MITRE ATT&CK Framework


Using ATT&CK for Cyber Threat Intelligence Training

About this course

The goal of this training is for students to understand the following:

    • What ATT&CK is and why it’s useful for cyber threat intelligence (CTI)
    • How to map to ATT&CK from both finished reporting and raw data
    • Why it’s challenging to store ATT&CK-mapped data and what you should consider when doing that
    • How to perform CTI analysis using ATT&CK-mapped data
    • How to make defensive recommendations based on CTI analysis

The training contains five modules that consist of videos and exercises. It was designed to be completed in approximately 4 hours, and may be completed solo or as a team. We recommend you view the video for each module and, when prompted, pause the video to access the linked exercise documents and complete the exercises, then resume the video to go over the exercise.

© 2020 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Curriculum

  • Module 1: Introducing training and understanding ATT&CK
  • Introducing training and understanding ATT&CK Video
  • Introducing training and understanding ATT&CK - PDF
  • Module 2: Mapping to ATT&CK from finished reporting
  • Mapping to ATT&CK from finished reporting video
  • Mapping to ATT&CK from finished reporting
  • Module 2 Exercises: Mapping from finished reporting

    Cybereason Cobalt Kitty Report: we walk through this exercise in the video and slides.

  • Cybereason Cobalt Kitty Report: Highlights Only
  • Cybereason Cobalt Kitty Report: Tactic Hints
  • Cybereason Cobalt Kitty Report: Answers
  • Cybereason Cobalt Kitty Report: Original Report
  • Module 3: Mapping to ATT&CK from raw data
  • Mapping to ATT&CK from raw data video
  • Mapping to ATT&CK from raw data - PDF
  • Module 3 Exercises: Working with raw data

    Ticket 473822: we walk through this exercise in the video and slides.

    Ticket 4473845: we walk through this exercise in the video and slides.

  • Ticket 473822 Rich Text File
  • Ticket 473822 Answers
  • Ticket 4473845 Rich Text File
  • Ticket 4473845 Answers
  • Module 4: Storing and analyzing ATT&CK-mapped intel
  • Storing and analyzing ATT&CK-mapped intel video
  • Storing and analyzing ATT&CK-mapped intel - PDF
  • Module 4 Exercises: Storing and analyzing ATT&CK-mapped intel
  • Comparing Layers in Navigator
  • APT39 and Cobalt Kitty techniques
  • Module 5: Making ATT&CK-mapped data actionable with defensive recommendations
  • Making ATT&CK-mapped data actionable with defensive recommendations video
  • Making ATT&CK-mapped data actionable with defensive recommendations PDF
  • Module 5 Exercises: Making defensive recommendations

    Guided Exercise: we walk through this exercise in the video and slides.

    Unguided Exercise: we do not walk through this exercise in the video and slides, but if you would like more practice making defensive recommendations directly related to your own organization, we recommend you do this exercise on your own.

  • Making Defensive Recommendations - Guided Exercise
  • Making Defensive Recommendations Unguided Exercise
