Capstone Overview
This capstone integrates everything you've learned throughout CSY301 into a comprehensive threat intelligence product. You will select a threat actor relevant to a specific organization or sector, conduct thorough research using OSINT and available intelligence sources, analyze their tactics and operations, and produce a professional intelligence report with actionable recommendations.
This is not an academic exercise—it's the type of work professional threat intelligence analysts produce for real organizations. Your report should be suitable for distribution to security operations, executive leadership, and peer organizations (with appropriate TLP handling).
The capstone represents 35% of your course grade and demonstrates mastery across all eight learning outcomes.
Key deliverable: A complete threat intelligence report that could be used by a real organization to improve their defenses.
Learning Outcomes Assessed
This capstone assesses all course learning outcomes:
Learning Outcome Mapping:
LO1: Intelligence Lifecycle Application
┌─────────────────────────────────────────────────────────────┐
│ Demonstrated by: │
│ - Following structured intelligence process │
│ - Defining requirements before collection │
│ - Processing and analyzing collected data │
│ - Producing actionable intelligence product │
│ - Incorporating feedback considerations │
└─────────────────────────────────────────────────────────────┘
LO2: Threat Actor Profiling and Attribution
┌─────────────────────────────────────────────────────────────┐
│ Demonstrated by: │
│ - Comprehensive threat actor profile │
│ - Motivation and capability assessment │
│ - Attribution analysis with confidence levels │
│ - Historical activity documentation │
└─────────────────────────────────────────────────────────────┘
LO3: MITRE ATT&CK Framework Application
┌─────────────────────────────────────────────────────────────┐
│ Demonstrated by: │
│ - Complete TTP mapping to ATT&CK │
│ - Navigator layer visualization │
│ - Detection recommendations per technique │
│ - Gap analysis against ATT&CK coverage │
└─────────────────────────────────────────────────────────────┘
LO4: Tactical Intelligence (IOCs)
┌─────────────────────────────────────────────────────────────┐
│ Demonstrated by: │
│ - IOC collection and validation │
│ - Context and confidence for indicators │
│ - STIX-formatted indicator package │
│ - Operationalization recommendations │
└─────────────────────────────────────────────────────────────┘
LO5: OSINT Gathering
┌─────────────────────────────────────────────────────────────┐
│ Demonstrated by: │
│ - Multi-source OSINT research │
│ - Infrastructure analysis │
│ - Source documentation and validation │
│ - Ethical collection practices │
└─────────────────────────────────────────────────────────────┘
LO6: Threat Hunting with Intelligence
┌─────────────────────────────────────────────────────────────┐
│ Demonstrated by: │
│ - Hunt hypotheses based on actor TTPs │
│ - Hunt queries for key techniques │
│ - Detection rule recommendations │
│ - Purple team exercise suggestions │
└─────────────────────────────────────────────────────────────┘
LO7: Strategic Intelligence Production
┌─────────────────────────────────────────────────────────────┐
│ Demonstrated by: │
│ - Executive summary for leadership │
│ - Risk assessment and business impact │
│ - Strategic recommendations │
│ - Trend analysis and future outlook │
└─────────────────────────────────────────────────────────────┘
LO8: Stakeholder Communication
┌─────────────────────────────────────────────────────────────┐
│ Demonstrated by: │
│ - Multi-audience report structure │
│ - Appropriate TLP designation │
│ - Clear, professional writing │
│ - Actionable recommendations │
│ - Proper confidence language │
└─────────────────────────────────────────────────────────────┘
Capstone Requirements
Your threat intelligence report must include the following components:
Required Report Sections:
1. EXECUTIVE SUMMARY (1-2 pages)
┌─────────────────────────────────────────────────────────────┐
│ □ Bottom-line assessment │
│ □ Key findings (3-5 bullets) │
│ □ Risk level for target organization/sector │
│ □ Top recommendations │
│ □ Confidence statement │
│ │
│ Audience: C-suite, board, non-technical leadership │
│ LOs Assessed: LO7, LO8 │
└─────────────────────────────────────────────────────────────┘
2. THREAT ACTOR PROFILE (3-5 pages)
┌─────────────────────────────────────────────────────────────┐
│ □ Actor name and known aliases │
│ □ Attribution assessment with confidence │
│ □ Motivation analysis │
│ □ Capability assessment (technical, resources, operational) │
│ □ Target profile (sectors, geographies, victim types) │
│ □ Historical activity timeline │
│ □ Notable operations/campaigns │
│ □ Relationships to other actors │
│ │
│ Audience: Security leadership, threat intel team │
│ LOs Assessed: LO1, LO2, LO5 │
└─────────────────────────────────────────────────────────────┘
3. TACTICS, TECHNIQUES & PROCEDURES (4-6 pages)
┌─────────────────────────────────────────────────────────────┐
│ □ Complete attack chain description │
│ □ ATT&CK technique mapping (all observed techniques) │
│ □ Technique details with procedure examples │
│ □ Tool and malware analysis │
│ □ Infrastructure patterns │
│ □ ATT&CK Navigator layer (JSON + visualization) │
│ │
│ Audience: SOC, detection engineering, threat hunters │
│ LOs Assessed: LO2, LO3, LO5 │
└─────────────────────────────────────────────────────────────┘
4. INDICATORS OF COMPROMISE (2-3 pages + appendix)
┌─────────────────────────────────────────────────────────────┐
│ □ Validated IOCs with context │
│ □ Confidence ratings per indicator │
│ □ Validity timeframes │
│ □ Operationalization recommendations │
│ □ STIX 2.1 formatted IOC package (appendix) │
│ │
│ Audience: SOC, security operations │
│ LOs Assessed: LO4, LO5 │
└─────────────────────────────────────────────────────────────┘
5. DETECTION & HUNTING GUIDANCE (3-4 pages)
┌─────────────────────────────────────────────────────────────┐
│ □ Detection opportunities by kill chain phase │
│ □ Sigma rules for key techniques (minimum 3) │
│ □ Hunt hypotheses (minimum 5) │
│ □ Hunt queries with expected outcomes │
│ □ Data source requirements │
│ □ Purple team exercise recommendations │
│ │
│ Audience: Detection engineers, threat hunters │
│ LOs Assessed: LO3, LO6 │
└─────────────────────────────────────────────────────────────┘
6. RISK ASSESSMENT & RECOMMENDATIONS (2-3 pages)
┌─────────────────────────────────────────────────────────────┐
│ □ Likelihood assessment for target organization │
│ □ Potential impact analysis │
│ □ Current defense gap analysis │
│ □ Prioritized mitigation recommendations │
│ □ Quick wins vs. strategic investments │
│ □ Metrics for measuring improvement │
│ │
│ Audience: Security leadership, executive team │
│ LOs Assessed: LO7, LO8 │
└─────────────────────────────────────────────────────────────┘
7. APPENDICES
┌─────────────────────────────────────────────────────────────┐
│ □ A: Full IOC list (STIX JSON) │
│ □ B: ATT&CK Navigator layer (JSON) │
│ □ C: Sigma detection rules │
│ □ D: Hunt query package │
│ □ E: Source bibliography │
│ □ F: Methodology notes │
│ │
│ LOs Assessed: LO1, LO3, LO4, LO6 │
└─────────────────────────────────────────────────────────────┘
TOTAL LENGTH: 20-30 pages (excluding appendices)
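Section 3 and Appendix B require an ATT&CK Navigator layer, and the submission package asks for it to be colour-coded by detection confidence. The script below generates such a layer file. It is an added example for this page, not a MITRE tool or course-supplied code: the four-level confidence scheme, the colours and the confidence assigned to each sample technique are assumptions for illustration, and the version strings under "versions" are what current Navigator releases write, so check them against the Navigator instance you load the layer into.

```python
"""Generate an ATT&CK Navigator layer (Appendix B) coloured by detection
confidence. Added example for this capstone page; not a MITRE tool. The
confidence scheme, colours and per-technique ratings are assumptions.
"""
import json
import re

# Assumed scoring: how well the target organisation can detect the technique
CONFIDENCE = {
    "none":   (0, "#ff6666"),   # no telemetry or rule
    "low":    (1, "#ffb366"),   # telemetry exists, no rule
    "medium": (2, "#ffff66"),   # rule exists, untested
    "high":   (3, "#8ec843"),   # rule exists and validated in a purple team exercise
}
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def build_layer(name, mapping, attack_version="14"):
    """mapping: iterable of (technique_id, confidence_label, comment)."""
    techniques = []
    for tid, conf, comment in mapping:
        if not TECHNIQUE_ID.match(tid):
            raise ValueError(f"not an ATT&CK technique id: {tid}")
        if conf not in CONFIDENCE:
            raise ValueError(f"unknown confidence label: {conf}")
        score, colour = CONFIDENCE[conf]
        techniques.append({
            "techniqueID": tid,
            "score": score,
            "color": colour,
            "comment": comment,
            "enabled": True,
            "showSubtechniques": "." in tid,   # expand the parent so the sub-technique is visible
        })
    return {
        "name": name,
        # version strings assumed from current Navigator releases; verify locally
        "versions": {"attack": attack_version, "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Detection confidence per observed technique (0 = none, 3 = high)",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#8ec843"], "minValue": 0, "maxValue": 3},
        "legendItems": [{"label": f"{label} confidence", "color": colour}
                        for label, (_, colour) in CONFIDENCE.items()],
        "layout": {"layout": "side", "showID": True, "showName": True},
    }


def coverage(layer, min_label="medium"):
    """Fraction of mapped techniques at or above a confidence label; this is
    the figure an executive summary quotes as 'detection coverage'."""
    threshold = CONFIDENCE[min_label][0]
    techs = layer["techniques"]
    return sum(t["score"] >= threshold for t in techs) / len(techs) if techs else 0.0


def write_layer(layer, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(layer, fh, indent=2)


# Techniques taken from this page's TTP and hunt excerpts; ratings are assumed
SAMPLE_MAPPING = [
    ("T1547.001", "medium", "Run key persistence; Sysmon EID 13 rule drafted"),
    ("T1053.005", "high",   "Scheduled task rule validated in purple team"),
    ("T1071.001", "low",    "Proxy logs present, no beaconing analytic yet"),
    ("T1573.002", "none",   "No TLS metadata collection"),
]

if __name__ == "__main__":
    layer = build_layer("APT41 detection confidence (sample)", SAMPLE_MAPPING)
    write_layer(layer, "ATT&CK_Layer.json")
    print(f"coverage at medium or better: {coverage(layer):.0%}")
```

Load the resulting file through Navigator's "Open Existing Layer" option; if it renders, the JSON is structurally valid. The coverage() figure is also the number to reconcile with any percentage you quote in the executive summary, so derive both from the same mapping.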
Threat Actor Selection
Select one threat actor from the approved list or propose an alternative for approval:
Approved Threat Actors:
NATION-STATE / APT:
┌─────────────────────────────────────────────────────────────┐
│ APT29 (Cozy Bear) │
│ - Russian espionage group │
│ - Targets: Government, think tanks, healthcare │
│ - Good for: Sophisticated TTPs, well-documented │
│ │
│ APT41 (Double Dragon) │
│ - Chinese dual espionage/financial group │
│ - Targets: Healthcare, telecom, gaming, technology │
│ - Good for: Blended motivation, supply chain focus │
│ │
│ Lazarus Group │
│ - North Korean state-sponsored │
│ - Targets: Financial, cryptocurrency, defense │
│ - Good for: Financial motivation, destructive capability │
│ │
│ APT28 (Fancy Bear) │
│ - Russian military intelligence (GRU) │
│ - Targets: Government, military, media │
│ - Good for: Information operations, destructive attacks │
│ │
│ MuddyWater │
│ - Iranian state-sponsored │
│ - Targets: Telecom, government, oil & gas │
│ - Good for: Middle East focus, evolving TTPs │
└─────────────────────────────────────────────────────────────┘
CYBERCRIMINAL:
┌─────────────────────────────────────────────────────────────┐
│ LockBit │
│ - Ransomware-as-a-Service operation │
│ - Targets: Cross-sector, opportunistic │
│ - Good for: Affiliate model, prolific activity │
│ │
│ BlackCat/ALPHV │
│ - Sophisticated ransomware group │
│ - Targets: Critical infrastructure, healthcare │
│ - Good for: Technical sophistication, Rust malware │
│ │
│ FIN7 │
│ - Financially motivated cybercrime group │
│ - Targets: Retail, hospitality, financial │
│ - Good for: Social engineering, POS malware │
│ │
│ Scattered Spider │
│ - Social engineering focused group │
│ - Targets: Telecom, technology, BPO │
│ - Good for: SIM swapping, identity attacks │
└─────────────────────────────────────────────────────────────┘
SELECTION CRITERIA:
- Sufficient public documentation exists
- Active in past 24 months
- Relevant to a specific sector you'll analyze
- Multiple sources available for research
ALTERNATIVE PROPOSALS:
If proposing alternative actor, submit:
- Actor name and brief description
- Why this actor is relevant
- Evidence of sufficient documentation
- Sector relevance
Target Organization Context
Your report must be written for a specific organizational context. Select or define your target:
Organization Context Options:
OPTION A: SELECT PREDEFINED SCENARIO
Scenario 1: Regional Healthcare System
┌─────────────────────────────────────────────────────────────┐
│ Organization: MedCare Regional Health │
│ Sector: Healthcare │
│ Size: 5,000 employees, 3 hospitals, 20 clinics │
│ Geography: Midwest United States │
│ Key Assets: EHR systems, medical devices, research data │
│ Current Security: Moderate maturity, basic EDR, SIEM │
│ Concerns: Ransomware, patient data theft, compliance │
└─────────────────────────────────────────────────────────────┘
Scenario 2: Mid-Size Financial Services
┌─────────────────────────────────────────────────────────────┐
│ Organization: Cornerstone Financial Group │
│ Sector: Financial Services │
│ Size: 2,000 employees, $50B AUM │
│ Geography: US East Coast, London office │
│ Key Assets: Trading systems, client data, wire transfer │
│ Current Security: Higher maturity, multiple security tools │
│ Concerns: Financial theft, espionage, regulatory │
└─────────────────────────────────────────────────────────────┘
Scenario 3: Technology Manufacturing
┌─────────────────────────────────────────────────────────────┐
│ Organization: TechFab Industries │
│ Sector: Technology / Manufacturing │
│ Size: 8,000 employees, global operations │
│ Geography: US HQ, manufacturing in Asia │
│ Key Assets: IP, designs, supply chain systems, OT/ICS │
│ Current Security: Mixed maturity, IT/OT convergence issues │
│ Concerns: IP theft, supply chain, nation-state espionage │
└─────────────────────────────────────────────────────────────┘
Scenario 4: Government Agency
┌─────────────────────────────────────────────────────────────┐
│ Organization: State Department of Transportation │
│ Sector: State/Local Government │
│ Size: 3,500 employees │
│ Geography: Single US state │
│ Key Assets: Critical infrastructure, citizen data, OT │
│ Current Security: Lower maturity, limited resources │
│ Concerns: Ransomware, state-sponsored threats, insider │
└─────────────────────────────────────────────────────────────┘
OPTION B: DEFINE YOUR OWN
If defining custom organization:
□ Organization description (sector, size, geography)
□ Key assets and crown jewels
□ Current security posture
□ Primary threat concerns
□ Why selected threat actor is relevant
Research Guidance
Quality research is the foundation of quality intelligence. Follow these guidelines:
Research Requirements:
SOURCE DIVERSITY:
┌─────────────────────────────────────────────────────────────┐
│ Required Source Types (minimum): │
│ │
│ □ Government advisories (CISA, FBI, NSA) - minimum 3 │
│ □ Vendor threat reports (CrowdStrike, Mandiant, etc.) - 3 │
│ □ Academic/research papers - 1 │
│ □ MITRE ATT&CK documentation │
│ □ OSINT sources (VirusTotal, Shodan, etc.) │
│ □ News/media reporting - 2 │
│ │
│ Total sources: Minimum 15 │
└─────────────────────────────────────────────────────────────┘
SOURCE EVALUATION:
┌─────────────────────────────────────────────────────────────┐
│ For each major source, assess: │
│ │
│ - Reliability (track record, expertise) │
│ - Currency (when published, still relevant?) │
│ - Corroboration (confirmed by other sources?) │
│ - Bias (vendor selling something? political angle?) │
│ │
│ Document source evaluation in methodology appendix │
└─────────────────────────────────────────────────────────────┘
OSINT ACTIVITIES:
┌─────────────────────────────────────────────────────────────┐
│ Required OSINT research: │
│ │
│ □ Infrastructure analysis (passive DNS, WHOIS, etc.) │
│ □ Malware sample review (VirusTotal, MalwareBazaar) │
│ □ Social media/forum monitoring │
│ □ Code repository search │
│ │
│ Document OSINT methodology and findings │
└─────────────────────────────────────────────────────────────┘
WHAT TO AVOID:
┌─────────────────────────────────────────────────────────────┐
│ ✗ Single-source claims without corroboration │
│ ✗ Outdated information presented as current │
│ ✗ Unattributed claims or speculation │
│ ✗ Over-reliance on one vendor's perspective │
│ ✗ Copying content without proper citation │
│ ✗ IOCs without validation │
└─────────────────────────────────────────────────────────────┘
Quality Standards
Your report will be evaluated against professional intelligence standards:
Evaluation Criteria:
ANALYTICAL QUALITY (35%):
┌─────────────────────────────────────────────────────────────┐
│ □ Accurate threat actor characterization │
│ □ Complete TTP coverage with ATT&CK mapping │
│ □ Validated IOCs with appropriate context │
│ □ Sound attribution with proper confidence levels │
│ □ Logical risk assessment methodology │
│ □ Evidence-based conclusions │
│ │
│ Excellent: Thorough analysis, multi-source validation, │
│ appropriate analytical tradecraft │
│ Good: Solid analysis, some gaps in coverage │
│ Adequate: Basic analysis, limited depth │
│ Poor: Superficial, unvalidated, or inaccurate │
└─────────────────────────────────────────────────────────────┘
ACTIONABILITY (25%):
┌─────────────────────────────────────────────────────────────┐
│ □ Detection rules that would work in practice │
│ □ Hunt queries with clear methodology │
│ □ Prioritized, implementable recommendations │
│ □ Clear operationalization guidance │
│ □ Relevant to target organization context │
│ │
│ Excellent: Immediately actionable by recipient │
│ Good: Actionable with some additional work │
│ Adequate: General guidance, limited specificity │
│ Poor: Not actionable or impractical │
└─────────────────────────────────────────────────────────────┘
COMMUNICATION (20%):
┌─────────────────────────────────────────────────────────────┐
│ □ Clear executive summary for leadership │
│ □ Technical sections for operational teams │
│ □ Professional writing and formatting │
│ □ Appropriate TLP and handling markings │
│ □ Proper use of confidence language │
│ □ Effective visualizations │
│ │
│ Excellent: Publication-quality, multi-audience effective │
│ Good: Clear, professional, minor issues │
│ Adequate: Understandable but rough │
│ Poor: Unclear, unprofessional, or poorly organized │
└─────────────────────────────────────────────────────────────┘
TECHNICAL ARTIFACTS (20%):
┌─────────────────────────────────────────────────────────────┐
│ □ Valid STIX 2.1 IOC package │
│ □ Functional ATT&CK Navigator layer │
│ □ Working Sigma detection rules │
│ □ Executable hunt queries │
│ □ Complete source documentation │
│ │
│ Excellent: All artifacts valid, complete, usable │
│ Good: Minor issues, mostly functional │
│ Adequate: Some artifacts incomplete or have errors │
│ Poor: Artifacts missing, invalid, or unusable │
└─────────────────────────────────────────────────────────────┘
Timeline and Milestones
The capstone is completed over Week 12 with the following recommended milestones:
Capstone Timeline:
DAY 1-2: PLANNING & SELECTION
┌─────────────────────────────────────────────────────────────┐
│ □ Select threat actor │
│ □ Select target organization context │
│ □ Initial source identification │
│ □ Create research plan │
│ □ Set up documentation structure │
│ │
│ Checkpoint: Actor and context selected │
└─────────────────────────────────────────────────────────────┘
DAY 3-4: RESEARCH & COLLECTION
┌─────────────────────────────────────────────────────────────┐
│ □ Gather all available sources │
│ □ Conduct OSINT research │
│ □ Collect and validate IOCs │
│ □ Map TTPs to ATT&CK │
│ □ Document infrastructure patterns │
│ │
│ Checkpoint: Research complete, sources documented │
└─────────────────────────────────────────────────────────────┘
DAY 5-6: ANALYSIS & DRAFTING
┌─────────────────────────────────────────────────────────────┐
│ □ Draft threat actor profile │
│ □ Complete TTP analysis │
│ □ Develop detection and hunting guidance │
│ □ Conduct risk assessment │
│ □ Create technical appendices │
│ │
│ Checkpoint: First draft complete │
└─────────────────────────────────────────────────────────────┘
DAY 7: REFINEMENT & SUBMISSION
┌─────────────────────────────────────────────────────────────┐
│ □ Write executive summary │
│ □ Review and edit all sections │
│ □ Validate technical artifacts │
│ □ Ensure all requirements met │
│ □ Final formatting and submission │
│ │
│ SUBMIT: Complete report package │
└─────────────────────────────────────────────────────────────┘
Report Template
Use the following structure for your report:
THREAT INTELLIGENCE REPORT TEMPLATE:
═══════════════════════════════════════════════════════════════
[THREAT ACTOR NAME]
THREAT INTELLIGENCE ASSESSMENT
═══════════════════════════════════════════════════════════════
TLP: [TLP:AMBER, TLP:AMBER+STRICT or TLP:GREEN, using TLP 2.0 labels; a report prepared for one named organization is normally TLP:AMBER]
Date: [Date]
Version: 1.0
Prepared by: [Your Name]
Prepared for: [Target Organization]
───────────────────────────────────────────────────────────────
TABLE OF CONTENTS
───────────────────────────────────────────────────────────────
1. Executive Summary
2. Threat Actor Profile
2.1 Overview and Attribution
2.2 Motivation and Objectives
2.3 Capability Assessment
2.4 Target Profile
2.5 Historical Activity
3. Tactics, Techniques, and Procedures
3.1 Attack Chain Overview
3.2 Initial Access
3.3 Execution
3.4 Persistence
3.5 Privilege Escalation
3.6 Defense Evasion
3.7 Credential Access
3.8 Discovery
3.9 Lateral Movement
3.10 Collection
3.11 Command and Control
3.12 Exfiltration/Impact
3.13 Tools and Malware
3.14 Infrastructure Patterns
4. Indicators of Compromise
4.1 Network Indicators
4.2 Host Indicators
4.3 Email Indicators
4.4 IOC Validity and Confidence
5. Detection and Hunting
5.1 Detection Opportunities
5.2 Sigma Detection Rules
5.3 Hunt Hypotheses
5.4 Hunt Queries
5.5 Purple Team Recommendations
6. Risk Assessment and Recommendations
6.1 Likelihood Assessment
6.2 Impact Analysis
6.3 Gap Analysis
6.4 Mitigation Recommendations
6.5 Success Metrics
7. Appendices
A. STIX IOC Package
B. ATT&CK Navigator Layer
C. Sigma Rules
D. Hunt Query Package
E. Source Bibliography
F. Methodology Notes
───────────────────────────────────────────────────────────────
Submission Requirements
Submit the following deliverables:
Submission Package:
PRIMARY DOCUMENT:
┌─────────────────────────────────────────────────────────────┐
│ Filename: [YourName]_CSY301_Capstone_[ActorName].pdf │
│ │
│ Format: PDF │
│ Length: 20-30 pages (excluding appendices) │
│ Include: All main report sections │
└─────────────────────────────────────────────────────────────┘
TECHNICAL APPENDICES (separate files):
┌─────────────────────────────────────────────────────────────┐
│ A. IOC_Package.json │
│ - STIX 2.1 formatted bundle │
│ - All indicators with context │
│ │
│ B. ATT&CK_Layer.json │
│ - Navigator layer file │
│ - Color-coded by detection confidence │
│ │
│ C. Sigma_Rules.yml │
│ - Minimum 3 detection rules │
│ - Valid Sigma format │
│ │
│ D. Hunt_Queries.md │
│ - Minimum 5 hunt hypotheses │
│ - Queries with documentation │
└─────────────────────────────────────────────────────────────┘
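Appendix A must be a valid STIX 2.1 bundle whose indicators carry the confidence ratings and validity timeframes that Section 4 asks for. The following builder and checker is an added example for this page (not code from the course, MITRE or OASIS). It uses only the standard library so it runs without the stix2 package, and its three indicators are constructed placeholders (a reserved .example domain, an RFC 5737 address and a dummy hash), not real actor IOCs.

```python
"""Build and sanity-check a STIX 2.1 indicator bundle for Appendix A.
Added example for this capstone page; standard library only. The three
indicators are constructed placeholders, not real IOCs.
"""
import re
import uuid
from datetime import datetime, timedelta, timezone

ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?Z$")


def stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"


def ts(dt):
    """STIX timestamp: RFC 3339, UTC, millisecond precision."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_indicator(now, name, pattern, confidence, valid_days, description):
    # confidence uses the STIX 0-100 scale; valid_until records the IOC's expected
    # shelf life so consumers can age it out of blocklists automatically
    if not 0 <= confidence <= 100:
        raise ValueError("confidence must be 0-100")
    return {
        "type": "indicator", "spec_version": "2.1", "id": stix_id("indicator"),
        "created": ts(now), "modified": ts(now),
        "name": name, "description": description,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern, "pattern_type": "stix",
        "valid_from": ts(now), "valid_until": ts(now + timedelta(days=valid_days)),
        "confidence": confidence,
    }


def make_bundle(now, actor_name, indicators):
    actor = {
        "type": "threat-actor", "spec_version": "2.1", "id": stix_id("threat-actor"),
        "created": ts(now), "modified": ts(now),
        "name": actor_name, "threat_actor_types": ["nation-state"],
    }
    # an "indicates" relationship ties each IOC to the actor it is attributed to
    rels = [{
        "type": "relationship", "spec_version": "2.1", "id": stix_id("relationship"),
        "created": ts(now), "modified": ts(now), "relationship_type": "indicates",
        "source_ref": ind["id"], "target_ref": actor["id"],
    } for ind in indicators]
    return {"type": "bundle", "id": stix_id("bundle"), "objects": [actor, *indicators, *rels]}


def validate_bundle(bundle):
    """Return a list of problems; empty means these structural checks pass.
    This is not a full schema validation (see the usage note)."""
    problems = []
    objects = bundle.get("objects", [])
    ids = {o.get("id") for o in objects}
    if not ID_RE.match(bundle.get("id", "")):
        problems.append("bundle: bad id")
    for o in objects:
        oid = o.get("id", "?")
        if not ID_RE.match(oid) or not oid.startswith(o.get("type", "") + "--"):
            problems.append(f"{oid}: id does not match type")
        if o.get("spec_version") != "2.1":
            problems.append(f"{oid}: spec_version must be 2.1")
        for f in ("created", "modified", "valid_from", "valid_until"):
            if f in o and not TS_RE.match(o[f]):
                problems.append(f"{oid}: bad timestamp in {f}")
        if o.get("type") == "indicator":
            for f in ("pattern", "pattern_type", "valid_from"):
                if f not in o:
                    problems.append(f"{oid}: missing {f}")
            if "valid_until" in o and o["valid_until"] <= o.get("valid_from", ""):
                problems.append(f"{oid}: valid_until is not after valid_from")
            if not 0 <= o.get("confidence", 0) <= 100:
                problems.append(f"{oid}: confidence out of range")
        if o.get("type") == "relationship":
            for ref in (o.get("source_ref"), o.get("target_ref")):
                if ref not in ids:
                    problems.append(f"{oid}: dangling reference {ref}")
    return problems


def sample_bundle(now=None):
    """Constructed sample: three placeholder IOCs attributed to a named actor."""
    now = now or datetime.now(timezone.utc)
    indicators = [
        make_indicator(now, "C2 domain (placeholder)",
                       "[domain-name:value = 'cdn-metrics.example']", 80, 90,
                       "Corroborated by two vendor reports; constructed value"),
        make_indicator(now, "C2 IP (placeholder)",
                       "[ipv4-addr:value = '203.0.113.10']", 50, 30,
                       "Single source; short validity because C2 IPs rotate"),
        make_indicator(now, "Loader SHA-256 (placeholder)",
                       "[file:hashes.'SHA-256' = '" + "a" * 64 + "']", 90, 365,
                       "Hashes rarely expire; high confidence once the sample is analysed"),
    ]
    return make_bundle(now, "APT41", indicators)
```

The checks here catch the mistakes that most often make a submitted bundle unusable (ids that do not match the object type, timestamps without a trailing Z, validity windows that end before they start, relationships pointing at objects that are not in the bundle). Before submission also run the file through a real validator, for example the OASIS stix2-validator or the stix2 library's parse() function, which enforce the full schema.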
SUBMISSION CHECKLIST:
□ PDF report with all required sections
□ STIX IOC package (valid JSON)
□ ATT&CK Navigator layer (valid JSON)
□ Sigma detection rules (valid YAML)
□ Hunt query documentation
□ All sources properly cited
□ TLP markings applied
□ Naming conventions followed
Example Excerpts
The following examples illustrate expected quality:
EXAMPLE: Executive Summary Excerpt
EXECUTIVE SUMMARY
Bottom Line: APT41 represents a HIGH threat to TechFab
Industries. We assess with MODERATE CONFIDENCE that APT41
will likely (60-70% probability) target TechFab within the
next 12 months based on sector alignment, geographic presence,
and observed targeting patterns.
Key Findings:
- APT41 actively targets technology manufacturing for
intellectual property theft, with 7 confirmed operations
against similar organizations in the past 18 months.
- Their attack chain exploits common vulnerabilities in
internet-facing systems, then leverages legitimate tools
for lateral movement—exactly matching TechFab's current
security gaps in network segmentation and EDR coverage.
- Current detection coverage against APT41's documented
techniques is estimated at 45%, leaving significant gaps
in defense evasion and lateral movement detection.
Recommendations:
1. IMMEDIATE: Patch Citrix and VPN systems (primary initial
access vectors) - addresses 3 critical techniques
2. SHORT-TERM: Deploy enhanced PowerShell logging and
Sysmon to all endpoints - enables detection of 12
additional techniques
3. STRATEGIC: Implement network segmentation between
IT and OT environments - reduces blast radius
---
EXAMPLE: TTP Section Excerpt
3.4 PERSISTENCE
APT41 employs multiple persistence mechanisms, often
establishing 3-4 independent persistence methods per
compromised system.
T1547.001 - Registry Run Keys
┌─────────────────────────────────────────────────────────────┐
│ APT41 creates registry Run keys to execute malware at │
│ system startup. Observed keys include: │
│ │
│ Location: HKCU\Software\Microsoft\Windows\CurrentVersion\Run │
│ Value: "WindowsUpdate" or "SecurityHealth" │
│ Data: Path to HIGHNOON or CROSSWALK loader │
│ │
│ Detection Opportunity: │
│ Monitor value writes to Run keys, especially values │
│ pointing to user-writable locations (AppData, Temp) or to │
│ unsigned binaries. Sysmon records HKCU paths as HKU\<SID>\ │
│ so match on the key path suffix, not the HKCU prefix. │
│ │
│ Data Sources: Windows Registry (Sysmon Event 13, value set) │
│ Confidence: HIGH (observed in multiple incidents) │
└─────────────────────────────────────────────────────────────┘
T1053.005 - Scheduled Task
┌─────────────────────────────────────────────────────────────┐
│ APT41 creates scheduled tasks for persistence, often │
│ disguised as legitimate Windows tasks. │
│ │
│ Example Task: │
│ Name: \Microsoft\Windows\Maintenance\WinSAT │
│ Action: Execute PowerShell with encoded command │
│ Trigger: Daily at 2:00 AM │
│ │
│ Detection: Monitor schtasks.exe command lines (Sysmon │
│ Event 1) and task registration in the Task Scheduler │
│ operational log (Event 106) or Security log (Event 4698, │
│ which needs Other Object Access auditing enabled). Compare │
│ the registered action against the legitimate task's path. │
│ │
│ Confidence: HIGH │
└─────────────────────────────────────────────────────────────┘
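The two persistence techniques above each name a detection opportunity; the block below turns them into Sigma-style rules and runs them over sample Sysmon events, which is the kind of check the "working Sigma detection rules" criterion expects. It is an added example for this page, not code from the Sigma project or the course: the rules are written as Python dicts that mirror the Sigma YAML structure (logsource, detection, condition, tags) so the block runs without PyYAML, the evaluator implements only the modifiers these two rules use, and the four events are constructed rather than real telemetry.

```python
"""Sigma-style detection logic for T1547.001 (Run keys, Sysmon EID 13) and
T1053.005 (scheduled tasks, Sysmon EID 1) run over constructed Sysmon
events. Added example for this capstone page; not Sigma project code.
"""

# Mirrors a Sigma rule with logsource category registry_set (Sysmon Event ID 13)
RUN_KEY_RULE = {
    "title": "Run Key Value Pointing Outside Program Directories",
    "logsource": {"product": "windows", "category": "registry_set"},
    "detection": {
        "selection": {
            "TargetObject|contains": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
        },
        "filter_known_paths": {
            "Details|startswith": ["C:\\Program Files\\", "C:\\Program Files (x86)\\",
                                   "C:\\Windows\\"],
        },
        "condition": "selection and not filter_known_paths",
    },
    "tags": ["attack.persistence", "attack.t1547.001"],
}

# Mirrors a Sigma rule with logsource category process_creation (Sysmon Event ID 1)
SCHTASK_RULE = {
    "title": "Scheduled Task Created With Encoded PowerShell Action",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\schtasks.exe",
            "CommandLine|contains|all": ["/create", "powershell", "-enc"],
        },
        "condition": "selection",
    },
    "tags": ["attack.persistence", "attack.t1053.005"],
}


def _match_value(value, pattern, mods):
    v, p = str(value).lower(), str(pattern).lower()   # Sigma string matching is case-insensitive
    if "contains" in mods:
        return p in v
    if "startswith" in mods:
        return v.startswith(p)
    if "endswith" in mods:
        return v.endswith(p)
    return v == p


def _match_field(event, key, patterns):
    field, *mods = key.split("|")
    if field not in event:
        return False
    patterns = patterns if isinstance(patterns, list) else [patterns]
    hits = [_match_value(event[field], p, mods) for p in patterns]
    return all(hits) if "all" in mods else any(hits)   # a list is OR unless |all is given


def _match_block(event, block):
    return all(_match_field(event, k, v) for k, v in block.items())


def evaluate(rule, event):
    """True if the event satisfies the rule. Only conditions of the form
    'name' and 'name and not name' are supported; real Sigma allows far more."""
    if rule["logsource"]["category"] != event.get("category"):
        return False
    det = rule["detection"]
    results = {n: _match_block(event, b) for n, b in det.items() if n != "condition"}
    cond = det["condition"]
    if " and not " in cond:
        keep, drop = cond.split(" and not ")
        return results[keep] and not results[drop]
    return results[cond]


def run_rules(rules, events):
    """Return (rule title, event id) pairs for every hit."""
    return [(r["title"], e["id"]) for e in events for r in rules if evaluate(r, e)]


# Constructed Sysmon events. Sysmon writes HKCU keys as HKU\<SID>\... and puts
# the Run value's data in the Details field; the base64 blob is a placeholder.
SAMPLE_EVENTS = [
    {"id": "evt1", "category": "registry_set",
     "TargetObject": "HKU\\S-1-5-21-111-222-333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate",
     "Details": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe"},
    {"id": "evt2", "category": "registry_set",
     "TargetObject": "HKU\\S-1-5-21-111-222-333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "C:\\Program Files\\Vendor\\Agent.exe /tray"},
    {"id": "evt3", "category": "process_creation",
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /tn "\\Microsoft\\Windows\\Maintenance\\WinSAT" '
                    '/tr "powershell.exe -nop -w hidden -enc SQBFAFgA" /sc daily /st 02:00'},
    {"id": "evt4", "category": "process_creation",
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks.exe /query /tn "\\Microsoft\\Windows\\Maintenance\\WinSAT"'},
]

if __name__ == "__main__":
    for title, eid in run_rules([RUN_KEY_RULE, SCHTASK_RULE], SAMPLE_EVENTS):
        print(f"ALERT {eid}: {title}")
```

Only evt1 and evt3 should alert: evt2 is a Run key pointing into Program Files and is removed by the filter, and evt4 only queries a task. When you write the real YAML for Appendix C, keep the same discipline of pairing each rule with at least one true-positive and one benign event, and validate the files with the sigma-cli `sigma check` command before submission.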
---
EXAMPLE: Hunt Hypothesis
HUNT HYPOTHESIS 3: APT41 Cobalt Strike Beaconing
Hypothesis Statement:
APT41 may have deployed Cobalt Strike beacons in our
environment that are communicating with C2 infrastructure
using HTTPS with regular beaconing intervals.
ATT&CK Mapping: T1071.001 (Web Protocols), T1573.002
(Asymmetric Cryptography)
Intelligence Basis:
- APT41 uses Cobalt Strike in 80%+ of observed operations
- Cobalt Strike's default sleep is 60 seconds with 0% jitter;
  operators commonly configure 10-20% jitter in the Malleable
  C2 profile, so expect intervals of roughly 48-60 seconds
- C2 often uses legitimate-looking domains
Data Sources Required:
- Proxy logs with full URL
- Firewall logs with connection timing
- EDR network telemetry
Hunt Query (Splunk):
index=proxy
| bucket _time span=1h
| stats count by src_ip, dest_host, _time
| where count > 30 AND count < 120
| stats stdev(count) as jitter, avg(count) as avg_count
by src_ip, dest_host
| where jitter < 15 AND avg_count > 40
| lookup threat_domains domain AS dest_host OUTPUT threat_score
| where isnull(threat_score)
| sort -avg_count
Query Notes:
- The 30-120 per hour window brackets a 60-second beacon with
  jitter; widen it if the actor's known profile differs.
- "jitter" here is the hour-to-hour spread of connection counts
  per source/destination pair, a proxy for the beacon's own
  sleep jitter, which hourly buckets cannot measure directly.
- The final lookup drops destinations already on the threat
  list (those should fire as alerts, not hunts); add a second
  lookup against known polling services to cut false positives.
Expected Outcomes:
- True Positive: Regular HTTPS connections with low jitter
to unknown external domains
- False Positive: Legitimate services with regular polling
(updates, monitoring)
Investigation Steps if Suspicious:
1. Check process making connections (EDR)
2. Analyze domain registration and hosting
3. Check for related process activity
4. Look for lateral movement from source IP
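The SPL query approximates beacon regularity from hourly counts. The script below measures it directly, as the coefficient of variation of inter-arrival times per source/destination pair, which is the quantity the hypothesis actually describes and the one that survives a jittered sleep. It is an added example for this page, not course or vendor code; the log line format, hosts, domains and the allowlist are constructed, and the traffic is generated in the block so it runs offline.

```python
"""Beacon regularity analysis over proxy logs, complementing the hourly
count query in Hunt Hypothesis 3. Added example for this capstone page;
log format, hosts and domains are constructed.
"""
import random
import statistics
from datetime import datetime, timedelta, timezone

LOG_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Constructed line format: <utc timestamp> <src ip> <dest host> <port> <status>"""
    stamp, src, dst, _port, _status = line.split()
    return datetime.strptime(stamp, LOG_FORMAT).replace(tzinfo=timezone.utc), src, dst


def beacon_candidates(lines, min_events=20, max_cv=0.3, allowlist=()):
    """Return pairs whose inter-arrival times are regular enough to look like
    a beacon. A 60 s sleep with 10-20 % jitter gives a coefficient of
    variation (CV) near 0.1; interactive browsing is usually above 1.0."""
    times_by_pair = {}
    for line in lines:
        when, src, dst = parse_line(line)
        times_by_pair.setdefault((src, dst), []).append(when)

    findings = []
    for (src, dst), times in times_by_pair.items():
        if dst in allowlist or len(times) < min_events:
            continue                       # known poller, or too few events to judge
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "events": len(times),
                             "mean_gap_s": round(mean, 1), "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["cv"])


def make_sample_log(seed=7):
    """Constructed traffic: one jittered beacon, one exact poller, one human."""
    rng = random.Random(seed)
    start = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    lines = []

    t = start                                    # 60 s sleep with +/-20 % jitter
    for _ in range(40):
        lines.append(f"{t:{LOG_FORMAT}} 10.20.30.40 cdn-metrics.example 443 200")
        t += timedelta(seconds=60 * rng.uniform(0.8, 1.2))

    t = start                                    # monitoring agent, exact 300 s
    for _ in range(25):
        lines.append(f"{t:{LOG_FORMAT}} 10.20.30.40 monitor.example 443 200")
        t += timedelta(seconds=300)

    t = start                                    # interactive browsing, bursty
    for _ in range(40):
        lines.append(f"{t:{LOG_FORMAT}} 10.20.30.41 news.example 443 200")
        t += timedelta(seconds=rng.choice([2, 5, 15, 120, 600, 1800]))

    rng.shuffle(lines)                           # logs rarely arrive in order
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    for finding in beacon_candidates(log, allowlist={"monitor.example"}):
        print(finding)
```

Run without an allowlist, the exact 300-second poller surfaces first with a CV of 0, which is the false-positive class the hypothesis lists (update and monitoring services); the jittered beacon still scores well under the threshold, so the hunt is robust to the jitter the SPL hourly buckets hide. Feed real proxy exports through parse_line() by adjusting the field order to match your log format.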
🎯 Hands-On Labs (Free & Essential)
Use these labs to assemble capstone evidence and outputs.
🧭 ATT&CK Navigator: Actor Technique Layer
What you'll do: Build a layer for your chosen actor and highlight key TTPs.
Why it matters: A technique map makes your report defensible and clear.
Time estimate: 90-120 minutes
🧪 Malpedia + MalwareBazaar: Tooling Profile
What you'll do: Identify two tools used by your actor and capture IOCs.
Why it matters: Tooling evidence strengthens your assessment.
Time estimate: 90-120 minutes
📝 Capstone Draft: Executive Summary + IOC Appendix
Task: Write a 1-page executive summary and attach an IOC appendix.
Why it matters: Decision-makers need clarity and actionability.
Time estimate: 2-3 hours
💡 Lab Tip: Cite every claim with a source and confidence level.
Supply Chain Intelligence Appendix
Add a focused appendix that translates your actor research into third-party risk insights. Highlight supplier exposure, likely intrusion paths through vendors, and defensive checkpoints for procurement and IT teams.
Deliverable: A 1-2 page appendix with vendor risk findings, mapped TTPs, and recommended control checks.
🧩 Supply Chain Risk Appendix
Task: Produce a supplier-focused appendix
with top exposure paths, high-risk vendor types, and
mitigation checkpoints.
Why it matters: Supply chain context
helps leadership prioritize vendor defenses.
Time estimate: 90-120 minutes
Capstone Reflection
In addition to your report, submit a brief reflection (300-400 words) addressing:
- What was the most challenging aspect of producing this intelligence report? How did you overcome it?
- What sources proved most valuable for your research? What gaps did you encounter in available intelligence?
- If this were a real organizational engagement, what additional information would you want access to? What follow-on work would you recommend?
- How has this course changed your understanding of threat intelligence as a discipline? What skills will you continue developing?
Week 12 Quiz
Test your understanding of Threat Intelligence Reporting and Capstone concepts.
Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.
Course Completion
Upon successful completion of this capstone and the course, you will have demonstrated:
CSY301 Competencies:
ANALYTICAL COMPETENCIES:
┌─────────────────────────────────────────────────────────────┐
│ ✓ Apply intelligence lifecycle methodology │
│ ✓ Profile threat actors with attribution analysis │
│ ✓ Map adversary behavior to ATT&CK framework │
│ ✓ Collect, validate, and enrich indicators │
│ ✓ Conduct OSINT investigations │
│ ✓ Develop threat-informed hunt hypotheses │
│ ✓ Assess organizational risk from specific threats │
└─────────────────────────────────────────────────────────────┘
PRODUCTION COMPETENCIES:
┌─────────────────────────────────────────────────────────────┐
│ ✓ Create tactical intelligence products (IOCs, rules) │
│ ✓ Develop operational intelligence (campaign analysis) │
│ ✓ Produce strategic intelligence (executive reporting) │
│ ✓ Build detection and hunting content │
│ ✓ Communicate effectively across audiences │
└─────────────────────────────────────────────────────────────┘
OPERATIONAL COMPETENCIES:
┌─────────────────────────────────────────────────────────────┐
│ ✓ Integrate intelligence with security operations │
│ ✓ Conduct purple team exercises │
│ ✓ Participate in intelligence sharing communities │
│ ✓ Measure and demonstrate intelligence program value │
└─────────────────────────────────────────────────────────────┘
These competencies prepare you for roles including:
- Threat Intelligence Analyst
- Cyber Threat Analyst
- Security Operations Analyst
- Threat Hunter
- Detection Engineer
- Security Consultant
Congratulations on completing CSY301: Threat Intelligence & Adversary Modelling. The skills you've developed enable you to understand, anticipate, and counter sophisticated cyber threats.
Verified Resources & Videos
- MITRE ATT&CK Groups Database — Primary threat actor reference
- Mandiant Resource Center — Threat research reports
- CrowdStrike Adversary Universe — Threat actor profiles
- The DFIR Report — Detailed intrusion analysis
- Sigma Rules Repository — Detection rule examples