- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
techniques), verified against MITRE ATT&CK v19.1 via the official
mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor beh
cybersecurity
threat-intelligence
threat-intelligence
cti
ioc
mitre-attack
stix
ttp-analysis
threat-actors
1.0
mahipal
Apache-2.0
Executable Denylisting
Execution Isolation
File Metadata Consistency Validation
Content Format Conversion
File Content Analysis
ID.RA-01
ID.RA-05
DE.CM-01
DE.AE-02
T1566.001
T1059.001
T1071.001
T1547.001
T1053.005
Analyzing Threat Actor TTPs with MITRE ATT&CK
Overview
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor behavior to the ATT&CK framework, building technique coverage heatmaps using the ATT&CK Navigator, identifying detection gaps, and producing actionable intelligence reports that link observed IOCs to specific adversary techniques across the Enterprise, Mobile, and ICS matrices.
When to Use
When investigating security incidents that require analyzing threat actor ttps with mitre attack
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques
Prerequisites
Python 3.9+ with mitreattack-python, attackcti, stix2 libraries
MITRE ATT&CK Navigator (web-based or local deployment)
Understanding of ATT&CK matrix structure: Tactics, Techniques, Sub-techniques
Access to threat intelligence reports or MISP/OpenCTI for threat actor data
Familiarity with STIX 2.1 Attack Pattern objects
Key Concepts
ATT&CK Matrix Structure
The ATT&CK Enterprise matrix organizes adversary behavior into 14 Tactics (the "why") containing Techniques (the "how") and Sub-techniques (specific implementations). Each technique has associated data sources, detections, mitigations, and real-world procedure examples from observed threat groups.
Threat Group Profiles
ATT&CK catalogs over 140 threat groups (e.g., APT28, APT29, Lazarus Group, FIN7) with documented technique usage. Each group profile includes aliases, targeted sectors, associated campaigns, software used, and technique mappings with procedure-level detail.
ATT&CK Navigator
The ATT&CK Navigator is a web-based tool for creating custom ATT&CK matrix visualizations. Analysts create layers (JSON files) that annotate techniques with scores, colors, comments, and metadata to visualize threat actor coverage, detection capabilities, or risk assessments.
Workflow
Step 1: Query ATT&CK Data Programmatically
fromattackctiimportattack_clientimportjson# Initialize ATT&CK client (queries MITRE TAXII server)lift=attack_client()# Get all Enterprise techniquesenterprise_techniques=lift.get_enterprise_techniques()print(f"Total Enterprise techniques: {len(enterprise_techniques)}")# Get all threat groupsgroups=lift.get_groups()print(f"Total threat groups: {len(groups)}")# Get specific group by nameapt29=[gforgingroupsif'APT29'ing.get('name','')]ifapt29:group=apt29[0]print(f"Group: {group['name']}")print(f"Aliases: {group.get('aliases',[])}")print(f"Description: {group.get('description','')[:200]}")
Step 2: Map Threat Actor to ATT&CK Techniques
fromattackctiimportattack_clientlift=attack_client()# Get techniques used by APT29apt29_techniques=lift.get_techniques_used_by_group("G0016")# APT29 group IDtechnique_map={}forentryinapt29_techniques:tech_id=entry.get("external_references",[{}])[0].get("external_id","")tech_name=entry.get("name","")description=entry.get("description","")tactic_refs=[phase.get("phase_name","")forphaseinentry.get("kill_chain_phases",[])]technique_map[tech_id]={"name":tech_name,"tactics":tactic_refs,"description":description[:300],}print(f"\nAPT29 uses {len(technique_map)} techniques:")fortid,infoinsorted(technique_map.items()):print(f" {tid}: {info['name']} [{', '.join(info['tactics'])}]")
Step 3: Generate ATT&CK Navigator Layer
importjsondefcreate_navigator_layer(group_name,technique_map,description=""):"""Generate ATT&CK Navigator layer JSON for a threat group."""techniques_list=[]fortech_id,infointechnique_map.items():techniques_list.append({"techniqueID":tech_id,"tactic":info["tactics"][0]ifinfo["tactics"]else"","color":"#ff6666",# Red for observed techniques"comment":info["description"][:200],"enabled":True,"score":100,"metadata":[{"name":"group","value":group_name},],})layer={"name":f"{group_name} TTP Coverage","versions":{"attack":"16.1","navigator":"5.1.0","layer":"4.5",},"domain":"enterprise-attack","description":descriptionorf"Techniques attributed to {group_name}","filters":{"platforms":["Windows","Linux","macOS","Cloud"]},"sorting":0,"layout":{"layout":"side","aggregateFunction":"average","showID":True,"showName":True,"showAggregateScores":False,"countUnscored":False,},"hideDisabled":False,"techniques":techniques_list,"gradient":{"colors":["#ffffff","#ff6666"],"minValue":0,"maxValue":100,},"legendItems":[{"label":"Observed technique","color":"#ff6666"},{"label":"Not observed","color":"#ffffff"},],"showTacticRowBackground":True,"tacticRowBackground":"#dddddd","selectTechniquesAcrossTactics":True,"selectSubtechniquesWithParent":False,"selectVisibleTechniques":False,}returnlayer# Generate and save layerlayer=create_navigator_layer("APT29",technique_map,"APT29 (Cozy Bear) TTP analysis")withopen("apt29_navigator_layer.json","w")asf:json.dump(layer,f,indent=2)print("[+] Navigator layer saved to apt29_navigator_layer.json")
Step 4: Identify Detection Gaps
fromattackctiimportattack_clientlift=attack_client()# Get all techniques with data sourcesall_techniques=lift.get_enterprise_techniques()# Build data source coverage mapdata_source_coverage={}fortechinall_techniques:tech_id=tech.get("external_references",[{}])[0].get("external_id","")data_sources=tech.get("x_mitre_data_sources",[])fordsindata_sources:ifdsnotindata_source_coverage:data_source_coverage[ds]=[]data_source_coverage[ds].append(tech_id)# Compare threat actor techniques against available detectionsdetected_techniques={"T1059","T1071","T1566"}# Example: techniques you can detectactor_techniques=set(technique_map.keys())covered=actor_techniques.intersection(detected_techniques)gaps=actor_techniques-detected_techniquesprint(f"\n=== Detection Gap Analysis for APT29 ===")print(f"Actor techniques: {len(actor_techniques)}")print(f"Detected: {len(covered)} ({len(covered)/len(actor_techniques)*100:.0f}%)")print(f"Gaps: {len(gaps)} ({len(gaps)/len(actor_techniques)*100:.0f}%)")print(f"\nUndetected techniques:")fortech_idinsorted(gaps):iftech_idintechnique_map:print(f" {tech_id}: {technique_map[tech_id]['name']}")
Step 5: Cross-Group Technique Comparison
fromattackctiimportattack_clientlift=attack_client()# Compare techniques across multiple groupsgroups_to_compare={"G0016":"APT29","G0007":"APT28","G0032":"Lazarus Group",}group_techniques={}forgid,gnameingroups_to_compare.items():techs=lift.get_techniques_used_by_group(gid)tech_ids=set()fortintechs:tid=t.get("external_references",[{}])[0].get("external_id","")iftid:tech_ids.add(tid)group_techniques[gname]=tech_ids# Find common and unique techniquesall_groups=list(group_techniques.keys())common_to_all=set.intersection(*group_techniques.values())print(f"\nTechniques common to all {len(all_groups)} groups: {len(common_to_all)}")fortidinsorted(common_to_all):print(f" {tid}")forgname,techsingroup_techniques.items():unique=techs-set.union(*[tforn,tingroup_techniques.items()ifn!=gname])print(f"\nUnique to {gname}: {len(unique)} techniques")
Validation Criteria
ATT&CK data successfully queried via TAXII server or local copy
Threat actor mapped to specific techniques with procedure examples
ATT&CK Navigator layer JSON is valid and renders correctly
Detection gap analysis identifies unmonitored techniques
Cross-group comparison reveals shared and unique TTPs
Output is actionable for detection engineering prioritization