█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Threat Intelligence/Hands-on: MITRE ATT&CK Navigator
60 minIntermediate

Hands-on: MITRE ATT&CK Navigator

After this lesson, you will be able to: Use the MITRE ATT&CK Navigator to map a real publicly-known threat actor's tradecraft and identify the defensive gaps in a fictional environment.

MITRE ATT&CK is the canonical language of adversary tradecraft. Every threat intel report, every red-team engagement, every detection-engineering effort references it. This lesson gets you fluent enough to map an APT and identify gaps.

Prerequisites:Building a Threat Intelligence Program

What ATT&CK actually is

ATT&CK is a knowledge base of adversary tactics, techniques, and procedures (TTPs) observed in real intrusions. Tactics are the why (Initial Access, Persistence, Privilege Escalation, Lateral Movement, Exfiltration, etc.). Techniques are the how (Spearphishing Attachment, Scheduled Task, OS Credential Dumping). Sub-techniques are the specific variant (e.g., T1003.001 = LSASS Memory Dumping). Groups (G-numbers) and Software (S-numbers) tag which actors use which techniques.

Tour ATT&CK Navigator

The Navigator is the canonical visualisation tool, free and browser-based.

  1. 1

    Open mitre-attack.github.io/attack-navigator

  2. 2

    Click 'Create New Layer' > 'Enterprise ATT&CK'

  3. 3

    In the search bar, type 'APT29' and click the Search button; this is a Russian state-sponsored threat group with rich public reporting

  4. 4

    Click the multiselect link in the search result to highlight every technique APT29 has used

  5. 5

    Observe the matrix: rows are tactics, columns are techniques. Highlighted cells are APT29's playbook.

  6. 6

    Export as JSON; this becomes your reference for any APT29-tracking exercise

Map your defences against the actor

This is the workflow real CTI analysts run quarterly.

  1. 1

    Create a second Navigator layer; in the legend, set colour to indicate coverage status (green = detected, yellow = partial, red = no detection)

  2. 2

    For each APT29 technique, ask: 'do we have a Splunk/Sentinel/EDR rule that detects this?'

  3. 3

    Where coverage is partial or missing, note the gap and the system that would need to change (SIEM rule, EDR config, log source)

  4. 4

    Export the gap layer as a PNG and as JSON; this is the slide you bring to leadership

  5. 5

    Prioritise gaps by APT29's most-frequent techniques (Initial Access > Discovery > Credential Access tends to be where defenders are weakest)

💡 Use the techniques, not the buzzwords

Saying 'we're defending against APT29' is buzzword soup. Saying 'we detect T1059.001 (PowerShell), T1078 (Valid Accounts), and T1003.001 (LSASS dumping) but miss T1133 (External Remote Services)' is a CTI deliverable. Always anchor in specific techniques; vague threat-actor framing doesn't survive engineering review.

Useful APT mappings for practice

APT29 (Russia, espionage), well-documented; great for first mapping. APT28 (Russia, GRU), military intelligence; election interference. Lazarus (North Korea), financial + destructive operations; Sony, WannaCry. FIN7 (cybercrime), payment-card focused; consistent use of social engineering. Scattered Spider (cybercrime, recent), social-engineering-heavy; relevant to current MFA-fatigue attacks. Pick one per quarter, deep-map their techniques, identify your defensive gaps.

Common mistakes only experienced CTI analysts catch

Mapping a threat actor's techniques but not validating they're current. Threat groups evolve; a 2018 mapping doesn't reflect 2026 tradecraft. Treating every CISA advisory as new. Cross-reference against existing ATT&CK mappings; usually 80% is already covered. Confusing techniques with software. PowerShell is a technique (T1059.001); Cobalt Strike is software (S0154). They appear differently in Navigator. Defending against every technique. Some techniques (e.g., command-line interpreter) are unavoidable; defence is detection + response, not prevention.

Quick Check

Which APT29 technique would have the highest defensive priority?

Pick the one that delivers initial access and is poorly defended in most environments.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Building a Threat Intelligence Program
Back to Threat Intelligence
OSINT Toolkit: Shodan, Censys, VirusTotal, URLscan→