After this lesson, you will be able to: Use the MITRE ATT&CK Navigator to map a real publicly-known threat actor's tradecraft and identify the defensive gaps in a fictional environment.
MITRE ATT&CK is the canonical language of adversary tradecraft. Every threat intel report, every red-team engagement, every detection-engineering effort references it. This lesson gets you fluent enough to map an APT and identify gaps.
ATT&CK is a knowledge base of adversary tactics, techniques, and procedures (TTPs) observed in real intrusions. Tactics are the why (Initial Access, Persistence, Privilege Escalation, Lateral Movement, Exfiltration, etc.). Techniques are the how (Spearphishing Attachment, Scheduled Task, OS Credential Dumping). Sub-techniques are the specific variant (e.g., T1003.001 = LSASS Memory Dumping). Groups (G-numbers) and Software (S-numbers) tag which actors use which techniques.
The Navigator is the canonical visualisation tool, free and browser-based.
Open mitre-attack.github.io/attack-navigator
Click 'Create New Layer' > 'Enterprise ATT&CK'
In the search bar, type 'APT29' and click the Search button; this is a Russian state-sponsored threat group with rich public reporting
Click the multiselect link in the search result to highlight every technique APT29 has used
Observe the matrix: rows are tactics, columns are techniques. Highlighted cells are APT29's playbook.
Export as JSON; this becomes your reference for any APT29-tracking exercise
This is the workflow real CTI analysts run quarterly.
Create a second Navigator layer; in the legend, set colour to indicate coverage status (green = detected, yellow = partial, red = no detection)
For each APT29 technique, ask: 'do we have a Splunk/Sentinel/EDR rule that detects this?'
Where coverage is partial or missing, note the gap and the system that would need to change (SIEM rule, EDR config, log source)
Export the gap layer as a PNG and as JSON; this is the slide you bring to leadership
Prioritise gaps by APT29's most-frequent techniques (Initial Access > Discovery > Credential Access tends to be where defenders are weakest)
APT29 (Russia, espionage), well-documented; great for first mapping. APT28 (Russia, GRU), military intelligence; election interference. Lazarus (North Korea), financial + destructive operations; Sony, WannaCry. FIN7 (cybercrime), payment-card focused; consistent use of social engineering. Scattered Spider (cybercrime, recent), social-engineering-heavy; relevant to current MFA-fatigue attacks. Pick one per quarter, deep-map their techniques, identify your defensive gaps.
Mapping a threat actor's techniques but not validating they're current. Threat groups evolve; a 2018 mapping doesn't reflect 2026 tradecraft. Treating every CISA advisory as new. Cross-reference against existing ATT&CK mappings; usually 80% is already covered. Confusing techniques with software. PowerShell is a technique (T1059.001); Cobalt Strike is software (S0154). They appear differently in Navigator. Defending against every technique. Some techniques (e.g., command-line interpreter) are unavoidable; defence is detection + response, not prevention.
Pick the one that delivers initial access and is poorly defended in most environments.
Sign in and purchase access to unlock this lesson.