Mapping APT TTPs With Navigator

v20260317

analyzing-threat-actor-ttps-with-mitre-navigator

Programmatically maps APT group tactics, techniques, and procedures to MITRE ATT&CK via attackcti and the ATT&CK Navigator, generating layer JSON files, overlaying detection coverage, and sharing visualizations for defense teams.

MITRE ATT&CK Navigator attackcti STIX TAXII Threat Intelligence APT Mapping Security Analysis

Get Skill

128 downloads

Overview

Analyzing Threat Actor TTPs with MITRE Navigator

Overview

The MITRE ATT&CK Navigator is a web application for annotating and visualizing ATT&CK matrices. Combined with the attackcti Python library (which queries ATT&CK STIX data via TAXII), analysts can programmatically generate Navigator layer files mapping specific threat group TTPs, compare multiple groups, and assess detection coverage gaps against known adversaries.

Prerequisites

Python 3.8+ with attackcti and stix2 libraries installed
MITRE ATT&CK Navigator (web UI or local instance)
Understanding of STIX 2.1 objects and relationships

Steps

Query ATT&CK STIX data for target threat group using attackcti
Extract techniques associated with the group via STIX relationships
Generate ATT&CK Navigator layer JSON with technique annotations
Overlay detection coverage to identify gaps
Export layer for team review and defensive planning

Expected Output

{
  "name": "APT29 TTPs",
  "domain": "enterprise-attack",
  "techniques": [
    {"techniqueID": "T1566.001", "score": 1, "comment": "Spearphishing Attachment"},
    {"techniqueID": "T1059.001", "score": 1, "comment": "PowerShell"}
  ]
}

Info

Category Development

Name analyzing-threat-actor-ttps-with-mitre-navigator

Version v20260317

Size 9.16KB

Source mukul975/Anthropic-Cybersecurity-Skills

Updated At 2026-03-18