Cellular Provider Case Study
Purpose
Provide a structured defensive CTI workflow for a fictional cellular provider.
Practitioner-Level Explanation
The case study models a realistic CTI engagement without exposing a real victim. It walks through crown jewels, dependencies, priority intelligence requirements (PIRs), source collection, threat scenarios, telemetry readiness, hunts, detections, SOC handoff, and executive reporting.
The purpose is to show how CTI turns into operational decisions.
CTI Relevance
Case studies let analysts practice customer-specific relevance instead of generic actor summaries.
Common Mistakes
- Writing sector CTI as generic threat landscape prose.
- Not connecting threats to assets and dependencies.
- Ignoring telemetry and control realities.
- Overstating public evidence about successful compromise.
Practical Workflow
- Define business functions.
- Identify crown jewels and dependencies.
- Write PIRs and specific intelligence requirements (SIRs).
- Map relevant actors and behaviors.
- Score threat scenarios.
- Assess telemetry readiness.
- Create hunts and detection backlog.
- Write SOC and executive outputs.
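The workflow above can be run as a small model, so that scoring and telemetry readiness produce the hunts and detection backlog rather than being written by hand. The following Python is an added example, not part of the original case study: the fictional provider "ExampleCell", its crown jewels, scenarios, likelihood/impact scores and the telemetry it has available are all constructed assumptions. The same function also renders the fields of the Output Artifact template used on this page, with actors left as a placeholder because actor mapping comes from source collection, which this model does not cover.

```python
from dataclasses import dataclass

# Constructed customer model (assumption): a fictional provider, "ExampleCell".
CUSTOMER = "ExampleCell (fictional)"


@dataclass(frozen=True)
class CrownJewel:
    name: str
    business_function: str
    dependencies: tuple  # suppliers or upstream systems the asset relies on


@dataclass(frozen=True)
class Scenario:
    name: str
    pir: str          # the PIR this scenario helps answer
    target: str       # CrownJewel.name the scenario ends on
    behaviors: tuple  # observable behaviours, phrased as hunt questions
    telemetry: tuple  # telemetry sources needed to observe the behaviours
    likelihood: int   # 1 (rare) .. 5 (expected), analyst judgement
    impact: int       # 1 (minor) .. 5 (service-affecting), analyst judgement


# Assumed crown jewels and dependencies for the fictional customer.
CROWN_JEWELS = (
    CrownJewel("HLR/HSS subscriber database", "Subscriber authentication", ("identity provider",)),
    CrownJewel("Network management platform", "Core network operations", ("managed-service supplier VPN",)),
    CrownJewel("Billing platform", "Revenue collection", ("payment processor",)),
)

# Assumed threat scenarios; scores are illustrative, not derived from real reporting.
SCENARIOS = (
    Scenario("Supplier VPN credential abuse reaches network management",
             "PIR-1: Which actors reach telecom management systems through third parties?",
             "Network management platform",
             ("supplier VPN login outside maintenance window",
              "privileged session opened on a management host"),
             ("vpn", "identity", "privileged_session"), likelihood=4, impact=5),
    Scenario("Signalling-plane query abuse against subscriber data",
             "PIR-2: What behaviours precede subscriber data exposure?",
             "HLR/HSS subscriber database",
             ("unusual query volume from an interconnect partner",),
             ("signalling_firewall", "hss_query_log"), likelihood=3, impact=5),
    Scenario("Billing portal credential stuffing",
             "PIR-3: Is customer-facing identity abuse increasing?",
             "Billing platform",
             ("many failed logins per source followed by a success",),
             ("web_auth",), likelihood=5, impact=2),
)

# Telemetry the customer can actually query today (assumption).
AVAILABLE_TELEMETRY = frozenset({"vpn", "identity", "privileged_session", "web_auth"})


def risk_score(s: Scenario) -> int:
    """Simple likelihood x impact score used to rank scenarios."""
    return s.likelihood * s.impact


def readiness(s: Scenario, available=AVAILABLE_TELEMETRY):
    """Fraction of the scenario's required telemetry that is available, plus the gaps."""
    missing = tuple(t for t in s.telemetry if t not in available)
    return (len(s.telemetry) - len(missing)) / len(s.telemetry), missing


def plan(scenarios=SCENARIOS, available=AVAILABLE_TELEMETRY):
    """Scenarios with complete telemetry become hunts now; scenarios with gaps go on
    the detection backlog as telemetry-onboarding work, both ranked by risk score."""
    hunts, backlog = [], []
    for s in sorted(scenarios, key=risk_score, reverse=True):
        ready, missing = readiness(s, available)
        if not missing:
            hunts.append({"scenario": s.name, "score": risk_score(s), "questions": s.behaviors})
        else:
            backlog.append({"scenario": s.name, "score": risk_score(s),
                            "readiness": ready, "telemetry_gap": missing})
    return hunts, backlog


def render_artifact(scenarios=SCENARIOS, available=AVAILABLE_TELEMETRY) -> str:
    """Fill the Output Artifact fields from the model; actors are a placeholder."""
    hunts, backlog = plan(scenarios, available)
    ranked = sorted(scenarios, key=risk_score, reverse=True)
    lines = [
        f"Customer: {CUSTOMER}",
        "Crown Jewels: " + "; ".join(
            f"{c.name} ({c.business_function}; depends on {', '.join(c.dependencies)})" for c in CROWN_JEWELS),
        "PIRs: " + "; ".join(sorted({s.pir for s in scenarios})),
        "Threat Scenarios: " + "; ".join(f"{s.name} [score {risk_score(s)}]" for s in ranked),
        "Relevant Actors: PLACEHOLDER (mapped from collected sources, not modelled here)",
        "Telemetry: " + ", ".join(sorted(available)),
        "Hunts: " + "; ".join(h["scenario"] for h in hunts),
        "Detection Backlog: " + "; ".join(
            f"{b['scenario']} (missing {', '.join(b['telemetry_gap'])})" for b in backlog),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_artifact())
```

The ranking deliberately keeps likelihood and impact as separate analyst judgements so that a reviewer can challenge either; a scenario whose telemetry is entirely absent still appears, ranked by risk, because an unobservable high-impact scenario is exactly what the telemetry readiness step is meant to surface.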
Example / Mini Case
Scenario: supplier VPN credentials are abused to access telecom management systems. The CTI output identifies the identity logs, VPN logs, and privileged session monitoring needed to observe the behaviour, the supplier contact path, and the escalation criteria.
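The hunt that the mini case calls for can be expressed as correlation logic over the three log sources it names. The following Python is an added example, not taken from the case study: the log lines, the supplier account, its contracted source range (an RFC 5737 documentation network), the maintenance window, the management host name and the supplier contact string are all constructed assumptions. The escalation rule it encodes is the one the scenario implies: a supplier VPN login that breaks a contract expectation is an analyst review item, and becomes a SOC escalation with the supplier contact path attached when a privileged session on a management host follows within the correlation window.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample telemetry (assumption): one event per line, key=value fields.
SAMPLE_LOGS = """\
2024-05-12T01:15:02Z vpn user=svc-vendorA src=198.51.100.23 result=success
2024-05-12T01:16:40Z privsession user=svc-vendorA host=nms-core-01 action=open
2024-05-12T14:02:50Z identity user=svc-vendorA event=mfa result=fail
2024-05-12T14:03:11Z vpn user=svc-vendorA src=203.0.113.77 result=success
2024-05-12T14:05:30Z privsession user=svc-vendorA host=nms-core-01 action=open
2024-05-12T14:10:00Z vpn user=alice src=203.0.113.5 result=success
"""

# Supplier accounts, their contact path and contracted source network (assumptions).
SUPPLIER_ACCOUNTS = {
    "svc-vendorA": ("VendorA NOC, contact: ops@vendora.example", "198.51.100.0/24"),
}
MAINTENANCE_HOURS_UTC = range(0, 4)       # agreed change window 00:00-03:59 UTC (assumption)
CORRELATION_WINDOW = timedelta(minutes=30)
MANAGEMENT_HOSTS = {"nms-core-01"}        # telecom management systems (assumption)


def parse(line: str) -> dict:
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts, source, *kv = line.split()
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    ev.update(p.split("=", 1) for p in kv)
    return ev


def hunt(log_text: str = SAMPLE_LOGS) -> list:
    """Return findings for supplier VPN logins that break contract expectations,
    enriched with nearby MFA failures and privileged sessions on management hosts."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for i, ev in enumerate(events):
        if ev["source"] != "vpn" or ev.get("result") != "success":
            continue
        if ev["user"] not in SUPPLIER_ACCOUNTS:
            continue  # staff accounts are covered by other hunts, not this one
        contact, allowed = SUPPLIER_ACCOUNTS[ev["user"]]
        reasons = []
        if ipaddress.ip_address(ev["src"]) not in ipaddress.ip_network(allowed):
            reasons.append(f"source {ev['src']} outside contracted range {allowed}")
        if ev["ts"].hour not in MAINTENANCE_HOURS_UTC:
            reasons.append(f"login at {ev['ts']:%H:%M}Z outside maintenance window")
        if not reasons:
            continue  # expected supplier activity: no finding
        # Stage two: did the same account open a privileged session on a management host soon after?
        followups = [e for e in events[i + 1:]
                     if e["source"] == "privsession" and e["user"] == ev["user"]
                     and e.get("host") in MANAGEMENT_HOSTS
                     and e["ts"] - ev["ts"] <= CORRELATION_WINDOW]
        # Supporting signal from identity logs: MFA failures shortly before the login.
        mfa_fails = [e for e in events[:i]
                     if e["source"] == "identity" and e["user"] == ev["user"]
                     and e.get("event") == "mfa" and e.get("result") == "fail"
                     and ev["ts"] - e["ts"] <= CORRELATION_WINDOW]
        findings.append({
            "user": ev["user"],
            "login_time": ev["ts"].isoformat(),
            "reasons": reasons,
            "privileged_hosts": [e["host"] for e in followups],
            "mfa_failures_before": len(mfa_fails),
            # Escalation criteria: privileged access to a management host after an
            # anomalous supplier login goes to the SOC; otherwise an analyst reviews.
            "severity": "escalate" if followups else "review",
            "supplier_contact": contact,
        })
    return findings


if __name__ == "__main__":
    for f in hunt():
        print(f["severity"].upper(), f["user"], f["login_time"], "; ".join(f["reasons"]))
        print("  privileged hosts:", f["privileged_hosts"], "| MFA failures before:", f["mfa_failures_before"])
        print("  supplier contact:", f["supplier_contact"])
```

Two design points matter in practice. The first VPN login in the sample is from the contracted range during the maintenance window and produces nothing, which is the sector-specific false positive the checklist below warns about: suppliers legitimately hold privileged sessions on management hosts, so the anomaly is the contract deviation, not the privileged access itself. Second, the supplier contact path is carried in the finding so that the SOC handoff does not require a separate lookup when the escalation criteria are met.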
Analyst Checklist
- Are assets and dependencies defined?
- Are threats tied to observable behavior?
- Are sector-specific false positives considered?
- Are source limits explicit?
Output Artifact
Customer:
Crown Jewels:
PIRs:
Threat Scenarios:
Relevant Actors:
Telemetry:
Hunts:
Detection Backlog:
SOC Handoff:
Executive Summary: