Workshop: Threat Actor Profiling: Know Your Enemy

Syllabus 

Module 1 — Who Are Threat Actors? (30 min, Lecture) 

• The four primary threat actor groups: financially motivated, nation-state, hacktivists, thrill seekers

• Their motivations, signature behaviors, and common TTPs

• Cross-group convergence and attack chain fundamentals

Lab 1 — Threat Actor Identification & Categorization (30 min) 

• Research one actor from each category using public intelligence sources

• Identify motivations, top TTPs, notable campaigns, and one example of cross-group behavior

Module 2 — Building Threat Actor Profiles (35 min, Lecture) 

• Profile structure using the Curated Intelligence framework (who, why, how, so what)

• Profiles as living documents

• The four targeting lenses: sector, rivals, customers, and region

Lab 2 — Draft a Threat Actor Profile (35 min) 

• Build a profile for an assigned actor against a financial services scenario

• Map TTPs to MITRE ATT&CK

• Apply targeting lenses

• Write a CISO-ready executive summary

• Identify one detection gap

Module 3 — Quantifying Threat Actors with Threat Box (40 min, Lecture) 

• Andy Piazza’s Threat Box model: scoring intent and capability across four attack categories (espionage, destructive, disruptive, cybercrime)

• Willingness and novelty modifiers

• Reading the 5×5 matrix and translating scores to defense actions

Lab 3 — Threat Box Scoring Exercise (35 min) 

• Score the Lab 2 actor across all four attack categories

• Cite evidence

• Apply the willingness modifier

• Plot the matrix

• Produce three prioritized defense actions for the engineering backlog

Module 4 — From Profiles to Action & Wrap-Up (15 min, Discussion) 

• The five-step playbook: shortlist, score, translate to engineering work, measure quarterly, keep current

• Key takeaways and next steps