Implementing Threat Modeling with MITRE ATT&CK

When to Use

Use this skill when:

• SOC teams need to assess detection coverage against relevant threat actors and their TTPs
• Security leadership requires threat-informed defense prioritization
• New environments (cloud migration, OT integration) need detection strategy planning
• Purple team exercises require structured adversary emulation based on threat models
• Annual risk assessments need ATT&CK-based threat landscape analysis

Do not use as a one-time exercise — threat models must be continuously updated as adversary TTPs evolve and organizational attack surface changes.

Prerequisites

• MITRE ATT&CK framework knowledge (Enterprise, ICS, Mobile, or Cloud matrices)
• ATT&CK Navigator tool (web or local) for layer visualization
• Current detection rule inventory mapped to ATT&CK technique IDs
• Threat intelligence on adversary groups targeting your sector
• Organizational asset inventory with criticality classifications

Workflow

Step 1: Identify Relevant Threat Actors

Research adversary groups targeting your sector using MITRE ATT&CK Groups:

import requests
import json

# Download ATT&CK STIX data
response = requests.get(
    "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json"
)
attack_data = response.json()

# Extract groups and their techniques
groups = {}
for obj in attack_data["objects"]:
    if obj["type"] == "intrusion-set":
        group_name = obj["name"]
        aliases = obj.get("aliases", [])
        description = obj.get("description", "")
        groups[group_name] = {
            "aliases": aliases,
            "description": description[:200],
            "techniques": []
        }

# Map techniques to groups via relationships
relationships = [obj for obj in attack_data["objects"] if obj["type"] == "relationship"]
techniques = {obj["id"]: obj for obj in attack_data["objects"]
              if obj["type"] == "attack-pattern"}

for rel in relationships:
    if rel["relationship_type"] == "uses":
        source = rel["source_ref"]
        target = rel["target_ref"]
        for group_name, group_data in groups.items():
            if source == group_data.get("id") and target in techniques:
                tech = techniques[target]
                ext_refs = tech.get("external_references", [])
                for ref in ext_refs:
                    if ref.get("source_name") == "mitre-attack":
                        group_data["techniques"].append(ref["external_id"])

# Example: Financial sector threat actors
financial_actors = ["FIN7", "FIN8", "Carbanak", "APT38", "Lazarus Group"]
for actor in financial_actors:
    if actor in groups:
        print(f"{actor}: {len(groups[actor]['techniques'])} techniques")
        print(f"  Top techniques: {groups[actor]['techniques'][:10]}")

Step 2: Build Threat Actor TTP Profile

Create ATT&CK Navigator layers for priority threat actors:

import json

def create_attack_layer(actor_name, techniques, color="#ff6666"):
    """Generate ATT&CK Navigator JSON layer for a threat actor"""
    layer = {
        "name": f"{actor_name} TTP Profile",
        "versions": {
            "attack": "15",
            "navigator": "5.0",
            "layer": "4.5"
        },
        "domain": "enterprise-attack",
        "description": f"Techniques associated with {actor_name}",
        "techniques": [
            {
                "techniqueID": tech_id,
                "tactic": "",
                "color": color,
                "comment": f"Used by {actor_name}",
                "enabled": True,
                "score": 1
            }
            for tech_id in techniques
        ],
        "gradient": {
            "colors": ["#ffffff", color],
            "minValue": 0,
            "maxValue": 1
        }
    }
    return layer

# Create layers for top threat actors
fin7_techniques = ["T1566.001", "T1059.001", "T1053.005", "T1547.001",
                    "T1078", "T1021.001", "T1003", "T1071.001", "T1041"]
layer = create_attack_layer("FIN7", fin7_techniques, "#ff6666")

with open("fin7_layer.json", "w") as f:
    json.dump(layer, f, indent=2)

Step 3: Map Current Detection Coverage

Export current detection rules mapped to ATT&CK:

--- Extract ATT&CK technique mappings from Splunk ES correlation searches
| rest /services/saved/searches
  splunk_server=local
| where match(title, "^(COR|ESCU|RBA):")
| eval techniques = if(isnotnull(action.correlationsearch.annotations),
                       spath(action.correlationsearch.annotations, "mitre_attack"),
                       "unmapped")
| stats count by techniques
| mvexpand techniques
| stats count by techniques
| rename techniques AS technique_id, count AS rule_count

Create detection coverage layer:

def create_coverage_layer(detection_rules):
    """Generate coverage layer from detection rule inventory"""
    technique_counts = {}
    for rule in detection_rules:
        for tech in rule.get("techniques", []):
            technique_counts[tech] = technique_counts.get(tech, 0) + 1

    layer = {
        "name": "SOC Detection Coverage",
        "versions": {"attack": "15", "navigator": "5.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": [
            {
                "techniqueID": tech_id,
                "color": "#31a354" if count >= 2 else "#a1d99b" if count == 1 else "",
                "score": count,
                "comment": f"{count} detection rule(s)"
            }
            for tech_id, count in technique_counts.items()
        ],
        "gradient": {
            "colors": ["#ffffff", "#a1d99b", "#31a354"],
            "minValue": 0,
            "maxValue": 3
        }
    }
    return layer

Step 4: Perform Gap Analysis

Overlay threat actor TTPs against detection coverage:

def gap_analysis(threat_techniques, covered_techniques):
    """Identify detection gaps for specific threat actor"""
    gaps = set(threat_techniques) - set(covered_techniques)
    covered = set(threat_techniques) & set(covered_techniques)

    print(f"Threat Actor Techniques: {len(threat_techniques)}")
    print(f"Detected: {len(covered)} ({len(covered)/len(threat_techniques)*100:.0f}%)")
    print(f"Gaps: {len(gaps)} ({len(gaps)/len(threat_techniques)*100:.0f}%)")

    # Prioritize gaps by kill chain phase
    priority_order = {
        "TA0001": 1, "TA0002": 2, "TA0003": 3, "TA0004": 4,
        "TA0005": 5, "TA0006": 6, "TA0007": 7, "TA0008": 8,
        "TA0009": 9, "TA0010": 10, "TA0011": 11, "TA0040": 12
    }

    gap_details = []
    for tech_id in gaps:
        gap_details.append({
            "technique": tech_id,
            "priority": "HIGH" if tech_id.split(".")[0] in ["T1003", "T1021", "T1059"] else "MEDIUM",
            "recommendation": f"Build detection for {tech_id}"
        })

    return {
        "total_actor_techniques": len(threat_techniques),
        "covered": len(covered),
        "gaps": len(gaps),
        "coverage_pct": round(len(covered)/len(threat_techniques)*100, 1),
        "gap_details": sorted(gap_details, key=lambda x: x["priority"])
    }

# Run analysis
result = gap_analysis(fin7_techniques, current_coverage)

Step 5: Create Prioritized Remediation Plan

Build a detection engineering roadmap:

threat_model_remediation_plan:
  assessed_date: 2024-03-15
  primary_threats:
    - FIN7 (Financial sector)
    - APT38 (DPRK financial)
    - Lazarus Group (Destructive)

  current_coverage: 64%
  target_coverage: 80%

  priority_1_gaps: # 30-day target
    - technique: T1021.002
      name: SMB/Windows Admin Shares
      data_source: Windows Security Event 5140
      effort: Low
      detection_approach: Monitor admin share access from non-admin workstations

    - technique: T1003.006
      name: DCSync
      data_source: Windows Security Event 4662
      effort: Medium
      detection_approach: Detect DS-Replication-Get-Changes from non-DC sources

  priority_2_gaps: # 60-day target
    - technique: T1055
      name: Process Injection
      data_source: Sysmon EventCode 8, 10
      effort: High
      detection_approach: Monitor cross-process memory access patterns

    - technique: T1071.001
      name: Web Protocols (C2)
      data_source: Proxy/Firewall logs
      effort: Medium
      detection_approach: Detect beaconing patterns in HTTP/S traffic

  priority_3_gaps: # 90-day target
    - technique: T1070.004
      name: File Deletion
      data_source: Sysmon EventCode 23
      effort: Low
      detection_approach: Monitor mass file deletion in sensitive directories

Step 6: Validate with Adversary Emulation

Test coverage using MITRE Caldera or Atomic Red Team:

# Using Atomic Red Team to validate coverage for FIN7 techniques
# T1566.001 — Spearphishing Attachment
Invoke-AtomicTest T1566.001

# T1059.001 — PowerShell
Invoke-AtomicTest T1059.001 -TestNumbers 1,2,3

# T1053.005 — Scheduled Task
Invoke-AtomicTest T1053.005

# T1547.001 — Registry Run Keys
Invoke-AtomicTest T1547.001

# T1003 — Credential Dumping
Invoke-AtomicTest T1003 -TestNumbers 1,2

# Verify detections
# Check SIEM for corresponding alerts within 15 minutes

Document emulation results to validate threat model accuracy.

Key Concepts

Term	Definition
MITRE ATT&CK	Knowledge base of adversary tactics, techniques, and procedures based on real-world observations
TTP	Tactics, Techniques, and Procedures — the behavioral patterns of adversary groups
ATT&CK Navigator	Web tool for visualizing ATT&CK matrices as layered heatmaps showing coverage or threat profiles
Gap Analysis	Process of comparing threat actor TTPs against detection coverage to identify blind spots
Threat-Informed Defense	Security strategy prioritizing defenses based on actual adversary behaviors rather than theoretical risks
Adversary Emulation	Controlled simulation of threat actor TTPs to validate detection and response capabilities

Tools & Systems

• MITRE ATT&CK Navigator: Web-based visualization tool for creating and overlaying ATT&CK technique layers
• MITRE Caldera: Automated adversary emulation platform for testing detection coverage at scale
• Atomic Red Team: Open-source library of ATT&CK technique tests for security control validation
• CTID ATT&CK Workbench: MITRE tool for customizing ATT&CK knowledge base with organizational context
• Tidal Cyber: Commercial platform for threat-informed defense planning using ATT&CK framework

Common Scenarios

• Annual Threat Assessment: Map top 5 threat actors to ATT&CK, overlay against detection, produce gap analysis
• Cloud Migration Planning: Model cloud-specific threats (T1078.004, T1537) and plan detection coverage
• M&A Security Assessment: Threat model the acquired company's environment against relevant threat actors
• Budget Justification: Use gap analysis to demonstrate detection blind spots requiring tool investment
• Purple Team Planning: Select adversary emulation scenarios based on highest-priority gaps from threat model

Output Format

THREAT MODEL ASSESSMENT — Financial Services Division
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Date:             2024-03-15
Threat Actors:    FIN7, APT38, Lazarus Group
Techniques Total: 87 unique techniques across all actors

DETECTION COVERAGE:
  Covered:     56/87 (64%)
  Gaps:        31/87 (36%)

  Tactic Coverage Breakdown:
    Initial Access:      78%  ████████░░
    Execution:           82%  █████████░
    Persistence:         71%  ████████░░
    Priv Escalation:     65%  ███████░░░
    Defense Evasion:     52%  ██████░░░░  <-- Priority gap
    Credential Access:   58%  ██████░░░░  <-- Priority gap
    Discovery:           45%  █████░░░░░
    Lateral Movement:    61%  ███████░░░
    Collection:          50%  ██████░░░░
    Exfiltration:        55%  ██████░░░░
    C2:                  67%  ███████░░░

TOP PRIORITY GAPS (30-day remediation):
  1. T1055 Process Injection — used by all 3 actors, 0 detections
  2. T1003.006 DCSync — used by FIN7 and Lazarus, 0 detections
  3. T1070.004 File Deletion — evidence destruction, 0 detections

INVESTMENT RECOMMENDATION:
  Closing top 10 gaps requires: 2 detection engineer FTEs, 60 days
  Expected coverage improvement: 64% -> 76%

Verification Criteria

Confirm successful execution by validating:

• [ ] All prerequisite tools and access requirements are satisfied
• [ ] Each workflow step completed without errors
• [ ] Output matches expected format and contains expected data
• [ ] No security warnings or misconfigurations detected
• [ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

• SOC 2: CC7.1 (Monitoring), CC7.2 (Anomaly Detection), CC7.3 (Incident Identification)
• ISO 27001: A.12.4 (Logging & Monitoring), A.16.1 (Security Incident Management)
• NIST 800-53: AU-6 (Audit Review), SI-4 (System Monitoring), IR-5 (Incident Monitoring)
• NIST CSF: DE.AE (Anomalies & Events), DE.CM (Continuous Monitoring)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

# Install via CLI
npx claw-grc skills add implementing-threat-modeling-with-mitre-attack

# Or load dynamically via MCP
grc.load_skill("implementing-threat-modeling-with-mitre-attack")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

• SHA-256 chain hashing ensures no step can be modified after execution
• Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
• Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.