JUST RELEASED: ATT&CK for Industrial Control Systems

Using ATT&CK for Cyber Threat Intelligence Training

The goal of this training is for students to understand the following:

  • What ATT&CK is and why it’s useful for cyber threat intelligence (CTI)
  • How to map to ATT&CK from both finished reporting and raw data
  • Why it’s challenging to store ATT&CK-mapped data and what you should consider when doing that
  • How to perform CTI analysis using ATT&CK-mapped data
  • How to make defensive recommendations based on CTI analysis

The training contains five modules that consist of videos and exercises that are linked below. This training was designed to be completed in approximately 4 hours, and may be completed solo or as a team. We recommend you view the video for each module, and when prompted, pause the video to access the exercise documents linked below and complete the exercises, then proceed with viewing the video to go over the exercise. A copy of all slides from the training are here.

Training Modules

Exercise 2: Mapping from finished reporting

Cybereason Cobalt Kitty Report: we walk through this exercise in the video and slides. FireEye APT39 Report: we do not walk through this exercise in the video and slides, but if you would like more practice mapping finished reporting to ATT&CK, we recommend you do this exercise on your own.

Exercise 3: Working with raw data

Ticket 473822: we walk through this exercise in the video and slides Ticket 4473845: we walk through this exercise in the video and slides

Exercise 4: Comparing layers in ATT&CK Navigator

  • Comparing Layers in Navigator
    Provides detailed instructions for using Navigator to compare techniques used by APT39 and Cobalt Kitty (OceanLotus). You may find it useful to print this document (in color if possible) to have it as a reference as you work through the exercise on your screen.
  • APT39 and Cobalt Kitty techniques
    A list of the techniques used by APT39 and Cobalt Kitty (OceanLotus) extracted from the reports in Exercise 2. If you are already familiar with Navigator, you could use these techniques to try to create and compare layers yourself.

Exercise 5: Making defensive recommendations

Guided Exercise: we walk through this exercise in the video and slides. Unguided Exercise: we do not walk through this exercise in the video and slides, but if you would like more practice making defensive recommendations directly related to your own organization, we recommend you do this exercise on your own.