From cybersecurity-skills
Aggregates TTP documentation, campaign data, and attribution indicators to build detailed profiles of APT groups, criminal organizations, and hacktivists. Use for threat modeling, executive briefings, and defensive prioritization.
Slash command: `/cybersecurity-skills:profiling-threat-actor-groups`
Use this skill when:
Do not use this skill for real-time incident attribution — attribution during active incidents should be deprioritized in favor of containment. Profile refinement occurs post-incident.
Cross-reference your organization's sector, geography, and technology stack against known adversary targeting patterns. Sources:
Shortlist 5–10 groups most likely to target your organization based on sector alignment and recent activity.
For each adversary, document across standard dimensions:
Identity: ATT&CK Group ID (e.g., G0016 for APT29), aliases (Cozy Bear, The Dukes, Midnight Blizzard), suspected nation-state sponsor
Motivations: Espionage, financial gain, disruption, intellectual property theft
Targeting: Sectors, geographies, organization sizes, technology targets (OT/IT, cloud, supply chain)
Capabilities: Custom malware (e.g., APT29's SUNBURST, MiniDuke), exploitation of 0-days vs. known CVEs, supply chain attack capability
Campaign History: Notable operations with dates (SolarWinds 2020, Exchange Server 2021, etc.)
TTPs by ATT&CK Phase: Document top 5 techniques per tactic phase
Using mitreattack-python:

```python
from mitreattack.stix20 import MitreAttackData

# Load the ATT&CK Enterprise STIX bundle (downloaded separately from the MITRE CTI repo)
mitre = MitreAttackData("enterprise-attack.json")

# Look up the group by its ATT&CK ID; returns a STIX intrusion-set object
apt29 = mitre.get_object_by_attack_id("G0016", "groups")

# get_techniques_used_by_group() expects the group's STIX ID, not the object itself
techniques = mitre.get_techniques_used_by_group(apt29.id)

# Build a profile keyed by technique ID -> name and the tactic phases it maps to
profile = {}
for item in techniques:  # each item is {"object": technique, "relationships": [...]}
    tech = item["object"]
    tid = tech["external_references"][0]["external_id"]
    tactics = [p["phase_name"] for p in tech.get("kill_chain_phases", [])]
    profile[tid] = {"name": tech["name"], "tactics": tactics}
```
Compare the adversary's technique list against your detection coverage matrix (exported as an ATT&CK Navigator layer). Identify:
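An added example of the comparison step (not part of the original skill): it takes a profile in the shape built above and a minimal ATT&CK Navigator layer, both constructed inline, and buckets each technique per tactic as covered, partially covered, or a gap. The 0/1/2 score meaning is an assumed convention, not part of the Navigator format; the technique IDs are real ATT&CK entries but the selection is illustrative.

```python
import json

# Constructed sample profile in the shape built above: technique ID -> name and tactics.
SAMPLE_PROFILE = {
    "T1566.001": {"name": "Spearphishing Attachment", "tactics": ["initial-access"]},
    "T1195.002": {"name": "Compromise Software Supply Chain", "tactics": ["initial-access"]},
    "T1078": {"name": "Valid Accounts",
              "tactics": ["initial-access", "persistence", "privilege-escalation", "defense-evasion"]},
    "T1059.001": {"name": "PowerShell", "tactics": ["execution"]},
    "T1071.001": {"name": "Web Protocols", "tactics": ["command-and-control"]},
}

# Constructed ATT&CK Navigator layer (minimal subset of the layer schema).
# Assumed score convention: 0 = no detection, 1 = partial, 2 = full coverage.
SAMPLE_LAYER = json.dumps({
    "name": "detection coverage",
    "versions": {"layer": "4.5"},
    "techniques": [
        {"techniqueID": "T1566.001", "score": 2},
        {"techniqueID": "T1078", "score": 1},
        {"techniqueID": "T1059.001", "score": 2},
        {"techniqueID": "T1021.001", "score": 2},  # covered, but not used by this actor
    ],
})

def coverage_gaps(profile, layer_json, full_score=2):
    """Return {tactic: {"covered": [...], "partial": [...], "gap": [...]}} for every
    tactic the adversary uses. A technique is listed under each tactic it maps to,
    since coverage is reviewed per kill-chain phase."""
    scores = {t["techniqueID"]: t.get("score", 0)
              for t in json.loads(layer_json)["techniques"]}
    report = {}
    for tid, info in profile.items():
        score = scores.get(tid, 0)  # techniques absent from the layer count as undetected
        bucket = "covered" if score >= full_score else "partial" if score > 0 else "gap"
        for tactic in info["tactics"]:
            report.setdefault(tactic, {"covered": [], "partial": [], "gap": []})[bucket].append(tid)
    return report

def prioritized_gaps(report):
    """Deduplicated list of uncovered technique IDs, ordered by how many tactic
    phases each spans (more phases = higher defensive priority), then by ID."""
    counts = {}
    for buckets in report.values():
        for tid in buckets["gap"]:
            counts[tid] = counts.get(tid, 0) + 1
    return sorted(counts, key=lambda t: (-counts[t], t))

if __name__ == "__main__":
    rep = coverage_gaps(SAMPLE_PROFILE, SAMPLE_LAYER)
    for tactic, b in sorted(rep.items()):
        print(f"{tactic}: covered={b['covered']} partial={b['partial']} gap={b['gap']}")
    print("priority gaps:", prioritized_gaps(rep))
```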
Structure the final profile for different audiences:
Classify TLP:AMBER for internal distribution; seek ISAC approval before external sharing.
| Term | Definition |
|---|---|
| APT | Advanced Persistent Threat — well-resourced, sophisticated adversary (typically nation-state or sophisticated criminal) conducting long-term targeted operations |
| TTPs | Tactics, Techniques, Procedures — behavioral fingerprint of an adversary group, more durable than IOCs which change frequently |
| Aliases | Threat actors receive different names from different vendors (APT29 = Cozy Bear = The Dukes = Midnight Blizzard = YTTRIUM) |
| Attribution | Process of associating an attack with a specific threat actor; requires multiple independent corroborating data points and carries inherent uncertainty |
| Cluster | A group of related intrusion activity that may or may not be attributable to a single actor; used when attribution is uncertain |
| Intrusion Set | STIX SDO type representing a grouped set of adversarial behaviors with common objectives, even if actor identity is unknown |
Install: `npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills`
Builds threat actor profiles for APT groups, criminal orgs, and hacktivists by aggregating TTPs, campaign data, and attribution indicators. Use for executive briefings, threat model updates, and defensive prioritization.
Develops threat actor profiles for APT groups, criminals, and hacktivists by aggregating TTPs, campaigns, tooling, and attribution from MITRE ATT&CK, Mandiant, CrowdStrike. For threat modeling, executive briefings, defensive controls.