Implementing Threat Modeling with MITRE ATT&CK
When to Use
Use this skill when:
- SOC teams need to assess detection coverage against relevant threat actors and their TTPs
- Security leadership requires threat-informed defense prioritization
- New environments (cloud migration, OT integration) need detection strategy planning
- Purple team exercises require structured adversary emulation based on threat models
- Annual risk assessments need ATT&CK-based threat landscape analysis
Do not use as a one-time exercise — threat models must be continuously updated as adversary TTPs evolve and organizational attack surface changes.
Prerequisites
- MITRE ATT&CK framework knowledge (Enterprise, ICS, Mobile, or Cloud matrices)
- ATT&CK Navigator tool (web or local) for layer visualization
- Current detection rule inventory mapped to ATT&CK technique IDs
- Threat intelligence on adversary groups targeting your sector
- Organizational asset inventory with criticality classifications
Workflow
Step 1: Identify Relevant Threat Actors
Research adversary groups targeting your sector using MITRE ATT&CK Groups:
import requests
import json
# Download ATT&CK STIX data
response = requests.get(
"https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json"
)
attack_data = response.json()
# Extract groups and their techniques
groups = {}
for obj in attack_data["objects"]:
if obj["type"] == "intrusion-set":
group_name = obj["name"]
aliases = obj.get("aliases", [])
description = obj.get("description", "")
groups[group_name] = {
"aliases": aliases,
"description": description[:200],
"techniques": []
}
# Map techniques to groups via relationships
relationships = [obj for obj in attack_data["objects"] if obj["type"] == "relationship"]
techniques = {obj["id"]: obj for obj in attack_data["objects"]
if obj["type"] == "attack-pattern"}
for rel in relationships:
if rel["relationship_type"] == "uses":
source = rel["source_ref"]
target = rel["target_ref"]
for group_name, group_data in groups.items():
if source == group_data.get("id") and target in techniques:
tech = techniques[target]
ext_refs = tech.get("external_references", [])
for ref in ext_refs:
if ref.get("source_name") == "mitre-attack":
group_data["techniques"].append(ref["external_id"])
# Example: Financial sector threat actors
financial_actors = ["FIN7", "FIN8", "Carbanak", "APT38", "Lazarus Group"]
for actor in financial_actors:
if actor in groups:
print(f"{actor}: {len(groups[actor]['techniques'])} techniques")
print(f" Top techniques: {groups[actor]['techniques'][:10]}")
Step 2: Build Threat Actor TTP Profile
Create ATT&CK Navigator layers for priority threat actors:
import json
def create_attack_layer(actor_name, techniques, color="#ff6666"):
"""Generate ATT&CK Navigator JSON layer for a threat actor"""
layer = {
"name": f"{actor_name} TTP Profile",
"versions": {
"attack": "15",
"navigator": "5.0",
"layer": "4.5"
},
"domain": "enterprise-attack",
"description": f"Techniques associated with {actor_name}",
"techniques": [
{
"techniqueID": tech_id,
"tactic": "",
"color": color,
"comment": f"Used by {actor_name}",
"enabled": True,
"score": 1
}
for tech_id in techniques
],
"gradient": {
"colors": ["#ffffff", color],
"minValue": 0,
"maxValue": 1
}
}
return layer
# Create layers for top threat actors
fin7_techniques = ["T1566.001", "T1059.001", "T1053.005", "T1547.001",
"T1078", "T1021.001", "T1003", "T1071.001", "T1041"]
layer = create_attack_layer("FIN7", fin7_techniques, "#ff6666")
with open("fin7_layer.json", "w") as f:
json.dump(layer, f, indent=2)
Step 3: Map Current Detection Coverage
Export current detection rules mapped to ATT&CK:
--- Extract ATT&CK technique mappings from Splunk ES correlation searches
| rest /services/saved/searches
splunk_server=local
| where match(title, "^(COR|ESCU|RBA):")
| eval techniques = if(isnotnull(action.correlationsearch.annotations),
spath(action.correlationsearch.annotations, "mitre_attack"),
"unmapped")
| stats count by techniques
| mvexpand techniques
| stats count by techniques
| rename techniques AS technique_id, count AS rule_count
Create detection coverage layer:
def create_coverage_layer(detection_rules):
"""Generate coverage layer from detection rule inventory"""
technique_counts = {}
for rule in detection_rules:
for tech in rule.get("techniques", []):
technique_counts[tech] = technique_counts.get(tech, 0) + 1
layer = {
"name": "SOC Detection Coverage",
"versions": {"attack": "15", "navigator": "5.0", "layer": "4.5"},
"domain": "enterprise-attack",
"techniques": [
{
"techniqueID": tech_id,
"color": "#31a354" if count >= 2 else "#a1d99b" if count == 1 else "",
"score": count,
"comment": f"{count} detection rule(s)"
}
for tech_id, count in technique_counts.items()
],
"gradient": {
"colors": ["#ffffff", "#a1d99b", "#31a354"],
"minValue": 0,
"maxValue": 3
}
}
return layer
Step 4: Perform Gap Analysis
Overlay threat actor TTPs against detection coverage:
def gap_analysis(threat_techniques, covered_techniques):
"""Identify detection gaps for specific threat actor"""
gaps = set(threat_techniques) - set(covered_techniques)
covered = set(threat_techniques) & set(covered_techniques)
print(f"Threat Actor Techniques: {len(threat_techniques)}")
print(f"Detected: {len(covered)} ({len(covered)/len(threat_techniques)*100:.0f}%)")
print(f"Gaps: {len(gaps)} ({len(gaps)/len(threat_techniques)*100:.0f}%)")
# Prioritize gaps by kill chain phase
priority_order = {
"TA0001": 1, "TA0002": 2, "TA0003": 3, "TA0004": 4,
"TA0005": 5, "TA0006": 6, "TA0007": 7, "TA0008": 8,
"TA0009": 9, "TA0010": 10, "TA0011": 11, "TA0040": 12
}
gap_details = []
for tech_id in gaps:
gap_details.append({
"technique": tech_id,
"priority": "HIGH" if tech_id.split(".")[0] in ["T1003", "T1021", "T1059"] else "MEDIUM",
"recommendation": f"Build detection for {tech_id}"
})
return {
"total_actor_techniques": len(threat_techniques),
"covered": len(covered),
"gaps": len(gaps),
"coverage_pct": round(len(covered)/len(threat_techniques)*100, 1),
"gap_details": sorted(gap_details, key=lambda x: x["priority"])
}
# Run analysis
result = gap_analysis(fin7_techniques, current_coverage)
Step 5: Create Prioritized Remediation Plan
Build a detection engineering roadmap:
threat_model_remediation_plan:
assessed_date: 2024-03-15
primary_threats:
- FIN7 (Financial sector)
- APT38 (DPRK financial)
- Lazarus Group (Destructive)
current_coverage: 64%
target_coverage: 80%
priority_1_gaps: # 30-day target
- technique: T1021.002
name: SMB/Windows Admin Shares
data_source: Windows Security Event 5140
effort: Low
detection_approach: Monitor admin share access from non-admin workstations
- technique: T1003.006
name: DCSync
data_source: Windows Security Event 4662
effort: Medium
detection_approach: Detect DS-Replication-Get-Changes from non-DC sources
priority_2_gaps: # 60-day target
- technique: T1055
name: Process Injection
data_source: Sysmon EventCode 8, 10
effort: High
detection_approach: Monitor cross-process memory access patterns
- technique: T1071.001
name: Web Protocols (C2)
data_source: Proxy/Firewall logs
effort: Medium
detection_approach: Detect beaconing patterns in HTTP/S traffic
priority_3_gaps: # 90-day target
- technique: T1070.004
name: File Deletion
data_source: Sysmon EventCode 23
effort: Low
detection_approach: Monitor mass file deletion in sensitive directories
Step 6: Validate with Adversary Emulation
Test coverage using MITRE Caldera or Atomic Red Team:
# Using Atomic Red Team to validate coverage for FIN7 techniques
# T1566.001 — Spearphishing Attachment
Invoke-AtomicTest T1566.001
# T1059.001 — PowerShell
Invoke-AtomicTest T1059.001 -TestNumbers 1,2,3
# T1053.005 — Scheduled Task
Invoke-AtomicTest T1053.005
# T1547.001 — Registry Run Keys
Invoke-AtomicTest T1547.001
# T1003 — Credential Dumping
Invoke-AtomicTest T1003 -TestNumbers 1,2
# Verify detections
# Check SIEM for corresponding alerts within 15 minutes
Document emulation results to validate threat model accuracy.
Key Concepts
| Term | Definition | |------|-----------| | MITRE ATT&CK | Knowledge base of adversary tactics, techniques, and procedures based on real-world observations | | TTP | Tactics, Techniques, and Procedures — the behavioral patterns of adversary groups | | ATT&CK Navigator | Web tool for visualizing ATT&CK matrices as layered heatmaps showing coverage or threat profiles | | Gap Analysis | Process of comparing threat actor TTPs against detection coverage to identify blind spots | | Threat-Informed Defense | Security strategy prioritizing defenses based on actual adversary behaviors rather than theoretical risks | | Adversary Emulation | Controlled simulation of threat actor TTPs to validate detection and response capabilities |
Tools & Systems
- MITRE ATT&CK Navigator: Web-based visualization tool for creating and overlaying ATT&CK technique layers
- MITRE Caldera: Automated adversary emulation platform for testing detection coverage at scale
- Atomic Red Team: Open-source library of ATT&CK technique tests for security control validation
- CTID ATT&CK Workbench: MITRE tool for customizing ATT&CK knowledge base with organizational context
- Tidal Cyber: Commercial platform for threat-informed defense planning using ATT&CK framework
Common Scenarios
- Annual Threat Assessment: Map top 5 threat actors to ATT&CK, overlay against detection, produce gap analysis
- Cloud Migration Planning: Model cloud-specific threats (T1078.004, T1537) and plan detection coverage
- M&A Security Assessment: Threat model the acquired company's environment against relevant threat actors
- Budget Justification: Use gap analysis to demonstrate detection blind spots requiring tool investment
- Purple Team Planning: Select adversary emulation scenarios based on highest-priority gaps from threat model
Output Format
THREAT MODEL ASSESSMENT — Financial Services Division
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Date: 2024-03-15
Threat Actors: FIN7, APT38, Lazarus Group
Techniques Total: 87 unique techniques across all actors
DETECTION COVERAGE:
Covered: 56/87 (64%)
Gaps: 31/87 (36%)
Tactic Coverage Breakdown:
Initial Access: 78% ████████░░
Execution: 82% █████████░
Persistence: 71% ████████░░
Priv Escalation: 65% ███████░░░
Defense Evasion: 52% ██████░░░░ <-- Priority gap
Credential Access: 58% ██████░░░░ <-- Priority gap
Discovery: 45% █████░░░░░
Lateral Movement: 61% ███████░░░
Collection: 50% ██████░░░░
Exfiltration: 55% ██████░░░░
C2: 67% ███████░░░
TOP PRIORITY GAPS (30-day remediation):
1. T1055 Process Injection — used by all 3 actors, 0 detections
2. T1003.006 DCSync — used by FIN7 and Lazarus, 0 detections
3. T1070.004 File Deletion — evidence destruction, 0 detections
INVESTMENT RECOMMENDATION:
Closing top 10 gaps requires: 2 detection engineer FTEs, 60 days
Expected coverage improvement: 64% -> 76%