RedSheep Security Academy: Advanced, Lesson 32

Capstone: End-to-End Intelligence Operation


This capstone exercise ties together the concepts from all three levels of the CTI Academy into a single, end-to-end intelligence operation. You will work through a realistic scenario from initial requirement through finished intelligence product, applying the frameworks, methodologies, and analytical techniques covered throughout the course. This is designed as a hands-on exercise — work through each phase before reading the next.

Learning Objectives

  • Execute a complete intelligence cycle from requirement to dissemination
  • Apply the Diamond Model, MITRE ATT&CK, and Analysis of Competing Hypotheses in a single investigation
  • Produce a finished intelligence report with proper structure, confidence language, and TLP marking
  • Create detection rules and hunt proposals based on analytical findings
  • Demonstrate mastery of CTI concepts across all three academy levels

The Scenario

You are a CTI analyst at Meridian Health Systems, a mid-sized healthcare organization operating 12 hospitals and 45 clinics across the southeastern United States. Meridian processes approximately 2 million patient records and handles $1.8 billion in annual revenue. Your security operations center runs Splunk as its primary SIEM.

On a Monday morning, your SOC escalates the following alert:

SOC Alert #4721: Endpoint detection triggered on workstation WKS-FIN-0342 (Finance department, accounts payable). The alert fired on suspicious PowerShell execution: an encoded PowerShell command was launched from Microsoft Word. The initial detection was triggered at 06:47 UTC. The user, Janet Morrison, reports opening an email attachment titled "Q1_Invoice_Review.docm" at approximately 06:45 UTC. The email appeared to come from a known vendor. EDR logs show the PowerShell process made an outbound HTTPS connection to 198.51.100.47 on port 443.

Your IR team is beginning containment. The CISO has asked the CTI team to support the response by identifying the threat actor, assessing the scope, and producing intelligence products.


Phase 1: Receive the Requirement

Every intelligence operation begins with a requirement. In this case, the CISO's request translates into several specific intelligence questions:

Immediate requirements (tactical):

  • What is the IP address 198.51.100.47 associated with? Is it known C2 infrastructure?
  • What threat actor or campaign does this activity align with?
  • What additional indicators should the IR team look for?

Short-term requirements (operational):

  • What is this threat actor's typical kill chain? What comes next after initial access?
  • Is Meridian specifically targeted, or is this part of a broad campaign?
  • Are other healthcare organizations seeing similar activity?

Longer-term requirements (strategic):

  • What is the threat actor's motivation and capability level?
  • How does this incident change Meridian's risk profile?
  • What defensive investments would reduce exposure to this type of threat?

Your task: Write these requirements formally as Priority Intelligence Requirements. Assign each a priority (Critical, High, Medium) and a timeline for answering.


Phase 2: Plan Collection

With requirements defined, plan your collection strategy. You need to identify what data sources will answer each requirement.

Internal Sources

  • SIEM (Splunk): Query for all activity from WKS-FIN-0342, all connections to 198.51.100.47, and all systems that received email from the spoofed vendor address
  • EDR: Full process tree from the Word/PowerShell execution chain on WKS-FIN-0342
  • Email gateway logs: Identify all recipients of the malicious email, examine headers for originating infrastructure
  • Proxy/firewall logs: All connections to 198.51.100.47 across the environment, and any connections to related infrastructure you discover during enrichment
  • Active Directory: Janet Morrison's account activity — any anomalous authentication events

External Sources

  • Threat intelligence feeds: Query for 198.51.100.47 and the file hash of Q1_Invoice_Review.docm
  • VirusTotal: Submit the file hash (not the file itself — OPSEC consideration) and the IP
  • Passive DNS: Historical resolutions for 198.51.100.47
  • Shodan/Censys: What is hosted at 198.51.100.47? What services, certificates, JARM hash?
  • ISAC: Query the Health-ISAC for related activity in the healthcare sector
  • Certificate transparency: Any certificates associated with the IP or related domains
  • OSINT reporting: Search for public threat intelligence reports referencing the IP, file hash, or behavioral pattern

Your task: Create a collection plan matrix mapping each intelligence requirement to the sources you will query, the specific queries or searches you will perform, and the expected timeline for results.


Phase 3: Collect and Process

For this exercise, we will provide simulated collection results. In a real operation, you would execute the queries from your collection plan and aggregate the results.

Simulated Collection Results

VirusTotal results for 198.51.100.47:

  • 8/90 vendors flag as malicious
  • Associated domains: update-service-cdn[.]com (first seen 45 days ago), cloud-sync-health[.]com (first seen 30 days ago)
  • Both domains registered through Namecheap
  • The IP is hosted on a VPS provider in Romania

Passive DNS for 198.51.100.47:

  • update-service-cdn[.]com resolved to this IP from 45 days ago to present
  • cloud-sync-health[.]com resolved to this IP from 30 days ago to present
  • A third domain, ms-aborthealth-update[.]com, resolved to this IP briefly 60 days ago before moving to a different IP

Shodan results:

  • Port 443 open with a self-signed TLS certificate
  • Port 8443 open (unusual)
  • JARM hash matches known Cobalt Strike Beacon profile
  • Certificate CN: "Microsoft Update Services" (an obvious attempt to appear legitimate)

EDR process tree from WKS-FIN-0342:

  • WINWORD.EXE spawned cmd.exe
  • cmd.exe launched powershell.exe with Base64-encoded command
  • Decoded command: downloads a DLL from update-service-cdn[.]com/api/v2/sync and executes it via rundll32.exe
  • rundll32.exe established HTTPS connection to 198.51.100.47:443
  • Subsequently, nltest.exe and net.exe were executed (domain enumeration)

Email gateway analysis:

  • The phishing email was sent to 15 recipients across the Finance and HR departments
  • The sender address spoofed a known vendor (MedSupply Partners)
  • Email headers show the originating mail server is 203.0.113.88
  • Only Janet Morrison opened the attachment (confirmed by EDR)

Splunk query results:

  • No other workstations have connected to 198.51.100.47
  • No other workstations have connected to update-service-cdn[.]com
  • No anomalous activity on Janet Morrison's AD account beyond the initial PowerShell execution

Health-ISAC query:

  • Two other member organizations reported similar phishing campaigns in the past 60 days
  • Both involved healthcare-themed domains and .docm attachments
  • One report attributed the activity to a cluster tracked as "TIDAL SPIDER" (fictional), a financially motivated group known to deploy ransomware in healthcare environments

Your task: Normalize all collected data into a structured format. Create an indicator table with all IOCs, their types, sources, first-seen dates, and confidence levels.
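One way to do the normalization step, as an added example that is not part of the lesson: the simulated Phase 3 results are refanged, typed, given an absolute first-seen date and a confidence level in one table. The IOC values are the lesson's own; the incident date and the confidence rules are assumptions made here.

```python
# Added example, not the lesson's code: normalise Phase 3 results into an indicator table.
from dataclasses import dataclass
from datetime import date, timedelta
import ipaddress
import re

INCIDENT_DAY = date(2024, 4, 1)   # assumption: the Monday of the scenario
# (value as pasted from the tool, source, first seen N days ago, context)
RAW = [
    ("198.51.100.47", "EDR", 0, "C2 endpoint; 8/90 VT vendors; JARM matches Cobalt Strike"),
    ("update-service-cdn[.]com", "VirusTotal", 45, "payload host; resolves to 198.51.100.47"),
    ("cloud-sync-health[.]com", "Passive DNS", 30, "resolves to 198.51.100.47"),
    ("ms-aborthealth-update[.]com", "Passive DNS", 60, "briefly resolved to 198.51.100.47"),
    ("203.0.113.88", "Email gateway", 0, "originating mail server"),
    ("Q1_Invoice_Review.docm", "EDR", 0, "macro-enabled lure attachment"),
]

@dataclass
class Indicator:
    value: str        # refanged, machine-usable form
    ioc_type: str     # ipv4 | domain | filename
    source: str
    first_seen: str   # ISO date
    confidence: str   # high | medium | low
    context: str

def refang(value: str) -> str:
    """Turn analyst-safe notation (example[.]com, hxxp) back into the real value."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def classify(value: str) -> str:
    try:
        ipaddress.ip_address(value)
        return "ipv4"
    except ValueError:
        pass
    if re.search(r"\.(docm|xlsm|dll|exe)$", value, re.I):
        return "filename"
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", value, re.I):
        return "domain"
    return "filename"

def assess_confidence(ioc_type: str, source: str, context: str) -> str:
    """Assumed rule: seen on our own systems = high; external enrichment tied to the confirmed C2 IP = medium."""
    if source in ("EDR", "Email gateway"):
        return "high"
    if ioc_type in ("ipv4", "domain") and "198.51.100.47" in context:
        return "medium"
    return "low"

def build_indicator_table(raw=RAW) -> list:
    table = []
    for value, source, days_ago, context in raw:
        clean = refang(value)
        kind = classify(clean)
        first_seen = (INCIDENT_DAY - timedelta(days=days_ago)).isoformat()
        table.append(Indicator(clean, kind, source, first_seen,
                               assess_confidence(kind, source, context), context))
    return table
```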


Phase 4: Analyze

This is the core of the intelligence operation. Apply multiple analytical frameworks to the collected data.

Diamond Model Analysis

Construct a Diamond Model for this intrusion:

  • Adversary: TIDAL SPIDER (assessed with moderate confidence based on infrastructure overlap and Health-ISAC reporting)
  • Capability: Spearphishing with macro-enabled documents, Cobalt Strike Beacon for C2, domain enumeration tools. This represents a moderate-to-sophisticated capability — they are using commercial offensive tools rather than custom malware.
  • Infrastructure: 198.51.100.47 (Romanian VPS), update-service-cdn[.]com, cloud-sync-health[.]com, ms-aborthealth-update[.]com, 203.0.113.88 (mail server). Infrastructure uses healthcare-themed domain names, suggesting sector targeting.
  • Victim: Meridian Health Systems, specifically Finance and HR departments (accounts payable staff targeted with invoice-themed lure).

The Diamond Model immediately reveals that the infrastructure naming convention (healthcare-themed domains) and the victim targeting (healthcare sector) are consistent — this is not opportunistic. The adversary is deliberately targeting healthcare organizations.

MITRE ATT&CK Mapping

Map the observed techniques:

Tactic | Technique | ID | Evidence
Initial Access | Spearphishing Attachment | T1566.001 | Macro-enabled .docm delivered via email
Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | Encoded PowerShell launched from Word
Execution | System Services: Service Execution | T1569.002 | rundll32.exe used to execute downloaded DLL
Defense Evasion | Obfuscated Files or Information | T1027 | Base64-encoded PowerShell command
Defense Evasion | System Binary Proxy Execution: Rundll32 | T1218.011 | DLL loaded via rundll32.exe
Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | HTTPS C2 to port 443
Discovery | Domain Trust Discovery | T1482 | nltest.exe execution
Discovery | Account Discovery: Domain Account | T1087.002 | net.exe execution

Predictive analysis: Based on TIDAL SPIDER's known playbook and the ATT&CK mapping, the adversary was in the Discovery phase. If not contained, likely next steps would include:

  • Credential access (T1003 — OS Credential Dumping, likely via Mimikatz)
  • Lateral movement (T1021.002 — SMB/Windows Admin Shares)
  • Data staging and exfiltration
  • Ransomware deployment (historically 5-10 days after initial access for this group)

Analysis of Competing Hypotheses (ACH)

Evaluate three hypotheses:

H1: Targeted attack by TIDAL SPIDER for ransomware deployment

  • Healthcare-themed infrastructure: Consistent
  • Health-ISAC reports of similar activity: Consistent
  • Cobalt Strike C2: Consistent (TIDAL SPIDER known tool)
  • Finance/HR targeting: Consistent (targeting departments with access to sensitive data and financial systems)
  • Invoice-themed lure: Consistent (social engineering for financial access)

H2: Opportunistic phishing campaign by unrelated cybercriminal group

  • Healthcare-themed infrastructure: Inconsistent (opportunistic campaigns use generic lures)
  • Targeted departments: Inconsistent (opportunistic campaigns don't target specific departments)
  • Health-ISAC reports: Inconsistent (multiple healthcare orgs suggest sector targeting)
  • Cobalt Strike: Neutral (widely available tool)

H3: Targeted espionage operation (nation-state)

  • Cobalt Strike: Neutral (used by both criminals and nation-states)
  • Ransomware deployment history: Inconsistent (espionage groups rarely deploy ransomware)
  • Financial targeting: Inconsistent (espionage would target research, executive, or clinical systems)
  • Health-ISAC attribution to criminal cluster: Inconsistent

Assessment: H1 is most consistent with the evidence. We assess with moderate confidence that this is a targeted intrusion by TIDAL SPIDER or a closely related cluster, with the likely objective of ransomware deployment. Confidence is moderate rather than high because attribution is based on infrastructure overlap and behavioral similarity, not on technical indicators uniquely attributable to TIDAL SPIDER.
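The ACH assessment above scored in code, as an added example that is not part of the lesson: hypotheses are ranked by how much evidence contradicts them (Heuer's rule), and evidence that contradicts nothing is flagged as non-diagnostic. Ratings follow the lesson's three lists; cells the lesson does not rate are assumed Neutral here.

```python
# Added example, not the lesson's code: score the capstone ACH matrix.
from collections import Counter

HYPOTHESES = {
    "H1": "Targeted attack by TIDAL SPIDER for ransomware deployment",
    "H2": "Opportunistic phishing campaign by unrelated cybercriminal group",
    "H3": "Targeted espionage operation (nation-state)",
}

# evidence -> {hypothesis: "C" consistent | "I" inconsistent | "N" neutral}
# Ratings follow the lesson; cells the lesson leaves unrated are assumed "N".
MATRIX = {
    "Healthcare-themed infrastructure":           {"H1": "C", "H2": "I", "H3": "N"},
    "Health-ISAC reports of similar activity":    {"H1": "C", "H2": "I", "H3": "N"},
    "Cobalt Strike C2":                           {"H1": "C", "H2": "N", "H3": "N"},
    "Finance/HR department targeting":            {"H1": "C", "H2": "I", "H3": "I"},
    "Invoice-themed lure":                        {"H1": "C", "H2": "N", "H3": "N"},
    "Cluster's ransomware deployment history":    {"H1": "C", "H2": "N", "H3": "I"},
    "Health-ISAC attribution to criminal cluster": {"H1": "C", "H2": "N", "H3": "I"},
}

def inconsistency_scores(matrix=MATRIX) -> dict:
    """Heuer's rule: judge a hypothesis by how much evidence contradicts it, not how much fits."""
    scores = Counter({h: 0 for h in HYPOTHESES})
    for ratings in matrix.values():
        for h, r in ratings.items():
            scores[h] += int(r == "I")
    return dict(scores)

def rank_hypotheses(matrix=MATRIX) -> list:
    """Fewest inconsistencies first; ties broken by the number of consistent cells."""
    scores = inconsistency_scores(matrix)
    consistent = {h: sum(r[h] == "C" for r in matrix.values()) for h in HYPOTHESES}
    return sorted(HYPOTHESES, key=lambda h: (scores[h], -consistent[h]))

def low_diagnosticity(matrix=MATRIX) -> list:
    """Evidence that contradicts no hypothesis cannot help choose between them."""
    return [e for e, r in matrix.items() if "I" not in r.values()]

def most_diagnostic(matrix=MATRIX) -> str:
    """The single evidence item that rules out the most hypotheses."""
    return max(matrix, key=lambda e: list(matrix[e].values()).count("I"))

if __name__ == "__main__":
    for h in rank_hypotheses():
        print(h, inconsistency_scores()[h], HYPOTHESES[h])
    print("non-diagnostic:", low_diagnosticity())
    print("most diagnostic:", most_diagnostic())
```

The output makes the lesson's caveat visible: Cobalt Strike and the invoice lure fit H1 but rule nothing out, which is why the overall confidence stays moderate.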

Campaign Timeline

Days Before Incident | Activity
-60 | ms-aborthealth-update[.]com registered and briefly pointed to 198.51.100.47
-45 | update-service-cdn[.]com registered and pointed to 198.51.100.47
-30 | cloud-sync-health[.]com registered and pointed to 198.51.100.47
-14 (est.) | First Health-ISAC member targeted with similar campaign
0 (Monday 06:45 UTC) | Phishing email delivered to 15 Meridian staff
0 (Monday 06:47 UTC) | Janet Morrison opens attachment, Cobalt Strike beacon established
0 (Monday 06:48-06:55 UTC) | Domain enumeration activity (nltest, net.exe)
0 (Monday ~07:15 UTC) | SOC alert escalated, containment initiated

The 60-day infrastructure preparation timeline is consistent with a planned campaign, not an opportunistic attack.


Phase 5: Produce the Intelligence Report

Your task: Write a finished intelligence report using the following structure.

Report Structure

TLP:AMBER (restricted to Meridian Health Systems and its information sharing partners)

BLUF (Bottom Line Up Front): On [date], Meridian Health Systems was targeted by a spearphishing campaign assessed with moderate confidence to be conducted by TIDAL SPIDER, a financially motivated threat group known to deploy ransomware against healthcare organizations. The intrusion was detected and contained during the Discovery phase before lateral movement or data access occurred. Two other Health-ISAC member organizations have reported similar targeting in the past 60 days. Based on TIDAL SPIDER's historical operations, the likely objective was ransomware deployment within 5-10 days of initial access.

Body sections should include:

  1. Summary of the incident
  2. Threat actor assessment (who, motivation, capability, intent)
  3. Technical analysis (ATT&CK mapping, Diamond Model summary)
  4. Campaign analysis (timeline, related targeting of healthcare sector)
  5. Impact assessment (what was accessed, what was prevented)
  6. Confidence assessment (what you know, what you assess, what gaps remain)

Recommendations:

  • Block all identified IOCs across email gateway, proxy, and firewall
  • Reset credentials for Janet Morrison's account
  • Conduct a targeted hunt across all endpoints for Cobalt Strike indicators
  • Increase monitoring of Finance and HR department workstations
  • Engage Health-ISAC to share indicators and receive updates from peer organizations
  • Review and test offline backup procedures in preparation for potential follow-up attempts
  • Conduct phishing awareness refresher for Finance and HR staff emphasizing vendor impersonation

Phase 6: Create Detection Rules and Propose a Hunt

Detection Rules

Based on the intrusion analysis, create detection logic for your SIEM. Example Splunk SPL queries:

Detection 1: Word spawning command interpreter

index=edr sourcetype=process_creation parent_process_name="WINWORD.EXE"
(process_name="cmd.exe" OR process_name="powershell.exe" OR process_name="wscript.exe" OR process_name="cscript.exe")
| table _time host user parent_process_name process_name command_line

Detection 2: Encoded PowerShell execution

index=edr sourcetype=process_creation process_name="powershell.exe"
(command_line="*-enc*" OR command_line="*-EncodedCommand*" OR command_line="*FromBase64String*")
| table _time host user command_line

Detection 3: Rundll32 with outbound network connection

Firewall logs do not record the originating process, so this query needs EDR (or Sysmon-style) network-connection telemetry that carries process_name:

index=edr sourcetype=network_connection process_name="rundll32.exe" direction="outbound"
| stats count min(_time) as first_seen by host user src_ip dest_ip dest_port

Detection 4: Domain enumeration tool execution

index=edr sourcetype=process_creation
(process_name="nltest.exe" OR (process_name="net.exe" AND (command_line="*domain*" OR command_line="*group*" OR command_line="*user*")))
| table _time host user process_name command_line
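The same logic as Detections 1, 2 and 4 run outside Splunk, as an added example that is not part of the lesson: it evaluates constructed process-creation events modelled on the WKS-FIN-0342 process tree and decodes the -EncodedCommand payload so the alert carries the readable command. The field names follow the SPL above; the events and the placeholder payload are constructed here.

```python
# Added example, not the lesson's code: Detections 1, 2 and 4 over constructed EDR events.
import base64
import re
from typing import Optional

INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# -e / -enc / -EncodedCommand followed by a Base64 run (the lesson's Detection 2 patterns)
ENC_FLAG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_powershell(command_line: str) -> Optional[str]:
    """-EncodedCommand carries Base64 of a UTF-16LE string; return it decoded, or None."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def evaluate(event: dict) -> list:
    """Names of the lesson's detections (D1, D2, D4) that fire on one process event."""
    hits = []
    parent = event.get("parent_process_name", "").lower()
    proc = event.get("process_name", "").lower()
    cmd = event.get("command_line", "")
    if parent == "winword.exe" and proc in INTERPRETERS:
        hits.append("D1 Word spawning command interpreter")
    if proc == "powershell.exe":
        decoded = decode_encoded_powershell(cmd)
        if decoded is not None or "FromBase64String" in cmd:
            hits.append("D2 Encoded PowerShell execution")
        if decoded and re.search(r"rundll32|DownloadString|DownloadFile", decoded, re.I):
            hits.append("D2+ Decoded payload stages a DLL via rundll32")
    if proc == "nltest.exe" or (proc == "net.exe" and re.search(r"domain|group|user", cmd, re.I)):
        hits.append("D4 Domain enumeration tool execution")
    return hits

# Constructed telemetry mirroring the WKS-FIN-0342 process tree; the encoded
# payload is built from a harmless placeholder string, not from real malware.
PAYLOAD = "Write-Output 'placeholder: fetch DLL then run via rundll32'"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()
EVENTS = [
    {"host": "WKS-FIN-0342", "parent_process_name": "WINWORD.EXE",
     "process_name": "cmd.exe", "command_line": "cmd.exe /c powershell ..."},
    {"host": "WKS-FIN-0342", "parent_process_name": "cmd.exe",
     "process_name": "powershell.exe", "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"host": "WKS-FIN-0342", "parent_process_name": "rundll32.exe",
     "process_name": "nltest.exe", "command_line": "nltest /domain_trusts"},
    {"host": "WKS-FIN-0342", "parent_process_name": "rundll32.exe",
     "process_name": "net.exe", "command_line": "net user /domain"},
    {"host": "WKS-IT-0007", "parent_process_name": "explorer.exe",   # benign admin script, must not fire
     "process_name": "powershell.exe", "command_line": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]

def run_detections(events=EVENTS) -> dict:
    """Map host:process -> detections fired, keeping only events that alerted."""
    results = {f"{e['host']}:{e['process_name']}": evaluate(e) for e in events}
    return {k: v for k, v in results.items() if v}
```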

Hunt Proposal

Hunt Title: TIDAL SPIDER Post-Compromise Activity Hunt

Hypothesis: Based on the targeted phishing campaign against Meridian and the 60-day infrastructure preparation timeline, TIDAL SPIDER may have achieved access to other Meridian systems through earlier, undetected phishing attempts or through alternate initial access vectors.

Scope: All endpoints in Finance, HR, and IT departments. Network traffic logs for the past 90 days. Email gateway logs for the past 90 days.

Hunt Activities:

  1. Search for any connections to the identified IOCs (IP addresses, domains) across all network logs for the past 90 days
  2. Search for .docm and .xlsm attachments received from external senders in the past 90 days — analyze any with low VirusTotal detection rates
  3. Hunt for Cobalt Strike indicators across all endpoints: named pipes, process injection patterns, characteristic beacon timing in network traffic
  4. Search for domain enumeration commands (nltest, net.exe, dsquery) executed from non-IT workstations
  5. Review PowerShell script block logging for encoded or obfuscated commands across all endpoints
  6. Analyze DNS logs for queries to the identified malicious domains and any domains with similar naming patterns

Expected Duration: 2 weeks

Success Criteria: Confirm whether the adversary has any additional footholds in the environment, and identify any previously undetected compromise.


Phase 7: Close the Loop

The final phase connects this incident back to the broader CTI program.

Your task: Complete these closing actions:

  1. Update PIRs: Based on this incident, do any Priority Intelligence Requirements need to be added or modified? TIDAL SPIDER should now be a tracked threat actor if it was not already.

  2. Update threat actor tracking: Create or update a TIDAL SPIDER profile with all observed TTPs, infrastructure patterns, and targeting preferences.

  3. Share intelligence: Prepare an IOC package and TTP summary for sharing through Health-ISAC. Apply TLP:AMBER marking. Include detection rules that peer organizations can implement.

  4. Update detection coverage: Map the ATT&CK techniques observed against your existing detection coverage. Identify gaps — techniques the adversary used or could have used that you cannot currently detect.

  5. Metrics capture: Record this incident for your CTI metrics program. Key data points: time from alert to CTI assessment, number of additional IOCs identified through enrichment, detection rules created, hunt findings.

  6. Lessons learned: What worked well in the CTI support to this incident? What could be improved? Did enrichment tools provide timely results? Were pre-staged playbooks adequate? Did communication with the IR team flow smoothly?


Capstone Checklist

Use this checklist to verify you have completed all phases of the exercise:

  • Intelligence requirements formally documented with priorities and timelines
  • Collection plan mapping requirements to sources
  • Indicator table with all IOCs, types, sources, and confidence levels
  • Diamond Model completed with all four vertices
  • ATT&CK mapping with at least 8 techniques across multiple tactics
  • ACH matrix evaluating at least 3 hypotheses
  • Campaign timeline from infrastructure preparation through containment
  • Finished intelligence report with BLUF, body sections, and recommendations
  • Confidence language used correctly throughout (distinguish facts from assessments)
  • TLP marking applied appropriately
  • At least 3 detection rules created in SPL, KQL, or Sigma format
  • Hunt proposal with hypothesis, scope, and specific hunt activities
  • Feedback loop actions identified (PIR updates, sharing, detection gaps, metrics)

Key Takeaways

  • The intelligence cycle is not abstract theory — it is a practical workflow that structures real-world intelligence operations from requirement through dissemination
  • The Diamond Model, ATT&CK, and ACH are complementary frameworks that each reveal different aspects of a threat
  • Confidence language is essential in intelligence products — state what you know versus what you assess, and at what confidence level
  • Every incident is an intelligence collection opportunity that should feed back into the CTI program
  • Detection rules and hunt proposals are concrete, operational outputs that demonstrate CTI value
  • The capstone demonstrates that CTI is fundamentally about enabling better decisions — from tactical (what to block) to strategic (where to invest in defense)

Further Reading

  • NIST SP 800-61 Rev. 2 — "Computer Security Incident Handling Guide" (the foundational IR framework referenced throughout this exercise)
  • Caltagirone, S., Pendergast, A., Betz, C. — "The Diamond Model of Intrusion Analysis" (2013)
  • Heuer, R.J. — "Psychology of Intelligence Analysis" (CIA Center for the Study of Intelligence, 1999 — the foundational text on ACH and analytical rigor)
  • MITRE ATT&CK Framework — Enterprise Matrix (attack.mitre.org/matrices/enterprise/)