Using ATT&CK for Cyber Threat Intelligence Training
The goal of this training is for students to understand the following:
- What ATT&CK is and why it’s useful for cyber threat intelligence (CTI)
- How to map to ATT&CK from both finished reporting and raw data
- Why it’s challenging to store ATT&CK-mapped data and what you should consider when doing that
- How to perform CTI analysis using ATT&CK-mapped data
- How to make defensive recommendations based on CTI analysis
The training contains five modules that consist of videos and exercises that are linked below. This training was designed to be completed in approximately 4 hours, and may be completed solo or as a team. We recommend you view the video for each module, and when prompted, pause the video to access the exercise documents linked below and complete the exercises, then proceed with viewing the video to go over the exercise. A copy of all slides from the training are here.
Training Modules
Module 1: Introducing training and understanding ATT&CK
Module 2 with Exercise 2: Mapping to ATT&CK from finished reporting
Exercise 2: Mapping from finished reporting
Cybereason Cobalt Kitty Report: we walk through this exercise in the video and slides.
-
Cybereason Cobalt Kitty Report: Highlights Only
Identifies the highlighted behaviors you should map to tactics and techniques – choose this for a more challenging exercise. -
Cybereason Cobalt Kitty Report: Tactic Hints
Identifies the tactics for the highlighted behaviors so you just fill in the technique – choose this for a less challenging exercise. -
Cybereason Cobalt Kitty Report: Answers
Provides one set of answers for the exercise. -
Cybereason Cobalt Kitty Report: Original Report
For reference only if you would like to see the report in totality.
-
FireEye APT39 Report: Highlights Only
Identifies the highlighted behaviors you should map to tactics and techniques. -
FireEye APT39 Report: Answers
Provides one set of answers for the exercise. -
FireEye APT39 Report: Original Report
For reference only if you would like to see the report in totality.
Module 3 with Exercise 3: Mapping to ATT&CK from raw data
Exercise 3: Working with raw data
Ticket 473822: we walk through this exercise in the video and slides
-
Ticket 473822 Rich Text File
Provides raw data from a simulated incident for you to use to annotate applicable ATT&CK tactics and techniques. -
Ticket 473822 Answers
Provides one set of answers for the exercise.
-
Ticket 4473845 Rich Text File
Provides raw data from a simulated incident for you to use to annotate applicable ATT&CK tactics and techniques. -
Ticket 4473845 Answers
Provides one set of answers for the exercise.
Module 4 with Exercise 4: Storing and analyzing ATT&CK-mapped intel
Exercise 4: Comparing layers in ATT&CK Navigator
-
Comparing Layers in Navigator
Provides detailed instructions for using Navigator to compare techniques used by APT39 and Cobalt Kitty (OceanLotus). You may find it useful to print this document (in color if possible) to have it as a reference as you work through the exercise on your screen. -
APT39 and Cobalt Kitty techniques
A list of the techniques used by APT39 and Cobalt Kitty (OceanLotus) extracted from the reports in Exercise 2. If you are already familiar with Navigator, you could use these techniques to try to create and compare layers yourself.
Module 5 with Exercise 5: Making ATT&CK-mapped data actionable with defensive recommendations
Exercise 5: Making defensive recommendations
Guided Exercise: we walk through this exercise in the video and slides.
- Making Defensive Recommendations Guided Exercise Rich Text Document Guides you though steps for making defensive recommendations from ATT&CK techniques with specific questions and assumptions provided for each step.
- Making Defensive Recommendations Unguided Exercise Provides steps for making defensive recommendations from ATT&CK techniques.