Asi implementing-threat-modeling-with-mitre-attack
Install
Clone the upstream repo:
```bash
git clone https://github.com/plurigrid/asi
```
Claude Code: install into ~/.claude/skills/
```bash
T=$(mktemp -d) && git clone --depth=1 https://github.com/plurigrid/asi "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/asi/skills/implementing-threat-modeling-with-mitre-attack" ~/.claude/skills/plurigrid-asi-implementing-threat-modeling-with-mitre-attack && rm -rf "$T"
```
Manifest: plugins/asi/skills/implementing-threat-modeling-with-mitre-attack/SKILL.md
Implementing Threat Modeling with MITRE ATT&CK
When to Use
Use this skill when:
- SOC teams need to assess detection coverage against relevant threat actors and their TTPs
- Security leadership requires threat-informed defense prioritization
- New environments (cloud migration, OT integration) need detection strategy planning
- Purple team exercises require structured adversary emulation based on threat models
- Annual risk assessments need ATT&CK-based threat landscape analysis
Do not use as a one-time exercise — threat models must be continuously updated as adversary TTPs evolve and organizational attack surface changes.
Prerequisites
- MITRE ATT&CK framework knowledge (Enterprise, ICS, Mobile, or Cloud matrices)
- ATT&CK Navigator tool (web or local) for layer visualization
- Current detection rule inventory mapped to ATT&CK technique IDs
- Threat intelligence on adversary groups targeting your sector
- Organizational asset inventory with criticality classifications
Workflow
Step 1: Identify Relevant Threat Actors
Research adversary groups targeting your sector using MITRE ATT&CK Groups:
```python
import requests

# Download ATT&CK STIX data
response = requests.get(
    "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json"
)
attack_data = response.json()

# Extract groups; keep each group's STIX id so that relationship source_refs
# (which are STIX ids, not names) can be resolved back to the group
groups = {}
group_id_to_name = {}
for obj in attack_data["objects"]:
    if obj["type"] == "intrusion-set":
        group_name = obj["name"]
        group_id_to_name[obj["id"]] = group_name
        groups[group_name] = {
            "id": obj["id"],
            "aliases": obj.get("aliases", []),
            "description": obj.get("description", "")[:200],
            "techniques": [],
        }

# Map techniques to groups via "uses" relationships
relationships = [obj for obj in attack_data["objects"] if obj["type"] == "relationship"]
techniques = {obj["id"]: obj for obj in attack_data["objects"] if obj["type"] == "attack-pattern"}

for rel in relationships:
    if rel["relationship_type"] != "uses":
        continue
    group_name = group_id_to_name.get(rel["source_ref"])
    tech = techniques.get(rel["target_ref"])
    if group_name is None or tech is None:
        continue
    # The ATT&CK technique ID (e.g. T1059.001) lives in the external references
    for ref in tech.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            groups[group_name]["techniques"].append(ref["external_id"])

# Example: Financial sector threat actors
financial_actors = ["FIN7", "FIN8", "Carbanak", "APT38", "Lazarus Group"]
for actor in financial_actors:
    if actor in groups:
        print(f"{actor}: {len(groups[actor]['techniques'])} techniques")
        print(f"  Top techniques: {groups[actor]['techniques'][:10]}")
```
Step 2: Build Threat Actor TTP Profile
Create ATT&CK Navigator layers for priority threat actors:
```python
import json


def create_attack_layer(actor_name, techniques, color="#ff6666"):
    """Generate ATT&CK Navigator JSON layer for a threat actor"""
    layer = {
        "name": f"{actor_name} TTP Profile",
        "versions": {
            "attack": "15",
            "navigator": "5.0",
            "layer": "4.5"
        },
        "domain": "enterprise-attack",
        "description": f"Techniques associated with {actor_name}",
        "techniques": [
            {
                "techniqueID": tech_id,
                "tactic": "",
                "color": color,
                "comment": f"Used by {actor_name}",
                "enabled": True,
                "score": 1
            }
            for tech_id in techniques
        ],
        "gradient": {
            "colors": ["#ffffff", color],
            "minValue": 0,
            "maxValue": 1
        }
    }
    return layer


# Create layers for top threat actors
fin7_techniques = ["T1566.001", "T1059.001", "T1053.005", "T1547.001",
                   "T1078", "T1021.001", "T1003", "T1071.001", "T1041"]

layer = create_attack_layer("FIN7", fin7_techniques, "#ff6666")
with open("fin7_layer.json", "w") as f:
    json.dump(layer, f, indent=2)
```
Step 3: Map Current Detection Coverage
Export current detection rules mapped to ATT&CK. This SPL extracts the technique mappings from Splunk ES correlation searches (the `mitre_attack` key of each search's annotations) and counts rules per technique:
```spl
| rest /services/saved/searches splunk_server=local
| where match(title, "^(COR|ESCU|RBA):")
| eval techniques = if(isnotnull('action.correlationsearch.annotations'), spath('action.correlationsearch.annotations', "mitre_attack"), "unmapped")
| mvexpand techniques
| stats count by techniques
| rename techniques AS technique_id, count AS rule_count
```
Create detection coverage layer:
```python
def create_coverage_layer(detection_rules):
    """Generate coverage layer from detection rule inventory"""
    technique_counts = {}
    for rule in detection_rules:
        for tech in rule.get("techniques", []):
            technique_counts[tech] = technique_counts.get(tech, 0) + 1

    layer = {
        "name": "SOC Detection Coverage",
        "versions": {"attack": "15", "navigator": "5.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": [
            {
                "techniqueID": tech_id,
                # dark green: two or more rules; light green: a single rule
                "color": "#31a354" if count >= 2 else "#a1d99b" if count == 1 else "",
                "score": count,
                "comment": f"{count} detection rule(s)"
            }
            for tech_id, count in technique_counts.items()
        ],
        "gradient": {
            "colors": ["#ffffff", "#a1d99b", "#31a354"],
            "minValue": 0,
            "maxValue": 3
        }
    }
    return layer
```
Step 4: Perform Gap Analysis
Overlay threat actor TTPs against detection coverage:
```python
def gap_analysis(threat_techniques, covered_techniques):
    """Identify detection gaps for a specific threat actor"""
    threat = set(threat_techniques)
    if not threat:
        raise ValueError("threat_techniques must not be empty")
    gaps = threat - set(covered_techniques)
    covered = threat & set(covered_techniques)

    print(f"Threat Actor Techniques: {len(threat)}")
    print(f"Detected: {len(covered)} ({len(covered)/len(threat)*100:.0f}%)")
    print(f"Gaps: {len(gaps)} ({len(gaps)/len(threat)*100:.0f}%)")

    # Gaps whose parent technique is credential dumping, remote services or a
    # command interpreter are flagged HIGH; everything else is MEDIUM
    high_priority_parents = {"T1003", "T1021", "T1059"}
    gap_details = []
    for tech_id in sorted(gaps):
        gap_details.append({
            "technique": tech_id,
            "priority": "HIGH" if tech_id.split(".")[0] in high_priority_parents else "MEDIUM",
            "recommendation": f"Build detection for {tech_id}"
        })

    return {
        "total_actor_techniques": len(threat),
        "covered": len(covered),
        "gaps": len(gaps),
        "coverage_pct": round(len(covered)/len(threat)*100, 1),
        # "HIGH" sorts before "MEDIUM" alphabetically
        "gap_details": sorted(gap_details, key=lambda x: x["priority"])
    }


# Run analysis: current_coverage is the list of technique IDs carried by the
# coverage layer from Step 3 (detection_rules is the exported rule inventory)
current_coverage = [t["techniqueID"] for t in create_coverage_layer(detection_rules)["techniques"]]
result = gap_analysis(fin7_techniques, current_coverage)
```
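The gap analysis above reports totals only; the per-tactic breakdown shown in the Output Format section needs each technique mapped to its tactic(s), which the STIX `kill_chain_phases` field of every attack-pattern object provides. The following is an added example, not part of the skill's own code: it builds that mapping from a constructed handful of attack-pattern objects (the real ones come from the Step 1 download), computes covered/total per tactic, and renders the block bars used in the report.

```python
from collections import defaultdict

# Constructed sample of ATT&CK "attack-pattern" STIX objects, trimmed to the two
# fields used here; in practice these come from enterprise-attack.json (Step 1).
SAMPLE_ATTACK_PATTERNS = [
    {"external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]},
    {"external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
    {"external_references": [{"source_name": "mitre-attack", "external_id": "T1053.005"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}]},
    {"external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}]},
]

def technique_tactics(attack_patterns):
    """Map technique ID -> set of tactic names, read from STIX kill_chain_phases."""
    mapping = {}
    for obj in attack_patterns:
        ids = [r["external_id"] for r in obj.get("external_references", [])
               if r.get("source_name") == "mitre-attack"]
        phases = {p["phase_name"] for p in obj.get("kill_chain_phases", [])
                  if p.get("kill_chain_name") == "mitre-attack"}
        for tid in ids:
            mapping[tid] = phases
    return mapping

def tactic_coverage(threat_techniques, covered_techniques, attack_patterns):
    """Return {tactic: (covered, total)} for an actor's techniques; a technique
    that spans several tactics (e.g. T1053.005) is counted under each of them."""
    tactics_of = technique_tactics(attack_patterns)
    covered = set(covered_techniques)
    totals, hits = defaultdict(int), defaultdict(int)
    for tid in set(threat_techniques):
        for tactic in tactics_of.get(tid, {"unmapped"}):
            totals[tactic] += 1
            hits[tactic] += tid in covered
    return {t: (hits[t], totals[t]) for t in totals}

def render_bar(covered, total, width=10):
    """Render the percentage and block bar used in the Output Format section."""
    filled = round(width * covered / total) if total else 0
    pct = round(100 * covered / total) if total else 0
    return f"{pct:3d}% " + "█" * filled + "░" * (width - filled)

if __name__ == "__main__":
    fin7 = ["T1566.001", "T1059.001", "T1053.005", "T1003"]
    for tactic, (c, t) in sorted(tactic_coverage(fin7, ["T1059.001", "T1053.005"], SAMPLE_ATTACK_PATTERNS).items()):
        print(f"{tactic:<22}{render_bar(c, t)}")
```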
Step 5: Create Prioritized Remediation Plan
Build a detection engineering roadmap:
```yaml
threat_model_remediation_plan:
  assessed_date: 2024-03-15
  primary_threats:
    - FIN7 (Financial sector)
    - APT38 (DPRK financial)
    - Lazarus Group (Destructive)
  current_coverage: 64%
  target_coverage: 80%

  priority_1_gaps:  # 30-day target
    - technique: T1021.002
      name: SMB/Windows Admin Shares
      data_source: Windows Security Event 5140
      effort: Low
      detection_approach: Monitor admin share access from non-admin workstations
    - technique: T1003.006
      name: DCSync
      data_source: Windows Security Event 4662
      effort: Medium
      detection_approach: Detect DS-Replication-Get-Changes from non-DC sources

  priority_2_gaps:  # 60-day target
    - technique: T1055
      name: Process Injection
      data_source: Sysmon EventCode 8, 10
      effort: High
      detection_approach: Monitor cross-process memory access patterns
    - technique: T1071.001
      name: Web Protocols (C2)
      data_source: Proxy/Firewall logs
      effort: Medium
      detection_approach: Detect beaconing patterns in HTTP/S traffic

  priority_3_gaps:  # 90-day target
    - technique: T1070.004
      name: File Deletion
      data_source: Sysmon EventCode 23
      effort: Low
      detection_approach: Monitor mass file deletion in sensitive directories
```
Step 6: Validate with Adversary Emulation
Test coverage using MITRE Caldera or Atomic Red Team:
```powershell
# Using Atomic Red Team to validate coverage for FIN7 techniques

# T1566.001 — Spearphishing Attachment
Invoke-AtomicTest T1566.001

# T1059.001 — PowerShell
Invoke-AtomicTest T1059.001 -TestNumbers 1,2,3

# T1053.005 — Scheduled Task
Invoke-AtomicTest T1053.005

# T1547.001 — Registry Run Keys
Invoke-AtomicTest T1547.001

# T1003 — Credential Dumping
Invoke-AtomicTest T1003 -TestNumbers 1,2

# Verify detections
# Check SIEM for corresponding alerts within 15 minutes
```
Document emulation results to validate threat model accuracy.
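The verification step above is a manual check of the SIEM within 15 minutes of each test. As an added example (not part of the skill), the script below correlates a constructed list of Atomic test start times with constructed SIEM alert times and classifies each emulated technique as detected within the window, late, or missed, which is the evidence the emulation results document should record.

```python
from datetime import datetime, timedelta

# Constructed sample data: one entry per Invoke-AtomicTest run (start time, technique)
# and alerts exported from the SIEM (alert time, technique ID from the rule's ATT&CK annotation).
EMULATION_RUNS = [
    ("2024-03-15T10:00:00", "T1566.001"),
    ("2024-03-15T10:05:00", "T1059.001"),
    ("2024-03-15T10:10:00", "T1053.005"),
    ("2024-03-15T10:15:00", "T1547.001"),
    ("2024-03-15T10:20:00", "T1003"),
]
SIEM_ALERTS = [
    ("2024-03-15T10:07:30", "T1059.001"),  # 2.5 min after the test: detected
    ("2024-03-15T10:31:00", "T1053.005"),  # 21 min after the test: late
    ("2024-03-15T10:16:10", "T1547.001"),  # 70 s after the test: detected
    ("2024-03-15T09:58:00", "T1003"),      # fired before the test: not attributable
]

def validate_emulation(runs, alerts, window_minutes=15):
    """Per emulated technique, take the earliest alert for it at or after the test
    start and return {technique: {"status": detected|late|missed, "latency_s": int|None}}."""
    window = timedelta(minutes=window_minutes)
    results = {}
    for run_ts, technique in runs:
        start = datetime.fromisoformat(run_ts)
        latencies = [datetime.fromisoformat(a_ts) - start
                     for a_ts, a_tech in alerts
                     if a_tech == technique and datetime.fromisoformat(a_ts) >= start]
        if not latencies:
            results[technique] = {"status": "missed", "latency_s": None}
            continue
        fastest = min(latencies)
        results[technique] = {
            "status": "detected" if fastest <= window else "late",
            "latency_s": int(fastest.total_seconds()),
        }
    return results

def detection_rate(results):
    """Percentage of emulated techniques detected within the window."""
    detected = sum(r["status"] == "detected" for r in results.values())
    return round(100 * detected / len(results), 1) if results else 0.0

if __name__ == "__main__":
    res = validate_emulation(EMULATION_RUNS, SIEM_ALERTS)
    for tech, r in res.items():
        print(f"{tech:<10} {r['status']:<9} latency_s={r['latency_s']}")
    print(f"Validated coverage: {detection_rate(res)}%")
```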
Key Concepts
| Term | Definition |
|---|---|
| MITRE ATT&CK | Knowledge base of adversary tactics, techniques, and procedures based on real-world observations |
| TTP | Tactics, Techniques, and Procedures — the behavioral patterns of adversary groups |
| ATT&CK Navigator | Web tool for visualizing ATT&CK matrices as layered heatmaps showing coverage or threat profiles |
| Gap Analysis | Process of comparing threat actor TTPs against detection coverage to identify blind spots |
| Threat-Informed Defense | Security strategy prioritizing defenses based on actual adversary behaviors rather than theoretical risks |
| Adversary Emulation | Controlled simulation of threat actor TTPs to validate detection and response capabilities |
Tools & Systems
- MITRE ATT&CK Navigator: Web-based visualization tool for creating and overlaying ATT&CK technique layers
- MITRE Caldera: Automated adversary emulation platform for testing detection coverage at scale
- Atomic Red Team: Open-source library of ATT&CK technique tests for security control validation
- CTID ATT&CK Workbench: MITRE tool for customizing ATT&CK knowledge base with organizational context
- Tidal Cyber: Commercial platform for threat-informed defense planning using ATT&CK framework
Common Scenarios
- Annual Threat Assessment: Map top 5 threat actors to ATT&CK, overlay against detection, produce gap analysis
- Cloud Migration Planning: Model cloud-specific threats (T1078.004, T1537) and plan detection coverage
- M&A Security Assessment: Threat model the acquired company's environment against relevant threat actors
- Budget Justification: Use gap analysis to demonstrate detection blind spots requiring tool investment
- Purple Team Planning: Select adversary emulation scenarios based on highest-priority gaps from threat model
Output Format
```text
THREAT MODEL ASSESSMENT — Financial Services Division
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Date: 2024-03-15
Threat Actors: FIN7, APT38, Lazarus Group
Techniques Total: 87 unique techniques across all actors

DETECTION COVERAGE:
  Covered: 56/87 (64%)
  Gaps:    31/87 (36%)

Tactic Coverage Breakdown:
  Initial Access:     78% ████████░░
  Execution:          82% █████████░
  Persistence:        71% ████████░░
  Priv Escalation:    65% ███████░░░
  Defense Evasion:    52% ██████░░░░  <-- Priority gap
  Credential Access:  58% ██████░░░░  <-- Priority gap
  Discovery:          45% █████░░░░░
  Lateral Movement:   61% ███████░░░
  Collection:         50% ██████░░░░
  Exfiltration:       55% ██████░░░░
  C2:                 67% ███████░░░

TOP PRIORITY GAPS (30-day remediation):
  1. T1055 Process Injection — used by all 3 actors, 0 detections
  2. T1003.006 DCSync — used by FIN7 and Lazarus, 0 detections
  3. T1070.004 File Deletion — evidence destruction, 0 detections

INVESTMENT RECOMMENDATION:
  Closing top 10 gaps requires: 2 detection engineer FTEs, 60 days
  Expected coverage improvement: 64% -> 76%
```