The methodology consists of 6 steps. (a) Collect cyber incidents. (b) Extract features. (c) Define campaign. (d) Extract TTPs of campaigns. (e) Calculate ATT&CK matrix similarity. (f) Derive countermeasures.