CyberlyTech  |  cyberlytech.tech  |  Threat Intelligence

◈ THREAT INTELLIGENCE

📌 Introduction — The Language Threat Actors Speak

The MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) framework is the single most impactful knowledge base in modern cybersecurity. Developed by MITRE Corporation in 2013 from real-world APT observations and now maintained as a globally accessible, community-contributed resource, ATT&CK has fundamentally transformed how defenders understand, categorize, and respond to adversary behavior.

Unlike CVE-based vulnerability management, which focuses on what can be broken, ATT&CK focuses on how adversaries behave after initial access — their persistence mechanisms, lateral movement strategies, command-and-control architectures, and data exfiltration methods. This behavioral perspective is what separates reactive security from proactive threat-informed defense.

Today, ATT&CK is used by: CISA and NSA for threat advisories, every major SIEM vendor for detection content mapping, incident response teams for post-breach investigation, red teams for adversary emulation, and threat intelligence platforms like OpenCTI and MISP for structuring threat data. This post provides the deepest, most practical treatment of ATT&CK available outside of paid professional training.

🏗️ Section 1 — ATT&CK Architecture: Matrices, Tactics, Techniques & Sub-Techniques

1.1 The Three ATT&CK Matrices

ATT&CK is not a single matrix — it encompasses three distinct knowledge bases, each targeting a different technology domain:

Matrix	Coverage Domain	Tactic Count	Technique Count	Primary Users
Enterprise	Windows, macOS, Linux, Cloud (AWS/Azure/GCP), SaaS, Network	14 Tactics	196 Techniques / 411 Sub-techniques	SOC, IR, Red Team
Mobile	Android, iOS	12 Tactics	66 Techniques	Mobile Security, MDM
ICS	Industrial Control Systems, SCADA, OT networks	12 Tactics	81 Techniques	Critical Infrastructure, OT Security

1.2 The 14 Enterprise Tactics (The Attack Lifecycle)

Each Tactic represents a goal an adversary is trying to achieve. The 14 Enterprise tactics form a complete adversary lifecycle — from initial compromise to mission completion:

ID	Tactic	Adversary Goal	Example Technique
TA0043	Reconnaissance	Gather information before attack	Phishing for Information (T1598)
TA0042	Resource Development	Build infrastructure and capabilities	Acquire Infrastructure (T1583)
TA0001	Initial Access	Gain first foothold in network	Phishing (T1566), Exploit Public App (T1190)
TA0002	Execution	Run malicious code	PowerShell (T1059.001), WMI (T1047)
TA0003	Persistence	Maintain access across reboots	Registry Run Keys (T1547.001)
TA0004	Privilege Escalation	Gain higher permissions	Token Impersonation (T1134)
TA0005	Defense Evasion	Avoid detection	Obfuscated Files (T1027), Masquerading (T1036)
TA0006	Credential Access	Steal credentials	OS Credential Dumping (T1003)
TA0007	Discovery	Learn about environment	Network Share Discovery (T1135)
TA0008	Lateral Movement	Move through network	Pass the Hash (T1550.002), RDP (T1021.001)
TA0009	Collection	Gather data of interest	Email Collection (T1114), Screen Capture (T1113)
TA0011	Command and Control	Communicate with compromised systems	Ingress Tool Transfer (T1105), DNS C2 (T1071.004)
TA0010	Exfiltration	Steal data out of network	Exfil Over C2 Channel (T1041), DNS Exfil (T1048.003)
TA0040	Impact	Disrupt, destroy, or ransom	Data Encrypted for Impact (T1486) — Ransomware

1.3 Techniques vs. Sub-Techniques: The Precision Layer

ATT&CK v14 introduced sub-techniques to provide surgical precision in describing adversary behavior. The hierarchy is: Tactic → Technique → Sub-technique.

Example: Tactic TA0006 (Credential Access) → Technique T1003 (OS Credential Dumping) → Sub-techniques:

• T1003.001 — LSASS Memory (Mimikatz, ProcDump)
• T1003.002 — Security Account Manager (SAM database)
• T1003.003 — NTDS (Active Directory database)
• T1003.004 — LSA Secrets (registry-based credentials)
• T1003.006 — DCSync (replication-based hash extraction)

This granularity matters enormously for detection engineering — each sub-technique requires distinct detection logic, data sources, and response playbooks.

🎭 Section 2 — Threat Actor Profiling with ATT&CK Groups

2.1 Understanding ATT&CK Groups

MITRE documents 140+ named threat actor groups in ATT&CK, each with attributed techniques, targeted industries, geographic focus, and associated malware. This intelligence is foundational for threat-informed defense — understanding which groups target your sector lets you prioritize defenses against the most relevant TTPs.

2.2 High-Priority APT Groups by Sector

Group (ATT&CK ID)	Nation-State	Primary Targets	Signature Techniques	Active Since
APT29 / Cozy Bear (G0016)	Russia (SVR)	Government, Think Tanks, Healthcare	T1566 Spearphishing, T1027 Obfuscation, T1078 Valid Accounts	2008
APT41 (G0096)	China (MSS)	Technology, Healthcare, Telecom	T1190 Exploit Public App, T1059 Scripting, T1486 Ransomware	2012
Lazarus Group (G0032)	North Korea	Finance, Defense, Crypto Exchanges	T1566 Phishing, T1105 Ingress Tool Transfer, T1486 Ransom	2009
FIN7 (G0046)	Criminal	Retail, Hospitality, Finance	T1566 Phishing, T1055 Process Injection, T1071 C2 over HTTP	2015
BlackCat/ALPHV (G1006)	Criminal	Healthcare, Manufacturing, Legal	T1486 Encryption, T1490 Inhibit Recovery, T1657 Extortion	2021
Sandworm (G0034)	Russia (GRU)	Critical Infrastructure, Energy	T1561 Disk Wipe, T1498 DDoS, T1059 PowerShell/cmd	2009

2.3 Extracting Sector-Specific Intelligence

The correct workflow for leveraging ATT&CK Groups intelligence in your organization:

1. Identify which threat groups target your industry sector (use ATT&CK Groups filter by industry)
2. Export the combined TTP matrix for your top 5 most relevant threat actors
3. Load into ATT&CK Navigator — overlay all groups to find technique frequency
4. Highest-frequency techniques = your organization’s highest-priority detection gaps
5. Map existing SIEM detections against this prioritized technique list
6. Gaps in detection coverage = immediate investment priorities for blue team

🗺️ Section 3 — ATT&CK Navigator: Professional Workflow

3.1 What ATT&CK Navigator Is

ATT&CK Navigator (attack.mitre.org/resources/attack-navigator/) is the official web-based visualization and annotation tool for the ATT&CK matrices. It allows analysts to: create custom layers, color-code techniques by detection coverage, overlay multiple threat actor profiles, export data for reporting, and compare security posture before/after defensive improvements.

3.2 Professional Navigator Workflows

Workflow A — Threat Actor Coverage Analysis:

• Create new layer in Navigator
• Select a specific APT group (e.g., APT29) and load their attributed techniques
• Use red/orange/yellow scoring to mark your detection capability per technique
• Export as SVG for executive reports or JSON for programmatic processing

Workflow B — Red Team vs Blue Team Gap Analysis:

1. Red team creates layer: all techniques they successfully executed in engagement
2. Blue team creates layer: all techniques their SIEM/EDR detected and alerted
3. Compare layers — undetected successful techniques = critical gaps
4. Prioritize blue team investment based on gap severity and technique frequency

3.3 Navigator JSON Layer via API

# Export ATT&CK data programmatically

pip install mitreattack-python

from mitreattack.stix20 import MitreAttackData

ma_data = MitreAttackData(‘enterprise-attack.json’)

# Get all techniques for a specific group

apt29 = ma_data.get_group_by_alias(‘APT29’)

techniques = ma_data.get_techniques_used_by_group(apt29.id)

for t in techniques:

    print(f”{t[‘technique’].external_id}: {t[‘technique’].name}”)

🔬 Section 4 — Detection Engineering with ATT&CK & Sigma Rules

4.1 The ATT&CK Detection Data Sources Model

Every ATT&CK technique specifies what data sources produce evidence of its execution. This is the bridge between threat intelligence and detection engineering. Before writing any detection rule, analysts must answer: what logs would capture this technique?

ATT&CK Technique	Data Sources Required	Log Source (Windows)	SIEM Query Type
T1059.001 PowerShell	Process Creation, Script Block Logging	Event ID 4103, 4104, Sysmon 1	Command-line string matching
T1003.001 LSASS Memory	Process Access, OS API Execution	Sysmon Event ID 10	Target process = lsass.exe
T1547.001 Registry Run Keys	Registry Modification	Sysmon Event ID 12/13, Security 4657	Registry path contains Run/RunOnce
T1071.001 HTTP C2	Network Traffic, HTTP Request	Proxy logs, Zeek HTTP logs	Beacon intervals, user-agent anomalies
T1566.001 Spearphishing	Email, File Creation	Exchange logs, Sysmon 11	Attachment type + sender reputation
T1486 Ransomware Encryption	File Modification (Mass)	Sysmon 2/11, Windows MFT	High-rate file rename with extensions

4.2 Writing Production-Grade Sigma Rules

Sigma is the universal SIEM rule format — write once, convert to Splunk, Elastic, QRadar, Chronicle, Microsoft Sentinel, and 30+ other platforms. Every ATT&CK technique should have at least one Sigma detection.

Example: Detecting LSASS Memory Dumping (T1003.001) via Sigma:

title: LSASS Memory Access by Non-System Process

id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da

status: stable

description: Detects suspicious process access to LSASS memory — potential credential dumping

references:

  – https://attack.mitre.org/techniques/T1003/001/

author: CyberlyTech Threat Intelligence

date: 2026/03/01

tags:

  – attack.credential_access

  – attack.t1003.001

logsource:

  category: process_access

  product: windows

detection:

  selection:

    TargetImage|endswith: ‘\lsass.exe’

    GrantedAccess|contains:

      – ‘0x1010’

      – ‘0x1410’

      – ‘0x1438’

      – ‘0x143a’

      – ‘0x1fffff’

  filter_system:

    SourceImage|startswith:

      – ‘C:\Windows\System32\’

      – ‘C:\Windows\SysWOW64\’

  condition: selection and not filter_system

falsepositives:

  – Legitimate security tools (CrowdStrike, SentinelOne agents)

  – Windows Defender credential guard processes

level: high

4.3 Converting Sigma to Your SIEM

pip install sigmac    # or use sigma-cli (newer)

# Convert to Splunk

sigma convert -t splunk lsass_dump.yml

# Convert to Microsoft Sentinel KQL

sigma convert -t microsoft365defender lsass_dump.yml

# Convert to Elastic EQL

sigma convert -t es-qs lsass_dump.yml

🖥️ Section 5 — Threat Intelligence Platforms: OpenCTI & MISP

5.1 OpenCTI — Structured Threat Intelligence Management

OpenCTI (Open Cyber Threat Intelligence Platform) is the leading open-source CTI platform, built natively on STIX 2.1 and tightly integrated with ATT&CK. It provides a knowledge graph of threat actors, campaigns, malware, indicators, and relationships — enabling professional-grade intelligence management.

Deploy OpenCTI with Docker

git clone https://github.com/OpenCTI-Platform/docker.git opencti

cd opencti

cp .env.sample .env

# Edit .env: set strong passwords for OPENCTI_ADMIN_PASSWORD, MINIO_SECRET_KEY

docker-compose up -d

# Access: http://localhost:8080 | Default: admin@opencti.io

5.2 Key OpenCTI Capabilities for Threat Analysts

• Import threat intel feeds: TAXII, MISP, CSV, OpenCTI connectors (AlienVault, VirusTotal, Shodan, Mandiant)
• ATT&CK mapping: Tag every IOC, malware, and incident with ATT&CK tactics and techniques
• Relationship graph: Visualize connections between threat actors, campaigns, and malware families
• Diamond Model mapping: Adversary / Infrastructure / Capability / Victim relationships
• Automated enrichment: Enrich IPs, domains, hashes with reputation data from integrated sources
• Export reports: Generate structured STIX 2.1 bundles, PDF reports, and CSV indicator exports

5.3 MISP — Malware Information Sharing Platform

MISP is the world’s most widely deployed threat intelligence sharing platform, used by 6,000+ organizations including Europol, NATO CERTs, and national CSIRTs. It focuses on IOC management and sharing via the MISP Threat Sharing (MTS) standard.

# Quick MISP deploy (Ubuntu)

wget -O /tmp/INSTALL.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh

bash /tmp/INSTALL.sh

MISP vs OpenCTI — choosing the right tool:

Capability	MISP	OpenCTI
Primary Focus	IOC sharing and management	Structured knowledge graph / CTI management
Data Model	MISP Objects (custom, flexible)	STIX 2.1 (structured, interoperable)
ATT&CK Integration	Via galaxies (limited)	Native deep integration
Correlation Engine	Strong (automatic IOC correlation)	Moderate (relationship-based)
Sharing	MISP Communities, TAXII	TAXII, direct connectors
Best Use Case	SOC IOC management, CERT sharing	Strategic CTI, threat actor profiling

🎯 Section 6 — Adversary Emulation with Atomic Red Team

Atomic Red Team (by Red Canary) is a library of 1,000+ small, portable atomic tests mapped directly to ATT&CK techniques. Each test is a minimal, self-contained proof-of-concept that executes a specific technique — enabling teams to verify whether their detections actually fire.

Install and Run Atomic Tests

# PowerShell (Windows)

IEX (IWR ‘https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1’ -UseBasicParsing)

Install-AtomicRedTeam -getAtomics

# Run test for T1003.001 (LSASS dump)

Invoke-AtomicTest T1003.001

# Run without actually executing (show what it would do)

Invoke-AtomicTest T1003.001 -ShowDetails

# Run and check if detections fired

Invoke-AtomicTest T1059.001 -CheckPrereqs

📌 NOTE: Atomic Red Team tests should only be executed in dedicated lab environments or during authorized purple team exercises. Never run on production systems. Always coordinate with the blue team beforehand.

6.2 Purple Team Workflow with ATT&CK + Atomic Red Team

1. Select target technique from prioritized ATT&CK coverage gap list
2. Run corresponding Atomic Red Team test on isolated lab endpoint
3. Monitor SIEM/EDR for 15 minutes — did detection fire?
4. If no alert: analyze why (missing log source, rule gap, wrong field mapping)
5. Fix detection gap: update Sigma rule, enable logging, tune EDR policy
6. Re-run atomic test — verify detection now fires correctly
7. Document result in ATT&CK Navigator layer (green = detected, red = gap)
8. Repeat for all high-priority techniques quarterly

📡 Section 7 — STIX 2.1 & TAXII 2.1: The Intelligence Exchange Standards

7.1 STIX 2.1 Object Types

STIX (Structured Threat Information Expression) 2.1 is the JSON-based standard for representing cyber threat intelligence. It defines 18 STIX Domain Objects (SDOs) and 2 STIX Relationship Objects (SROs):

STIX Object	Type	Description	ATT&CK Mapping
Intrusion Set	SDO	Persistent threat actor / APT group	ATT&CK Group
Malware	SDO	Malicious software and its characteristics	ATT&CK Software
Attack Pattern	SDO	Specific adversary behavior / TTP	ATT&CK Technique
Indicator	SDO	Observable pattern indicating malicious activity (IOC)	Detectable artifact
Course of Action	SDO	Mitigation or remediation action	ATT&CK Mitigation
Campaign	SDO	Grouping of intrusion activity over time	ATT&CK Campaign
Relationship	SRO	Links two SDOs (e.g., Actor uses Malware)	ATT&CK relationship edges

7.2 Consuming ATT&CK via TAXII

pip install taxii2-client stix2

from taxii2client.v21 import Server

from stix2 import Filter

# Connect to MITRE ATT&CK TAXII server

server = Server(‘https://attack-taxii.mitre.org/’, verify=True)

api_root = server.api_roots[0]

# List available collections (Enterprise, Mobile, ICS)

for col in api_root.collections:

    print(f'{col.id}: {col.title}’)

# Get all Enterprise ATT&CK techniques

enterprise_col = [c for c in api_root.collections if ‘Enterprise’ in c.title][0]

techniques = enterprise_col.get_objects(filters=[Filter(‘type’, ‘=’, ‘attack-pattern’)])

print(f’Total techniques: {len(techniques.objects)}’)

📊 ATT&CK Coverage Maturity Model

Maturity Level	Coverage Description	Navigator Score	Typical Organization
Level 1 — Initial	Ad-hoc, no structured ATT&CK mapping	0–10%	Small orgs, no dedicated security team
Level 2 — Developing	Top 20 techniques covered, basic SIEM rules	10–30%	SMEs with basic SOC or MSSP
Level 3 — Defined	Sector-relevant threat groups mapped, Sigma rules	30–60%	Enterprise with L2 SOC and CTI analyst
Level 4 — Managed	All high-priority TTPs detected + Atomic tested	60–80%	Mature SOC, purple team exercises quarterly
Level 5 — Optimizing	Real-time ATT&CK telemetry, automated response	80–100%	Tier-1 financial, defense, government

✅ Conclusion

MITRE ATT&CK is not a checkbox compliance exercise — it is a dynamic, living framework that reflects real adversary behavior observed in the wild. Organizations that integrate ATT&CK into their threat intelligence, detection engineering, and red/purple team programs gain a measurable, evidence-based understanding of their security posture that is impossible to achieve through vulnerability scanning alone.

The maturity journey begins with mapping existing detections to ATT&CK, identifying gaps against your most relevant threat actors, and systematically closing those gaps using Sigma rules, atomic testing, and continuous improvement. The tools covered in this post — ATT&CK Navigator, OpenCTI, MISP, Sigma, and Atomic Red Team — form a complete, free, open-source threat intelligence and detection stack capable of competing with commercial solutions costing hundreds of thousands of dollars annually.

For career development: ATT&CK fluency is now an expected skill for SOC analysts L2 and above, all CTI roles, red team operators, and detection engineers. MITRE offers free ATT&CK training at attack.mitre.org/resources/training. Supplement with hands-on practice in your home lab and work toward certifications like GCTI (GIAC Cyber Threat Intelligence) or the eCTHP (eLearnSecurity Threat Hunting Professional).

Learn more about: https://cyberlytech.tech/category/cybersecurity-certifications/

❓ Frequently Asked Questions — Expert Level

Q1: How does ATT&CK differ from the Cyber Kill Chain?

The Lockheed Martin Cyber Kill Chain is a linear 7-stage model (Reconnaissance → Actions on Objectives) that describes the attack lifecycle at a high level. ATT&CK is non-linear, behavior-specific, and exponentially more detailed — documenting 196 specific techniques across 14 tactics. The Kill Chain is useful for executive communication; ATT&CK is essential for operational security work. Most mature organizations use both: Kill Chain for strategic framing, ATT&CK for tactical detection and response.

Q2: How often is ATT&CK updated and how do teams manage version changes?

MITRE releases ATT&CK updates approximately twice yearly (e.g., v14 in October 2023, v15 in April 2024). Each release adds new techniques, revises existing ones, and deprecates outdated entries. Teams manage this via the ATT&CK changelog, automated layer version comparison in Navigator, and by subscribing to the MITRE CTI GitHub repository (github.com/mitre/cti) for automated change detection. Detection rules should be reviewed against each new version.

Q3: What is the D3FEND framework and how does it complement ATT&CK?

MITRE D3FEND (Defensive Techniques Knowledge Graph) is the counterpart to ATT&CK — it maps defensive techniques (Harden, Detect, Isolate, Deceive, Evict) to the offensive techniques in ATT&CK. Where ATT&CK answers ‘what do attackers do?’, D3FEND answers ‘what countermeasures exist?’. Together they provide a complete bidirectional mapping between offensive tactics and defensive controls. D3FEND is at d3fend.mitre.org and is increasingly adopted by security architecture teams.

Q4: How do SOC teams integrate ATT&CK into daily triage workflows?

Mature SOC teams embed ATT&CK tags directly in SIEM detection rules (via Sigma tags), SOAR playbooks (triggered by specific technique IDs), ticketing systems (Jira/ServiceNow fields for ATT&CK technique), and shift handover reports. When an alert fires, the ATT&CK technique ID immediately contextualizes the threat — analysts know which actor groups commonly use that technique, what lateral movement typically follows, and which response actions are most effective.

Q5: What is the relationship between ATT&CK and CISA’s CIEM/SBOM programs?

CISA actively incorporates ATT&CK in its advisories, the Known Exploited Vulnerabilities (KEV) catalog, and the Cybersecurity Performance Goals (CPGs). CISA’s joint advisories with NSA and FBI (e.g., on Russian SVR techniques, Chinese APT40 methods) all use ATT&CK technique IDs as the primary reference standard. Organizations aligning with CISA CPGs will find ATT&CK coverage directly maps to several control objectives, particularly around detection and response capabilities.

⚠️  LEGAL & ETHICAL NOTICE: All content is strictly for educational and defensive security purposes. Any offensive techniques described are presented solely to help defenders understand attacker methodologies. Never apply these techniques against systems you do not own or have explicit written authorization to test.

Learn more about: https://cyberlytech.tech/how-to-learn-cybersecurity-2026/

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

© 2026 CyberlyTech — Premium Threat Intelligence & Cybersecurity Education | cyberlytech.tech