Threat Intelligence Research

Full actor profile — aliases, attribution, claimed operations, TTPs, malware families, and detection opportunities for the Handala Hack Team hacktivist cluster.

Profile of Sandworm (APT44 / FROZENBARENTS): destructive operations, wiper malware families, ICS/OT targeting, and Ukraine conflict-related activity.

Profile of MuddyWater: MOIS-linked actor, RMM tool abuse, spear-phishing tradecraft, persistent access methodology, and detection candidates.

Structured threat landscape assessment for container and Kubernetes environments: tracked actor activity, common TTPs, and detection priorities.

CTI report underpinning Operation DragonRx: APT41 initial access via Log4Shell, lateral movement to Active Directory, credential harvesting, and detection hypotheses.

Full tradecraft reference: evidence labeling, source reliability, confidence tiering, attribution methodology, infrastructure pivoting, and detection candidate mapping.

Applying kill chain analysis to real adversary behavior — evidence labeling at each stage with worked examples drawn from public reporting.

Moving beyond the matrix: technique selection, sub-technique context, ATT&CK Navigator usage, and detection hypothesis construction from real reports.

Tool-to-technique mapping reference: which adversary tools map to which ATT&CK techniques, how to use this for detection prioritization.

Structured approach to attribution: evidence strength ladder, false-flag considerations, confidence levels, and how to defend attribution claims under scrutiny.

Passive DNS, certificate transparency, ASN/hosting pivots, and JARM/JA3 fingerprinting — turning one IOC into a defensible infrastructure cluster.

Words of estimative probability, source critique, assumption tracking, and cognitive bias mitigation applied to practical CTI production.

Side-by-side workflow timing: same CTI task completed manually vs. with AI assistance — where time is saved, where analyst judgment remains irreplaceable.

End-to-end workflow: actor assessment → TTP extraction → detection candidate → hunting hypothesis → backlog item → production rule.

Practitioner reference for building and evaluating atomic detection rules — coverage gaps, noise thresholds, and the tradeoffs between specificity and recall.

When and how to write single-event rules: signal strength requirements, false-positive budgets, and integration with correlation layers.

Stacking atomic signals into behavioral patterns — temporal windows, entity pivots, and MITRE ATT&CK tactic-level correlation logic.

Practitioner analysis: how AI-augmented offensive operations change attacker tempo, tradecraft diversity, and the assumptions underlying existing detection coverage.

Framing detection as statistical inference — baseline construction, drift detection, and reducing false-positive rates in anomaly-based rules.

Data source requirements, behavioral baselines, and detection logic for identifying malicious insider patterns across endpoint, identity, and data-access telemetry.

Using the Pyramid of Pain to prioritize hunt targets — moving from hash-based detection toward behavioral and TTP-level hunting with practical examples.

Wireshark-driven hunt methodology: protocol anomalies, C2 communication patterns, DNS tunneling indicators, and SSL/TLS fingerprinting in captured traffic.

Platform-specific hunt playbooks: process genealogy analysis, persistence mechanism review, and lateral movement artifacts across Windows, Linux, and macOS endpoints.

Protocol-level threat mapping for 4G/LTE infrastructure: GTP exploitation, SS7 abuse, and defensive controls for cellular network operators.

5G-specific threat landscape: network slicing attacks, SBA exposure, O-RAN security considerations, and detection priorities for 5G operators.

Applied case study: translating telecom threat intelligence into a prioritized defensive roadmap for a cellular provider — from threat model to detection backlog.

Container and Kubernetes threat landscape: supply chain risks, runtime attacks, lateral movement in ephemeral environments, and cloud-native detection approaches.

Evidence-based assessment of AI adoption in offensive tradecraft: phishing automation, malware generation, reconnaissance acceleration, and the detection implications.

Prompt injection, data exfiltration via LLM agents, tool-call manipulation, and the emerging attack surface introduced by agentic AI deployments.

Full end-to-end pipeline: 8 promoted public sources on MuddyWater (Iranian MOIS) → AI-deduplicated source register (71 → 8) → OpenCTI 6.2 knowledge graph → 11 ATT&CK-mapped detection rules → Ansible-validated Kibana proof screenshots. 13 PASS / 1 PARTIAL / 1 FAIL across 16 rule checks.

Full pipeline documentation: Phase 1 source gathering with review gate, Phase 2 procedure dataset, Phase 3 OpenCTI graph, Phase 4 detection atlas (all 11 detections with pseudologic), Phase 5 validation lab with lab architecture, Phase 6 coverage matrix, and production scars.

Infrastructure design for the APT41 simulation: target network topology, Sliver C2 setup, Wazuh + Zeek + Elastic detection stack, and isolation controls.

Step-by-step attack execution: Log4Shell initial access → Sliver C2 implant → AD lateral movement → LSASS dump → detection trigger analysis.

Introduction to the methodology: what a structured client-facing CTI engagement looks like, and how AI tooling fits inside a controlled analyst workflow.

Project charter, scope definition, stakeholder requirements, and the evidence and confidence framework that governs the entire engagement.

Phase-by-phase walkthrough: collection, enrichment, analysis, and reporting with explicit human validation checkpoints at each stage.

Templates, prompt library, quality gates, output artifact formats, and the cross-reference map tying the methodology to the CTI Analyst Field Manual.