MITRE ATT&CK Defender™ (MAD) ATT&CK® Cyber Threat Intelligence Certification Training
Cybrary course on MITRE ATT&CK Defender Cyber Threat Intelligence Certification Training by Adam Pennington, approx. 2.5 hrs long
By the end of this MITRE ATT&CK Cyber Threat Intelligence Certification course, students should be able to:
Map to ATT&CK® from both narrative reporting and raw data
Effectively store and display ATT&CK®-mapped data
Leverage ATT&CK® Navigator for analysis
Perform CTI analysis using ATT&CK®-mapped data
Provide actionable defensive recommendations based on ATT&CK®-mapped data
Module 0: Introducing ATT&CK for CTI Training
CTI is actionable knowledge and insight on adversaries and their malicious activities; the goal is to reduce harm through better security decision-making
Structure CTI with ATT&CK to compare behaviors (groups to each other, over time, and against defenses) and to communicate in a common language
Module 1: Mapping to ATT&CK from Narrative Reporting
Identify behaviors in narrative reporting
Challenges vs advantages: requires a shift in thinking about behaviors; in return you discover new adversary techniques and it facilitates learning the technical side
Mapping process: (i) Find the behavior - an action that could correspond to a tactic/technique; (ii) Research the behavior - details such as network protocols used and potential vulnerabilities leveraged by the adversary; (iii) Translate the behavior into a tactic - 14 tactic options; link the behavior to the adversary's goal; (iv) Identify techniques/sub-techniques - some techniques fall under several tactics, so context is key; (v) Compare to other analysts
Bias in mapped data: (i) consumer bias - source (e.g. reports from security vendors/news); (ii) novelty bias - exciting behaviors vs repetitive ones, new groups vs long-known adversary groups; (iii) availability bias - techniques we remember and behaviors familiar to us vs all others; (iv) visibility bias - data aligned with the sensors we have vs all others; (v) victim bias - skewed by who the victim is
Strategies to hedge biases: (i) collaborate - diverse perspectives make stronger teams and mitigate biases; (ii) adjust and calibrate - account for the data sources you have and their gaps; (iii) diverse sources - use different data sources; (iv) prioritize the known
Module 2: Mapping to ATT&CK from Raw Data
Challenges: requires advanced knowledge; analysts have different levels of expertise; adversary intent and tactics are difficult to identify from raw data alone, so additional sources are required
Advantages: more information at the procedure level; facilitates learning the technical side; you are not interpreting another analyst's insights
Pro/Cons of mapping from raw data vs narrative reporting
Step 1: Find the behavior
Step 2: Research the behavior - requires expertise to understand the context around the behavior
Step 3: Translate behavior to tactic
Step 4: Figure out what technique or sub-technique applies - one behavior can map to techniques under more than one tactic at once, e.g. phishing: Spearphishing Attachment (Initial Access) + User Execution (Execution)
Step 5: Compare your results to other analysts - hedge biases by leveraging diverse skillsets
Module 3: Storing and Analyzing ATT&CK-mapped Intelligence
Considerations for storing ATT&CK-mapped data: who is consuming it, what their intelligence requirements are (provide context), how detailed to be, how you capture that detail, and how you import/export the data
Express the mapping in the report at the beginning, at the end, or inline in the middle
Compare layers in ATT&CK Navigator
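As an added example (not course material and not MITRE's own tooling), the Python below stores ATT&CK-mapped observations as simple records, renders them into an ATT&CK Navigator layer (score = number of sightings, comment = procedure-level context) and diffs two layers the way you would compare two groups side by side. The records, the "Group A"/"Group B" attribution and the layer version strings are constructed or assumed; the technique IDs are real ATT&CK IDs.

```python
"""Store ATT&CK-mapped observations as records, then render and compare
ATT&CK Navigator layers from them (added example, not course material)."""
import json
from collections import Counter, defaultdict

# Constructed sample records for two fictional reports; the technique IDs are
# real ATT&CK IDs but the activity attributed to "Group A"/"Group B" is invented.
MAPPED_RECORDS = [
    {"report": "rpt-A", "group": "Group A", "technique": "T1566.001",
     "tactic": "initial-access", "context": "macro-enabled .docm attachment"},
    {"report": "rpt-A", "group": "Group A", "technique": "T1204.002",
     "tactic": "execution", "context": "user opened the attachment"},
    {"report": "rpt-A", "group": "Group A", "technique": "T1059.001",
     "tactic": "execution", "context": "PowerShell stager"},
    {"report": "rpt-B", "group": "Group B", "technique": "T1566.001",
     "tactic": "initial-access", "context": "ISO attachment"},
    {"report": "rpt-B", "group": "Group B", "technique": "T1021.001",
     "tactic": "lateral-movement", "context": "RDP with stolen credentials"},
]

# Assumed version strings; set them to the Navigator/ATT&CK versions you run.
LAYER_VERSIONS = {"attack": "14", "navigator": "4.9.1", "layer": "4.5"}


def technique_counts(records, group=None):
    """Count how often each technique appears, optionally for one group only."""
    return Counter(r["technique"] for r in records
                   if group is None or r["group"] == group)


def technique_context(records, group=None):
    """Collect the procedure-level context per technique for the layer comment."""
    ctx = defaultdict(list)
    for r in records:
        if group is None or r["group"] == group:
            ctx[r["technique"]].append(f'{r["report"]}: {r["context"]}')
    return ctx


def build_layer(name, records, group=None, domain="enterprise-attack"):
    """Render a Navigator layer: score = sightings, comment = where it was seen."""
    counts = technique_counts(records, group)
    ctx = technique_context(records, group)
    return {
        "name": name,
        "versions": LAYER_VERSIONS,
        "domain": domain,
        "description": f"{sum(counts.values())} mapped observation(s)",
        "techniques": [
            {"techniqueID": tid, "score": n, "comment": "; ".join(ctx[tid])}
            for tid, n in sorted(counts.items())
        ],
    }


def compare_layers(layer_a, layer_b):
    """Classify every technique as present in both layers, only A, or only B."""
    a = {t["techniqueID"] for t in layer_a["techniques"]}
    b = {t["techniqueID"] for t in layer_b["techniques"]}
    result = {}
    for tid in sorted(a | b):
        if tid in a and tid in b:
            result[tid] = "both"
        else:
            result[tid] = "a_only" if tid in a else "b_only"
    return result


def layer_json(layer):
    """Serialize a layer for upload into ATT&CK Navigator."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    layer_a = build_layer("Group A", MAPPED_RECORDS, group="Group A")
    layer_b = build_layer("Group B", MAPPED_RECORDS, group="Group B")
    print(layer_json(layer_a))
    for tid, where in compare_layers(layer_a, layer_b).items():
        print(tid, where)
```

Keeping the records (not the rendered layer) as the system of record is what makes the "how detailed" and "import/export" considerations above tractable: the layer is regenerated for whichever audience needs it, and the comment field carries the context a consumer needs without re-reading the report.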
Module 4: Making Defensive Recommendations from ATT&CK-mapped data
Step 0: Determine priority techniques and sub-techniques - what are adversaries doing
Step 1: Research how the techniques are being used - what procedures used for given technique, defensive response corresponds with activity
Step 2: Research defensive options related to the techniques - ATT&CK itself, the Cyber Analytics Repository (CAR), Roberto Rodriguez's ThreatHunter Playbook, Atomic Threat Coverage
Step 3: Research organisational capabilities/constraints - existing data sources, defenses and mitigations; deployed products with additional capabilities; anything about the organisation that may preclude a response. Notional capabilities (e.g. technical workforce, Windows events collected to the SIEM). Notional constraints (SIEM close to its license limit, files in transit encrypted so the NIPS cannot inspect them)
Step 4: Determine trade-offs on specific options - pros/cons of each option
Step 5: Make defensive recommendations - strategic, operational, tactical or policy-related (e.g. focused on risk acceptance), tailored to the audience
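As an added example (not course material), the Python below carries Steps 0 to 5 through on constructed input: it ranks techniques by how often they were seen across mapped reports, checks each against the telemetry a hypothetical organisation already collects, and emits a recommendation that says either "detect now" or "collect this first". The sighting counts and the collected-data inventory are constructed; the per-technique data-component table is an illustrative subset and should be verified against the current ATT&CK technique pages before use.

```python
"""Rank priority techniques and check them against the telemetry the
organisation actually collects (added example, not course material)."""

# Constructed input: how often each technique appeared across the reports this
# team mapped (Step 0, "what are adversaries doing").
PRIORITY_COUNTS = {"T1566.001": 4, "T1204.002": 3, "T1059.001": 3, "T1021.001": 1}

# Illustrative subset of ATT&CK data components per technique (Step 2). Verify
# against the current technique pages before relying on it.
REQUIRED_DATA = {
    "T1566.001": {"Application Log Content", "File Creation", "Network Traffic Content"},
    "T1204.002": {"Process Creation", "Command Execution", "File Creation"},
    "T1059.001": {"Process Creation", "Command Execution", "Script Execution"},
    "T1021.001": {"Logon Session Creation", "Network Connection Creation"},
}

# Constructed inventory of what this hypothetical organisation ships to its SIEM
# (Step 3): Windows 4688 with command lines, PowerShell 4104 script blocks, and
# mail gateway logs. No file-creation or network telemetry yet.
COLLECTED = {"Process Creation", "Command Execution", "Script Execution",
             "Application Log Content"}


def coverage_plan(counts, collected, required=REQUIRED_DATA):
    """Order techniques by priority (count desc, then ID) and classify visibility."""
    plan = []
    for tid, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        need = required.get(tid, set())
        have = need & collected
        if need and have == need:
            status = "full"
        elif have:
            status = "partial"
        else:
            status = "none"
        plan.append({"technique": tid, "priority": n, "status": status,
                     "covered": sorted(have), "missing": sorted(need - have)})
    return plan


def recommend(entry):
    """Turn one plan entry into the kind of recommendation Step 5 asks for."""
    tid, n = entry["technique"], entry["priority"]
    covered = ", ".join(entry["covered"])
    missing = ", ".join(entry["missing"])
    if entry["status"] == "full":
        return f"{tid} (seen {n}x): write/tune detections now using {covered}"
    if entry["status"] == "partial":
        return (f"{tid} (seen {n}x): partial visibility via {covered}; "
                f"collect {missing} to close the gap")
    return f"{tid} (seen {n}x): no visibility; onboard {missing} before detection work"


if __name__ == "__main__":
    for entry in coverage_plan(PRIORITY_COUNTS, COLLECTED):
        print(recommend(entry))
```

The "missing" list is exactly what Step 4 weighs against the organisation's constraints: if the SIEM is near its license limit, onboarding file-creation events for every endpoint may lose to a cheaper mitigation for the same technique, and the recommendation should say so rather than assume the telemetry will appear.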