analyzing-threat-actor-ttps-with-mitre-attack

# Analyzing Threat Actor TTPs with MITRE ATT&CK ## Overview MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor behavior to the ATT&CK framework, building technique coverage heatmaps using the ATT&CK Navigator, identifying detection gaps, and producing actionable intelligence reports that link observed IOCs to specific adversary techniques across the Enterprise, Mobile, and ICS matrices. ## When to Use - When investigating security incidents that require analyzing threat actor ttps with mitre attack - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Python 3.9+ with `mitreattack-python`, `attackcti`, `stix2` libraries - MITRE ATT&CK Navigator (web-based or local deployment) - Understanding of ATT&CK matrix structure: Tactics, Techniques, Sub-techniques - Access to threat intelligence reports or MISP/OpenCTI for threat actor data - Familiarity with STIX 2.1 Attack Pattern objects ## Key Concepts ### ATT&CK Matrix Structure The ATT&CK Enterprise matrix organizes adversary behavior into 14 Tactics (the "why") containing Techniques (the "how") and Sub-techniques (specific implementations). Each technique has associated data sources, detection...