Threat Intelligence 🟡 Intermediate

Mapping MITRE ATT&CK Techniques

Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization.


When to Use

Use this skill when:

  • Generating an ATT&CK coverage heatmap to show which techniques your detection stack addresses
  • Tagging existing SIEM use cases or Sigma rules with ATT&CK technique IDs for structured reporting
  • Aligning your security program roadmap to specific adversary groups known to target your sector

Do not use this skill for real-time incident triage; ATT&CK mapping is an analytical activity best performed post-detection or during threat hunting planning.

Prerequisites

  • Access to MITRE ATT&CK knowledge base (https://attack.mitre.org) or local ATT&CK STIX data bundle
  • ATT&CK Navigator web app or local installation (https://mitre-attack.github.io/attack-navigator/)
  • Inventory of existing detection rules (Sigma, Splunk, Sentinel KQL) to assess current coverage
  • ATT&CK Python library: pip install mitreattack-python

Workflow

Step 1: Obtain Current ATT&CK Data

Download the latest ATT&CK STIX bundle for the relevant matrix (Enterprise, Mobile, ICS):

curl -o enterprise-attack.json \
  https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json

Use the mitreattack-python library to query techniques programmatically:

from mitreattack.stix20 import MitreAttackData

mitre = MitreAttackData("enterprise-attack.json")
techniques = mitre.get_techniques(remove_revoked_deprecated=True)
for t in techniques[:5]:
    print(t["external_references"][0]["external_id"], t["name"])

Step 2: Map Existing Detections to Techniques

For each SIEM rule or Sigma file, assign ATT&CK technique IDs. Sigma rules support native ATT&CK tagging:

tags:
  - attack.execution
  - attack.t1059.001  # PowerShell
  - attack.t1059.003  # Windows Command Shell

Create a coverage matrix: list each technique ID and mark as: Detected (alert fires), Logged (data present but no alert), Blind (no data source).
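
An added example (not part of the original skill page) of the Step 2 mapping: it extracts technique IDs from Sigma tags and classifies each in-scope technique as Detected, Logged or Blind. The function names and the sample inventory are constructed assumptions, and rules are passed in as already-parsed dictionaries.

```python
import re

# Sigma ATT&CK tags: "attack.t1059.001" names a technique, "attack.execution" a tactic.
TECH_TAG = re.compile(r"^attack\.t(\d{4})(?:\.(\d{3}))?$", re.IGNORECASE)

def technique_ids(tags):
    """Return the technique IDs (e.g. 'T1059.001') named in a rule's Sigma tags."""
    ids = set()
    for tag in tags:
        m = TECH_TAG.match(tag.strip())
        if m:
            ids.add(f"T{m.group(1)}" + (f".{m.group(2)}" if m.group(2) else ""))
    return ids

def coverage_matrix(rules, logged, scope):
    """Classify each technique in scope as Detected, Logged or Blind.

    rules: list of {"title": str, "tags": [str]}; logged: technique IDs whose
    telemetry is collected. Matching is exact, so T1059 does not cover T1059.005.
    """
    detected, untagged = set(), []
    for rule in rules:
        ids = technique_ids(rule.get("tags", []))
        if not ids:
            untagged.append(rule["title"])  # tactic-only or no ATT&CK tag at all
        detected |= ids
    matrix = {t: "Detected" if t in detected else "Logged" if t in logged else "Blind"
              for t in scope}
    return matrix, untagged

# Constructed sample inventory (hypothetical rules, not a real rule set).
RULES = [
    {"title": "PS_Encoded_Command", "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "Script_Interpreter_Generic", "tags": ["attack.execution", "attack.t1059"]},
    {"title": "Suspicious_Exec", "tags": ["attack.execution"]},
]
LOGGED = {"T1071.001", "T1059.003"}
SCOPE = ["T1059", "T1059.001", "T1059.003", "T1059.005", "T1071.001", "T1055"]

if __name__ == "__main__":
    matrix, untagged = coverage_matrix(RULES, LOGGED, SCOPE)
    for tid, status in matrix.items():
        print(f"{tid:10} {status}")
    print("Rules lacking a technique tag:", untagged)
```

The rule tagged only attack.execution is reported separately because it cannot contribute to technique-level gap analysis.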

Step 3: Prioritize Coverage Gaps Using Threat Intelligence

Cross-reference coverage gaps with adversary groups targeting your sector. Use ATT&CK Groups data:

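# Reuses the `mitre` MitreAttackData object loaded in Step 1.
# get_object_by_attack_id() expects the STIX type; groups are "intrusion-set".
apt29 = mitre.get_object_by_attack_id("G0016", "intrusion-set")
# get_techniques_used_by_group() takes the group's STIX ID, not the object.
apt29_techniques = mitre.get_techniques_used_by_group(apt29.id)
for t in apt29_techniques:
    print(t["object"]["external_references"][0]["external_id"])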

Prioritize adding detection for techniques used by high-priority threat groups where your coverage is blind.

Step 4: Build Navigator Heatmap

Export coverage scores as ATT&CK Navigator JSON layer:

import json

layer = {
    "name": "SOC Detection Coverage Q1 2025",
    "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1059.001", "score": 100, "comment": "Splunk rule: PS_Encoded_Command"},
        {"techniqueID": "T1071.001", "score": 50, "comment": "Logged only, no alert"},
        {"techniqueID": "T1055", "score": 0, "comment": "No coverage - blind spot"}
    ],
    "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100}
}
with open("coverage_layer.json", "w") as f:
    json.dump(layer, f)

Import layer into ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/) for visualization.

Step 5: Generate Executive Coverage Report

Summarize coverage by tactic category (Initial Access, Execution, Persistence, etc.) with counts and percentages. Provide a risk-ranked list of top 10 blind-spot techniques based on adversary group usage frequency. Recommend data source additions (e.g., "Enable PowerShell Script Block Logging to address 12 Execution sub-technique gaps").
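
An added example (not from the original page) of the Step 5 numbers: per-tactic counts and percentages, plus blind spots ranked by how many tracked groups use them. Function names, the group names and all sample data are constructed assumptions standing in for the Step 2 matrix and the Step 3 group queries.

```python
from collections import Counter, defaultdict

LABELS = {0: "blind", 50: "logged", 100: "alerted"}  # score scale from Key Concepts

def tactic_summary(scores, tactics_of):
    """Count techniques per tactic by coverage label and compute % alerted."""
    buckets = defaultdict(Counter)
    for tid, score in scores.items():
        for tactic in tactics_of[tid]:  # a technique can sit under several tactics
            buckets[tactic][LABELS[score]] += 1
    summary = {}
    for tactic, c in sorted(buckets.items()):
        total = sum(c.values())
        summary[tactic] = {"total": total, "alerted": c["alerted"],
                           "logged": c["logged"], "blind": c["blind"],
                           "pct_alerted": round(100 * c["alerted"] / total, 1)}
    return summary

def ranked_blind_spots(scores, group_usage, top_n=10):
    """Blind techniques (score 0), most widely used by tracked groups first."""
    usage = Counter(tid for used in group_usage.values() for tid in set(used))
    blind = [(tid, usage[tid]) for tid, score in scores.items() if score == 0]
    return sorted(blind, key=lambda pair: (-pair[1], pair[0]))[:top_n]

# Constructed sample data (not measured coverage).
SCORES = {"T1059.001": 100, "T1071.001": 50, "T1055": 0, "T1053.005": 0, "T1566.001": 0}
TACTICS_OF = {
    "T1059.001": ["execution"],
    "T1071.001": ["command-and-control"],
    "T1055": ["defense-evasion", "privilege-escalation"],
    "T1053.005": ["execution", "persistence", "privilege-escalation"],
    "T1566.001": ["initial-access"],
}
GROUP_USAGE = {  # placeholder group names, not real ATT&CK groups
    "GROUP-A": ["T1566.001", "T1055", "T1059.001"],
    "GROUP-B": ["T1566.001", "T1053.005"],
    "GROUP-C": ["T1566.001", "T1055"],
}

if __name__ == "__main__":
    for tactic, row in tactic_summary(SCORES, TACTICS_OF).items():
        print(f"{tactic:22} {row}")
    for tid, n in ranked_blind_spots(SCORES, GROUP_USAGE):
        print(f"{tid:10} used by {n} tracked group(s)")
```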

Key Concepts

| Term | Definition |
| --- | --- |
| ATT&CK Technique | Specific adversary method identified by T-number (e.g., T1059 = Command and Scripting Interpreter) |
| Sub-technique | More granular variant of a technique (e.g., T1059.001 = PowerShell, T1059.003 = Windows Command Shell) |
| Tactic | Adversary goal category in ATT&CK: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, C&C, Exfiltration, Impact |
| Data Source | ATT&CK v10+ component identifying telemetry required to detect a technique (e.g., Process Creation, Network Traffic) |
| Coverage Score | Numeric (0–100) representing detection completeness for a technique: 0=blind, 50=logged only, 100=alerted |
| MITRE D3FEND | Defensive countermeasure ontology complementing ATT&CK; maps defensive techniques to attack techniques they mitigate |

Tools & Systems

  • ATT&CK Navigator: Browser-based heatmap visualization tool for layering coverage scores and annotations on the ATT&CK matrix
  • mitreattack-python: Official MITRE Python library for programmatic access to ATT&CK STIX data (techniques, groups, software, mitigations)
  • Atomic Red Team: MITRE-aligned test library providing atomic test cases to validate detection for each technique
  • Sigma: Detection rule format with ATT&CK tagging support; translatable to Splunk, Sentinel, QRadar, Elastic
  • ATT&CK Workbench: Self-hosted ATT&CK knowledge base for organizations maintaining custom technique extensions

Common Pitfalls

  • Over-claiming coverage: Logging a data source (e.g., process creation events) does not mean the associated technique is detected; a rule must actually fire on malicious patterns.
  • Mapping at tactic level only: Tagging a rule as "attack.execution" without a specific technique ID prevents granular gap analysis.
  • Ignoring sub-techniques: Many adversaries use specific sub-techniques. Coverage of T1059 (parent) doesn't imply coverage of T1059.005 (Visual Basic).
  • Static mapping without updates: ATT&CK releases major versions annually. Coverage maps go stale as techniques are added, revised, or deprecated.
  • Not mapping to adversary groups: Generic coverage maps don't distinguish between techniques used by APTs targeting your sector vs. commodity malware.

Verification Criteria

Confirm successful execution by validating:

  • [ ] All prerequisite tools and access requirements are satisfied
  • [ ] Each workflow step completed without errors
  • [ ] Output matches expected format and contains expected data
  • [ ] No security warnings or misconfigurations detected
  • [ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

  • SOC 2: CC7.1 (Monitoring), CC7.2 (Anomaly Detection)
  • ISO 27001: A.6.1 (Threat Intelligence), A.16.1 (Security Incident Management)
  • NIST 800-53: PM-16 (Threat Awareness), RA-3 (Risk Assessment), SI-5 (Security Alerts)
  • NIST CSF: ID.RA (Risk Assessment), DE.AE (Anomalies & Events)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

# Install via CLI
npx claw-grc skills add mapping-mitre-attack-techniques

# Or load dynamically via MCP
grc.load_skill("mapping-mitre-attack-techniques")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

  • SHA-256 chain hashing ensures no step can be modified after execution
  • Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
  • Trust score impact: successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.
