of all slides from the training are here.

Note:This training assumes an existing knowledge of ATT&CK and its primary concepts. We recommend reviewing the content from our ATT&CK Fundamentals Training before taking this training.

Note: The exercises in this training are based on a previous version of ATT&CK. We suggest using ATT&CK v8 and ATT&CK Navigator with ATT&CK v8 if you want exercise results to exactly match the training.

Modules

Introducing MITRE ATT&CK for Cyber Threat Intelligence Training
MODULE 0
Mapping to ATT&CK from narrative reporting
MODULE 1
Exercise 1: Mapping to a narrative report

  • Note: This exercise is based on a previous version of ATT&CK. We recommend using ATT&CK v8 if you want to match the training.

Cybereason Cobalt Kitty Report (Guided)
  • Highlights Only Identifies the highlighted behaviors you should map to tactics and techniques for a more challenging exercise.
  • Tactic Hints Identifies the highlighted behaviors you should map to tactics and techniques for a more challenging exercise.
FireEye APT39 Report (Unguided)
  • Highlights Only Identifies the highlighted behaviors you should map to tactics and techniques for a more challenging exercise.
  • Answers One set of answers for the exercise
Mapping to ATT&CK from raw data
MODULE 2
Exercise 2: Working with raw data

  • Note: This exercise is based on a previous version of ATT&CK. We recommend using ATT&CK v8 if you want to match the training.

Ticket 473822 (Guided)
  • Ticket 473822 Rich Text File Provides raw data from a simulated incident for you to use to annotate applicable ATT&CK tactics and techniques.
Ticket 473845 (Guided)
  • Ticket 473845 Rich Text File Provides raw data from a simulated incident for you to use to annotate applicable ATT&CK tactics and techniques.
Storing and analyzing ATT&CK-mapped intelligence
MODULE 3
Exercise 3: Comparing layers in ATT&CK Navigator

  • Note: This exercise is based on a previous version of ATT&CK. We recommend using ATT&CK Navigator v2 if you want to match the training.

  • Comparing Layers in Navigator Provides detailed instructions for using Navigator to compare techniques used by APT39 and Cobalt Kitty (OceanLotus). You may find it useful to print this document (in color if possible) to have it as a reference as you work through the exercise on your screen.
  • APT39 and Cobalt Kitty techniques A list of the techniques used by APT39 and Cobalt Kitty (OceanLotus) extracted from the reports in Exercise 2. If you are already familiar with Navigator, you could use these techniques to try to create and compare layers yourself.
Making ATT&CK-mapped data actionable with defensive recommendations
MODULE 4
Exercise 4: Making defensive recommendations

  • Note: This exercise is based on a previous version of ATT&CK. We recommend using ATT&CK v8 if you want to match the training.

  • Making Defensive Recommendations (Unguided) If you would like more practice making defensive recommendations directly related to your own organization, we recommend you do this exercise on your own. Provides steps for making defensive recommendations from ATT&CK techniques.