
When operationalizing threat intelligence feeds that contain raw indicators of compromise (IOCs) and tactical descriptions, what is the foundational process to transform this information into actionable intelligence within the ATT&CK context?



The foundational process to transform raw Indicators of Compromise (IOCs) and tactical descriptions from threat intelligence feeds into actionable intelligence within the ATT&CK context is mapping and enrichment. This process involves two primary steps: IOC Mapping and Tactic/Technique Attribution.

Indicators of Compromise (IOCs) are pieces of forensic data, like IP addresses, file hashes, or domain names, that identify malicious activity on a network or system. Raw IOCs themselves don't tell you *how* an adversary operates. Tactical descriptions provide context about adversary behaviors and methods. The MITRE ATT&CK framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It acts as a common language for describing and understanding adversary behavior.

Mapping involves comparing the raw IOCs and tactical descriptions from a threat intelligence feed against the ATT&CK framework. Specifically, IOC Mapping takes a raw IOC and determines which ATT&CK technique or sub-technique it is associated with. For instance, a specific malicious IP address might be mapped to the ATT&CK technique T1071 (Application Layer Protocol) if it's used for command and control (C2) communication. Tactic/Technique Attribution goes further by analyzing the tactical descriptions provided in the feed to directly link observed behaviors to specific ATT&CK tactics (e.g., Initial Access, Execution, Persistence) and techniques.

Enrichment is the subsequent step where the mapped ATT&CK information is used to add value and context to the raw data. This includes adding metadata like the relevant ATT&CK ID, tactic names, and potentially descriptions of how the technique is used in the context of the observed threat. For example, if a feed describes an attacker using a phishing email to gain initial access, mapping this behavior would link it to the ATT&CK tactic Initial Access and the technique T1566 (Phishing). The enrichment would then attach the corresponding ATT&CK IDs and descriptions to this observation.

By performing mapping and enrichment, raw, often context-poor IOCs and descriptive text are translated into structured, categorized information that aligns with the ATT&CK framework. This allows security teams to understand the adversary's objectives (tactics) and the specific methods they employ (techniques), enabling them to proactively hunt for threats, tune security controls, and prioritize defensive efforts based on known adversary behaviors rather than just isolated indicators.
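The two-step process described above (Tactic/Technique Attribution from the tactical description, IOC Mapping that keeps only the techniques a given indicator type can actually evidence, then enrichment with ATT&CK IDs and tactic names) as an added worked example. This is illustration code, not part of the original answer and not MITRE tooling: the ATT&CK catalog is a hand-picked subset with real technique IDs (a real pipeline would load the full ATT&CK STIX bundle), and the keyword rules, indicator-type scopes and feed entries are all constructed assumptions.

```python
"""Map raw threat-feed entries to ATT&CK techniques and enrich them.

Added example, not code from the original page. ATTACK_CATALOG is a
hand-picked subset of real ATT&CK IDs; the rules and SAMPLE_FEED are
constructed for illustration.
"""
import json
import re
from typing import Dict, List

# Subset of the ATT&CK knowledge base: technique ID -> name and tactic.
ATTACK_CATALOG: Dict[str, Dict[str, str]] = {
    "T1566":     {"name": "Phishing", "tactic": "Initial Access"},
    "T1566.001": {"name": "Spearphishing Attachment", "tactic": "Initial Access"},
    "T1059":     {"name": "Command and Scripting Interpreter", "tactic": "Execution"},
    "T1547":     {"name": "Boot or Logon Autostart Execution", "tactic": "Persistence"},
    "T1071":     {"name": "Application Layer Protocol", "tactic": "Command and Control"},
    "T1105":     {"name": "Ingress Tool Transfer", "tactic": "Command and Control"},
}

# Attribution rules (constructed): case-insensitive regex over the tactical
# description. Ordered most specific first so a sub-technique beats its parent.
BEHAVIOUR_RULES = [
    (r"phish\w*.*attachment|attachment.*phish\w*", "T1566.001"),
    (r"phish\w*", "T1566"),
    (r"powershell|cmd\.exe|\bbash\b|script interpreter", "T1059"),
    (r"run key|autostart|startup folder", "T1547"),
    (r"\bc2\b|command[ -]and[ -]control|beacon", "T1071"),
    (r"payload.*download|download\w*.*payload|ingress tool", "T1105"),
]

# IOC Mapping scope (constructed): which parent techniques an indicator of a
# given type can evidence on its own. A network indicator cannot by itself
# evidence a Run-key persistence technique, for example.
IOC_TECHNIQUE_SCOPE = {
    "ipv4":   {"T1071", "T1105"},
    "domain": {"T1071", "T1105"},
    "url":    {"T1105", "T1566"},
    "sha256": {"T1059", "T1547", "T1566"},
    "email":  {"T1566"},
}


def attribute_techniques(description: str) -> List[str]:
    """Tactic/Technique Attribution: link described behaviour to ATT&CK IDs."""
    text = description.lower()
    found: List[str] = []
    for pattern, tid in BEHAVIOUR_RULES:
        if not re.search(pattern, text):
            continue
        parent = tid.split(".")[0]
        # Drop the parent when one of its sub-techniques already matched.
        if tid == parent and any(f.startswith(parent + ".") for f in found):
            continue
        found.append(tid)
    return found


def map_ioc(ioc_type: str, techniques: List[str]) -> List[str]:
    """IOC Mapping: keep only techniques this indicator type can evidence."""
    allowed = IOC_TECHNIQUE_SCOPE.get(ioc_type, set())
    return [t for t in techniques if t.split(".")[0] in allowed]


def enrich_entry(entry: Dict[str, str]) -> Dict[str, object]:
    """Enrichment: attach ATT&CK IDs, names and tactics to a raw feed entry."""
    attributed = attribute_techniques(entry["description"])
    kept = map_ioc(entry["type"], attributed)
    return {
        **entry,
        "attack": [{"id": t, **ATTACK_CATALOG[t]} for t in kept],
        "tactics": sorted({ATTACK_CATALOG[t]["tactic"] for t in kept}),
        # Behaviour attributed to the report but not evidenced by this IOC.
        "out_of_scope": [t for t in attributed if t not in kept],
        # Nothing mapped: route to an analyst instead of shipping a bare IOC.
        "review_needed": not kept,
    }


def enrich_feed(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [enrich_entry(e) for e in entries]


# Constructed feed entries (documentation/test address ranges, placeholder hash).
SAMPLE_FEED = [
    {"indicator": "203.0.113.45", "type": "ipv4",
     "description": "Beacon traffic to C2 server over HTTPS"},
    {"indicator": "0" * 64, "type": "sha256",
     "description": "Spearphishing email with malicious attachment; macro launches PowerShell"},
    {"indicator": "198.51.100.7", "type": "ipv4",
     "description": "Seen in scanner logs"},
    {"indicator": "updates.example.net", "type": "domain",
     "description": "Hosts second-stage payload for download"},
    {"indicator": "192.0.2.10", "type": "ipv4",
     "description": "C2 over DNS; implant persists via Run key"},
]

if __name__ == "__main__":
    print(json.dumps(enrich_feed(SAMPLE_FEED), indent=2))
```

The `out_of_scope` field is the practitioner's check: the fifth entry's report does describe Run-key persistence (T1547), but the IP indicator alone only evidences the C2 channel (T1071), so the persistence technique is recorded against the report rather than attached to the IP. Entries that map to nothing are flagged `review_needed` instead of being pushed downstream as context-free indicators.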


