Establishing a Cyber Threat Intelligence Program Playbook

December 16, 2023 | 5 min read

Playbook Objectives:

  • To develop and validate a comprehensive cyber threat intelligence (CTI) program.
  • To simulate realistic attack scenarios for improving the threat detection and response capabilities of the organization.
  • To increase the awareness and preparedness of the security team in identifying and mitigating advanced persistent threats.
  • To refine the processes and technologies used to collect, analyze, and disseminate threat intelligence.

Difficulty Level:

  • Advanced


  • In this exercise, we will focus on a high-profile financial services company named “Global Finance Inc.”, which has recently been the target of increasingly sophisticated cyberattacks. The company has recognized the need for an actionable and effective CTI program to protect its vast network and sensitive customer data from future threats.
  • Company Overview: Global Finance Inc. is an international financial firm with headquarters in New York City, providing services in investment banking, asset management, and retail banking. It operates a multi-layered network infrastructure with several data centers across the globe, interconnected by a mix of private and public cloud services.
  • Key Players:
    • CEO: Johnathan Swift
    • CTO: Emily Rogers
    • CISO: Derek Yung
    • Threat Intelligence Lead: Sofia Ramirez
  • The team at Global Finance Inc. has outlined concerns after witnessing an uptick in reconnaissance activities on their networks. They fear a looming cyber-assault which could cripple their operations and cause irreparable damage to their reputation.
  • The CISO, Derek Yung, aware of the importance of a proactive defense, has mandated the creation of an immersive Cyber Range exercise to establish a robust CTI program that continuously evolves based on the latest threat intelligence. The playbook will aim to ensure real-time threat detection and swift incident response by dissecting a simulated but realistically crafted advanced persistent threat (APT) attack.


  • Cyber Threat Intelligence (CTI)

Exercise Attack Steps:

  1. Reconnaissance:
    • Attackers profile the company, identifying key personnel and network information through social engineering and network scanning.
    • A phishing campaign is launched aiming to compromise an employee’s credentials within the financial department.
  2. Initial Compromise:
    • A successful spear-phishing email tricks an employee into downloading malicious software disguised as a legitimate financial report.
    • The malware establishes a foothold on the employee’s computer, allowing for persistent access.
  3. Establishing Presence:
    • The threat actors escalate their privileges using discovered vulnerabilities within the outdated systems deployed on the employee’s network segment.
    • They establish a backdoor for continued access and exfiltration of data.
  4. Exploration & Pivoting:
    • With the foothold secured, attackers begin lateral movement across the network, probing for high-value targets, such as servers containing customer financial data.
    • Network traffic is closely monitored by attackers to avoid detection and establish patterns for evasion.
  5. Data Harvesting:
    • Financial databases are accessed, and sensitive information is identified for extraction.
    • Custom encryption is used by attackers to exfiltrate the data undetected.
  6. Covering Tracks:
    • Attackers aim to erase logs and use anti-forensics techniques to obscure their presence and activities within the network.
    • A distraction is created using a DDoS attack on the company’s public-facing services to divert the security team’s attention.
  7. Exit Strategy:
    • The APT group prepares for withdrawal, leaving behind a few stealthy backdoors for future access.
    • A time bomb is set to delete certain traces of their activities upon a final command.

Throughout the Cyber Range exercise, Global Finance Inc.’s security team will engage in detection and response activities facilitated by the CTI program, which includes the deployment of intrusion detection systems, security information and event management (SIEM) solutions, and endpoint protection platforms. The training aims to empower the incident response team to effectively identify the attack pattern, isolate compromised systems, and neutralize the threat actors’ presence within the network.

The exercise will also emphasize the continual improvement of the CTI program, involving the sharing of intelligence with peer organizations and industry-specific Information Sharing and Analysis Centers (ISACs) to enhance collective security posture.
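To make the SIEM side of the exercise concrete, here is an added example (not part of the playbook, and not Global Finance Inc.’s tooling) of the kind of detection pass a CTI program feeds: a small rule set that maps three of the attack steps above to checks over normalized SIEM events, enriched with an indicator feed such as an ISAC might share. The host names, indicator values, timestamps and event layout are all constructed for illustration; the only real identifier is Windows Event ID 1102 (security audit log cleared), which is the natural hook for the “Covering Tracks” step.

```python
"""Toy detection pass over SIEM-style events, keyed to the playbook's attack steps.

Added example, not the playbook's own tooling. All hosts, hashes, domains and
timestamps are constructed sample data; the rule logic is what matters.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed indicator feed in the shape an ISAC or internal analyst might
# publish (domain and file-hash sets). Values are invented for the example.
IOC_FEED = {
    "domain": {"reports-globalfinance-login.example"},
    "sha256": {"d2c1" * 16},
}

# Constructed, already-normalized SIEM events. Event ID 1102 is the real
# Windows "audit log was cleared" event; everything else is sample data.
SAMPLE_EVENTS = [
    {"ts": "2023-12-16T09:01:00", "host": "FIN-WS-042", "type": "mail",
     "sender_domain": "reports-globalfinance-login.example",
     "attachment": "Q4_Financial_Report.pdf.exe"},
    {"ts": "2023-12-16T09:03:10", "host": "FIN-WS-042", "type": "process",
     "image": "Q4_Financial_Report.pdf.exe", "sha256": "d2c1" * 16},
    {"ts": "2023-12-16T14:20:00", "host": "DB-SRV-07", "type": "windows", "event_id": 1102},
    {"ts": "2023-12-16T14:21:30", "host": "edge-lb-1", "type": "netflow", "alert": "volumetric_ddos"},
    {"ts": "2023-12-16T16:00:00", "host": "FIN-WS-011", "type": "process",
     "image": "excel.exe", "sha256": "aa" * 32},
]

DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")
EXEC_EXTS = (".exe", ".scr", ".js", ".vbs")


@dataclass(frozen=True)
class Finding:
    step: str    # playbook step the finding maps to
    host: str
    reason: str


def looks_disguised(name: str) -> bool:
    """True for 'Report.pdf.exe'-style names: an executable extension hiding
    behind a document extension (the step 2 'malicious software disguised as
    a legitimate financial report')."""
    lower = name.lower()
    if not lower.endswith(EXEC_EXTS):
        return False
    stem = lower.rsplit(".", 1)[0]
    return stem.endswith(DOC_EXTS)


def ioc_matches(ev: dict) -> list[str]:
    """Enrich one event against the indicator feed; returns human-readable hits."""
    hits = []
    if ev.get("sender_domain") in IOC_FEED["domain"]:
        hits.append(f"sender domain {ev['sender_domain']} is in the IOC feed")
    if ev.get("sha256") in IOC_FEED["sha256"]:
        hits.append(f"file hash {ev['sha256'][:12]}... is in the IOC feed")
    return hits


def _ts(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["ts"])


def detect(events: list[dict], window: timedelta = timedelta(minutes=10)) -> list[Finding]:
    """Run the three rules over a batch of events and return findings.

    The log-clearing rule correlates against DDoS alerts in the same batch so
    that the step 6 'distraction' pattern is called out explicitly.
    """
    findings: list[Finding] = []
    ddos_times = [_ts(e) for e in events if e.get("alert") == "volumetric_ddos"]
    for ev in events:
        name = ev.get("attachment") or ev.get("image")
        if name and looks_disguised(name):
            findings.append(Finding("2. Initial Compromise", ev["host"],
                                    f"executable disguised as a document: {name}"))
        for reason in ioc_matches(ev):
            findings.append(Finding("1-2. Reconnaissance / Initial Compromise", ev["host"], reason))
        if ev.get("event_id") == 1102:
            reason = "security audit log cleared (Event ID 1102)"
            if any(abs(_ts(ev) - d) <= window for d in ddos_times):
                reason += "; within 10 min of a DDoS alert, treat the DDoS as a possible distraction"
            findings.append(Finding("6. Covering Tracks", ev["host"], reason))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.step}] {f.host}: {f.reason}")
```

Running it against the sample batch yields five findings: two on the phishing mail (disguised attachment plus a sender domain in the feed), two on the resulting process (same disguised name plus a hash in the feed), and one on the database server whose audit log was cleared ninety seconds before the DDoS alert, which the correlation flags as a likely distraction rather than an unrelated availability incident. In a real CTI program the `IOC_FEED` would be refreshed from the ISAC feed the playbook mentions and the events would come from the SIEM, but the mapping from playbook step to rule is the part worth keeping.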