profiling-threat-actor-groups

Featured

Develops comprehensive threat actor profiles for APT groups, criminal organizations, and hacktivist collectives by aggregating TTP documentation, historical campaign data, tooling fingerprints, and attribution indicators from multiple intelligence sources. Use when briefing executives on sector-specific threats, updating threat model assumptions, or prioritizing defensive controls against specific adversaries. Activates for requests involving MITRE ATT&CK Groups, Mandiant APT profiles, CrowdStrike adversary naming, or sector-specific threat briefings.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

Stars (weight 20%): 100
Recency (weight 20%): 100
Frontmatter (weight 20%): 70
Documentation (weight 15%): 100
Issue Health (weight 10%): 50
License (weight 10%): 100
Description (weight 5%): 100

Skill Content

# Profiling Threat Actor Groups

## When to Use

Use this skill when:

- Updating the organization's threat model with profiles of adversary groups recently observed targeting your sector
- Preparing an executive briefing on APT groups that align with geopolitical events affecting your business
- Enabling SOC analysts to understand attacker objectives and TTPs to improve detection tuning

**Do not use** this skill for real-time incident attribution — attribution during active incidents should be deprioritized in favor of containment. Profile refinement occurs post-incident.

## Prerequisites

- Access to the MITRE ATT&CK Groups database (https://attack.mitre.org/groups/)
- Commercial threat intelligence subscription (Mandiant Advantage, CrowdStrike Falcon Intelligence, or Recorded Future)
- Sector-specific ISAC membership for targeted intelligence (FS-ISAC, H-ISAC, E-ISAC)
- Structured profile template (see workflow below)

## Workflow

### Step 1: Identify Relevant Threat Actors

Cross-reference your organization's sector, geography, and technology stack against known adversary targeting patterns.

Sources:

- MITRE ATT&CK Groups: 130+ documented nation-state and criminal groups with TTP mappings
- CrowdStrike Annual Threat Report: adversary naming by nation-state (BEAR = Russia, PANDA = China, KITTEN = Iran, CHOLLIMA = North Korea)
- Mandiant M-Trends: annual report with sector-specific targeting statistics
- CISA Known Exploited Vulnerabilities (KEV) catalog: identifies vulnerabilities a...

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

building-threat-actor-profile-from-osint

Build comprehensive threat actor profiles using open-source intelligence (OSINT) techniques to document adversary motivations, capabilities, infrastructure, and TTPs for proactive defense.

12,642 Updated today
mukul975
AI & Automation Featured

implementing-threat-modeling-with-mitre-attack

Implements threat modeling using the MITRE ATT&CK framework to map adversary TTPs against organizational assets, assess detection coverage gaps, and prioritize defensive investments. Use when SOC teams need to align detection engineering with threat landscape, conduct threat assessments for new environments, or justify security tool procurement.

12,642 Updated today
mukul975
AI & Automation Featured

analyzing-threat-actor-ttps-with-mitre-attack

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor beh

12,642 Updated today
mukul975
AI & Automation Solid

analyzing-threat-actor-ttps-with-mitre-navigator

Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti Python library. The analyst queries STIX/TAXII data for group-technique associations, generates Navigator layer files for visualization, and compares defensive coverage against adversary profiles. Activates for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor profiling, or MITRE technique coverage analysis.

12,642 Updated today
mukul975
AI & Automation Featured

hunting-advanced-persistent-threats

Proactively hunts for Advanced Persistent Threat (APT) activity within enterprise environments using hypothesis-driven searches across endpoint telemetry, network logs, and memory artifacts. Use when conducting scheduled threat hunting cycles, investigating anomalous behavior flagged by UEBA, or validating that known APT TTPs are not present in the environment. Activates for requests involving MITRE ATT&CK, Velociraptor, osquery, Zeek, or threat hunting playbooks.

12,642 Updated today
mukul975