creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 14:44:58 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/analyzing-threat-actor-ttps-with-mitre-attack/references/workflows.md
T

4.7 KiB
Raw Blame History

MITRE ATT&CK Analysis Workflows

Workflow 1: Threat Actor TTP Mapping

[Threat Report] --> [Extract Behaviors] --> [Map to ATT&CK] --> [Navigator Layer]
                                                                       |
                                                                       v
                                                              [Detection Priorities]

Steps:

  1. Report Ingestion: Obtain threat intelligence report (vendor, OSINT, internal)
  2. Behavior Extraction: Identify adversary actions described in the report
  3. Technique Mapping: Map each behavior to ATT&CK technique IDs using the ATT&CK knowledge base
  4. Sub-technique Precision: Drill down to sub-techniques where procedure details allow
  5. Layer Creation: Generate ATT&CK Navigator layer with mapped techniques
  6. Priority Assessment: Rank techniques by detection feasibility and impact

Workflow 2: Detection Gap Analysis

[Current Detections] --> [Detection Layer] --> [Overlay with Threat Layer] --> [Gap Layer]
                                                                                    |
                                                                                    v
                                                                          [Engineering Backlog]

Steps:

  1. Detection Inventory: Catalog existing detection rules mapped to ATT&CK techniques
  2. Detection Layer: Create Navigator layer showing detected techniques (green)
  3. Threat Layer: Create layer showing adversary techniques (red)
  4. Overlay Analysis: Combine layers to identify uncovered threat techniques
  5. Gap Prioritization: Rank gaps by threat actor relevance and detection feasibility
  6. Engineering Plan: Create detection engineering backlog from prioritized gaps

Workflow 3: Cross-Actor Comparison

[Group A TTPs] --+
                 |--> [Intersection Analysis] --> [Common Techniques] --> [Priority Detections]
[Group B TTPs] --+                                                               |
                 |                                                               v
[Group C TTPs] --+                                                    [Unique Techniques per Group]

Steps:

  1. Group Selection: Choose threat groups relevant to your industry/region
  2. TTP Extraction: Pull technique lists for each group from ATT&CK
  3. Common Analysis: Find techniques shared across all selected groups
  4. Unique Analysis: Identify techniques unique to specific groups
  5. Detection ROI: Prioritize detections for commonly used techniques (highest coverage ROI)
  6. Actor Attribution: Use unique techniques as potential attribution indicators

Workflow 4: Campaign-to-TTP Analysis

[Campaign IOCs] --> [Sandbox/Analysis] --> [Behavior Extraction] --> [TTP Mapping]
                                                                          |
                                                                          v
                                                                 [Compare to Known Groups]
                                                                          |
                                                                          v
                                                                 [Attribution Hypothesis]

Steps:

  1. IOC Collection: Gather campaign IOCs (malware hashes, C2 domains, phishing emails)
  2. Dynamic Analysis: Execute samples in sandbox, capture behavioral artifacts
  3. Behavior Documentation: Document file operations, registry changes, network connections, process activity
  4. ATT&CK Mapping: Map observed behaviors to techniques and sub-techniques
  5. Group Comparison: Compare campaign TTPs against known group profiles
  6. Attribution Assessment: Assess likelihood of attribution based on TTP overlap

Workflow 5: Threat-Informed Defense

[ATT&CK Mappings] --> [Data Source Analysis] --> [Telemetry Assessment] --> [Control Mapping]
                                                                                   |
                                                                                   v
                                                                          [Security Roadmap]

Steps:

  1. Threat Profile: Identify relevant threat actors and their techniques
  2. Data Source Mapping: Determine which data sources can detect each technique
  3. Telemetry Audit: Assess which data sources are currently collected
  4. Control Assessment: Map existing security controls to technique mitigations
  5. Gap Identification: Find techniques with neither detection nor mitigation coverage
  6. Roadmap Creation: Build security improvement roadmap addressing highest-risk gaps
Reference in New Issue View Git Blame Copy Permalink