A02 — Proactive CTI: CelltronX Telecom

Mode: Proactive · Org: CelltronX Telecom · PROJ-2024-002

Scenario

CelltronX — a major Israeli telecom listed on the TA-35 index — has a new CISO with a 6-month mandate, a $3.5M Year 1 budget, and four concurrent trigger events landing within weeks of each other. Before an incident happens, build a threat model, detection backlog, and 90-day roadmap from scratch.

Your entry point: No CTI function exists. The detection engineering team can implement 6–8 rules per sprint. An INCD-CID compliance audit is 6 months away. Four triggers have just landed simultaneously.

Four Trigger Events

# | Trigger | Source | INCD-CID Relevance
TRG-001 | Peer telecom ransomware — 400K subscribers disrupted; credential stuffing initial access via VPN similar to CelltronX | Informal CISO call | Article 21(2)(b)(e)
TRG-002 | CERT-IL TLP:AMBER — Iranian-nexus actor actively targeting Israeli telecoms with government contracts; SS7 + OSS/NMS TTPs | CERT-IL advisory | Article 21(2)(e)
TRG-003 | NetSys Solutions Ltd. contractor has AWS AdministratorAccess from 18 months ago — never revoked | Internal AWS IAM review | Article 21(2)(d)
TRG-004 | AiTM phishing blocked — 3 attempts in 2 weeks targeting OSS Engineering and Network Operations employees | Microsoft Defender ATP | Article 21(2)(b)

Crown Jewels (Top 5 of 10)

Asset | Threat Attractiveness | Current Monitoring | INCD-CID Gap
BSS-Oracle (billing, 8M subscribers) | Very High — ransomware + fraud | None — not in SIEM | Critical — Art. 21(2)(e)
CDR Repository (GCP BigQuery, 2.1B records/month) | High — state actor, CDR geolocation | None — GCP not in SIEM | Critical
SS7 Gateway | Medium — subscriber intercept | None — no logging | Art. 21(2)(e)
Government communication channels | Low-Medium — national security | Partial | Art. 21(2)(e)
NetSys AWS AdministratorAccess | High — open right now | None — CloudTrail not in SIEM | Critical — Art. 21(2)(d)

Key Attack Paths

Path | Scenario | Detection Blind Spot
AP-001 | Ransomware via VPN credential stuffing → Lateral movement → BSS encryption | No VPN alert rule; BSS not in SIEM
AP-002 | Nation-state OSS/NMS spearphishing → SS7 gateway subscriber intercept | Linux servers minimal visibility; SS7 no logging
AP-003 | NetSys AWS AdminAccess abuse → CDR BigQuery exfiltration | CloudTrail not in SIEM; GCP not in SIEM
AP-004 | AiTM phishing OSS Engineer → M365 session takeover → OSS/NMS console | Entra ID risky sign-in not configured

Detection Backlog (Sprint 1 priorities)

ID | Technique | Rule Logic | Pre-requisite | Sprint
DB-001 | T1078 / T1110.003 | VPN: >10 failed auth from one IP in 5 min | Data already in Splunk | S1
DB-002 | T1003.006 | EID 4662 DS-Replication-Get-Changes (not DC/AAD-Connect) | Enable Advanced Audit Policy all 3 DCs | S1
DB-003 | T1059.001 | powershell.exe with -Enc or -EncodedCommand | Sysmon EID 1 already in Splunk | S1
DB-004 | T1078.004 | CloudTrail AssumeRole from unexpected IP for NetSys role | CloudTrail → Splunk integration (3 days) | S1→S2
DB-005 | T1530 | BigQuery job bytes_processed >10 GB from non-analytics account | GCP Pub/Sub → Splunk (2 weeks) | S2→S3
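The three Sprint 1 rules that need no new log source (DB-001, DB-002, DB-003) are simple enough to prototype outside Splunk before writing the SPL. The block below is an added example, not part of the assignment page or any CelltronX tooling: it implements each rule's logic over constructed sample events. The event field names (src_ip/outcome for VPN, EventCode/SubjectUserName/Properties for EID 4662, Image/CommandLine for Sysmon EID 1) and the allowlist of DC and AAD Connect accounts are assumptions standing in for the real Splunk fields. The replication control-access-right GUIDs are the well-known Active Directory values. DB-003 goes slightly beyond the backlog wording: powershell.exe accepts any prefix of -EncodedCommand, so the rule matches all of them rather than only -Enc and -EncodedCommand, and decodes the payload for analyst context.

```python
"""Added example: reference logic for backlog rules DB-001, DB-002 and DB-003."""
import base64
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


# ---- DB-001: VPN >10 failed auth from one source IP in 5 minutes ----
def vpn_failed_auth_alerts(events, threshold=10, window=timedelta(minutes=5)):
    """events: iterable of (timestamp, src_ip, outcome). Sliding window per IP;
    one alert per IP the first time failures inside the window exceed threshold."""
    recent = defaultdict(deque)  # src_ip -> timestamps of failures in window
    alerts, already = [], set()
    for ts, ip, outcome in sorted(events):
        if outcome != "failure":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) > threshold and ip not in already:
            alerts.append({"src_ip": ip, "failures": len(q), "at": ts})
            already.add(ip)
    return alerts


# ---- DB-002: EID 4662 replication rights requested by a non-DC, non-AAD-Connect account ----
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
# Constructed allowlist (assumption): the 3 DC machine accounts + AAD Connect service account.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "DC03$", "svc_aadconnect"}


def dcsync_alerts(events):
    """events: dicts with EventCode, SubjectUserName, Properties. Returns offending accounts."""
    hits = []
    for e in events:
        if e.get("EventCode") != 4662:
            continue
        if not any(g in e.get("Properties", "").lower() for g in REPLICATION_GUIDS):
            continue
        if e.get("SubjectUserName") in EXPECTED_REPLICATORS:
            continue
        hits.append(e["SubjectUserName"])
    return hits


# ---- DB-003: powershell.exe launched with an encoded command ----
# Every prefix of "encodedcommand" (-e, -ec, -enc, ...) is accepted by powershell.exe.
_ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)[-/](?:"
    + "|".join(re.escape("encodedcommand"[:n]) for n in range(1, 15))
    + r")(?=\s|$)"
)
_PS_IMAGE = re.compile(r"(?i)(?:^|\\)(?:powershell|pwsh)\.exe$")


def decode_encoded_command(cmdline):
    """Decoded script if cmdline carries a valid encoded command, else None."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    rest = cmdline[m.end():].split()
    if not rest:
        return None
    try:  # -EncodedCommand payloads are base64 of UTF-16LE text
        return base64.b64decode(rest[0], validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encoded_powershell_alerts(events):
    """events: dicts with Sysmon EID 1 fields Image and CommandLine."""
    alerts = []
    for e in events:
        if _PS_IMAGE.search(e.get("Image", "")) and _ENC_FLAG.search(e.get("CommandLine", "")):
            alerts.append({"Image": e["Image"],
                           "decoded": decode_encoded_command(e["CommandLine"])})
    return alerts


def sample_events():
    """Constructed sample data: one true positive and benign noise per rule."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    vpn = [(t0 + timedelta(seconds=20 * i), "203.0.113.7", "failure") for i in range(12)]
    vpn += [(t0 + timedelta(minutes=i), "198.51.100.5", "failure") for i in range(4)]
    vpn.append((t0 + timedelta(minutes=1), "198.51.100.5", "success"))
    ad = [
        {"EventCode": 4662, "SubjectUserName": "DC02$",
         "Properties": "Control Access 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
        {"EventCode": 4662, "SubjectUserName": "j.cohen",
         "Properties": "Control Access 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
        {"EventCode": 4662, "SubjectUserName": "j.cohen",
         "Properties": "Write Property 00000000-0000-0000-0000-000000000000"},  # unrelated placeholder GUID
    ]
    encoded = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    sysmon = [
        {"Image": ps, "CommandLine": f"powershell.exe -NoP -W Hidden -enc {encoded}"},
        {"Image": ps, "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
        {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo -enc"},
    ]
    return vpn, ad, sysmon


def run_all():
    vpn, ad, sysmon = sample_events()
    return {"DB-001": vpn_failed_auth_alerts(vpn),
            "DB-002": dcsync_alerts(ad),
            "DB-003": encoded_powershell_alerts(sysmon)}


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(rule, hits)
```

The DB-002 allowlist is the part that needs care in production: it must contain exactly the DC machine accounts and the AAD Connect service account, and nothing broader, or the rule silently loses the DCSync coverage that Article 21 is being mapped to.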

Assignment Deliverables

  1. Business Threat Profile — government contract threat profile change; trigger event analysis
  2. Crown Jewel Analysis — 10–12 assets; INCD-CID compliance column
  3. Sector Threat Landscape — 6 categories including Trusted Third-Party Abuse (NetSys)
  4. Trigger Event Analysis — how each trigger updates the threat model
  5. 4 Attack Path Models — ATT&CK mapped; blind spot per path; minimum telemetry required
  6. Prioritized ATT&CK Technique List — 15–20 techniques; business impact + detection gap
  7. Detection Backlog — 12–15 items; sprint capacity constrained; pre-requisites noted
  8. Detection Coverage Matrix — INCD-CID compliance column
  9. Telemetry Gap Analysis — 12 log sources assessed with INCD-CID reference
  10. 30/60/90-day Roadmap — capacity-constrained; immediate NetSys remediation prioritized
  11. Executive Brief for Board — 1 page; all 4 triggers addressed
  12. INCD-CID Compliance Gap Assessment — Article 21 mapping

Key Learning Objectives

  • Incorporate concurrent trigger events into a threat model rather than building in a vacuum
  • Treat an open third-party access exposure (NetSys) as an immediate remediation, not a backlog item
  • Build a detection roadmap with explicit sprint capacity constraints and log-source pre-requisites
  • Map INCD-CID Article 21 requirements to specific detection gaps — not just checkbox compliance
  • Explain why the government contract public announcement changes CelltronX's threat actor relevance profile