implementing-threat-modeling-with-mitre-attack

# Implementing Threat Modeling with MITRE ATT&CK ## When to Use Use this skill when: - SOC teams need to assess detection coverage against relevant threat actors and their TTPs - Security leadership requires threat-informed defense prioritization - New environments (cloud migration, OT integration) need detection strategy planning - Purple team exercises require structured adversary emulation based on threat models - Annual risk assessments need ATT&CK-based threat landscape analysis **Do not use** as a one-time exercise — threat models must be continuously updated as adversary TTPs evolve and organizational attack surface changes. ## Prerequisites - MITRE ATT&CK framework knowledge (Enterprise, ICS, Mobile, or Cloud matrices) - ATT&CK Navigator tool (web or local) for layer visualization - Current detection rule inventory mapped to ATT&CK technique IDs - Threat intelligence on adversary groups targeting your sector - Organizational asset inventory with criticality classifications ## Workflow ### Step 1: Identify Relevant Threat Actors Research adversary groups targeting your sector using MITRE ATT&CK Groups: ```python import requests import json # Download ATT&CK STIX data response = requests.get( "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json" ) attack_data = response.json() # Extract groups and their techniques groups = {} for obj in attack_data["objects"]: if obj["type"] == "intrusion-set": group_nam...