Section 03

Threat Landscape Analysis

A TRA is only as good as its threat intelligence. This section covers threat actor profiling using the capability-intent-opportunity model, CTI feed integration with STIX/TAXII, systematic MITRE ATT&CK mapping, industry-specific threat catalogs, and structured threat scenario development.

Why Threat Landscape Matters for TRA

Most TRAs fail because they treat all threats equally. A healthcare SaaS platform faces different actors than a defense contractor or a cryptocurrency exchange. Understanding who would attack, why, and how transforms generic risk registers into actionable, prioritized assessments.

Threat Actor Profiling

Profile threat actors using three dimensions: Capability (technical sophistication), Intent (motivation and objectives), and Opportunity (access and attack surface exposure).

Actor Type Capability Intent Typical TTPs Dwell Time
Nation-State (APT) Very High — zero-days, custom malware, supply chain Espionage, IP theft, disruption, pre-positioning Spear-phishing, living-off-the-land, supply chain compromise Months to years
Organized Crime High — RaaS, IABs, custom tooling Financial gain — ransomware, BEC, data theft for sale Phishing, credential stuffing, ransomware, extortion Days to weeks
Insider Threat Variable — has legitimate access and system knowledge Financial, revenge, ideology, coercion, negligence Data exfiltration, privilege abuse, sabotage, social engineering Ongoing
Hacktivist Low-Medium — commodity tools, DDoS services Ideology, reputation damage, political messaging DDoS, defacement, data leaks, doxing Hours to days
Opportunistic Low — automated scanners, known exploits, scripts Easy targets — cryptojacking, spam, bot networks Mass scanning, default credentials, known CVEs Minutes to hours

MITRE ATT&CK Mapping

Map identified threat actors to MITRE ATT&CK techniques to understand specific TTPs your controls must address. Focus on techniques relevant to your architecture and actor profiles.

ATT&CK-Based Threat Mapping for TRA

flowchart TD A["1. Identify Relevant\nThreat Actors"] --> B["2. Map Actor Groups\nto ATT&CK"] B --> C["3. Extract Relevant\nTechniques"] C --> D["4. Map Techniques\nto System Components"] D --> E["5. Assess Detection\n& Prevention Gaps"] E --> F["6. Feed into\nRisk Analysis"] style A fill:#ff8800,stroke:#000,color:#000 style B fill:#22d3ee,stroke:#000,color:#000 style C fill:#a855f7,stroke:#000,color:#000 style D fill:#ec4899,stroke:#000,color:#000 style E fill:#ff8800,stroke:#000,color:#000 style F fill:#22d3ee,stroke:#000,color:#000
attack_technique_mapper.py
python 
# ATT&CK Technique Mapping for TRA — Python Helper
# Maps system components to relevant ATT&CK techniques based on actor profiles

import json
from dataclasses import dataclass

@dataclass
class ThreatMapping:
    technique_id: str
    technique_name: str
    tactic: str
    component: str
    actor_relevance: list[str]
    current_control: str
    gap_assessment: str

# Example: Cloud-Native SaaS Platform threat mapping
threat_mappings = [
    ThreatMapping(
        technique_id="T1190",
        technique_name="Exploit Public-Facing Application",
        tactic="Initial Access",
        component="API Gateway / Web Application",
        actor_relevance=["Organized Crime", "Nation-State", "Opportunistic"],
        current_control="WAF with OWASP CRS, input validation",
        gap_assessment="WAF bypass testing not in regular pentest scope"
    ),
    ThreatMapping(
        technique_id="T1078.004",
        technique_name="Valid Accounts: Cloud Accounts",
        tactic="Initial Access / Persistence",
        component="Entra ID / IAM",
        actor_relevance=["Nation-State", "Organized Crime", "Insider"],
        current_control="MFA enforced, Conditional Access policies",
        gap_assessment="No impossible travel detection; service principal monitoring gaps"
    ),
    ThreatMapping(
        technique_id="T1195.002",
        technique_name="Supply Chain Compromise: Compromise Software Supply Chain",
        tactic="Initial Access",
        component="CI/CD Pipeline / Dependencies",
        actor_relevance=["Nation-State"],
        current_control="Dependabot, SBOM generation",
        gap_assessment="No build provenance verification; no SLSA compliance"
    ),
    ThreatMapping(
        technique_id="T1552.001",
        technique_name="Unsecured Credentials: Credentials In Files",
        tactic="Credential Access",
        component="Application Code / Config",
        actor_relevance=["Organized Crime", "Insider", "Opportunistic"],
        current_control="Key Vault for production; pre-commit secret scanning",
        gap_assessment="Historical secrets not rotated after scanning implementation"
    ),
    ThreatMapping(
        technique_id="T1530",
        technique_name="Data from Cloud Storage",
        tactic="Collection",
        component="Blob Storage / S3 Buckets",
        actor_relevance=["Nation-State", "Organized Crime"],
        current_control="Private endpoints, SSE-KMS encryption",
        gap_assessment="No DLP monitoring on storage access patterns"
    ),
]

def generate_gap_report(mappings: list[ThreatMapping]) -> dict:
    """Generate a gap analysis report from ATT&CK mappings."""
    gaps_by_tactic = {}
    for m in mappings:
        if m.tactic not in gaps_by_tactic:
            gaps_by_tactic[m.tactic] = []
        gaps_by_tactic[m.tactic].append({
            "technique": f"{m.technique_id}: {m.technique_name}",
            "component": m.component,
            "gap": m.gap_assessment,
            "actor_count": len(m.actor_relevance)
        })
    # Sort each tactic's gaps by number of relevant actors (highest priority first)
    for tactic in gaps_by_tactic:
        gaps_by_tactic[tactic].sort(key=lambda x: x["actor_count"], reverse=True)
    return gaps_by_tactic

report = generate_gap_report(threat_mappings)
print(json.dumps(report, indent=2))
# ATT&CK Technique Mapping for TRA — Python Helper
# Maps system components to relevant ATT&CK techniques based on actor profiles

import json
from dataclasses import dataclass

@dataclass
class ThreatMapping:
    technique_id: str
    technique_name: str
    tactic: str
    component: str
    actor_relevance: list[str]
    current_control: str
    gap_assessment: str

# Example: Cloud-Native SaaS Platform threat mapping
threat_mappings = [
    ThreatMapping(
        technique_id="T1190",
        technique_name="Exploit Public-Facing Application",
        tactic="Initial Access",
        component="API Gateway / Web Application",
        actor_relevance=["Organized Crime", "Nation-State", "Opportunistic"],
        current_control="WAF with OWASP CRS, input validation",
        gap_assessment="WAF bypass testing not in regular pentest scope"
    ),
    ThreatMapping(
        technique_id="T1078.004",
        technique_name="Valid Accounts: Cloud Accounts",
        tactic="Initial Access / Persistence",
        component="Entra ID / IAM",
        actor_relevance=["Nation-State", "Organized Crime", "Insider"],
        current_control="MFA enforced, Conditional Access policies",
        gap_assessment="No impossible travel detection; service principal monitoring gaps"
    ),
    ThreatMapping(
        technique_id="T1195.002",
        technique_name="Supply Chain Compromise: Compromise Software Supply Chain",
        tactic="Initial Access",
        component="CI/CD Pipeline / Dependencies",
        actor_relevance=["Nation-State"],
        current_control="Dependabot, SBOM generation",
        gap_assessment="No build provenance verification; no SLSA compliance"
    ),
    ThreatMapping(
        technique_id="T1552.001",
        technique_name="Unsecured Credentials: Credentials In Files",
        tactic="Credential Access",
        component="Application Code / Config",
        actor_relevance=["Organized Crime", "Insider", "Opportunistic"],
        current_control="Key Vault for production; pre-commit secret scanning",
        gap_assessment="Historical secrets not rotated after scanning implementation"
    ),
    ThreatMapping(
        technique_id="T1530",
        technique_name="Data from Cloud Storage",
        tactic="Collection",
        component="Blob Storage / S3 Buckets",
        actor_relevance=["Nation-State", "Organized Crime"],
        current_control="Private endpoints, SSE-KMS encryption",
        gap_assessment="No DLP monitoring on storage access patterns"
    ),
]

def generate_gap_report(mappings: list[ThreatMapping]) -> dict:
    """Generate a gap analysis report from ATT&CK mappings."""
    gaps_by_tactic = {}
    for m in mappings:
        if m.tactic not in gaps_by_tactic:
            gaps_by_tactic[m.tactic] = []
        gaps_by_tactic[m.tactic].append({
            "technique": f"{m.technique_id}: {m.technique_name}",
            "component": m.component,
            "gap": m.gap_assessment,
            "actor_count": len(m.actor_relevance)
        })
    # Sort each tactic's gaps by number of relevant actors (highest priority first)
    for tactic in gaps_by_tactic:
        gaps_by_tactic[tactic].sort(key=lambda x: x["actor_count"], reverse=True)
    return gaps_by_tactic

report = generate_gap_report(threat_mappings)
print(json.dumps(report, indent=2))

Industry-Specific Threat Catalogs

Different industries face different primary threats. Use these catalogs as starting points for threat identification, then customize based on your specific system and threat intelligence.

Financial Services

  • • Account takeover via credential stuffing / MFA bypass
  • • Business email compromise (BEC) for wire fraud
  • • Ransomware targeting operational systems
  • • Card-not-present fraud via API abuse
  • • Insider trading via privileged data access
  • • ATM / POS system compromise
  • • SWIFT network targeting (nation-state)

Frameworks: PCI DSS 4.0, DORA, NIST CSF

Healthcare

  • • Ransomware targeting clinical systems (patient safety)
  • • PHI exfiltration for identity fraud
  • • Medical device compromise (IoMT)
  • • EHR system manipulation (data integrity)
  • • Telehealth platform abuse
  • • Research data theft (IP, clinical trials)
  • • Supply chain attacks on medical software

Frameworks: HIPAA, HITRUST, FDA guidance

Critical Infrastructure / OT

  • • IT/OT convergence exploitation
  • • SCADA/ICS protocol abuse (Modbus, DNP3)
  • • Safety system targeting (SIS)
  • • Pre-positioning for future disruption (APT)
  • • Remote access compromise (VPN, jump hosts)
  • • Firmware manipulation on PLCs/RTUs
  • • Supply chain compromise of OT vendors

Frameworks: NIS2, IEC 62443, NERC CIP

SaaS / Technology

  • • API abuse for data scraping / extraction
  • • Multi-tenant isolation bypass
  • • OAuth/OIDC flow manipulation
  • • CI/CD pipeline compromise (supply chain)
  • • Customer data access via support tools
  • • LLM prompt injection / model manipulation
  • • Third-party integration abuse (webhooks, APIs)

Frameworks: SOC 2, ISO 27001, OWASP

Threat Scenario Development

Transform actor profiles and technique mappings into structured threat scenarios. Each scenario describes a realistic attack narrative that feeds directly into risk analysis.

threat-scenario-template.txt
text 
Threat Scenario Template

SCENARIO: Ransomware via Compromised CI/CD Pipeline
────────────────────────────────────────────────────
Actor:          Organized crime (RaaS affiliate)
Capability:     High — access brokers, custom loaders, established C2
Intent:         Financial gain via double extortion
Opportunity:    Public GitHub repository with Actions workflows

ATTACK NARRATIVE
1. Initial Access: Attacker compromises a developer's GitHub PAT
   via phishing (T1566.002) or credential dump from a third-party breach (T1078)
2. Execution: Attacker modifies GitHub Actions workflow to inject
   malicious payload during build (T1195.002)
3. Persistence: Backdoored artifact deployed to production via
   normal CI/CD pipeline (T1072)
4. Lateral Movement: Compromised service account credentials used
   to access adjacent services and data stores (T1021)
5. Impact: Ransomware deployed across production environment,
   data exfiltrated for double extortion (T1486, T1567)

AFFECTED COMPONENTS
• CI/CD pipeline (GitHub Actions)
• Build artifacts and container registry
• Production Kubernetes cluster
• Customer database (data exfiltration)
• All services deployed via the compromised pipeline

EXISTING CONTROLS
✓ Branch protection rules requiring PR approval
✓ Container image scanning (Trivy)
✗ No workflow file change alerts
✗ No build provenance verification (SLSA)
✗ No runtime anomaly detection in production

RISK INPUTS (for FAIR analysis)
• Threat Event Frequency: 2-5 attempts per year (based on CTI)
• Vulnerability (probability of success): 30-50% (gaps in pipeline security)
• Primary Loss: $2M-8M (incident response, recovery, customer notification)
• Secondary Loss: $5M-20M (regulatory fines, litigation, reputation)

RECOMMENDED CONTROLS
1. Require signed commits and workflow approvals
2. Implement SLSA Level 3 build provenance
3. Alert on workflow file modifications
4. Deploy runtime behavioral detection (Falco)
5. Implement break-glass CI/CD override with audit trail
Threat Scenario Template

SCENARIO: Ransomware via Compromised CI/CD Pipeline
────────────────────────────────────────────────────
Actor:          Organized crime (RaaS affiliate)
Capability:     High — access brokers, custom loaders, established C2
Intent:         Financial gain via double extortion
Opportunity:    Public GitHub repository with Actions workflows

ATTACK NARRATIVE
1. Initial Access: Attacker compromises a developer's GitHub PAT
   via phishing (T1566.002) or credential dump from a third-party breach (T1078)
2. Execution: Attacker modifies GitHub Actions workflow to inject
   malicious payload during build (T1195.002)
3. Persistence: Backdoored artifact deployed to production via
   normal CI/CD pipeline (T1072)
4. Lateral Movement: Compromised service account credentials used
   to access adjacent services and data stores (T1021)
5. Impact: Ransomware deployed across production environment,
   data exfiltrated for double extortion (T1486, T1567)

AFFECTED COMPONENTS
• CI/CD pipeline (GitHub Actions)
• Build artifacts and container registry
• Production Kubernetes cluster
• Customer database (data exfiltration)
• All services deployed via the compromised pipeline

EXISTING CONTROLS
✓ Branch protection rules requiring PR approval
✓ Container image scanning (Trivy)
✗ No workflow file change alerts
✗ No build provenance verification (SLSA)
✗ No runtime anomaly detection in production

RISK INPUTS (for FAIR analysis)
• Threat Event Frequency: 2-5 attempts per year (based on CTI)
• Vulnerability (probability of success): 30-50% (gaps in pipeline security)
• Primary Loss: $2M-8M (incident response, recovery, customer notification)
• Secondary Loss: $5M-20M (regulatory fines, litigation, reputation)

RECOMMENDED CONTROLS
1. Require signed commits and workflow approvals
2. Implement SLSA Level 3 build provenance
3. Alert on workflow file modifications
4. Deploy runtime behavioral detection (Falco)
5. Implement break-glass CI/CD override with audit trail

CTI Integration via STIX/TAXII

Integrate structured threat intelligence into your TRA process using STIX (Structured Threat Information eXpression) for data format and TAXII (Trusted Automated eXchange of Intelligence Information) for transport.

CTI Sources for TRA

  • MITRE ATT&CK — technique and group mappings
  • CISA KEV — Known Exploited Vulnerabilities catalog
  • AlienVault OTX — community threat intelligence
  • Industry ISACs — sector-specific threat sharing
  • Vendor threat reports — Mandiant, CrowdStrike, Microsoft
  • OSINT feeds — abuse.ch, VirusTotal, Shodan

Integrating CTI into TRA

  • 1. Subscribe to industry-relevant TAXII feeds
  • 2. Filter indicators by relevance to your technology stack
  • 3. Map threat actor groups to ATT&CK techniques
  • 4. Cross-reference with your component inventory
  • 5. Update threat scenarios with current campaign data
  • 6. Feed updated threat landscape into risk quantification

Emerging Threat Vectors (2025-2026)

Keep these on your radar for any TRA: AI/ML supply chain (poisoned models, prompt injection), identity-first attacks (MFA fatigue, Adversary-in-the-Middle), cloud control plane abuse (cross-tenant attacks, IMDS exploitation), and API business logic abuse (automated fraud, rate limit bypass). See Section 09 for detailed coverage.

Section Summary

Key Takeaways

  • • Profile threat actors by capability, intent, and opportunity — not all threats are equal
  • • Map actors to MITRE ATT&CK techniques relevant to your system components
  • • Use industry-specific threat catalogs as starting points, then customize
  • • Develop structured threat scenarios that feed directly into FAIR risk analysis

Next Steps