Using ATT&CK for Cyber Threat Intelligence Training

The goal of this training is for students to understand the following:

  • What ATT&CK is and why it’s useful for cyber threat intelligence (CTI)
  • How to map to ATT&CK from both finished reporting and raw data
  • Why it’s challenging to store ATT&CK-mapped data and what you should consider when doing that
  • How to perform CTI analysis using ATT&CK-mapped data
  • How to make defensive recommendations based on CTI analysis

The training contains five modules that consist of videos and exercises that are linked below. This training was designed to be completed in approximately 4 hours, and may be completed solo or as a team. We recommend you view the video for each module, and when prompted, pause the video to access the exercise documents linked below and complete the exercises, then proceed with viewing the video to go over the exercise. A copy of all slides from the training are here.

The exercises in this training are based on a previous version of ATT&CK. We recommend using ATT&CK v6 and ATT&CK Navigator v2 if you want to match the training.

Training Modules

Exercise 2: Mapping from finished reporting

Warning: This exercise is based on a previous version of ATT&CK. We recommend using ATT&CK v6 if you want to match the training.

Cybereason Cobalt Kitty Report: we walk through this exercise in the video and slides. FireEye APT39 Report: we do not walk through this exercise in the video and slides, but if you would like more practice mapping finished reporting to ATT&CK, we recommend you do this exercise on your own.

Exercise 3: Working with raw data

Warning: This exercise is based on a previous version of ATT&CK. We recommend using ATT&CK v6 if you want to match the training.

Ticket 473822: we walk through this exercise in the video and slides Ticket 4473845: we walk through this exercise in the video and slides

Exercise 4: Comparing layers in ATT&CK Navigator

Warning: This exercise is based on a previous version of ATT&CK. We recommend using ATT&CK Navigator v2 if you want to match the training.

  • Comparing Layers in Navigator
    Provides detailed instructions for using Navigator to compare techniques used by APT39 and Cobalt Kitty (OceanLotus). You may find it useful to print this document (in color if possible) to have it as a reference as you work through the exercise on your screen.
  • APT39 and Cobalt Kitty techniques
    A list of the techniques used by APT39 and Cobalt Kitty (OceanLotus) extracted from the reports in Exercise 2. If you are already familiar with Navigator, you could use these techniques to try to create and compare layers yourself.

Exercise 5: Making defensive recommendations

Warning: This exercise is based on a previous version of ATT&CK. We recommend using ATT&CK v6 if you want to match the training.

Guided Exercise: we walk through this exercise in the video and slides. Unguided Exercise: we do not walk through this exercise in the video and slides, but if you would like more practice making defensive recommendations directly related to your own organization, we recommend you do this exercise on your own.