Lab 1: Threat Actor Profiling and MITRE ATT&CK Framework

Analysis

Objective:

This lab focuses on understanding and profiling threat actors using the MITRE ATT&CK Framework.

Students will analyze the tactics, techniques, and procedures (TTPs) used by real-world threat actors,
and learn how to profile them effectively.

Lab Outline:

1. Introduction to Threat Actor Profiling

Definition and importance of Threat Actor Profiling.

Analyzing the motivations, goals, and resources of different threat actor groups (e.g.,
APTs, cybercriminals, hacktivists).

How to gather information on adversary groups using open-source intelligence (OSINT).

2. Overview of the MITRE ATT&CK Framework

Introduction to the ATT&CK Matrix: Structure, tactics, techniques, and sub-techniques.

Mapping techniques to real-world scenarios: How threat actors utilize techniques to

achieve their goals.

Understanding TTPs and how they help in profiling threat actors.

3. Identifying and Mapping Threat Actor TTPs

Analyze a real-world threat actor (e.g., APT28, Lazarus Group, FIN7) and identify their

commonly used techniques within the MITRE ATT&CK framework.

Use tools like OSINT and threat intelligence reports to gather information about the

group’s tactics.

Map the attack lifecycle from initial access to exfiltration based on the MITRE ATT&CK

framework.
 4. Creating a Threat Actor Profile

Collect and synthesize data on the threat actor's behavior and techniques.

Build a profile based on their TTPs, including:

▪ Common attack vectors (e.g., spear-phishing, drive-by downloads).

▪ Tools and malware used (e.g., Cobalt Strike, Mimikatz).

▪ Indicators of Compromise (IoCs) associated with the group (e.g., IP addresses, file
hashes).

Discuss the attack chain and how the threat actor moves through it.
5. Applying MITRE ATT&CK for Threat Intelligence

Correlating specific attacks with techniques in the ATT&CK framework.

Identify defensive gaps by mapping existing security controls to ATT&CK techniques.

Understanding how to use the MITRE ATT&CK framework to improve defense posture.

Lab Tasks:

Task 1: Research and Profile a Threat Actor

1. Select a Threat Actor:

Choose a known adversary (e.g., APT29, FIN4, Charming Kitten).

Use open-source intelligence (OSINT) tools and resources like:

▪ VirusTotal, Shodan, CIRCL (Computer Incident Response Center Luxembourg).

▪ Threat reports and blogs from security vendors (e.g., CrowdStrike, FireEye).

2. Analyze TTPs:
Research and list Tactics, Techniques, and Sub-techniques used by the selected group.

Map each technique to specific ATT&CK categories such as Initial

Access, Execution, Persistence, Privilege Escalation, Exfiltration, etc.
3. Create a Threat Actor Profile:
Document the attacker's objectives, tools, and methods.
 Build a profile detailing the actor’s characteristics and potential targets.

Create an attack chain diagram for the adversary group, identifying how they would
execute a complete attack from initial access to data exfiltration.

Task 2: Map a Real-World Attack Using MITRE ATT&CK

1. Choose a Real-World Attack:

Pick a recent cyber-attack (e.g., SolarWinds, NotPetya, Wannacry) or a publicized APT

attack.

2. Analyze the Attack:

Break down the attack phases and map them to the MITRE ATT&CK Matrix.

Identify the tactics, techniques, and sub-techniques used at each phase of the attack.
3. Reporting:

Document the attack timeline and techniques used by the adversary.

Provide insights into how the attack could have been detected using the MITRE ATT&CK

framework.

Task 3: Write a Threat Actor Profile and Submit a Report

1. Create the Profile:

Document the full profile of the adversary or attack in a report format.

Include:

▪ A description of the adversary.

▪ Key TTPs used.

▪ Attack phases with ATT&CK mappings.

▪ Key IoCs (e.g., IPs, hashes, domains).

2. Report Evaluation:
The report should summarize the adversary’s behavior and suggest possible detection
methods for each tactic and technique observed.
Expected Outcomes:

• Students will gain an understanding of how to profile threat actors and map their behavior to

the MITRE ATT&CK framework.

• They will become proficient in identifying adversary tactics, techniques, and indicators of

compromise (IoCs) through OSINT and threat intelligence.

• Students will learn how to integrate the MITRE ATT&CK Matrix into threat hunting efforts

and improve detection and defense capabilities.

Deliverables:

1. Threat Actor Profile: Submit a report that includes:

A detailed threat actor profile with TTP mappings to MITRE ATT&CK.

Attack chain diagram and explanations.

IoCs and tactics used by the threat actor.

2. Real-World Attack Analysis: A report analyzing a real-world attack and mapping it to MITRE

ATT&CK.

3. Reflection: Briefly discuss the importance of threat actor profiling and how the MITRE ATT&CK

framework aids in improving cybersecurity posture.

Tools You Will Use:

• MITRE ATT&CK Matrix: For understanding and mapping adversary techniques.

• OSINT Tools: For gathering information on threat actors and IoCs

(e.g., VirusTotal, Shodan, CIRCL).

• Security Blogs/Reports: From vendors like CrowdStrike, FireEye, and others.

• Attack Chain Diagram Tools: (e.g., draw.io or Lucidchart).

Additional Notes:

• This lab is critical for building a foundational understanding of how adversaries operate, which

will make it easier for students to understand the YARA rule creation process in the next lab.

• The lab also sets the stage for understanding the attack lifecycle, which is essential for

detecting and responding to threats effectively.

Conclusion:

This lab will provide students with practical experience in understanding how threat actors operate,

which will allow them to apply more effective detection and mitigation strategies. By the end of this
exercise, students will be equipped to use MITRE ATT&CK to profile adversaries and identify their

tactics, techniques, and procedures (TTPs), setting the foundation for the subsequent application
of YARA rules for advanced threat hunting.