Threat Intelligence Integration

Planning

Cyber Threat Intelligence (CTI) provides the blueprint for realistic red team operations. By understanding which threat actors target your industry, their TTPs, and their objectives, red teams can design engagements that test defenses against the most relevant threats.

Building a Threat Model

threat-model.md

```markdown
# Threat Model Template for Red Team Planning

## Organization Profile
- Industry: Healthcare
- Revenue: $500M+
- Geographic Presence: US, EU
- Crown Jewels: Patient records (PHI), Payment card data (PCI), Research IP

## Relevant Threat Actors
1. **FIN7** (Carbanak Group)
   - Motivation: Financial gain
   - Targets: POS systems, payment card data
   - TTPs: Phishing with malicious macros, Carbanak backdoor, memory scraping

2. **APT41** (Double Dragon)
   - Motivation: Espionage + Financial
   - Targets: Healthcare IP, pharmaceutical research
   - TTPs: Supply chain compromise, web shells, SQL injection

3. **Conti Ransomware**
   - Motivation: Ransomware/Extortion
   - Targets: Healthcare organizations (high willingness to pay)
   - TTPs: Commodity post-exploitation tooling, domain dominance, staged data theft before encryption

## Recommended Emulation
- **Primary:** FIN7 (highest likelihood based on industry targeting patterns)
- **Secondary:** Conti (ransomware is an existential risk for healthcare)

## Engagement Objective
Emulate FIN7-inspired objectives with safe controls:
1. Send approved awareness validation to scoped pilot group
2. Generate benign callback telemetry to approved collector
3. Validate identity and endpoint alerting with seeded test accounts
4. Confirm POS environment segmentation using approved read-only checks
5. Use synthetic canary records instead of payment data
6. Record prevention, detection, and response outcomes
```

Use MITRE ATT&CK for Threat Actors

MITRE ATT&CK maintains profiles for major threat groups that list the techniques each group has been observed using. Navigate to the Groups section and filter by your industry to find the adversaries relevant to your organization.
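The group-filtering step described above, as an added example that is not from this page: it works on the STIX 2.1 object shapes MITRE publishes for ATT&CK (intrusion-set, attack-pattern, and "uses" relationships) and ranks techniques by how many of the matched groups share them. The group descriptions and group-to-technique pairings in `GROUPS` are constructed sample data, not ATT&CK's own text; the technique IDs and names are real ATT&CK identifiers.

```python
"""Rank ATT&CK techniques shared by the threat groups relevant to one sector, using the
STIX 2.1 shapes MITRE publishes for ATT&CK. GROUPS and NAMES are CONSTRUCTED sample data."""
from collections import Counter

GROUPS = {  # group -> (sector wording, techniques); illustrative, not ATT&CK's own text
    "FIN7": ("payment card data in retail, hospitality and healthcare POS",
             ["T1566.001", "T1059.001", "T1071.001"]),
    "APT41": ("healthcare and pharmaceutical research IP",
              ["T1190", "T1505.003", "T1195.002", "T1071.001"]),
    "Conti": ("ransomware against healthcare and manufacturing",
              ["T1566.001", "T1003", "T1486", "T1041"]),
    "EXAMPLE-GROUP": ("cryptocurrency exchanges only", ["T1566.002"]),  # filtered out
}
NAMES = {"T1566.001": "Spearphishing Attachment", "T1566.002": "Spearphishing Link",
         "T1059.001": "PowerShell", "T1071.001": "Web Protocols",
         "T1190": "Exploit Public-Facing Application", "T1505.003": "Web Shell",
         "T1195.002": "Compromise Software Supply Chain", "T1003": "OS Credential Dumping",
         "T1486": "Data Encrypted for Impact", "T1041": "Exfiltration Over C2 Channel"}
BUNDLE = {"type": "bundle", "objects": [  # same object shapes as enterprise-attack.json
    *[{"type": "intrusion-set", "id": f"intrusion-set--{g}", "name": g,
       "description": f"Focus: {s}."} for g, (s, _) in GROUPS.items()],
    *[{"type": "attack-pattern", "id": f"attack-pattern--{t}", "name": n,
       "external_references": [{"source_name": "mitre-attack", "external_id": t}]}
      for t, n in NAMES.items()],
    *[{"type": "relationship", "relationship_type": "uses",
       "source_ref": f"intrusion-set--{g}", "target_ref": f"attack-pattern--{t}"}
      for g, (_, ts) in GROUPS.items() for t in ts],
]}

def attack_id(attack_pattern):
    """External ATT&CK ID (e.g. T1566.001) of an attack-pattern object."""
    return next(r["external_id"] for r in attack_pattern["external_references"]
                if r["source_name"] == "mitre-attack")

def groups_for_sector(bundle, keyword):
    """Names of intrusion-sets whose description mentions the sector keyword."""
    return sorted(o["name"] for o in bundle["objects"] if o["type"] == "intrusion-set"
                  and keyword.lower() in o.get("description", "").lower())

def technique_ranking(bundle, group_names):
    """(technique_id, name, groups_using_it), most-shared first: the best emulation picks."""
    by_id = {o["id"]: o for o in bundle["objects"] if "id" in o}
    wanted = {o["id"] for o in by_id.values()
              if o["type"] == "intrusion-set" and o["name"] in group_names}
    counts = Counter(r["target_ref"] for r in bundle["objects"]
                     if r["type"] == "relationship" and r["relationship_type"] == "uses"
                     and r["source_ref"] in wanted)
    rows = [(attack_id(by_id[ref]), by_id[ref]["name"], n) for ref, n in counts.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))
```

Against the real bundle, `json.load` the file into `bundle` and the same two calls apply; the filter is only a keyword match on the group description, so review the matched groups by hand before committing to an emulation target.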

CTI Sources for Red Teams

🌐 MITRE ATT&CK

Free, comprehensive database of adversary tactics and techniques with group profiles.

📊 Mandiant/FireEye Reports

Detailed APT analysis, M-Trends annual reports showing attacker trends.

🔍 CISA Alerts

Government advisories on active threat campaigns targeting specific sectors.

💰 Commercial TI Platforms

Recorded Future, CrowdStrike Falcon Intelligence, Anomali - curated threat actor profiles.

Translating CTI to Red Team TTPs

Example: Emulating APT29's credential theft campaign

CTI Report Findings

  • APT29 uses spearphishing with malicious links to Microsoft Office documents hosted on OneDrive
  • Payload behavior: benign callback used to test detection coverage
  • Persistence objective: validate detection logic with approved test markers
  • Credential access objective: validate browser-token and password-store detections using approved test accounts
  • C2: HTTPS to legitimate-looking domains registered days before the campaign

Red Team Implementation Plan

cti-driven-emulation-plan.txt

```text
# 1. Simulation Infrastructure
- Register approved exercise domain documented in the RoE
- Host benign landing page and non-secret telemetry collector
- Craft consented lure: "Action Required: Security Awareness Validation"

# 2. Initial Access Validation
- Target: approved pilot group
- Payload behavior: benign callback or training marker only
- Detection goal: email gateway, identity, endpoint, and SOC workflow coverage

# 3. Persistence Control Validation
- Use approved test markers and detection rules
- Do not deploy persistence unless separately authorized

# 4. Credential Access Detection
- Use seeded test accounts and synthetic secrets
- Validate alerting for suspicious browser-token or password-store access

# 5. Data Movement Simulation
- Use harmless canary files and approved collectors
- Preserve timestamps, alert IDs, and control outcomes
```
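An added example, not part of the original plan, of the outcome recording the plan's last step and the engagement objective call for: every approved test step is logged with its plan phase, the ATT&CK technique it validates, the time the benign marker fired and the first alert, then the log is checked for contradictions and scored. The `RESULTS` log, its alert IDs and its timestamps are constructed sample data.

```python
"""Score control outcomes of a CTI-driven emulation plan: one record per approved test
step (plan phase, ATT&CK technique validated, marker time, first alert). RESULTS is
CONSTRUCTED sample data; alert IDs and timestamps are placeholders."""
from datetime import datetime
from statistics import median

OUTCOMES = ("prevented", "detected", "missed")
RESULTS = [
    {"phase": "2. Initial Access Validation", "technique": "T1566.002", "outcome": "detected",
     "fired": "2024-05-06T09:00:00", "alert": "2024-05-06T09:02:30", "alert_id": "EX-ALERT-001"},
    {"phase": "2. Initial Access Validation", "technique": "T1204.001", "outcome": "prevented",
     "fired": "2024-05-06T09:05:00", "alert": None, "alert_id": None},
    {"phase": "3. Persistence Control Validation", "technique": "T1547.001", "outcome": "missed",
     "fired": "2024-05-06T10:00:00", "alert": None, "alert_id": None},
    {"phase": "4. Credential Access Detection", "technique": "T1555.003", "outcome": "detected",
     "fired": "2024-05-06T11:00:00", "alert": "2024-05-06T11:45:00", "alert_id": "EX-ALERT-002"},
    {"phase": "5. Data Movement Simulation", "technique": "T1041", "outcome": "missed",
     "fired": "2024-05-06T13:00:00", "alert": None, "alert_id": None},
]

def seconds_to_alert(rec):
    """Seconds from the benign marker firing to the first alert; None when nothing alerted."""
    if not rec.get("alert"):
        return None
    return (datetime.fromisoformat(rec["alert"]) - datetime.fromisoformat(rec["fired"])).total_seconds()

def validate(rec):
    """Reject a record whose recorded outcome contradicts its evidence."""
    if rec["outcome"] not in OUTCOMES:
        raise ValueError(f"unknown outcome {rec['outcome']!r}")
    has_alert = bool(rec.get("alert")) and bool(rec.get("alert_id"))
    if rec["outcome"] == "detected" and not has_alert:
        raise ValueError(f"{rec['technique']}: detected, but no alert time/ID recorded")
    if rec["outcome"] == "missed" and (rec.get("alert") or rec.get("alert_id")):
        raise ValueError(f"{rec['technique']}: missed, but an alert is recorded")
    if has_alert and seconds_to_alert(rec) < 0:
        raise ValueError(f"{rec['technique']}: alert precedes the test marker")
    return rec

def scorecard(results):
    """Counts per outcome, share of steps where a control worked (prevented or detected),
    median time-to-alert over detected steps, and the (phase, technique) gaps to fix."""
    recs = [validate(r) for r in results]
    counts = {o: sum(r["outcome"] == o for r in recs) for o in OUTCOMES}
    ttas = [seconds_to_alert(r) for r in recs if r["outcome"] == "detected"]
    return {"counts": counts,
            "controls_effective": (counts["prevented"] + counts["detected"]) / len(recs),
            "median_time_to_alert_s": median(ttas) if ttas else None,
            "gaps": [(r["phase"], r["technique"]) for r in recs if r["outcome"] == "missed"]}
```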

Diamond Model for Red Team Planning

The Diamond Model maps relationships between Adversary, Capability, Infrastructure, and Victim. Use it to plan engagements:

Adversary

APT29 (Cozy Bear) - Russian state-sponsored

Capability

Benign callback, persistence-control validation, credential-access detection

Infrastructure

Approved exercise domains, consented file-hosting tests, telemetry collectors

Victim

Government agencies, think tanks, financial services

Update Threat Model Quarterly

Threat landscapes evolve. Update your threat model every 3-6 months based on new CTI reports, emerging threat groups, and industry-specific campaigns.