From cybersecurity-skills
Develops threat actor profiles for APT groups, criminals, and hacktivists using MITRE ATT&CK, Mandiant, CrowdStrike data on TTPs, campaigns, and tooling. For threat modeling, briefings, and defense prioritization.
npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skillsThis skill uses the workspace's default tool permissions.
Use this skill when:
Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.
Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.
Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.
Use this skill when:
Do not use this skill for real-time incident attribution — attribution during active incidents should be deprioritized in favor of containment. Profile refinement occurs post-incident.
Cross-reference your organization's sector, geography, and technology stack against known adversary targeting patterns. Sources:
Shortlist 5–10 groups most likely to target your organization based on sector alignment and recent activity.
For each adversary, document across standard dimensions:
Identity: ATT&CK Group ID (e.g., G0016 for APT29), aliases (Cozy Bear, The Dukes, Midnight Blizzard), suspected nation-state sponsor
Motivations: Espionage, financial gain, disruption, intellectual property theft
Targeting: Sectors, geographies, organization sizes, technology targets (OT/IT, cloud, supply chain)
Capabilities: Custom malware (e.g., APT29's SUNBURST, MiniDuke), exploitation of 0-days vs. known CVEs, supply chain attack capability
Campaign History: Notable operations with dates (SolarWinds 2020, Exchange Server 2021, etc.)
TTPs by ATT&CK Phase: Document top 5 techniques per tactic phase
Using mitreattack-python:
from mitreattack.stix20 import MitreAttackData
mitre = MitreAttackData("enterprise-attack.json")
apt29 = mitre.get_object_by_attack_id("G0016", "groups")
techniques = mitre.get_techniques_used_by_group(apt29)
profile = {}
for item in techniques:
tech = item["object"]
tid = tech["external_references"][0]["external_id"]
tactic = [p["phase_name"] for p in tech.get("kill_chain_phases", [])]
profile[tid] = {"name": tech["name"], "tactics": tactic}
Compare the adversary's technique list against your detection coverage matrix (from ATT&CK Navigator layer). Identify:
Structure the final profile for different audiences:
Classify TLP:AMBER for internal distribution; seek ISAC approval before external sharing.
| Term | Definition |
|---|---|
| APT | Advanced Persistent Threat — well-resourced, sophisticated adversary (typically nation-state or sophisticated criminal) conducting long-term targeted operations |
| TTPs | Tactics, Techniques, Procedures — behavioral fingerprint of an adversary group, more durable than IOCs which change frequently |
| Aliases | Threat actors receive different names from different vendors (APT29 = Cozy Bear = The Dukes = Midnight Blizzard = YTTRIUM) |
| Attribution | Process of associating an attack with a specific threat actor; requires multiple independent corroborating data points and carries inherent uncertainty |
| Cluster | A group of related intrusion activity that may or may not be attributable to a single actor; used when attribution is uncertain |
| Intrusion Set | STIX SDO type representing a grouped set of adversarial behaviors with common objectives, even if actor identity is unknown |