creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-16 07:53:18 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/analyzing-threat-actor-ttps-with-mitre-attack/references/workflows.md
T

91 lines
4.7 KiB
Markdown
Raw Blame History

# MITRE ATT&CK Analysis Workflows
## Workflow 1: Threat Actor TTP Mapping
```
[Threat Report] --> [Extract Behaviors] --> [Map to ATT&CK] --> [Navigator Layer]
|
v
[Detection Priorities]
```
### Steps:
1. **Report Ingestion**: Obtain threat intelligence report (vendor, OSINT, internal)
2. **Behavior Extraction**: Identify adversary actions described in the report
3. **Technique Mapping**: Map each behavior to ATT&CK technique IDs using the ATT&CK knowledge base
4. **Sub-technique Precision**: Drill down to sub-techniques where procedure details allow
5. **Layer Creation**: Generate ATT&CK Navigator layer with mapped techniques
6. **Priority Assessment**: Rank techniques by detection feasibility and impact
## Workflow 2: Detection Gap Analysis
```
[Current Detections] --> [Detection Layer] --> [Overlay with Threat Layer] --> [Gap Layer]
|
v
[Engineering Backlog]
```
### Steps:
1. **Detection Inventory**: Catalog existing detection rules mapped to ATT&CK techniques
2. **Detection Layer**: Create Navigator layer showing detected techniques (green)
3. **Threat Layer**: Create layer showing adversary techniques (red)
4. **Overlay Analysis**: Combine layers to identify uncovered threat techniques
5. **Gap Prioritization**: Rank gaps by threat actor relevance and detection feasibility
6. **Engineering Plan**: Create detection engineering backlog from prioritized gaps
## Workflow 3: Cross-Actor Comparison
```
[Group A TTPs] --+
|--> [Intersection Analysis] --> [Common Techniques] --> [Priority Detections]
[Group B TTPs] --+ |
| v
[Group C TTPs] --+ [Unique Techniques per Group]
```
### Steps:
1. **Group Selection**: Choose threat groups relevant to your industry/region
2. **TTP Extraction**: Pull technique lists for each group from ATT&CK
3. **Common Analysis**: Find techniques shared across all selected groups
4. **Unique Analysis**: Identify techniques unique to specific groups
5. **Detection ROI**: Prioritize detections for commonly used techniques (highest coverage ROI)
6. **Actor Attribution**: Use unique techniques as potential attribution indicators
## Workflow 4: Campaign-to-TTP Analysis
```
[Campaign IOCs] --> [Sandbox/Analysis] --> [Behavior Extraction] --> [TTP Mapping]
|
v
[Compare to Known Groups]
|
v
[Attribution Hypothesis]
```
### Steps:
1. **IOC Collection**: Gather campaign IOCs (malware hashes, C2 domains, phishing emails)
2. **Dynamic Analysis**: Execute samples in sandbox, capture behavioral artifacts
3. **Behavior Documentation**: Document file operations, registry changes, network connections, process activity
4. **ATT&CK Mapping**: Map observed behaviors to techniques and sub-techniques
5. **Group Comparison**: Compare campaign TTPs against known group profiles
6. **Attribution Assessment**: Assess likelihood of attribution based on TTP overlap
## Workflow 5: Threat-Informed Defense
```
[ATT&CK Mappings] --> [Data Source Analysis] --> [Telemetry Assessment] --> [Control Mapping]
|
v
[Security Roadmap]
```
### Steps:
1. **Threat Profile**: Identify relevant threat actors and their techniques
2. **Data Source Mapping**: Determine which data sources can detect each technique
3. **Telemetry Audit**: Assess which data sources are currently collected
4. **Control Assessment**: Map existing security controls to technique mitigations
5. **Gap Identification**: Find techniques with neither detection nor mitigation coverage
6. **Roadmap Creation**: Build security improvement roadmap addressing highest-risk gaps
Reference in New Issue View Git Blame Copy Permalink