CTI Trainings

The goal of this training is for students to understand the following:

  • Why ATT&CK is useful for cyber threat intelligence (CTI)
  • How to map to ATT&CK from both finished reporting and raw data
  • Why it’s challenging to store ATT&CK-mapped data and what you should consider when doing that
  • How to perform CTI analysis using ATT&CK-mapped data
  • How to make defensive recommendations based on CTI analysis

The training contains five modules that consist of videos and exercises that are linked below. This training was designed to be completed in approximately 4 hours, and may be completed solo or as a team. We recommend you view the video for each module, and when prompted, pause the video to access the exercise documents linked below and complete the exercises, then proceed with viewing the video to go over the exercise. A copy of all slides from the training are here.

Note:This training assumes an existing knowledge of ATT&CK and its primary concepts. We recommend reviewing the content from our ATT&CK Fundimentals Training before taking this training.

Note: The exercises in this training are based on a previous version of ATT&CK. We suggest using ATT&CK v8 and ATT&CK Navigator with ATT&CK v8 if you want exercise results to exactly match the training.


Introducing MITRE ATT&CK for Cyber Threat Intelligence Training
Mapping to ATT&CK from narrative reporting
Exercise 1: Mapping to a narrative report
Cybereason Cobalt Kitty Report (Guided)
FireEye APT39 Report (Unguided)
Mapping to ATT&CK from raw data
Exercise 2: Working with raw data
Ticket 473822 (Guided)
Ticket 473845 (Guided)
Storing and analyzing ATT&CK-mapped intelligence
Exercise 3: Comparing layers in ATT&CK Navigator
Making ATT&CK-mapped data actionable with defensive recommendations
Exercise 4: Making defensive recommendations