
Using ATT&CK for CTI Training | MITRE ATT&CK®

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v9/theme/favicon.ico" type='image/x-icon'> <title>Using ATT&CK for CTI Training | MITRE ATT&CK&reg;</title> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-glyphicon.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-tourist.css" /> <link rel="stylesheet" type="text/css" href="/versions/v9/theme/style.min.css?426cc53a"> </head> <body> <!--stopindex--> <header> <nav class='navbar navbar-expand-lg navbar-dark fixed-top'> <a class='navbar-brand' href="/versions/v9/"><img src="/versions/v9/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item"> <a href="/versions/v9/matrices/" class="nav-link" ><b>Matrices</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a 
class="dropdown-item" href="/versions/v9/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/tactics/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/techniques/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/mitigations/mobile/">Mobile</a> </div> </li> <li class="nav-item"> <a href="/versions/v9/groups" class="nav-link" ><b>Groups</b></a> </li> <li class="nav-item"> <a href="/versions/v9/software/" class="nav-link" ><b>Software</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/resources/">General Information</a> <a class="dropdown-item" href="/versions/v9/resources/getting-started/">Getting Started</a> <a class="dropdown-item" href="/versions/v9/resources/training/">Training</a> <a class="dropdown-item" href="/versions/v9/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v9/resources/working-with-attack/">Working with ATT&CK</a> <a 
class="dropdown-item" href="/versions/v9/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/updates/">Updates</a> <a class="dropdown-item" href="/resources/versions/">Versions of ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/related-projects/">Related Projects</a> </div> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/versions/v9/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <a href="/versions/v9/resources/contribute/" class="nav-link" ><b>Contribute</b></a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div class="search-icon"></div></button> </li> </ul> </div> </nav> </header> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v9/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v9.0" target="_blank">ATT&CK v9.0</a> which was live between April 29, 2021 and October 20, 2021. 
<a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div id='content' class="maincontent"> <!--start-indexing-for-search--> <div class='container-fluid h-100'> <div class='row h-100'> <div class="nav flex-column col-xl-2 col-lg-3 col-md-3 sidebar nav pt-5 pb-3 pl-3 border-right" id="v-tab" role="tablist" aria-orientation="vertical"> <div id="v-tab" role="tablist" aria-orientation="vertical"> <span class="heading" id="v-home-tab" aria-selected="false">TRAINING</span> <div class="sidenav"> <div class="sidenav-head" id="0-0"> <a href="/versions/v9/resources/training/"> Overview </a> </div> </div> <div class="sidenav"> <div class="sidenav-head active" id="cti-cti"> <a href="/versions/v9/resources/training/cti/"> CTI Training </a> </div> </div> </div> </div> <div class="tab-content col-xl-10 col-lg-9 col-md-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <!--stopindex--> <div class="px-3"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v9/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v9/resources">Resources</a></li> <li class="breadcrumb-item"><a href="/versions/v9/resources/training">ATT&CK Training</a></li> <li class="breadcrumb-item">CTI Training</li> </ol> </div> <div class="row pl-5 uniform-block"> <div class="col-10"> <div class="clearfix pb-3"> <div class="clearfix"> <h2>Using ATT&CK for Cyber Threat Intelligence Training</h2> <p> The goal of this training is for students to understand the following: </p> <ul> <li>What ATT&CK is and why it’s useful for cyber threat intelligence (CTI)</li> <li>How to map to ATT&CK from both finished reporting and raw data</li> <li>Why it’s challenging to store ATT&CK-mapped data and what you should consider when doing that</li> <li>How to perform CTI analysis using ATT&CK-mapped data</li> <li>How to make defensive recommendations based 
on CTI analysis</li> </ul> <p> The training contains five modules that consist of videos and exercises that are linked below. This training was designed to be completed in approximately 4 hours, and may be completed solo or as a team. We recommend you view the video for each module, and when prompted, pause the video to access the exercise documents linked below and complete the exercises, then proceed with viewing the video to go over the exercise. A copy of all slides from the training is available <a href="/docs/training-cti/CTI%20Workshop%20Full%20Slides.pdf" target="_blank">here</a>. </p> <p> The exercises in this training are based on a previous version of ATT&CK. We recommend using <a href="https://attack.mitre.org/versions/v6/">ATT&CK v6</a> and <a href="https://mitre-attack.github.io/attack-navigator/v2/enterprise/">ATT&CK Navigator v2</a> if you want to match the training. </p> </div> <div class="clearfix training pb-3"> <h2 >Training Modules</h2> <div class="card-block w-100"> <!-- module 1 --> <div class="card w-100"> <div class="card-header collapsed" id="module-one-header" data-toggle="collapse" data-target="#module-one-body" aria-expanded="false" aria-controls="module-one-body"> <h5 class="mb-0"> Module 1: Introducing training and understanding ATT&CK </h5> </div> <div id="module-one-body" class="collapse" aria-labelledby="module-one-header"> <div class="card-body"> <ul class="mb-0"> <li> <div class="mb-2"><a href="https://www.youtube.com/watch?v=mm4j4g3NL-Q&list=PLkTApXQou_8IlkPDzY8vroxBLLhbZbqqC&index=1" target="_blank">Module 1 Video <img width="10" src="/versions/v9/theme/images/external-site-dark.jpeg"></a></div> </li> <li> <div><a href="/docs/training-cti/Module%201%20Slides.pdf" target="_blank">Module 1 Slides</a></div> </li> </ul> </div> </div> </div> <!-- module 2 --> <div class="card w-100 mt-1"> <div class="card-header collapsed" id="module-two-header" data-toggle="collapse" data-target="#module-two-body" aria-expanded="false" 
aria-controls="module-one-body"> <h5 class="mb-0"> Module 2 with Exercise 2: Mapping to ATT&CK from finished reporting </h5> </div> <div id="module-two-body" class="collapse" aria-labelledby="module-two-header"> <div class="card-body"> <ul> <li> <div class="mb-2"><a href="https://www.youtube.com/watch?v=VUqdytInxRg&list=PLkTApXQou_8IlkPDzY8vroxBLLhbZbqqC&index=2" target="_blank">Module 2 Video <img width="10" src="/versions/v9/theme/images/external-site-dark.jpeg"></a></div> </li> <li> <div class="mb-2"><a href="/docs/training-cti/Module%202%20Slides.pdf" target="_blank">Module 2 Slides</a></div> </li> </ul> <h4>Exercise 2: Mapping from finished reporting </h4> <p class="card-text border border-danger p-3 mb-2 rounded"> <span class="font-weight-bold text-danger">Warning:</span> This exercise is based on a previous version of ATT&CK. We recommend using <a href="https://attack.mitre.org/versions/v6/">ATT&CK v6</a> if you want to match the training. </p> <div class="exercise p-3"> <strong>Cybereason Cobalt Kitty Report</strong>: we walk through this exercise in the video and slides. 
<ul> <li> <a href="/docs/training-cti/Cybereason%20Cobalt%20Kitty%20-%20highlights%20only.pdf" target="_blank">Cybereason Cobalt Kitty Report: Highlights Only</a> <br> <em>Identifies the highlighted behaviors you should map to tactics and techniques – choose this for a more challenging exercise.</em> </li> <li> <a href="/docs/training-cti/Cybereason%20Cobalt%20Kitty%20-%20tactic%20hints.pdf" target="_blank">Cybereason Cobalt Kitty Report: Tactic Hints</a> <br> <em>Identifies the tactics for the highlighted behaviors so you just fill in the technique – choose this for a less challenging exercise.</em> </li> <li> <a href="/docs/training-cti/Cybereason%20Cobalt%20Kitty%20-%20answers.pdf" target="_blank">Cybereason Cobalt Kitty Report: Answers</a> <br> <em>Provides one set of answers for the exercise.</em> </li> <li> <a href="/docs/training-cti/Cybereason%20Cobalt%20Kitty%20-%20original%20report.pdf" target="_blank">Cybereason Cobalt Kitty Report: Original Report</a> <br> <em>For reference only if you would like to see the report in totality.</em> </li> </ul> <strong>FireEye APT39 Report</strong>: we do not walk through this exercise in the video and slides, but if you would like more practice mapping finished reporting to ATT&CK, we recommend you do this exercise on your own. 
<ul> <li> <a href="/docs/training-cti/FireEye%20APT39%20-%20highlights%20only.pdf" target="_blank">FireEye APT39 Report: Highlights Only</a> <br> <em>Identifies the highlighted behaviors you should map to tactics and techniques.</em> </li> <li> <a href="/docs/training-cti/FireEye%20APT39%20-%20answers.pdf" target="_blank">FireEye APT39 Report: Answers</a> <br> <em>Provides one set of answers for the exercise.</em> </li> <li> <a href="/docs/training-cti/FireEye%20APT39%20-%20original%20report.pdf" target="_blank">FireEye APT39 Report: Original Report</a> <br> <em>For reference only if you would like to see the report in totality.</em> </li> </ul> </div> </div> </div> </div> <!-- module 3 --> <div class="card w-100 mt-1"> <div class="card-header collapsed" id="module-three-header" data-toggle="collapse" data-target="#module-three-body" aria-expanded="false" aria-controls="module-one-body"> <h5 class="mb-0"> Module 3 with Exercise 3: Mapping to ATT&CK from raw data </h5> </div> <div id="module-three-body" class="collapse" aria-labelledby="module-three-header"> <div class="card-body"> <ul> <li> <div class="mb-2"><a href="https://www.youtube.com/watch?v=0p1UFnBWgj8&list=PLkTApXQou_8IlkPDzY8vroxBLLhbZbqqC&index=3" target="_blank">Module 3 Video <img width="10" src="/versions/v9/theme/images/external-site-dark.jpeg"></a></div> </li> <li> <div class="mb-2"><a href="/docs/training-cti/Module%203%20Slides.pdf" target="_blank">Module 3 Slides</a></div> </li> </ul> <h4>Exercise 3: Working with raw data </h4> <p class="card-text border border-danger p-3 mb-2 rounded"> <span class="font-weight-bold text-danger">Warning:</span> This exercise is based on a previous version of ATT&CK. We recommend using <a href="https://attack.mitre.org/versions/v6/">ATT&CK v6</a> if you want to match the training. 
</p> <div class="exercise p-3"> <strong>Ticket 473822</strong>: we walk through this exercise in the video and slides <ul> <li> <a href="/versions/v9/docs/training-cti/ticket-473822.rtf" target="_blank">Ticket 473822 Rich Text File</a> <br> <em>Provides raw data from a simulated incident for you to use to annotate applicable ATT&CK tactics and techniques.</em> </li> <li> <a href="/docs/training-cti/ticket-473822%20answers.pdf" target="_blank">Ticket 473822 Answers</a> <br> <em>Provides one set of answers for the exercise.</em> </li> </ul> <strong>Ticket 473845</strong>: we walk through this exercise in the video and slides <ul> <li> <a href="/versions/v9/docs/training-cti/ticket-473845.rtf" target="_blank">Ticket 473845 Rich Text File</a> <br> <em>Provides raw data from a simulated incident for you to use to annotate applicable ATT&CK tactics and techniques.</em> </li> <li> <a href="/docs/training-cti/ticket-473845%20answers.pdf" target="_blank">Ticket 473845 Answers</a> <br> <em>Provides one set of answers for the exercise.</em> </li> </ul> </div> </div> </div> </div> <!-- module 4 --> <div class="card w-100 mt-1"> <div class="card-header collapsed" id="module-four-header" data-toggle="collapse" data-target="#module-four-body" aria-expanded="false" aria-controls="module-one-body"> <h5 class="mb-0"> Module 4 with Exercise 4: Storing and analyzing ATT&CK-mapped intel </h5> </div> <div id="module-four-body" class="collapse" aria-labelledby="module-four-header"> <div class="card-body"> <ul> <li> <div class="mb-2"><a href="https://www.youtube.com/watch?v=8wLGeMPx7Qw&list=PLkTApXQou_8IlkPDzY8vroxBLLhbZbqqC&index=4" target="_blank">Module 4 Video <img width="10" src="/versions/v9/theme/images/external-site-dark.jpeg"></a></div> </li> <li> <div class="mb-2"><a href="/docs/training-cti/Module%204%20Slides.pdf" target="_blank">Module 4 Slides</a></div> </li> </ul> <h4>Exercise 4: Comparing layers in ATT&CK Navigator </h4> <p class="card-text border border-danger p-3 mb-2 
rounded"> <span class="font-weight-bold text-danger">Warning:</span> This exercise is based on a previous version of ATT&CK. We recommend using <a href=" https://mitre-attack.github.io/attack-navigator/v2/enterprise/">ATT&CK Navigator v2</a> if you want to match the training. </p> <div class="exercise p-3"> <ul> <li> <a href="/docs/training-cti/Comparing%20Layers%20in%20Navigator.pdf" target="_blank">Comparing Layers in Navigator</a> <br> <em>Provides detailed instructions for using Navigator to compare techniques used by APT39 and Cobalt Kitty (OceanLotus). You may find it useful to print this document (in color if possible) to have it as a reference as you work through the exercise on your screen.</em> </li> <li> <a href="/docs/training-cti/APT39%20and%20Cobalt%20Kitty%20techniques.pdf" target="_blank">APT39 and Cobalt Kitty techniques</a> <br> <em>A list of the techniques used by APT39 and Cobalt Kitty (OceanLotus) extracted from the reports in Exercise 2. If you are already familiar with Navigator, you could use these techniques to try to create and compare layers yourself.</em> </li> </ul> </div> </div> </div> </div> <!-- module 5 --> <div class="card w-100 mt-1"> <div class="card-header collapsed" id="module-five-header" data-toggle="collapse" data-target="#module-five-body" aria-expanded="false" aria-controls="module-one-body"> <h5 class="mb-0"> Module 5 with Exercise 5: Making ATT&CK-mapped data actionable with defensive recommendations </h5> </div> <div id="module-five-body" class="collapse" aria-labelledby="module-five-header"> <div class="card-body"> <ul> <li> <div class="mb-2"><a href="https://www.youtube.com/watch?v=RpCpKc4m3gI&list=PLkTApXQou_8IlkPDzY8vroxBLLhbZbqqC&index=5" target="_blank">Module 5 Video <img width="10" src="/versions/v9/theme/images/external-site-dark.jpeg"></a></div> </li> <li> <div class="mb-2"><a href="/docs/training-cti/Module%205%20Slides.pdf" target="_blank">Module 5 Slides</a></div> </li> </ul> <h4>Exercise 5: Making 
defensive recommendations </h4> <p class="card-text border border-danger p-3 mb-2 rounded"> <span class="font-weight-bold text-danger">Warning:</span> This exercise is based on a previous version of ATT&CK. We recommend using <a href="https://attack.mitre.org/versions/v6/">ATT&CK v6</a> if you want to match the training. </p> <div class="exercise p-3"> <strong>Guided Exercise</strong>: we walk through this exercise in the video and slides. <ul> <li><a href="/docs/training-cti/Making%20Defensive%20Recommendations%20Guided%20Exercise.rtf" target="_blank">Making Defensive Recommendations Guided Exercise Rich Text Document</a> </li> <em>Guides you through steps for making defensive recommendations from ATT&CK techniques with specific questions and assumptions provided for each step. </em> </ul> <strong>Unguided Exercise</strong>: we do not walk through this exercise in the video and slides, but if you would like more practice making defensive recommendations directly related to your own organization, we recommend you do this exercise on your own. <ul> <li><a href="/docs/training-cti/Making%20Defensive%20Recommendations%20Unguided%20Exercise.rtf" target="_blank">Making Defensive Recommendations Unguided Exercise</a> </li> <em>Provides steps for making defensive recommendations from ATT&CK techniques. 
</em> </ul> </div> </div> </div> </div> </div> </div> <!-- end use cases --> </div> </div> </div> <!--startindex--> </div> </div> </div> </div> <!--stop-indexing-for-search--> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <footer class="footer p-3"> <div class="container-fluid"> <div class="row"> <div class="col-4 col-sm-4 col-md-3"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v9/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="col-6 col-sm-6 text-center"> <p> © 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. 
</p> <div class="row"> <div class="col text-right"> <small> <a href="/versions/v9/resources/privacy" class="footer-link">Privacy Policy</a> </small> </div> <div class="col text-center"> <small> <a href="/versions/v9/resources/terms-of-use" class="footer-link">Terms of Use</a> </small> </div> <div class="col text-left "> <small> <a href="/versions/v9/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" title="ATT&amp;CK content version 9.0&#013;Website version 3.3.1">ATT&CK v9.0</a> </small> </div> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col"> <div class="footer-float-right-responsive-brand"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-primary w-100"> <!-- <i class="fa fa-twitter"></i> --> <img src="/versions/v9/theme/images/twitter.png" class="mr-1 twitter-icon"> <b>@MITREattack</b> </a> </div> <div class=""> <a href="/versions/v9/contact" class="btn btn-primary w-100"> Contact </a> </div> </div> </div> </div> </div> </div> </footer> </div> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v9/theme/scripts/popper.min.js"></script> <script src="/versions/v9/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v9/theme/scripts/site.js"></script> <script src="/versions/v9/theme/scripts/flexsearch.es5.js"></script> <script src="/versions/v9/theme/scripts/localforage.min.js"></script> <script src="/versions/v9/theme/scripts/settings.js?4975"></script> <script src="/versions/v9/theme/scripts/search_babelized.js"></script> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/navigation.js"></script> </body> </html>
