Using Mitre ATT&CK for Cyber Threat Intelligence Training
https://attack.mitre.org/resources/training/cti/
Module 1: Introducing training and understanding ATT&CK
Module 2 with Exercise 2: Mapping to ATT&CK from finished reporting
Exercise 2: Mapping from finished reporting
Cybereason Cobalt Kitty Report: we walk through this exercise in the video and slides.
- Cybereason Cobalt Kitty Report: Highlights Only
Identifies the highlighted behaviors you should map to tactics and techniques – choose this for a more challenging exercise. - Cybereason Cobalt Kitty Report: Tactic Hints
Identifies the tactics for the highlighted behaviors so you just fill in the technique – choose this for a less challenging exercise. - Cybereason Cobalt Kitty Report: Answers
Provides one set of answers for the exercise. - Cybereason Cobalt Kitty Report: Original Report
For reference only if you would like to see the report in totality.
FireEye APT39 Report: we do not walk through this exercise in the video and slides, but if you would like more practice mapping finished reporting to ATT&CK, we recommend you do this exercise on your own.
- FireEye APT39 Report: Highlights Only
Identifies the highlighted behaviors you should map to tactics and techniques. - FireEye APT39 Report: Answers
Provides one set of answers for the exercise. - FireEye APT39 Report: Original Report
For reference only if you would like to see the report in totality.
Module 3 with Exercise 3: Mapping to ATT&CK from raw data
Exercise 3: Working with raw data
Ticket 473822: we walk through this exercise in the video and slides
- Ticket 473822 Rich Text File
Provides raw data from a simulated incident for you to use to annotate applicable ATT&CK tactics and techniques. - Ticket 473822 Answers
Provides one set of answers for the exercise.
Ticket 4473845: we walk through this exercise in the video and slides
- Ticket 4473845 Rich Text File
Provides raw data from a simulated incident for you to use to annotate applicable ATT&CK tactics and techniques. - Ticket 4473845 Answers
Provides one set of answers for the exercise.
Module 4 with Exercise 4: Storing and analyzing ATT&CK-mapped intel
Exercise 4: Comparing layers in ATT&CK Navigator
- Comparing Layers in Navigator
Provides detailed instructions for using Navigator to compare techniques used by APT39 and Cobalt Kitty (OceanLotus). You may find it useful to print this document (in color if possible) to have it as a reference as you work through the exercise on your screen. - APT39 and Cobalt Kitty techniques
A list of the techniques used by APT39 and Cobalt Kitty (OceanLotus) extracted from the reports in Exercise 2. If you are already familiar with Navigator, you could use these techniques to try to create and compare layers yourself.
Module 5 with Exercise 5: Making ATT&CK-mapped data actionable with defensive recommendations
Exercise 5: Making defensive recommendations
Guided Exercise: we walk through this exercise in the video and slides.
Guides you though steps for making defensive recommendations from ATT&CK techniques with specific questions and assumptions provided for each step.Unguided Exercise: we do not walk through this exercise in the video and slides, but if you would like more practice making defensive recommendations directly related to your own organization, we recommend you do this exercise on your own.
Provides steps for making defensive recommendations from ATT&CK techniques.
