
Threat Intelligence & Attack Frameworks (MITRE ATT&CK, TTPs)

Threat Intelligence & Attack Frameworks (MITRE ATT&CK, TTPs) is the systematic practice of analyzing adversary behavior, mapping it to known frameworks like MITRE ATT&CK, and using this knowledge to improve organizational detection, response, and defensive postures.

This skill translates raw threat data into actionable defensive strategy, directly reducing mean time to detect (MTTD) and respond (MTTR) to incidents. It enables proactive security investments aligned with real-world threats, minimizing business disruption and financial loss from breaches.
1 career | 1 category | 9.0 avg demand | 15% avg AI risk

How to Learn Threat Intelligence & Attack Frameworks (MITRE ATT&CK, TTPs)

Focus on memorizing the core structure of the MITRE ATT&CK matrix (Tactics, Techniques, Sub-techniques, Procedures) and understanding key TTP definitions. Begin mapping simple, known malware or phishing attacks to ATT&CK techniques. Study the basic threat intelligence cycle (direction, collection, analysis, dissemination).
Apply frameworks to analyze real-world threat reports (e.g., from Mandiant, CrowdStrike) and map reported adversary TTPs. Conduct a purple team exercise using a specific APT group's documented playbook. Common mistake: focusing on tools rather than behaviors; practice mapping to techniques, not software names.
Integrate ATT&CK mappings into SIEM detection rules, SOAR playbooks, and risk registers. Develop a threat-informed defense strategy by prioritizing security controls based on threat intelligence relevant to your industry. Mentor junior analysts on translating CTI into tactical mitigations.

Practice Projects

Beginner
Project

APT Group TTP Profile Creation

Scenario

You are a junior CTI analyst tasked with creating a one-page profile of a notorious APT group (e.g., APT29) for your security operations center (SOC).

How to Execute
1. Select a public threat report on the APT from a vendor like Microsoft or Secureworks.
2. List all observed Tactics, Techniques, and Procedures mentioned.
3. Map each procedure to a specific MITRE ATT&CK technique ID.
4. Synthesize findings into a structured brief with a TTP table, key victims, and suggested detection opportunities.
Intermediate
Case Study/Exercise

Purple Team Exercise Based on Real TTPs

Scenario

Your SOC suspects a competitor in your sector is being targeted by a specific threat actor known for credential dumping. You need to test your detections.

How to Execute
1. Select a documented threat actor playbook (e.g., FIN6).
2. Use Atomic Red Team tests or a safe adversary emulation plan to simulate 3-4 key techniques (e.g., T1003 - OS Credential Dumping).
3. Monitor SIEM/EDR alerts during emulation.
4. Analyze gaps in detection and update detection logic or hunting queries.
Advanced
Project

Threat-Informed Defense Program Design

Scenario

As a security architect, you are tasked with redesigning the security control budget for the next fiscal year based on a threat-centric approach.

How to Execute
1. Aggregate CTI reports specific to your industry/geography over the past 18 months.
2. Perform a heat map analysis on the ATT&CK matrix to identify the most frequently used techniques against peers.
3. Map current security controls (e.g., EDR, NGFW, SIEM) to those techniques.
4. Present a data-driven proposal to reallocate resources, proposing new controls or tuning existing ones to close the highest-risk gaps.
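Steps 2 and 3 above can be done mechanically once each report's techniques are recorded. The following Python is an added example, not part of this guide or of any MITRE tooling: it counts how many reports mention each technique (the heat map score), lists frequently observed techniques with no mapped control (the gaps), and emits an ATT&CK Navigator layer so the result can be visualized. The report data, the control-to-technique mapping and the layer version string are constructed assumptions; replace them with your own CTI aggregation and control inventory.

```python
"""ATT&CK heat map and control-coverage gap analysis (added example, constructed data)."""
from collections import Counter
import json

# Constructed sample: technique IDs observed in CTI reports about industry peers.
SAMPLE_REPORTS = [
    {"report": "report-01", "techniques": ["T1566.001", "T1059.001", "T1003.001", "T1021.002"]},
    {"report": "report-02", "techniques": ["T1566.001", "T1059.001", "T1486"]},
    {"report": "report-03", "techniques": ["T1078", "T1003.001", "T1021.002", "T1486"]},
    {"report": "report-04", "techniques": ["T1566.001", "T1059.001", "T1105"]},
    {"report": "report-05", "techniques": ["T1078", "T1621", "T1486"]},
]

# Constructed mapping of deployed controls to the techniques they are believed to cover.
SAMPLE_CONTROLS = {
    "EDR": ["T1059.001", "T1003.001", "T1105"],
    "Email gateway": ["T1566.001"],
    "SIEM auth analytics": ["T1078"],
}


def technique_frequency(reports):
    """Count the number of reports mentioning each technique (one count per report)."""
    counts = Counter()
    for report in reports:
        counts.update(set(report["techniques"]))
    return counts


def coverage_gaps(counts, controls, min_reports=2):
    """Techniques seen in at least min_reports reports with no mapped control, most frequent first."""
    covered = {tid for techs in controls.values() for tid in techs}
    gaps = [(tid, n) for tid, n in counts.items() if n >= min_reports and tid not in covered]
    return sorted(gaps, key=lambda pair: (-pair[1], pair[0]))


def navigator_layer(counts, controls, name="Peer threat heat map"):
    """Build an ATT&CK Navigator layer: score = report count, comment = covering controls."""
    covering = {}
    for control, techs in controls.items():
        for tid in techs:
            covering.setdefault(tid, []).append(control)
    techniques = []
    for tid, n in sorted(counts.items()):
        comment = ("covered by: " + ", ".join(covering[tid])) if tid in covering else "NO CONTROL MAPPED"
        techniques.append({"techniqueID": tid, "score": n, "comment": comment})
    return {
        "name": name,
        # Layer format version is an assumption; match it to the Navigator build you use.
        "versions": {"layer": "4.5"},
        "domain": "enterprise-attack",
        "gradient": {
            "colors": ["#ffffff", "#ff6666"],
            "minValue": 0,
            "maxValue": max(counts.values(), default=1),
        },
        "techniques": techniques,
    }


if __name__ == "__main__":
    counts = technique_frequency(SAMPLE_REPORTS)
    for tid, n in coverage_gaps(counts, SAMPLE_CONTROLS):
        print(f"GAP {tid}: seen in {n} reports, no control mapped")
    print(json.dumps(navigator_layer(counts, SAMPLE_CONTROLS), indent=2))
```

Writing the layer JSON to a file and loading it in Navigator colours each technique by report count; the `comment` field surfaces on hover, so uncovered techniques stand out during the budget discussion in step 4.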

Tools & Frameworks

Core Frameworks & Standards

MITRE ATT&CK Navigator
MITRE D3FEND (Defensive Countermeasures)
STIX/TAXII (Threat Intel Sharing Formats)
Cyber Kill Chain (Lockheed Martin)

ATT&CK is the primary behavioral model; Navigator visualizes coverage. D3FEND links techniques to defenses. STIX/TAXII standardize intel sharing. The Kill Chain provides a high-level, phase-based view of the adversary lifecycle for strategic planning.

Software & Platforms

Threat Intelligence Platforms (TIP) - OpenCTI, MISP
Adversary Emulation Tools - MITRE Caldera, Atomic Red Team
SIEM/EDR Query Languages (KQL, SPL)
CTI Feeds - VirusTotal, AlienVault OTX

TIPs (OpenCTI, MISP) aggregate and correlate intel. Adversary emulation tools (Caldera) safely simulate TTPs to test detections. SIEM query skills are essential for turning TTPs into actionable hunts. Commercial feeds provide structured, real-time data.

Interview Questions

Answer Strategy

Use the Diamond Model or ATT&CK chain to structure the response. Prioritize: 1) Map specific tools/procedures to Techniques (e.g., PsExec -> T1021.002 Remote Services: SMB/Windows Admin Shares). 2) Query SIEM for all historical activity matching those techniques. 3) Issue immediate tactical mitigations (e.g., block C2 IPs, disable PsExec via GPO).
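Step 2 of that strategy (query historical activity by technique) depends on log events being tagged with ATT&CK IDs. The Python below is an added example, not from this guide or any SIEM vendor: it parses constructed key=value log records, applies two simple predicates for T1021.002 (a new service named PSEXESVC, and access to an administrative share), and returns the matching events and hosts per technique. The log lines, field names and the predicate thresholds are assumptions; in a real SIEM the same rules would be KQL or SPL searches tagged with the technique ID.

```python
"""Tag historical log events with ATT&CK technique IDs and hunt by technique (added example)."""
import re
from collections import defaultdict

# Constructed sample events (not real logs): simplified key=value records of Windows events.
SAMPLE_EVENTS = [
    "ts=2024-03-01T09:12:03Z host=WS-017 event_id=7045 service_name=PSEXESVC image_path=%SystemRoot%\\PSEXESVC.exe",
    "ts=2024-03-01T09:12:01Z host=WS-017 event_id=5145 share_name=\\\\*\\ADMIN$ relative_target=PSEXESVC.exe src_ip=10.0.5.23 user=CORP\\svc-backup",
    "ts=2024-03-01T10:40:11Z host=SRV-DB1 event_id=5145 share_name=\\\\*\\Finance relative_target=report.xlsx src_ip=10.0.9.4 user=CORP\\jdoe",
    "ts=2024-03-02T02:03:44Z host=SRV-FS2 event_id=7045 service_name=BackupAgent image_path=C:\\Program Files\\Vendor\\agent.exe",
    "ts=2024-03-02T02:05:10Z host=SRV-FS2 event_id=5145 share_name=\\\\*\\C$ relative_target=Windows\\Temp\\x.exe src_ip=10.0.5.23 user=CORP\\svc-backup",
]

# Administrative shares whose access is the canonical T1021.002 path.
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}


def parse_event(line):
    """Parse a key=value line into a dict; a value runs until the next ' key=' or end of line."""
    return {m.group(1): m.group(2) for m in re.finditer(r"(\w+)=(.*?)(?= \w+=|$)", line)}


def is_admin_share_access(ev):
    """Windows 5145 (detailed file share access) against an administrative share."""
    share = ev.get("share_name", "").rsplit("\\", 1)[-1]
    return ev.get("event_id") == "5145" and share in ADMIN_SHARES


def is_psexec_service_install(ev):
    """Windows 7045 (new service installed) with PsExec's default service name."""
    return ev.get("event_id") == "7045" and ev.get("service_name", "").upper() == "PSEXESVC"


# Technique ID -> predicates; any predicate firing tags the event with that technique.
RULES = {
    "T1021.002": [is_admin_share_access, is_psexec_service_install],
}


def tag_events(lines, rules=RULES):
    """Return {technique_id: [event dicts]} for every event matching a rule for that technique."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for tid, predicates in rules.items():
            if any(pred(ev) for pred in predicates):
                hits[tid].append(ev)
    return hits


def hosts_for_technique(lines, tid, rules=RULES):
    """Hunt helper: sorted hosts showing activity mapped to the given technique."""
    return sorted({ev["host"] for ev in tag_events(lines, rules).get(tid, [])})


if __name__ == "__main__":
    for tid, events in tag_events(SAMPLE_EVENTS).items():
        print(f"{tid}: {len(events)} events on hosts {hosts_for_technique(SAMPLE_EVENTS, tid)}")
```

Once every detection rule carries a technique ID like this, the scoping question in an incident ("where else has this actor's tradecraft appeared?") becomes a lookup by ID rather than a fresh search for each tool name, which is exactly the behaviour-over-tools habit the guide stresses.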

Answer Strategy

Testing for impact and influence. Use the STAR (Situation, Task, Action, Result) method. Emphasize the analytical link: 'We saw Group X using MFA fatigue attacks (T1621) against our sector. I mapped this to our identity provider logs, found we had no alerting. I worked with IAM to implement suspicious MFA volume alerting, which later detected a real attempt.'

Careers That Require Threat Intelligence & Attack Frameworks (MITRE ATT&CK, TTPs)

1 career found