---
id: skill:threat-actor-ttps
type: skill
title: 'Sample skill: Analyzing Threat Actor TTPs with MITRE ATT&CK'
status: active
confidence: 0.9
sources:
  - 2026-05-09-cybersec-skill-threat-actor-ttps.md
created: 2026-05-09
updated: 2026-05-09
updated_log:
  - 2026-05-09: created
tiers: semantic
half_life_days: 180
tags: [skill-sample, threat-intel, mitre-attack, navigator]
---

# Sample skill — Analyzing Threat Actor TTPs with MITRE ATT&CK

## Summary

A worked example skill from the threat-intelligence domain. Use it when you need to systematically map a threat actor's behavior to ATT&CK techniques, build a coverage heatmap with the [[tool:mitre-attack-navigator]], identify detection gaps, and produce actionable intelligence reports. The workflow drives the `mitreattack-python`, `attackcti`, and `stix2` Python libraries to query ATT&CK programmatically, generates a custom Navigator layer JSON for a target group (APT29 / G0016 in the example), then runs gap analysis and cross-group comparison.

## Claims

- Skill name: `analyzing-threat-actor-ttps-with-mitre-attack`. Domain: cybersecurity, subdomain: threat-intelligence. Version 1.0, Apache-2.0. `[src: raw/2026-05-09-cybersec-skill-threat-actor-ttps.md] {conf: 0.95}`
- Purpose: "MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor behavior to the ATT&CK framework, building technique coverage heatmaps using the ATT&CK Navigator, identifying detection gaps, and producing actionable intelligence reports..." `[src: raw/2026-05-09-cybersec-skill-threat-actor-ttps.md] {conf: 0.9}`
- Frontmatter mappings declared: `nist_csf: [ID.RA-01, ID.RA-05, DE.CM-01, DE.AE-02]` (4 subcategories) and `d3fend_techniques: [Executable Denylisting, Execution Isolation, File Metadata Consistency Validation, Content Format Conversion, File Content Analysis]` (5 friendly-name countermeasures). No `atlas_techniques`, `nist_ai_rmf`, or `mitre_attack` frontmatter fields — even though the body is entirely about ATT&CK. `[src: raw/2026-05-09-cybersec-skill-threat-actor-ttps.md] {conf: 0.9}`
- The 5-step workflow: (1) query ATT&CK programmatically via attackcti (TAXII), (2) map a threat actor to techniques via group ID (e.g. G0016 = APT29), (3) generate ATT&CK Navigator layer JSON with techniques colored by score, (4) identify detection gaps by comparing actor techniques against detected techniques, (5) cross-group comparison (APT29 vs APT28 vs Lazarus G0032). `[src: raw/2026-05-09-cybersec-skill-threat-actor-ttps.md] {conf: 0.9}`
- Prerequisites: Python 3.9+ with `mitreattack-python`, `attackcti`, `stix2`; ATT&CK Navigator (web or local); ATT&CK matrix structure understanding; access to threat-intel reports or MISP/OpenCTI; STIX 2.1 Attack Pattern familiarity. `[src: raw/2026-05-09-cybersec-skill-threat-actor-ttps.md] {conf: 0.9}`
- ATT&CK catalogs over 140 threat groups (APT28, APT29, Lazarus, FIN7) with documented technique usage including aliases, targeted sectors, campaigns, software, and procedure-level detail. `[src: raw/2026-05-09-cybersec-skill-threat-actor-ttps.md] {conf: 0.85}`
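
The five steps above, run end to end as an added example (not code from the skill or from the `attackcti`/`mitreattack-python` projects). To stay offline it replaces the TAXII query with a constructed, ATT&CK-shaped STIX bundle built inline: object types (`intrusion-set`, `attack-pattern`, `relationship` of type `uses`), the `mitre-attack` external reference carrying the G/T ID, `kill_chain_phases`, and the `revoked` / `x_mitre_deprecated` flags follow ATT&CK's real STIX layout, but the STIX ids are shortened and the group-to-technique edges are illustrative, not ATT&CK's actual attribution for APT29 or APT28. Two things the step list does not spell out are made explicit: revoked or deprecated objects are dropped before anything reaches a layer, and the gap analysis takes a stated position on whether a parent-technique detection covers its sub-techniques. The Navigator `versions` strings are assumptions to be matched to the Navigator and ATT&CK release you load the layer into.

```python
"""Offline walk-through of the five-step workflow (query, map group, build
Navigator layer, gap analysis, cross-group comparison) over a constructed,
ATT&CK-shaped STIX 2.1 bundle. Standard library only."""
import json
from collections import defaultdict


def _group(sid, gid, name):
    return {"type": "intrusion-set", "id": sid, "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": gid}]}


def _technique(sid, tid, name, tactics, revoked=False):
    return {"type": "attack-pattern", "id": sid, "name": name, "revoked": revoked,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics]}


def _uses(src, dst):
    return {"type": "relationship", "relationship_type": "uses", "source_ref": src, "target_ref": dst}


# Constructed sample: object shapes follow ATT&CK's STIX content, but the STIX ids are
# shortened and the group->technique edges are illustrative, not ATT&CK's real attribution.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--sample", "objects": [
    _group("intrusion-set--g0016", "G0016", "APT29"),
    _group("intrusion-set--g0007", "G0007", "APT28"),
    _technique("attack-pattern--a", "T1566.001", "Spearphishing Attachment", ["initial-access"]),
    _technique("attack-pattern--b", "T1059.001", "PowerShell", ["execution"]),
    _technique("attack-pattern--c", "T1078", "Valid Accounts", ["persistence", "initial-access"]),
    _technique("attack-pattern--d", "T9999", "Retired Technique", ["execution"], revoked=True),
    _uses("intrusion-set--g0016", "attack-pattern--a"),
    _uses("intrusion-set--g0016", "attack-pattern--c"),
    _uses("intrusion-set--g0016", "attack-pattern--d"),   # edge to a revoked technique
    _uses("intrusion-set--g0007", "attack-pattern--a"),
    _uses("intrusion-set--g0007", "attack-pattern--b"),
]}


def attack_id(obj):
    """ATT&CK external ID (G.../T...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def index_bundle(bundle):
    """Step 1 (offline stand-in for the TAXII query): index live objects by STIX id.
    Revoked or deprecated objects are dropped so they never reach a layer or report."""
    live = {o["id"]: o for o in bundle["objects"]
            if o["type"] != "relationship"
            and not o.get("revoked") and not o.get("x_mitre_deprecated")}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    return live, rels


def techniques_used_by_group(bundle, group_id):
    """Step 2: resolve a group ID (e.g. G0016) to the set of technique IDs it 'uses'."""
    live, rels = index_bundle(bundle)
    group_ref = next((sid for sid, o in live.items()
                      if o["type"] == "intrusion-set" and attack_id(o) == group_id), None)
    if group_ref is None:
        raise KeyError(f"group {group_id} not found in bundle")
    used = set()
    for r in rels:
        if r["relationship_type"] == "uses" and r["source_ref"] == group_ref:
            tech = live.get(r["target_ref"])          # None if the target was revoked
            if tech and tech["type"] == "attack-pattern":
                used.add(attack_id(tech))
    return used


def navigator_layer(name, scores):
    """Step 3: Navigator layer JSON; `scores` = {technique ID: score}. Version strings are
    assumptions: set them to the Navigator and ATT&CK release you actually load into."""
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": t, "score": s, "enabled": True}
                       for t, s in sorted(scores.items())],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max(scores.values(), default=1)},
    }


def detection_gaps(actor_techniques, detected):
    """Step 4: actor techniques with no detection. Design choice (assumption): a detection
    on a parent technique (T1078) counts as covering its sub-techniques (T1078.004), but a
    sub-technique detection does not cover the parent or sibling sub-techniques."""
    return sorted(t for t in actor_techniques
                  if t not in detected and t.split(".")[0] not in detected)


def compare_groups(bundle, group_ids):
    """Step 5: per-technique count of how many groups use it; shared TTPs score highest."""
    per_group = {g: techniques_used_by_group(bundle, g) for g in group_ids}
    counts = defaultdict(int)
    for techs in per_group.values():
        for t in techs:
            counts[t] += 1
    return dict(counts), per_group


if __name__ == "__main__":
    apt29 = techniques_used_by_group(SAMPLE_BUNDLE, "G0016")
    print("APT29 gaps against detections on {T1566}:", detection_gaps(apt29, {"T1566"}))
    counts, _ = compare_groups(SAMPLE_BUNDLE, ["G0016", "G0007"])
    print(json.dumps(navigator_layer("APT29 vs APT28 overlap", counts), indent=2))
```

Against a real ATT&CK bundle the only change is step 1: load the objects from the TAXII server (or the enterprise-attack JSON the Navigator itself ships with) instead of `SAMPLE_BUNDLE`; the revoked/deprecated filter matters there because ATT&CK keeps retired techniques in the collection with `uses` edges still pointing at them, and a layer that scores a retired technique ID will not render. The score produced by `compare_groups` is what you feed `navigator_layer` for the cross-group heatmap; for a single-actor heatmap pass `{t: 1 for t in apt29}`.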

## Relationships

- categorized-as → [[domain:threat-intelligence]] `{conf: 0.9}`
- uses → [[tool:mitre-attack-navigator]] `{conf: 0.95}`
- uses → [[tool:attackcti]] `{conf: 0.9}`
- maps-to → [[framework:mitre-attack]] `{conf: 0.95}`
- maps-to → [[framework:nist-csf-20]] `{conf: 0.9}`
- maps-to → [[framework:mitre-d3fend]] `{conf: 0.85}`
- composes → [[concept:cybersec-skill-library]] `{conf: 0.8}`

## Open questions

- [ ] Why no explicit `atlas_techniques` field, given that prompt-injection / agentic-AI threat actors are now in scope (per ATLAS v5.4)?

## Changelog

- 2026-05-09 — created
