Analyzing Threat Actor TTPs with MITRE ATT&CK
Overview
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor behavior to the ATT&CK framework, building technique coverage heatmaps with the ATT&CK Navigator, identifying detection gaps, and producing actionable intelligence reports that link observed behavior and IOCs to specific adversary techniques across the Enterprise, Mobile, and ICS matrices.
When to Use
- When investigating security incidents in which observed activity must be mapped to a threat actor's TTPs in MITRE ATT&CK
- When building detection rules or threat hunting queries prioritized by the techniques known adversaries use
- When SOC analysts need a structured, repeatable procedure for ATT&CK-based analysis
- When validating security monitoring coverage against the techniques of adversaries relevant to your organization
Prerequisites
- Python 3.9+ with the attackcti, mitreattack-python, and stix2 libraries
- MITRE ATT&CK Navigator (web-based or local deployment)
- Understanding of the ATT&CK matrix structure: Tactics, Techniques, Sub-techniques
- Access to threat intelligence reports or MISP/OpenCTI for threat actor data
- Familiarity with STIX 2.1 Attack Pattern objects
Key Concepts
ATT&CK Matrix Structure
The ATT&CK Enterprise matrix organizes adversary behavior into 14 Tactics (the "why") containing Techniques (the "how") and Sub-techniques (specific implementations). Each technique has associated data sources, detections, mitigations, and real-world procedure examples from observed threat groups. Tactic, technique, and sub-technique IDs (TA0002, T1059, T1059.001) persist across releases, which is what makes ATT&CK usable as a shared vocabulary between intelligence analysts, detection engineers, and red teams.
Threat Group Profiles
ATT&CK catalogs over 140 threat groups (e.g., APT28, APT29, Lazarus Group, FIN7) with documented technique usage. Each group profile includes aliases, targeted sectors, associated campaigns, software used, and technique mappings with procedure-level detail. These mappings are compiled from public reporting: a technique absent from a profile means it has not been publicly documented for that group, not that the group never uses it, so treat a profile as a lower bound on capability.
ATT&CK Navigator
The ATT&CK Navigator is a web-based tool for creating custom ATT&CK matrix visualizations. Analysts create layers (JSON files) that annotate techniques with scores, colors, comments, and metadata to visualize threat actor coverage, detection capabilities, or risk assessments. Navigator can also create a layer from other layers with a score expression (for example a + b), which is a quick way to overlay an actor layer on a detection-coverage layer and see the gaps in the tool itself.
Workflow
Step 1: Query ATT&CK Data Programmatically
```python
from attackcti import attack_client

# Initialize the ATT&CK client. By default it fetches the ATT&CK STIX data from
# MITRE's TAXII server (network access required); load a local STIX bundle if offline.
lift = attack_client()

# Get all Enterprise techniques
enterprise_techniques = lift.get_enterprise_techniques()
print(f"Total Enterprise techniques: {len(enterprise_techniques)}")

# Get all threat groups
groups = lift.get_groups()
print(f"Total threat groups: {len(groups)}")

# Get a specific group by name. Check aliases too: a group may be catalogued under
# a different primary name than the one your report uses.
apt29 = [g for g in groups if 'APT29' in g.get('name', '') or 'APT29' in g.get('aliases', [])]
if apt29:
    group = apt29[0]
    print(f"Group: {group['name']}")
    print(f"Aliases: {group.get('aliases', [])}")
    print(f"Description: {group.get('description', '')[:200]}")
```
Step 2: Map Threat Actor to ATT&CK Techniques
```python
from attackcti import attack_client

lift = attack_client()


def attack_id(obj):
    """Return the ATT&CK ID (T1059, T1059.001, G0016, ...) from a STIX object.

    The ID lives in the external reference whose source_name is "mitre-attack";
    do not rely on it always being external_references[0].
    """
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id", "")
    return ""


# Resolve APT29 by its ATT&CK group ID. get_techniques_used_by_group() takes the
# STIX intrusion-set object, not the "G0016" string.
apt29 = next(g for g in lift.get_groups() if attack_id(g) == "G0016")
apt29_techniques = lift.get_techniques_used_by_group(apt29)

technique_map = {}
for entry in apt29_techniques:
    # Skip techniques MITRE has revoked or deprecated; the "uses" relationships
    # that reference them are still present in the data
    if entry.get("revoked", False) or entry.get("x_mitre_deprecated", False):
        continue
    tech_id = attack_id(entry)
    if not tech_id:
        continue
    tactic_refs = [
        phase.get("phase_name", "")
        for phase in entry.get("kill_chain_phases", [])
        if phase.get("kill_chain_name") == "mitre-attack"
    ]
    technique_map[tech_id] = {
        "name": entry.get("name", ""),
        "tactics": tactic_refs,
        "description": entry.get("description", "")[:300],
    }

print(f"\nAPT29 uses {len(technique_map)} techniques:")
for tid, info in sorted(technique_map.items()):
    print(f"  {tid}: {info['name']} [{', '.join(info['tactics'])}]")
```
Step 3: Generate ATT&CK Navigator Layer
```python
import json


def create_navigator_layer(group_name, technique_map, description=""):
    """Generate ATT&CK Navigator layer JSON for a threat group."""
    techniques_list = []
    for tech_id, info in technique_map.items():
        # One entry per tactic: a technique listed under several tactics (e.g. both
        # Persistence and Privilege Escalation) has a cell in each column, and an entry
        # with a "tactic" value annotates only that column. Omitting "tactic" annotates
        # every column, which also works but loses per-tactic comments.
        for tactic in info["tactics"] or [None]:
            entry = {
                "techniqueID": tech_id,
                "color": "#ff6666",  # Red for observed techniques
                "comment": info["description"][:200],
                "enabled": True,
                "score": 100,
                "metadata": [
                    {"name": "group", "value": group_name},
                ],
            }
            if tactic:
                entry["tactic"] = tactic
            techniques_list.append(entry)
    layer = {
        "name": f"{group_name} TTP Coverage",
        # Pin the ATT&CK, Navigator and layer-format versions the layer was built against;
        # Navigator uses them to check the layer against the ATT&CK version it has loaded
        "versions": {
            "attack": "16.1",
            "navigator": "5.1.0",
            "layer": "4.5",
        },
        "domain": "enterprise-attack",
        "description": description or f"Techniques attributed to {group_name}",
        # No platform filter: Navigator hides techniques whose platforms do not match the
        # filter, and "Cloud" is not an ATT&CK platform name (the cloud platforms are
        # IaaS, SaaS, ...), so filtering on it would hide the actor's cloud techniques
        "sorting": 0,
        "layout": {
            "layout": "side",
            "aggregateFunction": "average",
            "showID": True,
            "showName": True,
            "showAggregateScores": False,
            "countUnscored": False,
        },
        "hideDisabled": False,
        "techniques": techniques_list,
        "gradient": {
            "colors": ["#ffffff", "#ff6666"],
            "minValue": 0,
            "maxValue": 100,
        },
        "legendItems": [
            {"label": "Observed technique", "color": "#ff6666"},
            {"label": "Not observed", "color": "#ffffff"},
        ],
        "showTacticRowBackground": True,
        "tacticRowBackground": "#dddddd",
        "selectTechniquesAcrossTactics": True,
        "selectSubtechniquesWithParent": False,
        "selectVisibleTechniques": False,
    }
    return layer


# Generate and save the layer (technique_map is the dict built in Step 2)
layer = create_navigator_layer("APT29", technique_map, "APT29 (Cozy Bear) TTP analysis")
with open("apt29_navigator_layer.json", "w") as f:
    json.dump(layer, f, indent=2)
print("[+] Navigator layer saved to apt29_navigator_layer.json")
```
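The Overview promises reports that link observed activity to techniques, and the layer above carries only a binary observed/not-observed mark. As an added example that is not part of the original page, the block below maps constructed process-creation records to ATT&CK technique IDs with a small rule table, counts sightings per technique and per tactic, and emits a Navigator layer whose score is the sighting count with the gradient scaled to the busiest technique, so the same layer format becomes a frequency heatmap. The sample events and the regexes are assumptions made for the example (the technique IDs, names and tactic slugs are real ATT&CK values); in practice the technique tags come from your detection content, not from five regexes.

```python
import re
from collections import Counter, defaultdict

# Constructed process-creation records for the example (not real incident data)
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "ws01", "cmdline": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\Public\u.exe"},
    {"host": "ws02", "cmdline": r"powershell -ep bypass -File C:\temp\s.ps1"},
    {"host": "ws02", "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\l.dmp full"},
    {"host": "srv01", "cmdline": 'wmic /node:ws03 process call create "cmd /c whoami"'},
    {"host": "ws03", "cmdline": "cmd /c whoami"},
]

# Hypothetical mapping rules: (regex over the command line, technique ID, tactic slug as
# Navigator expects it in the "tactic" field, technique name). IDs, names and tactics are
# real ATT&CK values; the rules themselves are illustrative, not a detection set.
RULES = [
    (re.compile(r"powershell(\.exe)?\s.*(-enc\b|-e\s|encodedcommand|-ep bypass)", re.I),
     "T1059.001", "execution", "PowerShell"),
    (re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I),
     "T1053.005", "persistence", "Scheduled Task"),
    (re.compile(r"comsvcs\.dll,\s*MiniDump\b", re.I),
     "T1003.001", "credential-access", "LSASS Memory"),
    (re.compile(r"\bwmic(\.exe)?\s+/node:", re.I),
     "T1047", "execution", "Windows Management Instrumentation"),
    (re.compile(r"^cmd(\.exe)?\s+/c\s+whoami\b", re.I),
     "T1033", "discovery", "System Owner/User Discovery"),
]


def map_events(events, rules=RULES):
    """Run every rule over every event; one event can map to several techniques."""
    hits = []
    for ev in events:
        for pattern, tid, tactic, name in rules:
            if pattern.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "technique": tid, "tactic": tactic,
                             "name": name, "cmdline": ev["cmdline"]})
    return hits


def technique_counts(hits):
    """Sightings per technique ID."""
    return Counter(h["technique"] for h in hits)


def tactic_counts(hits):
    """Sightings per tactic, for the kill-chain summary of a report."""
    return Counter(h["tactic"] for h in hits)


def scored_layer(hits, name="Observed activity heatmap"):
    """Navigator layer whose score is the sighting count; gradient scaled to the maximum."""
    counts = technique_counts(hits)
    hosts = defaultdict(set)
    meta = {}
    for h in hits:
        hosts[h["technique"]].add(h["host"])
        meta[h["technique"]] = (h["tactic"], h["name"])
    techniques = []
    for tid, n in sorted(counts.items()):
        tactic, tname = meta[tid]
        techniques.append({
            "techniqueID": tid,
            "tactic": tactic,
            "score": n,
            "enabled": True,
            "comment": f"{tname}: {n} sighting(s) on {len(hosts[tid])} host(s): "
                       + ", ".join(sorted(hosts[tid])),
        })
    return {
        "name": name,
        "versions": {"attack": "16.1", "navigator": "5.1.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": f"{len(hits)} mapped sightings across {len(counts)} techniques",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max(counts.values(), default=1)},
        "layout": {"layout": "side", "showID": True, "showName": True},
    }


if __name__ == "__main__":
    import json
    hits = map_events(SAMPLE_EVENTS)
    for tactic, n in tactic_counts(hits).most_common():
        print(f"{tactic:20s} {n}")
    print(json.dumps(scored_layer(hits), indent=2))
```

Each rule carries the tactic slug Navigator expects (execution, credential-access, ...), so the score and comment land in the right column; a technique you observe under two tactics needs one entry per tactic, as create_navigator_layer() above does.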
Step 4: Identify Detection Gaps
```python
from attackcti import attack_client

lift = attack_client()

# Map every Enterprise technique to the ATT&CK data sources that can reveal it.
# x_mitre_data_sources holds strings such as "Process: Process Creation" on technique
# objects in ATT&CK v16, the version this page targets.
all_techniques = lift.get_enterprise_techniques()
technique_data_sources = {}
for tech in all_techniques:
    tech_id = next((ref.get("external_id", "") for ref in tech.get("external_references", [])
                    if ref.get("source_name") == "mitre-attack"), "")
    technique_data_sources[tech_id] = list(tech.get("x_mitre_data_sources", []))

# Compare the actor's techniques (technique_map from Step 2) against what you can detect.
# Keep both sides at the same granularity: a detection recorded as "T1059" does not match
# an actor entry of "T1059.001" unless you deliberately roll sub-techniques up to parents.
detected_techniques = {"T1059", "T1071", "T1566"}  # Example: techniques you can detect
actor_techniques = set(technique_map.keys())
covered = actor_techniques.intersection(detected_techniques)
gaps = actor_techniques - detected_techniques
total = max(len(actor_techniques), 1)

print("\n=== Detection Gap Analysis for APT29 ===")
print(f"Actor techniques: {len(actor_techniques)}")
print(f"Detected: {len(covered)} ({len(covered)/total*100:.0f}%)")
print(f"Gaps: {len(gaps)} ({len(gaps)/total*100:.0f}%)")
print("\nUndetected techniques:")
for tech_id in sorted(gaps):
    print(f"  {tech_id}: {technique_map[tech_id]['name']}")

# Rank the data sources that would give visibility into the most gap techniques: this is
# the prioritisation list for log onboarding and new detections
ds_gap_count = {}
for tech_id in gaps:
    for ds in technique_data_sources.get(tech_id, []):
        ds_gap_count[ds] = ds_gap_count.get(ds, 0) + 1
print("\nData sources covering the most undetected techniques:")
for ds, n in sorted(ds_gap_count.items(), key=lambda kv: -kv[1])[:10]:
    print(f"  {n:3d}  {ds}")
```
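Step 2 and this step assume live access to MITRE's TAXII server. The same walk over a local STIX bundle, as an added example that is not part of the original page and does not use attackcti: it resolves a group to the attack-patterns it "uses" through STIX relationship objects (which is what attackcti's get_techniques_used_by_group() does for you), drops revoked and deprecated objects, and runs the gap comparison with explicit handling of the sub-technique granularity question. The bundle is a constructed miniature in the shape of MITRE's enterprise-attack.json; the object IDs, the group G9999 and the techniques T9997/T9998 are invented for the example. Point load_bundle() at a real bundle from the mitre-attack/attack-stix-data repository to run it on actual data.

```python
import json

# Constructed miniature bundle in the shape of MITRE's enterprise-attack.json (not real
# MITRE data: object IDs, group G9999 and techniques T9997/T9998 are invented). Real
# bundles are wired the same way: intrusion-set -[relationship "uses"]-> attack-pattern,
# the ATT&CK ID in the "mitre-attack" external reference, sub-techniques flagged with
# x_mitre_is_subtechnique, and revoked/deprecated objects left in place with a flag.
def _ap(stix_id, aid, name, tactic, sub=False, **flags):
    obj = {"type": "attack-pattern", "id": stix_id, "name": name, "x_mitre_is_subtechnique": sub,
           "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": tactic}],
           "external_references": [{"source_name": "mitre-attack", "external_id": aid}]}
    obj.update(flags)
    return obj

def _uses(n, target):
    return {"type": "relationship", "id": f"relationship--{n}", "relationship_type": "uses",
            "source_ref": "intrusion-set--g1", "target_ref": target}

SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Example Group",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G9999"}]},
    _ap("attack-pattern--t1", "T1059", "Command and Scripting Interpreter", "execution"),
    _ap("attack-pattern--t1a", "T1059.001", "PowerShell", "execution", sub=True),
    _ap("attack-pattern--t2", "T1566.001", "Spearphishing Attachment", "initial-access", sub=True),
    _ap("attack-pattern--t3", "T1003.001", "LSASS Memory", "credential-access", sub=True),
    _ap("attack-pattern--old", "T9998", "Revoked Technique", "execution", revoked=True),
    _ap("attack-pattern--dep", "T9997", "Deprecated Technique", "execution", x_mitre_deprecated=True),
    _uses(1, "attack-pattern--t1a"), _uses(2, "attack-pattern--t2"), _uses(3, "attack-pattern--t3"),
    _uses(4, "attack-pattern--old"), _uses(5, "attack-pattern--dep"),
]}


def load_bundle(path):
    """Load a STIX 2.1 bundle (e.g. enterprise-attack.json) from disk."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def attack_id(obj):
    """ATT&CK ID from the mitre-attack external reference, "" if there is none."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id", "")
    return ""


def is_live(obj):
    """False for objects MITRE has revoked or deprecated; they are not current TTPs."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def techniques_used_by_group(bundle, group_attack_id):
    """Resolve group -> live "uses" relationships -> live attack-patterns, keyed by ATT&CK ID."""
    objects = bundle["objects"]
    by_stix_id = {o["id"]: o for o in objects}
    group = next(o for o in objects if o["type"] == "intrusion-set" and attack_id(o) == group_attack_id)
    used = {}
    for rel in objects:
        if rel["type"] != "relationship" or rel.get("relationship_type") != "uses":
            continue
        if rel["source_ref"] != group["id"] or not is_live(rel):
            continue
        target = by_stix_id.get(rel["target_ref"])
        if target is None or target["type"] != "attack-pattern" or not is_live(target):
            continue
        used[attack_id(target)] = {
            "name": target["name"],
            "subtechnique": target.get("x_mitre_is_subtechnique", False),
            "tactics": [p["phase_name"] for p in target.get("kill_chain_phases", [])
                        if p.get("kill_chain_name") == "mitre-attack"],
        }
    return used


def parent_id(tid):
    """T1059.001 -> T1059; a parent technique maps to itself."""
    return tid.split(".", 1)[0]


def gap_analysis(actor_techniques, detected, parent_covers_subtechniques=False):
    """Split the actor's techniques into (covered, gaps).

    With parent_covers_subtechniques=True a detection recorded as T1059 is credited
    against T1059.001 too. Leave it False unless your parent-level entries really mean
    every sub-technique: a rule that only catches PowerShell belongs under T1059.001.
    """
    covered, gaps = set(), set()
    for tid in actor_techniques:
        if tid in detected or (parent_covers_subtechniques and parent_id(tid) in detected):
            covered.add(tid)
        else:
            gaps.add(tid)
    return covered, gaps


if __name__ == "__main__":
    used = techniques_used_by_group(SAMPLE_BUNDLE, "G9999")  # or load_bundle("enterprise-attack.json")
    detected = {"T1059", "T1566.001"}
    for roll_up in (False, True):
        covered, gaps = gap_analysis(set(used), detected, roll_up)
        print(f"roll-up={roll_up}: covered={sorted(covered)} gaps={sorted(gaps)}")
```

Run against the constructed bundle, the revoked and deprecated techniques are dropped even though the group "uses" them, and the T1059.001 sighting counts as a gap until you explicitly decide that your T1059 detection covers every sub-technique. That decision should be recorded in the coverage inventory, not made silently by the comparison code.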
Step 5: Cross-Group Technique Comparison
```python
from attackcti import attack_client

lift = attack_client()


def attack_id(obj):
    """Return the ATT&CK ID from a STIX object's mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id", "")
    return ""


# Compare techniques across multiple groups, resolving each ATT&CK group ID to its
# STIX object (get_techniques_used_by_group() needs the object, not the ID string)
groups_to_compare = {
    "G0016": "APT29",
    "G0007": "APT28",
    "G0032": "Lazarus Group",
}
groups_by_id = {attack_id(g): g for g in lift.get_groups()}

group_techniques = {}
for gid, gname in groups_to_compare.items():
    techs = lift.get_techniques_used_by_group(groups_by_id[gid])
    tech_ids = set()
    for t in techs:
        if t.get("revoked", False) or t.get("x_mitre_deprecated", False):
            continue
        tid = attack_id(t)
        if tid:
            tech_ids.add(tid)
    group_techniques[gname] = tech_ids

# Find common and unique techniques
all_groups = list(group_techniques.keys())
common_to_all = set.intersection(*group_techniques.values())
print(f"\nTechniques common to all {len(all_groups)} groups: {len(common_to_all)}")
for tid in sorted(common_to_all):
    print(f"  {tid}")

for gname, techs in group_techniques.items():
    others = set().union(*[t for n, t in group_techniques.items() if n != gname])
    unique = techs - others
    print(f"\nUnique to {gname}: {len(unique)} techniques")
    for tid in sorted(unique):
        print(f"  {tid}")
```
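A use for the per-group technique sets this step builds, as an added example that is not part of the original page: rank catalogued groups by how well their known TTPs explain the techniques observed in an incident. Raw overlap over-rewards commodity techniques that every group uses (spearphishing, PowerShell), so the score weights each shared technique by how few groups use it, IDF-style, and Jaccard similarity is reported alongside. The three group profiles and the observed set are constructed for the example, not ATT&CK's real mappings; feed it the group_techniques dict from the code above to run it on real data. Technique overlap is a lead for the analyst, not attribution: ATT&CK profiles contain only what has been publicly reported, and groups share tooling.

```python
import math

# Constructed technique sets for three hypothetical groups (not ATT&CK's real G-number
# mappings); GroupA and GroupB share the commodity spearphishing + PowerShell pair.
GROUP_TECHNIQUES = {
    "GroupA": {"T1566.001", "T1059.001", "T1053.005", "T1003.001", "T1071.001", "T1027"},
    "GroupB": {"T1566.001", "T1059.001", "T1047", "T1021.002", "T1071.001", "T1486"},
    "GroupC": {"T1190", "T1505.003", "T1059.003", "T1003.001", "T1071.001", "T1560.001"},
}

# Techniques mapped from a constructed incident; T1033 is used by none of the groups above
OBSERVED = {"T1566.001", "T1059.001", "T1053.005", "T1003.001", "T1033"}


def parent_id(tid):
    """T1059.001 -> T1059; a parent technique maps to itself."""
    return tid.split(".", 1)[0]


def to_level(techniques, parent_level):
    """Optionally roll sub-techniques up to their parent before comparing."""
    return {parent_id(t) for t in techniques} if parent_level else set(techniques)


def technique_weights(groups):
    """IDF-style weight: log(N / groups-using-it) + 1, so a technique every group
    uses weighs 1 and a technique unique to one group weighs log(N) + 1."""
    n = len(groups)
    df = {}
    for techs in groups.values():
        for t in techs:
            df[t] = df.get(t, 0) + 1
    return {t: math.log(n / c) + 1 for t, c in df.items()}


def rank_groups(observed, groups, parent_level=False):
    """Score each group against the observed techniques; highest weighted score first.

    Returns (ranked list of result dicts, observed techniques no group uses)."""
    groups = {g: to_level(t, parent_level) for g, t in groups.items()}
    observed = to_level(observed, parent_level)
    weights = technique_weights(groups)
    # Observed techniques no catalogued group uses cannot discriminate between groups,
    # but they are worth reporting: new behaviour for this actor, or a mapping error
    unmatched = sorted(t for t in observed if t not in weights)
    results = []
    for name, techs in groups.items():
        overlap = observed & techs
        union = observed | techs
        results.append({
            "group": name,
            "overlap": sorted(overlap),
            "jaccard": len(overlap) / len(union) if union else 0.0,
            "weighted": sum(weights[t] for t in overlap),
        })
    results.sort(key=lambda r: (-r["weighted"], -r["jaccard"], r["group"]))
    return results, unmatched


if __name__ == "__main__":
    for level in (False, True):
        ranked, unmatched = rank_groups(OBSERVED, GROUP_TECHNIQUES, parent_level=level)
        print(f"\nparent_level={level}  (unmatched: {unmatched})")
        for r in ranked:
            print(f"  {r['group']:8s} weighted={r['weighted']:.2f} "
                  f"jaccard={r['jaccard']:.2f} overlap={r['overlap']}")
```

Comparing at sub-technique level, GroupA leads clearly and GroupC shares only T1003.001 with the incident; rolled up to parent level, GroupC's T1059.003 also matches the observed T1059.001 and it ties with GroupB. Which level you compare at changes the ranking, so state it in the report.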
Validation Criteria
- ATT&CK data successfully queried via the TAXII server or a local STIX bundle
- Threat actor mapped to specific techniques with procedure examples, with revoked and deprecated techniques excluded
- ATT&CK Navigator layer JSON is valid and renders correctly (load it through Navigator's "Open Existing Layer")
- Detection gap analysis identifies unmonitored techniques, comparing detections and actor techniques at the same sub-technique granularity
- Cross-group comparison reveals shared and unique TTPs
- Output is actionable for detection engineering prioritization