# MITRE ATT&CK Analysis Workflows ## Workflow 1: Threat Actor TTP Mapping ``` [Threat Report] --> [Extract Behaviors] --> [Map to ATT&CK] --> [Navigator Layer] | v [Detection Priorities] ``` ### Steps: 1. **Report Ingestion**: Obtain threat intelligence report (vendor, OSINT, internal) 2. **Behavior Extraction**: Identify adversary actions described in the report 3. **Technique Mapping**: Map each behavior to ATT&CK technique IDs using the ATT&CK knowledge base 4. **Sub-technique Precision**: Drill down to sub-techniques where procedure details allow 5. **Layer Creation**: Generate ATT&CK Navigator layer with mapped techniques 6. **Priority Assessment**: Rank techniques by detection feasibility and impact ## Workflow 2: Detection Gap Analysis ``` [Current Detections] --> [Detection Layer] --> [Overlay with Threat Layer] --> [Gap Layer] | v [Engineering Backlog] ``` ### Steps: 1. **Detection Inventory**: Catalog existing detection rules mapped to ATT&CK techniques 2. **Detection Layer**: Create Navigator layer showing detected techniques (green) 3. **Threat Layer**: Create layer showing adversary techniques (red) 4. **Overlay Analysis**: Combine layers to identify uncovered threat techniques 5. **Gap Prioritization**: Rank gaps by threat actor relevance and detection feasibility 6. **Engineering Plan**: Create detection engineering backlog from prioritized gaps ## Workflow 3: Cross-Actor Comparison ``` [Group A TTPs] --+ |--> [Intersection Analysis] --> [Common Techniques] --> [Priority Detections] [Group B TTPs] --+ | | v [Group C TTPs] --+ [Unique Techniques per Group] ``` ### Steps: 1. **Group Selection**: Choose threat groups relevant to your industry/region 2. **TTP Extraction**: Pull technique lists for each group from ATT&CK 3. **Common Analysis**: Find techniques shared across all selected groups 4. **Unique Analysis**: Identify techniques unique to specific groups 5. **Detection ROI**: Prioritize detections for commonly used techniques (highest coverage ROI) 6. **Actor Attribution**: Use unique techniques as potential attribution indicators ## Workflow 4: Campaign-to-TTP Analysis ``` [Campaign IOCs] --> [Sandbox/Analysis] --> [Behavior Extraction] --> [TTP Mapping] | v [Compare to Known Groups] | v [Attribution Hypothesis] ``` ### Steps: 1. **IOC Collection**: Gather campaign IOCs (malware hashes, C2 domains, phishing emails) 2. **Dynamic Analysis**: Execute samples in sandbox, capture behavioral artifacts 3. **Behavior Documentation**: Document file operations, registry changes, network connections, process activity 4. **ATT&CK Mapping**: Map observed behaviors to techniques and sub-techniques 5. **Group Comparison**: Compare campaign TTPs against known group profiles 6. **Attribution Assessment**: Assess likelihood of attribution based on TTP overlap ## Workflow 5: Threat-Informed Defense ``` [ATT&CK Mappings] --> [Data Source Analysis] --> [Telemetry Assessment] --> [Control Mapping] | v [Security Roadmap] ``` ### Steps: 1. **Threat Profile**: Identify relevant threat actors and their techniques 2. **Data Source Mapping**: Determine which data sources can detect each technique 3. **Telemetry Audit**: Assess which data sources are currently collected 4. **Control Assessment**: Map existing security controls to technique mitigations 5. **Gap Identification**: Find techniques with neither detection nor mitigation coverage 6. **Roadmap Creation**: Build security improvement roadmap addressing highest-risk gaps