building-threat-actor-profile-from-osint

# Building Threat Actor Profile from OSINT ## Overview Threat actor profiling using OSINT systematically gathers and analyzes publicly available information to build comprehensive profiles of adversary groups. This skill covers collecting intelligence from public sources (security vendor reports, paste sites, dark web forums, social media, code repositories), correlating indicators across platforms, mapping adversary infrastructure using tools like Maltego and SpiderFoot, and producing structured threat actor dossiers that inform defensive strategies and attribution assessments. ## When to Use - When deploying or configuring building threat actor profile from osint capabilities in your environment - When establishing security controls aligned to compliance requirements - When building or improving security architecture for this domain - When conducting security assessments that require this implementation ## Prerequisites - Python 3.9+ with `shodan`, `requests`, `beautifulsoup4`, `maltego-trx`, `stix2` libraries - SpiderFoot (https://github.com/smicallef/spiderfoot) or SpiderFoot HX - Maltego CE or Maltego XL for link analysis - API keys: Shodan, VirusTotal, AlienVault OTX, PassiveTotal/RiskIQ - MITRE ATT&CK knowledge for TTP mapping - Understanding of STIX 2.1 Intrusion Set, Threat Actor, and Identity SDOs ## Key Concepts ### OSINT Sources for Threat Actor Profiling Primary intelligence sources include vendor threat reports (Mandiant, CrowdStrike, Recorded Future, ...