CTI Trainings

The goal of this training is for students to understand the following:

  • What ATT&CK is and why it’s useful for cyber threat intelligence (CTI)
  • How to map to ATT&CK from both finished reporting and raw data
  • Why it’s challenging to store ATT&CK-mapped data and what you should consider when doing that
  • How to perform CTI analysis using ATT&CK-mapped data
  • How to make defensive recommendations based on CTI analysis

The training contains five modules that consist of videos and exercises that are linked below. This training was designed to be completed in approximately 4 hours, and may be completed solo or as a team. We recommend you view the video for each module, and when prompted, pause the video to access the exercise documents linked below and complete the exercises, then proceed with viewing the video to go over the exercise. A copy of all slides from the training are here.

Warning: The exercises in this training are based on a previous version of ATT&CK. We recommend using ATT&CK v6 and ATT&CK Navigator v2 if you want to match the training.


Introducing training and understanding ATT&CK
Mapping to ATT&CK from finished reporting
Exercise 2: Mapping from finished reporting
Cybereason Cobalt Kitty Report (Guided)
FireEye APT39 Report (Unguided)
Mapping to ATT&CK from raw data
Exercise 3: Working with raw data
Ticket 473822 (Guided)
Ticket 473845 (Guided)
Storing and analyzing ATT&CK-mapped intel
Exercise 4: Comparing layers in ATT&CK Navigator
Making ATT&CK-mapped data actionable with defensive recommendations
Exercise 5: Making defensive recommendations