CSY301 Week 06 Advanced

Practice campaign analysis before moving to reading resources.

Threat Intelligence

Opening Framing

While tactical intelligence tells you what to block today, operational intelligence tells you how adversaries operate over time. A single malware sample is a data point; a campaign analysis reveals patterns—how attackers select targets, what infrastructure they prefer, how they adapt when detected, and what their operational tempo looks like.

Operational intelligence bridges the gap between blocking indicators and understanding adversaries. It enables security teams to anticipate next moves, prepare playbooks for likely scenarios, and detect attacks even when specific indicators change. When you understand a campaign's structure, you can detect variations that share the same operational DNA.

This week covers campaign analysis methodology, intrusion analysis frameworks, infrastructure tracking, operational pattern recognition, and producing operational intelligence products. You'll learn to connect individual incidents into broader patterns that reveal adversary operations.

Key insight: Individual attacks are tactics; campaigns are strategy. Understanding strategy enables you to counter tactics you haven't seen yet.

1) Understanding Campaigns

A campaign is a coordinated set of malicious activities sharing common objectives, infrastructure, or techniques:

Campaign Characteristics:

WHAT DEFINES A CAMPAIGN:
┌─────────────────────────────────────────────────────────────┐
│ Shared Elements:                                            │
│ - Common adversary or group                                 │
│ - Unified objective (espionage, financial, disruption)      │
│ - Overlapping infrastructure                                │
│ - Consistent TTPs                                           │
│ - Target coherence (sector, geography, criteria)            │
│ - Temporal relationship (concurrent or sequential)          │
└─────────────────────────────────────────────────────────────┘

Campaign vs. Individual Attack:

Individual Attack:
┌─────────────┐
│  Target A   │ ← Single victim
│  One-time   │ ← Single event
│  Indicators │ ← Specific IOCs
└─────────────┘

Campaign:
┌─────────────┐   ┌─────────────┐   ┌─────────────┐
│  Target A   │   │  Target B   │   │  Target C   │
│  March 1    │   │  March 5    │   │  March 12   │
│  Variant 1  │   │  Variant 2  │   │  Variant 3  │
└──────┬──────┘   └──────┬──────┘   └──────┬──────┘
       │                 │                 │
       └────────────┬────┴────────────────┘
                    │
          ┌────────────────────┐
          │  Shared Elements:  │
          │  - Same adversary  │
          │  - Same objective  │
          │  - Same TTPs       │
          │  - Related infra   │
          └────────────────────┘

Campaign Types:

Campaign Categories:

ESPIONAGE CAMPAIGNS:
┌─────────────────────────────────────────────────────────────┐
│ Objective: Collect intelligence over extended period        │
│                                                             │
│ Characteristics:                                            │
│ - Long dwell time (months to years)                         │
│ - Stealth prioritized over speed                            │
│ - Targeted victim selection                                 │
│ - Persistent access maintenance                             │
│ - Data exfiltration as primary goal                         │
│                                                             │
│ Example: APT29 targeting government policy organizations    │
└─────────────────────────────────────────────────────────────┘

FINANCIAL CAMPAIGNS:
┌─────────────────────────────────────────────────────────────┐
│ Objective: Monetize access quickly                          │
│                                                             │
│ Characteristics:                                            │
│ - Shorter dwell time (days to weeks)                        │
│ - Volume-based targeting                                    │
│ - Ransomware, BEC, or direct theft                          │
│ - Infrastructure reuse for efficiency                       │
│ - Affiliate/RaaS models                                     │
│                                                             │
│ Example: LockBit ransomware affiliate campaigns             │
└─────────────────────────────────────────────────────────────┘

DESTRUCTIVE CAMPAIGNS:
┌─────────────────────────────────────────────────────────────┐
│ Objective: Disrupt, destroy, or deny                        │
│                                                             │
│ Characteristics:                                            │
│ - Often tied to geopolitical events                         │
│ - May include wiper malware                                 │
│ - Impact prioritized over persistence                       │
│ - May combine with information operations                   │
│                                                             │
│ Example: Sandworm attacks on Ukrainian infrastructure       │
└─────────────────────────────────────────────────────────────┘

INFLUENCE CAMPAIGNS:
┌─────────────────────────────────────────────────────────────┐
│ Objective: Shape perception, spread disinformation          │
│                                                             │
│ Characteristics:                                            │
│ - Combines cyber operations with information warfare        │
│ - Hack-and-leak operations                                  │
│ - Social media manipulation                                 │
│ - Targets public opinion or specific audiences              │
│                                                             │
│ Example: APT28 DNC breach and leak operation                │
└─────────────────────────────────────────────────────────────┘

SUPPLY CHAIN CAMPAIGNS:
┌─────────────────────────────────────────────────────────────┐
│ Objective: Compromise many via trusted relationship         │
│                                                             │
│ Characteristics:                                            │
│ - Targets software vendors, MSPs                            │
│ - Single compromise enables mass access                     │
│ - High sophistication required                              │
│ - Difficult to detect at victim level                       │
│                                                             │
│ Example: SolarWinds SUNBURST campaign                       │
└─────────────────────────────────────────────────────────────┘

Key insight: Identifying the campaign type helps predict adversary behavior and prioritize defensive resources.

2) Intrusion Analysis Frameworks

Structured frameworks help analyze intrusions systematically and connect individual events to campaigns:

The Diamond Model of Intrusion Analysis:

                    ADVERSARY
                        ●
                       /│\
                      / │ \
                     /  │  \
                    /   │   \
                   /    │    \
      INFRASTRUCTURE    │    CAPABILITY
              ●─────────┼─────────●
                   \    │    /
                    \   │   /
                     \  │  /
                      \ │ /
                       \│/
                        ●
                      VICTIM

Core Features:

ADVERSARY: Who is attacking
- Threat actor or group
- Nation-state, criminal, hacktivist
- Attribution confidence

CAPABILITY: What they're using
- Malware and tools
- Exploits
- TTPs

INFRASTRUCTURE: How they're delivering
- Domains, IPs
- C2 servers
- Delivery mechanisms

VICTIM: Who is targeted
- Organization or individual
- Sector, geography
- Selection criteria

Meta-Features:
- Timestamp: When the event occurred
- Phase: Kill chain stage
- Result: Success or failure
- Direction: Adversary-to-victim or vice versa
- Methodology: How analysis was performed
- Resources: What the adversary invested

Using the Diamond Model:

Diamond Model Analysis:

Single Event Analysis:
┌─────────────────────────────────────────────────────────────┐
│ Event: Phishing email delivering malware                    │
│                                                             │
│ ADVERSARY: Unknown (to be determined)                       │
│ CAPABILITY: Emotet dropper (hash: abc123...)                │
│ INFRASTRUCTURE: sender@phishing-domain.com                  │
│                 download from evil-site.com                 │
│ VICTIM: Finance department employee                         │
│ TIMESTAMP: 2024-03-15 09:30 UTC                             │
│ PHASE: Initial Access                                       │
└─────────────────────────────────────────────────────────────┘

Pivoting Through the Diamond:

Start with known element, discover unknowns:

Known: Malware hash (Capability)
  └──▶ VirusTotal: What infrastructure hosts this?
        └──▶ Passive DNS: What other IPs hosted this domain?
              └──▶ Shodan: What other services on those IPs?
                    └──▶ Related campaigns: Same adversary?

Known: C2 Domain (Infrastructure)
  └──▶ Who registered this domain?
        └──▶ What other domains share registrant?
              └──▶ What malware communicates with these?
                    └──▶ What victims have we seen?

Linking Events into Campaigns:

Event 1       Event 2       Event 3
    ●─────────────●─────────────●
    │             │             │
    │  Shared     │   Shared    │
    │  Infra      │   Malware   │
    └─────────────┴─────────────┘
              │
        Same Campaign

Cyber Kill Chain:

Lockheed Martin Cyber Kill Chain:

┌─────────────────────────────────────────────────────────────┐
│ 1. RECONNAISSANCE                                           │
│    Adversary researches target                              │
│    - OSINT gathering                                        │
│    - Scanning and enumeration                               │
│    - Social engineering reconnaissance                      │
├─────────────────────────────────────────────────────────────┤
│ 2. WEAPONIZATION                                            │
│    Adversary creates attack payload                         │
│    - Malware development                                    │
│    - Exploit integration                                    │
│    - Payload configuration                                  │
├─────────────────────────────────────────────────────────────┤
│ 3. DELIVERY                                                 │
│    Adversary transmits payload to victim                    │
│    - Phishing emails                                        │
│    - Watering hole sites                                    │
│    - Removable media                                        │
├─────────────────────────────────────────────────────────────┤
│ 4. EXPLOITATION                                             │
│    Adversary triggers payload execution                     │
│    - User execution (clicking)                              │
│    - Vulnerability exploitation                             │
│    - Zero-day or known exploit                              │
├─────────────────────────────────────────────────────────────┤
│ 5. INSTALLATION                                             │
│    Adversary establishes persistence                        │
│    - Malware installation                                   │
│    - Backdoor creation                                      │
│    - Rootkit deployment                                     │
├─────────────────────────────────────────────────────────────┤
│ 6. COMMAND & CONTROL                                        │
│    Adversary establishes remote control                     │
│    - C2 channel establishment                               │
│    - Beaconing                                              │
│    - Command reception                                      │
├─────────────────────────────────────────────────────────────┤
│ 7. ACTIONS ON OBJECTIVES                                    │
│    Adversary achieves goals                                 │
│    - Data exfiltration                                      │
│    - Lateral movement                                       │
│    - Destruction/disruption                                 │
└─────────────────────────────────────────────────────────────┘

Kill Chain for Campaign Analysis:
- Map observed activity to phases
- Identify where adversary was detected/stopped
- Find gaps where no visibility exists
- Compare phases across multiple incidents

Key insight: Frameworks provide structure for analysis. Diamond Model helps pivot between elements; Kill Chain maps progression.

3) Infrastructure Analysis

Understanding adversary infrastructure reveals operational patterns and enables predictive intelligence:

Infrastructure Components:

COMMAND AND CONTROL (C2):
┌─────────────────────────────────────────────────────────────┐
│ Function: Communication between adversary and implants      │
│                                                             │
│ Types:                                                      │
│ - Dedicated servers (VPS, bulletproof hosting)              │
│ - Compromised legitimate servers                            │
│ - Cloud services (AWS, Azure, legitimate platforms)         │
│ - Domain fronting / CDN abuse                               │
│ - Peer-to-peer networks                                     │
│                                                             │
│ Analysis Points:                                            │
│ - Registration patterns (timing, registrar)                 │
│ - Hosting provider selection                                │
│ - Geographic distribution                                   │
│ - Rotation patterns                                         │
└─────────────────────────────────────────────────────────────┘

DELIVERY INFRASTRUCTURE:
┌─────────────────────────────────────────────────────────────┐
│ Function: Deliver payloads to victims                       │
│                                                             │
│ Types:                                                      │
│ - Phishing domains (lookalike, typosquat)                   │
│ - Exploit kit hosting                                       │
│ - Watering hole compromised sites                           │
│ - File hosting services                                     │
│                                                             │
│ Analysis Points:                                            │
│ - Domain naming patterns                                    │
│ - SSL certificate patterns                                  │
│ - Hosting infrastructure overlap with C2                    │
└─────────────────────────────────────────────────────────────┘

STAGING/EXFILTRATION:
┌─────────────────────────────────────────────────────────────┐
│ Function: Stage tools or exfiltrate data                    │
│                                                             │
│ Types:                                                      │
│ - Cloud storage (Dropbox, Google Drive, OneDrive)           │
│ - Paste sites (Pastebin, GitHub gists)                      │
│ - Dedicated exfil servers                                   │
│ - DNS tunneling infrastructure                              │
│                                                             │
│ Analysis Points:                                            │
│ - Legitimate service abuse patterns                         │
│ - Data volume patterns                                      │
│ - Timing of exfiltration                                    │
└─────────────────────────────────────────────────────────────┘

Infrastructure Tracking:

Infrastructure Pivoting Techniques:

PASSIVE DNS:
┌─────────────────────────────────────────────────────────────┐
│ What: Historical DNS resolution records                     │
│                                                             │
│ Use Cases:                                                  │
│ - Find IPs a domain resolved to historically                │
│ - Find domains that resolved to an IP                       │
│ - Discover infrastructure changes over time                 │
│ - Link domains through shared hosting                       │
│                                                             │
│ Tools: VirusTotal, PassiveTotal, SecurityTrails, Farsight   │
│                                                             │
│ Example Pivot:                                              │
│ evil-c2.com → historically resolved to 192.168.1.100        │
│ 192.168.1.100 → also hosted backdoor-domain.com             │
│ → Two domains linked to same adversary infrastructure       │
└─────────────────────────────────────────────────────────────┘

WHOIS ANALYSIS:
┌─────────────────────────────────────────────────────────────┐
│ What: Domain registration information                       │
│                                                             │
│ Useful Fields:                                              │
│ - Registrant name/email (often fake but consistent)         │
│ - Registration date (clusters indicate campaigns)           │
│ - Registrar (adversary preferences)                         │
│ - Name servers (shared infrastructure)                      │
│                                                             │
│ Example Pattern:                                            │
│ Multiple domains registered:                                │
│ - Same day (March 1, 2024)                                  │
│ - Same registrar (NameCheap)                                │
│ - Privacy protection enabled                                │
│ - Similar naming convention                                 │
│ → Likely same actor, same campaign                          │
└─────────────────────────────────────────────────────────────┘

SSL CERTIFICATE ANALYSIS:
┌─────────────────────────────────────────────────────────────┐
│ What: TLS certificate information                           │
│                                                             │
│ Useful Fields:                                              │
│ - Subject/issuer patterns                                   │
│ - Certificate serial numbers                                │
│ - Validity periods                                          │
│ - Self-signed vs. CA-issued                                 │
│                                                             │
│ Tools: Censys, Shodan, crt.sh                               │
│                                                             │
│ Example:                                                    │
│ Cobalt Strike default certificate pattern                   │
│ → Identifies likely Cobalt Strike servers                   │
└─────────────────────────────────────────────────────────────┘

IP ENRICHMENT:
┌─────────────────────────────────────────────────────────────┐
│ ASN Analysis:                                               │
│ - Adversary hosting preferences                             │
│ - Bulletproof hosting indicators                            │
│ - Geographic patterns                                       │
│                                                             │
│ Port/Service Scanning:                                      │
│ - Open ports indicate purpose                               │
│ - Service banners reveal tools                              │
│ - JARM fingerprints identify C2 frameworks                  │
│                                                             │
│ Tools: Shodan, Censys, GreyNoise                            │
└─────────────────────────────────────────────────────────────┘

Infrastructure Patterns:

Adversary Infrastructure Patterns:

APT29 (Cozy Bear) Patterns:
┌─────────────────────────────────────────────────────────────┐
│ - Uses compromised legitimate websites for C2               │
│ - Domain fronting via cloud CDNs                            │
│ - Encrypted channels (HTTPS)                                │
│ - Long-lived infrastructure (months)                        │
│ - Geographic diversity                                      │
└─────────────────────────────────────────────────────────────┘

Ransomware Affiliate Patterns:
┌─────────────────────────────────────────────────────────────┐
│ - Shared infrastructure across affiliates                   │
│ - VPS hosting (often bulletproof)                           │
│ - Fast rotation (days to weeks)                             │
│ - Tor hidden services for negotiation                       │
│ - Data leak sites for pressure                              │
└─────────────────────────────────────────────────────────────┘

Emotet/TrickBot Patterns:
┌─────────────────────────────────────────────────────────────┐
│ - Tiered C2 architecture (Tier 1, 2, 3)                     │
│ - Compromised WordPress sites                               │
│ - Epoch-based campaigns                                     │
│ - Predictable C2 rotation schedules                         │
│ - Consistent port usage                                     │
└─────────────────────────────────────────────────────────────┘

Pattern Recognition Value:
- Identify new infrastructure before use in attacks
- Predict infrastructure rotation
- Detect campaigns even with new IOCs
- Attribute activity to known actors

Key insight: Infrastructure analysis reveals the adversary's logistics. As in a military campaign, understanding supply lines and communications enables disruption.

4) Campaign Analysis Methodology

Systematic campaign analysis connects individual incidents into comprehensive understanding:

Campaign Analysis Process:

Phase 1: DATA COLLECTION
┌─────────────────────────────────────────────────────────────┐
│ Gather all available information:                           │
│                                                             │
│ Internal Sources:                                           │
│ - Incident reports and forensics                            │
│ - SIEM/EDR detections                                       │
│ - Network traffic analysis                                  │
│ - Malware samples collected                                 │
│                                                             │
│ External Sources:                                           │
│ - Vendor threat reports                                     │
│ - ISAC/ISAO sharing                                         │
│ - Government advisories                                     │
│ - Open source intelligence                                  │
│                                                             │
│ Output: Consolidated dataset of events, IOCs, reports       │
└─────────────────────────────────────────────────────────────┘

Phase 2: CLUSTERING
┌─────────────────────────────────────────────────────────────┐
│ Group related activity:                                     │
│                                                             │
│ Clustering Criteria:                                        │
│ - Shared infrastructure (same IPs, domains)                 │
│ - Shared malware (same hashes, families)                    │
│ - Shared TTPs (same techniques, sequences)                  │
│ - Target coherence (same sector, geography)                 │
│ - Temporal proximity (same timeframe)                       │
│                                                             │
│ Methods:                                                    │
│ - Manual analysis and linking                               │
│ - Graph analysis (nodes and relationships)                  │
│ - Similarity scoring algorithms                             │
│                                                             │
│ Output: Groups of related events (potential campaigns)      │
└─────────────────────────────────────────────────────────────┘
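The graph-analysis method of Phase 2 applied to events recorded in the Diamond Model form from section 2, as an added example that is not course code: each event carries its core features, pairs are scored against the clustering criteria (the weights and 45-day window are assumed, analyst-tunable values), connected components become candidate campaigns, and each cluster gets a Phase 3 profile. Events E1-E4 are constructed to mirror the "shared infra / shared malware" linking sketch above.

```python
"""Cluster Diamond Model events into candidate campaigns (constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event recorded with the Diamond Model's core features."""
    event_id: str
    timestamp: datetime          # meta-feature: when the event occurred
    phase: str                   # meta-feature: kill chain stage
    victim_sector: str           # VICTIM
    capability: frozenset        # CAPABILITY: malware families / tools
    infrastructure: frozenset    # INFRASTRUCTURE: domains, IPs
    ttps: frozenset              # ATT&CK technique IDs observed


# Assumed weights: one shared infrastructure node or malware family links two
# events on its own; the softer signals (TTPs, sector, timing) only link in
# combination. Tune these to your own data.
W_INFRA, W_MALWARE, W_TTP, W_SECTOR, W_TIME = 3.0, 2.0, 1.0, 0.5, 0.5
LINK_THRESHOLD = 2.0
TIME_WINDOW = timedelta(days=45)


def pair_score(a: DiamondEvent, b: DiamondEvent) -> tuple:
    """Score how likely two events belong to one campaign and keep the
    reasons, so every edge in the graph can be audited by an analyst."""
    score, reasons = 0.0, []
    shared_infra = a.infrastructure & b.infrastructure
    if shared_infra:
        score += W_INFRA
        reasons.append(f"shared infrastructure: {sorted(shared_infra)}")
    shared_malware = a.capability & b.capability
    if shared_malware:
        score += W_MALWARE
        reasons.append(f"shared capability: {sorted(shared_malware)}")
    shared_ttps = a.ttps & b.ttps
    if len(shared_ttps) >= 2:          # a single common technique is too generic
        score += W_TTP
        reasons.append(f"shared TTPs: {sorted(shared_ttps)}")
    if a.victim_sector == b.victim_sector:
        score += W_SECTOR
        reasons.append(f"same sector: {a.victim_sector}")
    if abs(a.timestamp - b.timestamp) <= TIME_WINDOW:
        score += W_TIME
        reasons.append("temporal proximity")
    return score, reasons


def cluster_events(events: list) -> tuple:
    """Graph analysis: events are nodes, pairs above the threshold are edges,
    connected components (union-find) are candidate campaigns."""
    parent = {e.event_id: e.event_id for e in events}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    links = []
    for i, a in enumerate(events):
        for b in events[i + 1:]:
            score, reasons = pair_score(a, b)
            if score >= LINK_THRESHOLD:
                parent[find(a.event_id)] = find(b.event_id)
                links.append((a.event_id, b.event_id, score, reasons))
    groups = {}
    for e in events:
        groups.setdefault(find(e.event_id), []).append(e.event_id)
    return sorted(sorted(g) for g in groups.values()), links


def campaign_profile(events: list, cluster: list) -> dict:
    """Phase 3 characterization: summarize one cluster's shared elements."""
    members = [e for e in events if e.event_id in cluster]
    return {
        "events": sorted(cluster),
        "first_seen": min(e.timestamp for e in members),
        "last_seen": max(e.timestamp for e in members),
        "sectors": sorted({e.victim_sector for e in members}),
        "infrastructure": sorted(set().union(*(e.infrastructure for e in members))),
        "capability": sorted(set().union(*(e.capability for e in members))),
        "ttps": sorted(set().union(*(e.ttps for e in members))),
    }


# Constructed events modeled on the Diamond Model example in section 2.
EVENTS = [
    DiamondEvent("E1", datetime(2024, 3, 15, 9, 30), "Initial Access", "finance",
                 frozenset({"Emotet"}), frozenset({"evil-site.com", "phishing-domain.com"}),
                 frozenset({"T1566.001", "T1204.002"})),
    DiamondEvent("E2", datetime(2024, 3, 19, 14, 5), "Initial Access", "finance",
                 frozenset({"Emotet"}), frozenset({"evil-site.com"}),
                 frozenset({"T1566.001", "T1204.002", "T1059.001"})),
    DiamondEvent("E3", datetime(2024, 3, 27, 2, 40), "Command and Control", "healthcare",
                 frozenset({"Cobalt Strike"}), frozenset({"evil-site.com"}),
                 frozenset({"T1071.001"})),
    DiamondEvent("E4", datetime(2024, 3, 22, 11, 0), "Initial Access", "retail",
                 frozenset({"Qakbot"}), frozenset({"other-lure.net"}),
                 frozenset({"T1566.002"})),
]

if __name__ == "__main__":
    clusters, links = cluster_events(EVENTS)
    for a, b, score, reasons in links:
        print(f"{a} <-> {b}  score={score:.1f}  {'; '.join(reasons)}")
    for c in clusters:
        print(campaign_profile(EVENTS, c))
```

E3 joins the cluster only through the shared domain, which is exactly the link an indicator-only view would miss once the malware changes.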

Phase 3: CHARACTERIZATION
┌─────────────────────────────────────────────────────────────┐
│ Describe each campaign cluster:                             │
│                                                             │
│ Campaign Profile:                                           │
│ - Objective (espionage, financial, destructive)             │
│ - Target profile (who and why)                              │
│ - Attack chain (how attacks progress)                       │
│ - Infrastructure profile (what's used)                      │
│ - Toolset (malware and utilities)                           │
│ - Timeline (when active, duration)                          │
│                                                             │
│ Output: Campaign profile document                           │
└─────────────────────────────────────────────────────────────┘

Phase 4: ATTRIBUTION
┌─────────────────────────────────────────────────────────────┐
│ Link to known adversaries (if possible):                    │
│                                                             │
│ Attribution Evidence:                                       │
│ - Infrastructure overlaps with known actor                  │
│ - Malware code similarities                                 │
│ - TTP consistency with actor profile                        │
│ - Targeting alignment with actor objectives                 │
│ - External reporting attribution                            │
│                                                             │
│ Confidence Assessment:                                      │
│ - High: Multiple strong links                               │
│ - Medium: Some links, plausible                             │
│ - Low: Circumstantial only                                  │
│                                                             │
│ Output: Attribution assessment with confidence              │
└─────────────────────────────────────────────────────────────┘

Phase 5: OPERATIONALIZATION
┌─────────────────────────────────────────────────────────────┐
│ Produce actionable intelligence:                            │
│                                                             │
│ Products:                                                   │
│ - Detection rules (Sigma, YARA, Snort)                      │
│ - Hunt hypotheses                                           │
│ - Threat briefings                                          │
│ - ATT&CK mappings                                           │
│ - IOC packages with context                                 │
│                                                             │
│ Distribution:                                               │
│ - SOC for detection                                         │
│ - IR for response preparation                               │
│ - Leadership for awareness                                  │
│ - Partners/ISAC for sharing                                 │
│                                                             │
│ Output: Distributed intelligence products                   │
└─────────────────────────────────────────────────────────────┘

Campaign Timeline Analysis:

Timeline Construction:

Campaign Timeline Example:

2024-01 │ 2024-02 │ 2024-03 │ 2024-04 │
────────┼─────────┼─────────┼─────────┼────────
        │         │         │         │
   ●────┼─────────┼─●       │         │ Infra registered
        │    ●────┼─────────┼─●       │ Target A compromised
        │         │   ●─────┼─────────┼─● Target B compromised
        │         │         │  ●──────┼── Target C compromised
        │         │         │         │
────────┴─────────┴─────────┴─────────┴────────

Timeline Analysis Questions:
- When did campaign activity begin?
- What was the operational tempo?
- When was infrastructure registered vs. used?
- What events might correlate (geopolitical, etc.)?
- Is the campaign ongoing or concluded?

Operational Tempo Analysis:

High Tempo (Days between events):
→ Aggressive campaign, possibly opportunistic
→ May indicate automation
→ Likely to generate more IOCs quickly

Low Tempo (Weeks/months between events):
→ Deliberate, targeted campaign
→ Likely espionage-focused
→ Patience indicates resourced actor

Variable Tempo:
→ May indicate multiple operators
→ May reflect target availability
→ Could indicate shift in objectives
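The timeline questions and tempo categories above turned into a small analysis routine, as an added example that is not course code: the timeline is constructed to match the sketch (infrastructure registered in January, three compromises February to April), and the tempo thresholds, the coefficient-of-variation cut-off for "variable", and the 30-day "ongoing" window are assumptions to adjust to your own data.

```python
"""Campaign timeline and operational tempo analysis (constructed timeline)."""
from datetime import date
from math import sqrt
from typing import Optional

# Constructed timeline: (ISO date, label, kind); kind is "infrastructure"
# for adversary setup events and "compromise" for victim events.
TIMELINE = [
    ("2024-01-05", "C2 domains registered", "infrastructure"),
    ("2024-02-10", "Target A compromised", "compromise"),
    ("2024-03-14", "Target B compromised", "compromise"),
    ("2024-04-08", "Target C compromised", "compromise"),
]

# Assumed thresholds: a mean gap of a week or less is "high" tempo, three
# weeks or more is "low"; a coefficient of variation above 0.75 marks the
# spacing as "variable" regardless of the mean.
HIGH_TEMPO_DAYS, LOW_TEMPO_DAYS, VARIABLE_CV = 7, 21, 0.75


def compromise_intervals(timeline: list) -> list:
    """Days between consecutive compromises, in chronological order."""
    dates = sorted(date.fromisoformat(d) for d, _, kind in timeline if kind == "compromise")
    return [(b - a).days for a, b in zip(dates, dates[1:])]


def classify_tempo(intervals: list) -> str:
    """Map inter-event spacing onto the high / low / variable tempo categories."""
    if not intervals:
        return "insufficient data"
    mean = sum(intervals) / len(intervals)
    if len(intervals) >= 2 and mean > 0:
        cv = sqrt(sum((x - mean) ** 2 for x in intervals) / len(intervals)) / mean
        if cv > VARIABLE_CV:
            return "variable"          # irregular spacing: multiple operators?
    if mean <= HIGH_TEMPO_DAYS:
        return "high"                  # days between events
    if mean >= LOW_TEMPO_DAYS:
        return "low"                   # weeks/months between events
    return "moderate"                  # between the two assumed thresholds


def infrastructure_lead_time(timeline: list) -> Optional[int]:
    """Days from the earliest infrastructure setup to the first compromise:
    the window in which pre-registered infrastructure could have been spotted."""
    setup = [date.fromisoformat(d) for d, _, k in timeline if k == "infrastructure"]
    hits = [date.fromisoformat(d) for d, _, k in timeline if k == "compromise"]
    if not setup or not hits:
        return None
    return (min(hits) - min(setup)).days


def analyze_timeline(timeline: list, as_of: date, ongoing_window_days: int = 30) -> dict:
    """Answer the timeline analysis questions for one campaign."""
    all_dates = sorted(date.fromisoformat(d) for d, _, _ in timeline)
    intervals = compromise_intervals(timeline)
    return {
        "first_activity": all_dates[0],
        "last_activity": all_dates[-1],
        "infra_lead_time_days": infrastructure_lead_time(timeline),
        "compromise_intervals_days": intervals,
        "tempo": classify_tempo(intervals),
        # "ongoing" = activity seen within the assumed window before as_of
        "ongoing": (as_of - all_dates[-1]).days <= ongoing_window_days,
    }


if __name__ == "__main__":
    for key, value in analyze_timeline(TIMELINE, as_of=date(2024, 4, 20)).items():
        print(f"{key:>26}: {value}")
```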

Key insight: Campaign timelines reveal operational patterns. Understanding tempo helps predict future activity.

5) Producing Operational Intelligence

Operational intelligence products inform security operations and incident response:

Campaign Report Structure:

┌─────────────────────────────────────────────────────────────┐
│ CAMPAIGN REPORT: Operation Phantom Strike                   │
├─────────────────────────────────────────────────────────────┤
│ EXECUTIVE SUMMARY                                           │
│ - Campaign overview (1-2 paragraphs)                        │
│ - Key findings                                              │
│ - Recommendations                                           │
├─────────────────────────────────────────────────────────────┤
│ CAMPAIGN OVERVIEW                                           │
│ - Campaign name and aliases                                 │
│ - Timeline (first observed, last observed, ongoing?)        │
│ - Objective assessment                                      │
│ - Attribution (with confidence level)                       │
├─────────────────────────────────────────────────────────────┤
│ TARGETING                                                   │
│ - Victim profile (sectors, geographies)                     │
│ - Targeting criteria analysis                               │
│ - Known victims (if shareable)                              │
│ - Potential future targets                                  │
├─────────────────────────────────────────────────────────────┤
│ ATTACK CHAIN                                                │
│ - Initial access methods                                    │
│ - Execution techniques                                      │
│ - Persistence mechanisms                                    │
│ - Lateral movement                                          │
│ - C2 communication                                          │
│ - Actions on objectives                                     │
│ - ATT&CK mapping                                            │
├─────────────────────────────────────────────────────────────┤
│ INFRASTRUCTURE                                              │
│ - C2 infrastructure profile                                 │
│ - Delivery infrastructure                                   │
│ - Infrastructure patterns and TTPs                          │
│ - Infrastructure timeline                                   │
├─────────────────────────────────────────────────────────────┤
│ TOOLSET                                                     │
│ - Malware families used                                     │
│ - Legitimate tools abused                                   │
│ - Custom vs. commodity tools                                │
│ - Tool evolution observed                                   │
├─────────────────────────────────────────────────────────────┤
│ DETECTION GUIDANCE                                          │
│ - Detection opportunities by phase                          │
│ - Recommended signatures/rules                              │
│ - Hunt queries                                              │
│ - Log sources required                                      │
├─────────────────────────────────────────────────────────────┤
│ MITIGATIONS                                                 │
│ - Preventive controls                                       │
│ - Detection improvements                                    │
│ - Response preparations                                     │
├─────────────────────────────────────────────────────────────┤
│ INDICATORS OF COMPROMISE                                    │
│ - Network indicators (with context)                         │
│ - Host indicators (with context)                            │
│ - Email indicators                                          │
│ - YARA rules                                                │
├─────────────────────────────────────────────────────────────┤
│ APPENDICES                                                  │
│ - Technical analysis details                                │
│ - Full IOC list                                             │
│ - References                                                │
└─────────────────────────────────────────────────────────────┘

ATT&CK-Based Campaign Mapping:

Campaign ATT&CK Mapping:

Campaign: Operation Phantom Strike

RECONNAISSANCE:
└── T1598.003 Spearphishing for Information

INITIAL ACCESS:
├── T1566.001 Spearphishing Attachment
└── T1566.002 Spearphishing Link

EXECUTION:
├── T1204.002 Malicious File
├── T1059.001 PowerShell
└── T1059.003 Windows Command Shell

PERSISTENCE:
├── T1547.001 Registry Run Keys
└── T1053.005 Scheduled Task

PRIVILEGE ESCALATION:
└── T1055.001 DLL Injection

DEFENSE EVASION:
├── T1027 Obfuscated Files
├── T1070.004 File Deletion
└── T1036.005 Match Legitimate Name

CREDENTIAL ACCESS:
├── T1003.001 LSASS Memory
└── T1558.003 Kerberoasting

DISCOVERY:
├── T1083 File and Directory Discovery
├── T1057 Process Discovery
└── T1018 Remote System Discovery

LATERAL MOVEMENT:
├── T1021.001 Remote Desktop Protocol
└── T1021.002 SMB/Windows Admin Shares

COLLECTION:
├── T1560.001 Archive via Utility
└── T1005 Data from Local System

COMMAND AND CONTROL:
├── T1071.001 Web Protocols (HTTPS)
├── T1573.002 Asymmetric Cryptography
└── T1571 Non-Standard Port

EXFILTRATION:
└── T1041 Exfiltration Over C2 Channel

Navigator Layer: [Attached JSON]
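The mapping above ends with an attached Navigator layer. The following is an added example, not course material or code from MITRE, that turns the technique list into a JSON document in the ATT&CK Navigator layer format and compares two campaign layers to surface technique reuse and gaps. The second campaign ("Constructed Campaign B") is made up for the comparison, and the values in the `versions` block are assumptions to be set to the ATT&CK and Navigator releases you actually run.

```python
import json

# Technique list transcribed from the Operation Phantom Strike mapping,
# keyed by the tactic short names the Navigator layer format expects.
CAMPAIGN_NAME = "Operation Phantom Strike"
CAMPAIGN_TECHNIQUES = {
    "reconnaissance": ["T1598.003"],
    "initial-access": ["T1566.001", "T1566.002"],
    "execution": ["T1204.002", "T1059.001", "T1059.003"],
    "persistence": ["T1547.001", "T1053.005"],
    "privilege-escalation": ["T1055.001"],
    "defense-evasion": ["T1027", "T1070.004", "T1036.005"],
    "credential-access": ["T1003.001", "T1558.003"],
    "discovery": ["T1083", "T1057", "T1018"],
    "lateral-movement": ["T1021.001", "T1021.002"],
    "collection": ["T1560.001", "T1005"],
    "command-and-control": ["T1071.001", "T1573.002", "T1571"],
    "exfiltration": ["T1041"],
}

# Constructed second campaign used only to demonstrate layer comparison.
OTHER_CAMPAIGN = {
    "initial-access": ["T1566.001"],
    "execution": ["T1059.001", "T1047"],
}


def build_layer(name, techniques_by_tactic, comment="", color="#e60d0d"):
    """Return a dict in the ATT&CK Navigator layer format.

    The version numbers are an assumption; align them with the ATT&CK and
    Navigator releases in use so Navigator does not warn on import.
    """
    techniques = []
    for tactic, ids in techniques_by_tactic.items():
        for tid in ids:
            techniques.append({
                "techniqueID": tid,
                "tactic": tactic,
                "score": 1,          # 1 = observed in this campaign
                "color": color,
                "comment": comment,
                "enabled": True,
            })
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": f"Techniques observed in {name}",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", color], "minValue": 0, "maxValue": 1},
        "legendItems": [{"label": name, "color": color}],
    }


def technique_ids(layer):
    """Set of technique IDs present in a layer."""
    return {t["techniqueID"] for t in layer["techniques"]}


def compare_layers(layer_a, layer_b):
    """Shared and unique technique IDs between two campaign layers.

    Shared techniques hint at reuse (a linking candidate); techniques seen in
    only one campaign are coverage gaps to hunt for in the other.
    """
    a, b = technique_ids(layer_a), technique_ids(layer_b)
    return {
        "shared": sorted(a & b),
        "only_a": sorted(a - b),
        "only_b": sorted(b - a),
    }


if __name__ == "__main__":
    layer = build_layer(CAMPAIGN_NAME, CAMPAIGN_TECHNIQUES, comment="Observed")
    with open("phantom_strike_layer.json", "w", encoding="utf-8") as fh:
        json.dump(layer, fh, indent=2)
    other = build_layer("Constructed Campaign B", OTHER_CAMPAIGN, color="#1f77b4")
    print(compare_layers(layer, other))
```

Import the written JSON through Navigator's "Open Existing Layer" option; to overlay two campaigns, open both layers and use Navigator's layer combination feature, which is where the shared-technique list from `compare_layers` becomes visible as colour overlap.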

Hunt Packages:

Campaign-Based Hunt Package:

HUNT PACKAGE: Operation Phantom Strike

Hunt Hypothesis 1: Initial Access Detection
┌─────────────────────────────────────────────────────────────┐
│ Hypothesis: Adversary uses macro-enabled documents          │
│                                                             │
│ Hunt Query (Splunk):                                        │
│ index=endpoint process_name IN                              │
│   (powershell.exe, cmd.exe, wscript.exe)                    │
│ | join host parent_process_id                               │
│   [search index=endpoint process_name=WINWORD.EXE           │
│    | rename process_id AS parent_process_id                 │
│    | fields host parent_process_id]                         │
│ | table _time host user process_name command_line           │
│                                                             │
│ Data Sources: Process creation logs, EDR telemetry          │
│ ATT&CK: T1204.002, T1059.001                                │
└─────────────────────────────────────────────────────────────┘

Hunt Hypothesis 2: Persistence Detection
┌─────────────────────────────────────────────────────────────┐
│ Hypothesis: Adversary uses Run key persistence              │
│                                                             │
│ Hunt Query (Splunk):                                        │
│ index=endpoint EventCode=13                                 │
│ TargetObject="*\\CurrentVersion\\Run*"                      │
│ | where NOT match(Details, "known_good_pattern")            │
│ | table _time host user TargetObject Details                │
│                                                             │
│ Data Sources: Registry modification logs, Sysmon            │
│ ATT&CK: T1547.001                                           │
└─────────────────────────────────────────────────────────────┘

Hunt Hypothesis 3: C2 Detection
┌─────────────────────────────────────────────────────────────┐
│ Hypothesis: Beaconing to known C2 patterns                  │
│                                                             │
│ Hunt Query:                                                 │
│ index=proxy OR index=firewall                               │
│ dest_port=443                                               │
│ | bucket _time span=1h                                      │
│ | stats count by src_ip dest_ip _time                       │
│ | where count > 20 AND count < 100                          │
│ | stats stdev(count) as jitter by src_ip dest_ip            │
│ | where jitter < 5                                          │
│                                                             │
│ Data Sources: Proxy logs, firewall logs                     │
│ ATT&CK: T1071.001, T1573                                    │
└─────────────────────────────────────────────────────────────┘
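Hunt Hypothesis 3 states the beaconing heuristic as a Splunk search. Below is an added Python implementation of the same logic, not part of the course materials, run over constructed proxy log lines so the effect of the count band (20 to 100 per hour) and the stdev threshold can be seen directly. The log layout `timestamp src dst port` and the three sample hosts are assumptions: one host connects at a near-constant 30 per hour, one browses in bursts, and one is a backup job at a steady 500 per hour that the band deliberately excludes.

```python
import statistics
from collections import defaultdict
from datetime import datetime


def _make_sample_logs():
    """Constructed proxy log lines ("timestamp src dst port"), not real traffic."""
    lines = []
    base = datetime(2024, 3, 4)
    # Bursty, human-like hourly volumes for the browsing host.
    human = [25, 60, 22, 90, 30, 45, 70, 24]
    for hour in range(8):
        profiles = [
            ("10.0.0.5", "203.0.113.10", 443, 30 + hour % 2),  # beacon-like
            ("10.0.0.9", "203.0.113.20", 443, human[hour]),    # human-like
            ("10.0.0.7", "203.0.113.30", 443, 500),            # steady backup job
            ("10.0.0.9", "203.0.113.40", 80, 40),              # plain HTTP, ignored
        ]
        for src, dst, port, n in profiles:
            for i in range(n):
                ts = base.replace(hour=hour, minute=i % 60, second=i // 60)
                lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} {src} {dst} {port}")
    return lines


SAMPLE_LOGS = _make_sample_logs()


def parse_line(line):
    ts, src, dst, port = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst, int(port)


def hourly_counts(lines, port=443):
    """Per (src, dst) pair: number of connections in each one-hour bucket.
    Mirrors 'dest_port=443 | bucket _time span=1h | stats count by ...'."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, src, dst, p = parse_line(line)
        if p != port:
            continue
        counts[(src, dst)][ts.replace(minute=0, second=0)] += 1
    return counts


def find_beacons(lines, min_per_hour=20, max_per_hour=100,
                 max_stdev=5.0, min_hours=3):
    """Pairs whose in-band hourly counts barely vary, i.e. beacon candidates.

    As in the Splunk search, hours outside the band are dropped before the
    spread is computed, so a steady but very chatty pair is never scored.
    """
    results = {}
    for pair, buckets in hourly_counts(lines).items():
        in_band = [c for c in buckets.values() if min_per_hour < c < max_per_hour]
        if len(in_band) < min_hours:
            continue
        jitter = statistics.stdev(in_band) if len(in_band) > 1 else 0.0
        if jitter < max_stdev:
            results[pair] = {
                "hours": len(in_band),
                "mean": statistics.mean(in_band),
                "stdev": jitter,
            }
    return results


if __name__ == "__main__":
    for pair, stats in find_beacons(SAMPLE_LOGS).items():
        print(pair, stats)
```

The `min_hours` guard is the one addition over the search: with only one or two in-band hours the standard deviation is meaningless, and a pair needs several buckets before low variance says anything about periodicity. Widening the band makes the backup job light up too, which is why the hunt pairs the statistical filter with knowledge of what the campaign's C2 volume actually looks like.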

Key insight: Operational intelligence should enable action. Hunt packages and detection guidance transform analysis into defensive capability.

Real-World Context

Case Study: Tracking Emotet Campaigns

Emotet operated as a malware-as-a-service platform with distinct campaign patterns. Analysts identified "epochs", separate botnets with independent infrastructure. Each epoch had characteristic C2 communication patterns, infrastructure preferences, and payload delivery methods. By tracking these patterns, defenders could predict campaign timing (Emotet typically went quiet on weekends), identify new infrastructure before attacks (registration patterns), and attribute new samples to specific epochs. When law enforcement took down Emotet in January 2021, the campaign intelligence enabled immediate identification of affected systems through known C2 patterns.

Case Study: SolarWinds Campaign Analysis

The SolarWinds supply chain campaign demonstrated sophisticated operational security. Campaign analysis revealed:

  • Extremely selective targeting: of 18,000 victims with trojanized software, only ~100 received second-stage malware
  • Operational patience: a 14-day delay before C2 activation
  • Infrastructure that mimicked legitimate services
  • Technique refinement across victims

This operational intelligence enabled defenders to understand that the threat was espionage-focused (not destructive), assess their own risk based on the targeting criteria, and develop detection for campaign-specific patterns even as indicators changed.

Operational Intelligence Value:

Operational Intelligence Applications:

FOR SECURITY OPERATIONS:
┌─────────────────────────────────────────────────────────────┐
│ - Develop detection rules from campaign TTPs                │
│ - Prioritize alerts based on campaign relevance             │
│ - Prepare response playbooks for likely scenarios           │
│ - Train analysts on campaign patterns                       │
└─────────────────────────────────────────────────────────────┘

FOR INCIDENT RESPONSE:
┌─────────────────────────────────────────────────────────────┐
│ - Accelerate attribution during incidents                   │
│ - Know what to look for based on campaign profile           │
│ - Predict adversary next moves                              │
│ - Scope incidents using campaign knowledge                  │
└─────────────────────────────────────────────────────────────┘

FOR THREAT HUNTING:
┌─────────────────────────────────────────────────────────────┐
│ - Generate hypotheses from campaign analysis                │
│ - Search for campaign-specific artifacts                    │
│ - Validate detection coverage against campaigns             │
│ - Discover unreported campaign activity                     │
└─────────────────────────────────────────────────────────────┘

FOR LEADERSHIP:
┌─────────────────────────────────────────────────────────────┐
│ - Understand threat landscape at operational level          │
│ - Justify security investments                              │
│ - Communicate risk based on relevant campaigns              │
│ - Track effectiveness against known threats                 │
└─────────────────────────────────────────────────────────────┘

Operational intelligence transforms security from reactive to proactive by enabling defenders to think like adversaries.

Guided Lab: Campaign Analysis

In this lab, you'll analyze multiple threat reports to identify and characterize a campaign.

Lab Environment:

  • Multiple threat reports (provided scenario)
  • ATT&CK Navigator
  • Analysis template
  • Timeline tool (spreadsheet or diagramming)

Exercise Steps:

  1. Review multiple incident reports for common elements
  2. Apply Diamond Model to each incident
  3. Identify shared infrastructure, malware, or TTPs
  4. Cluster related activity into campaign(s)
  5. Build campaign timeline
  6. Create ATT&CK mapping for campaign
  7. Develop campaign profile document
  8. Create hunt package based on findings

Reflection Questions:

  • What elements most strongly linked incidents together?
  • What gaps exist in your campaign understanding?
  • How would you detect future activity from this campaign?

Week Outcome Check

By the end of this week, you should be able to:

  • Define campaigns and distinguish from individual attacks
  • Apply the Diamond Model to intrusion analysis
  • Map activity to the Cyber Kill Chain
  • Conduct infrastructure analysis using pivoting techniques
  • Perform systematic campaign analysis
  • Identify operational patterns in adversary behavior
  • Produce campaign reports and hunt packages
  • Create ATT&CK-based campaign mappings

🎯 Hands-On Labs (Free & Essential)

Practice campaign analysis before moving to reading resources.

🎮 TryHackMe: Threat Hunting

What you'll do: Apply hypothesis-driven hunting to campaign indicators.
Why it matters: Campaigns often surface through hunting patterns.
Time estimate: 1.5-2 hours

Start TryHackMe Threat Hunting →

🧭 ATT&CK Navigator: Campaign Layer

What you'll do: Build a technique layer for a named campaign.
Why it matters: Visual layers reveal reuse and gaps across campaigns.
Time estimate: 60-90 minutes

Open ATT&CK Navigator →

📝 Lab Exercise: Campaign Timeline + Infrastructure Map

Task: Build a timeline of events and infrastructure pivots for one campaign.
Deliverable: Timeline table + graph of infrastructure relationships.
Why it matters: Operational patterns guide proactive defense.
Time estimate: 90-120 minutes

🧩 Lab: Supply Chain Campaign Tracking

What you'll do: Track a supply chain campaign across vendors and releases.
Deliverable: Timeline with affected products, versions, and remediation.
Why it matters: Supply chain campaigns move through ecosystems fast.
Time estimate: 60-90 minutes

💡 Lab Tip: Track infrastructure reuse across campaigns to spot related activity.

🧩 Supply Chain Campaigns

Supply chain campaigns often cascade across vendors, releases, and downstream customers. Operational intel must track scope.

Campaign tracking focus:
- Affected product versions
- Build pipeline compromise points
- Timeline of vendor notifications
- Downstream exposure windows

📚 Building on CSY101 Week-14: Use standards to define remediation timelines.

Lab

Complete the following lab exercises to practice operational intelligence and campaign analysis.

Part 1: Diamond Model Application (LO2, LO4)

Apply the Diamond Model to three provided incidents. For each: (a) identify all four vertices, (b) document meta-features, (c) identify potential pivots for further investigation.

Deliverable: Three Diamond Model analyses with documented pivoting opportunities.

Part 2: Campaign Clustering (LO2)

Given data from 10 incidents, cluster them into campaigns based on shared elements. Document: (a) clustering criteria used, (b) evidence supporting each cluster, (c) incidents that don't fit any cluster.

Deliverable: Campaign clustering analysis with evidence documentation.
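Exercise steps 2 to 4 of the guided lab and Part 2 of this lab both ask for the same thing: apply Diamond Model features to each incident, then cluster incidents on shared elements and say which ones fit nowhere. The following is an added example of one way to do that, not the course's own template or tooling. The five incident records are constructed for illustration, and the link weights, the commodity-family exclusion and the link threshold are assumptions an analyst would tune; the point they encode is that shared infrastructure or a shared custom tool is strong linking evidence, while overlap on widely used techniques alone is weak.

```python
from collections import defaultdict
from itertools import combinations

# Constructed incident records (illustrative, not from any real report), each
# carrying Diamond Model vertices plus observed ATT&CK technique IDs.
INCIDENTS = {
    "INC-01": {"infrastructure": {"203.0.113.10", "update-cdn.example"},
               "capability": {"LoaderA"}, "victim": "finance",
               "ttps": {"T1566.001", "T1059.001", "T1547.001"}},
    "INC-02": {"infrastructure": {"203.0.113.10"},
               "capability": {"LoaderA", "RatB"}, "victim": "finance",
               "ttps": {"T1566.001", "T1059.001", "T1021.001"}},
    "INC-03": {"infrastructure": {"198.51.100.7"},
               "capability": {"RatB"}, "victim": "energy",
               "ttps": {"T1566.002", "T1059.003", "T1021.001"}},
    "INC-04": {"infrastructure": {"198.51.100.8"},
               "capability": {"Ransom-X"}, "victim": "health",
               "ttps": {"T1190", "T1486"}},
    "INC-05": {"infrastructure": {"192.0.2.44"},
               "capability": {"CommodityStealer"}, "victim": "retail",
               "ttps": {"T1566.001", "T1059.001", "T1547.001"}},
}

# Assumed analyst tuning: families sold too widely to count as linking
# evidence, per-item weights for each shared element, and the score at
# which two incidents are considered linked.
COMMODITY_FAMILIES = {"CommodityStealer"}
WEIGHTS = {"infrastructure": 3.0, "capability": 2.0, "ttp": 0.5}
LINK_THRESHOLD = 2.0


def link_evidence(a, b):
    """Shared Diamond Model elements between two incidents, by element type."""
    evidence = {}
    shared_infra = a["infrastructure"] & b["infrastructure"]
    if shared_infra:
        evidence["infrastructure"] = shared_infra
    shared_cap = (a["capability"] & b["capability"]) - COMMODITY_FAMILIES
    if shared_cap:
        evidence["capability"] = shared_cap
    shared_ttps = a["ttps"] & b["ttps"]
    if shared_ttps:
        evidence["ttp"] = shared_ttps
    return evidence


def link_score(evidence):
    """Weighted sum over every shared item."""
    return sum(WEIGHTS[kind] * len(items) for kind, items in evidence.items())


def cluster_incidents(incidents, threshold=LINK_THRESHOLD):
    """Union-find over pairwise links; connected components are campaigns.

    Returns clusters of two or more incidents, the incidents that linked to
    nothing, and the evidence behind every accepted link.
    """
    parent = {key: key for key in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    links = {}
    for a, b in combinations(sorted(incidents), 2):
        evidence = link_evidence(incidents[a], incidents[b])
        score = link_score(evidence)
        if score >= threshold:
            links[(a, b)] = {"score": score, "evidence": evidence}
            parent[find(a)] = find(b)

    groups = defaultdict(list)
    for key in incidents:
        groups[find(key)].append(key)
    clusters = sorted(sorted(g) for g in groups.values() if len(g) > 1)
    unclustered = sorted(k for g in groups.values() if len(g) == 1 for k in g)
    return {"clusters": clusters, "unclustered": unclustered, "links": links}


if __name__ == "__main__":
    result = cluster_incidents(INCIDENTS)
    print("clusters:", result["clusters"])
    print("unclustered:", result["unclustered"])
    for pair, link in result["links"].items():
        print(pair, link["score"], link["evidence"])
```

With these records INC-01 and INC-02 link on a shared C2 address and LoaderA, INC-02 and INC-03 link on RatB, so all three form one cluster even though INC-01 and INC-03 share nothing directly. INC-05 overlaps INC-01 on three techniques yet stays unclustered, because spearphishing, PowerShell and a Run key are too common to link incidents on their own; the retained `links` evidence is exactly what Part 2 asks you to document for each cluster.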

Part 3: Infrastructure Analysis (LO2, LO4)

Conduct infrastructure analysis on provided domains/IPs: (a) passive DNS pivoting, (b) WHOIS analysis, (c) hosting patterns, (d) certificate analysis. Document discovered relationships.

Deliverable: Infrastructure analysis report with relationship diagram.

Part 4: Campaign Report (LO2, LO8)

Produce a full campaign report using the provided template. Include: (a) all required sections, (b) ATT&CK mapping with Navigator layer, (c) timeline visualization, (d) IOCs with context.

Deliverable: Complete campaign report suitable for stakeholder distribution.

Part 5: Hunt Package Development (LO2, LO6)

Based on campaign analysis, develop a hunt package: (a) 3-5 hunt hypotheses, (b) hunt queries for each, (c) required data sources, (d) expected outcomes and next steps.

Deliverable: Hunt package document with actionable queries and methodology.

Week 06 Quiz

Test your understanding of Operational Intelligence and Campaigns.

Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.

Take Quiz

Checkpoint Questions

  1. What defines a campaign versus an individual attack? What elements link multiple incidents into a campaign?
  2. Explain the Diamond Model's four vertices and how you would use pivoting to expand analysis from one vertex.
  3. How does the Cyber Kill Chain help in campaign analysis? What are its limitations?
  4. Describe three infrastructure analysis techniques and what each reveals about adversary operations.
  5. What should a campaign report contain to be operationally useful? Who are the key audiences?
  6. How does operational intelligence differ from tactical intelligence in its use and value?

Weekly Reflection

Operational intelligence reveals the "how" behind adversary operations. This week explored connecting individual incidents into campaigns that expose patterns enabling prediction and proactive defense.

Reflect on the following in 200-300 words:

A strong reflection demonstrates understanding of campaign analysis as enabling proactive defense and the challenges of connecting disparate data into coherent intelligence.
