MITRE ATT&CK 103: Modelling Intelligence Using Navigator

Install and run

To make it easy to get started, there is a public instance running here that you can use.

1. Download the required repositories

The ATT&CK Navigator code is open source and available on GitHub.

git clone https://github.com/mitre-attack/attack-navigator
cd attack-navigator/nav-app
npm install

2. Build and run

Now open up a browser and navigate to localhost:4200.

Modelling an intelligence report

For this first walkthrough I will use this post from the brilliant UNIT-42, "Popping Eagle: How We Leveraged Global Analytics to Discover a Sophisticated Threat Actor", and model its information against ATT&CK Tactics and Techniques.

Comparing intelligence reports

In many cases, you will want to compare Techniques between reports, for example to identify similarities between new campaigns and those that are more widely known.

  • Yellow shows Techniques unique to APT 39,
  • Red shows Techniques unique to Popping Eagle,
  • and Green shows Techniques used by both.

  • tracking the evolution of an actor over time as new Techniques are discovered or the actor changes their approach
  • comparing known intelligence collected on the same campaign from different sources so that you can have the most comprehensive information available in one place
  • identifying gaps between Techniques that you have intelligence about and Techniques you are detecting for in your SIEM (or whatever) to identify blind spots in your defenses, which brings me on to next week's post…
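
As an added example (not code from the original post), the Python script below builds the yellow/red/green comparison described above as a layer file that can be opened in Navigator. The technique IDs are constructed sample data, not the real mappings for APT 39 or Popping Eagle, and the hex colours, version strings and output filename are assumptions.

```python
import json

# Hex colours for the legend described in the post (exact shades are assumed).
YELLOW, RED, GREEN = "#ffe766", "#ff6666", "#8ec843"


def compare_layer(name_a, techs_a, name_b, techs_b):
    """Return a Navigator layer dict colouring Techniques by which report uses them."""
    a, b = set(techs_a), set(techs_b)
    buckets = [
        (a - b, YELLOW, f"Unique to {name_a}"),
        (b - a, RED, f"Unique to {name_b}"),
        (a & b, GREEN, "Used by both"),
    ]
    techniques = [
        {"techniqueID": tid, "color": colour, "comment": label}
        for ids, colour, label in buckets
        for tid in sorted(ids)
    ]
    return {
        "name": f"{name_a} vs {name_b}",
        # Assumed version strings; match them to the Navigator build you run.
        "versions": {"navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Technique overlap between two intelligence reports",
        "techniques": techniques,
        "legendItems": [
            {"label": label, "color": colour} for _, colour, label in buckets
        ],
    }


# Constructed sample Technique sets, NOT the actual report mappings.
REPORT_A = ["T1566.001", "T1059.001", "T1053.005", "T1071.001"]
REPORT_B = ["T1059.001", "T1071.001", "T1572", "T1021.002"]

if __name__ == "__main__":
    layer = compare_layer("APT 39", REPORT_A, "Popping Eagle", REPORT_B)
    # Hypothetical output filename; open this file from Navigator's new-tab page.
    with open("comparison_layer.json", "w", encoding="utf-8") as fh:
        json.dump(layer, fh, indent=2)
    print(f"Wrote {len(layer['techniques'])} Techniques to comparison_layer.json")
```

Replace the two sample lists with the Technique IDs you extracted from each report; duplicates within a report are collapsed automatically.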

ATT&CK Certification (Virtual and In Person)

The content used in this post is a small subset of our full training material used in our ATT&CK training.


I help early stage cyber-security companies to build products that make users go; “Wow! That’s what I need!”. https://www.himynamesdave.com/

David G
