# Red Team Threat Intel

* Threat Intelligence (TI) or Cyber Threat Intelligence (CTI) is the information, or TTPs (Tactics, Techniques, and Procedures), attributed to an adversary, commonly used by defenders to aid in detection measures.
* The Red Cell (Red Team) can leverage CTI from an offensive perspective to assist in adversary emulation.

## What is Threat Intelligence

* Cyber Threat Intelligence is evidence-based knowledge about adversaries, including their indicators, tactics, motivations, and actionable advice against them.
* Traditionally, defenders use threat intelligence to provide context to the ever-changing threat landscape and to qualify findings.
* IOCs are quantified by the traces left by adversaries, such as domains, IPs, files, strings, etc.
* The blue team can utilize various IOCs to build detections and analyze behaviour.
* From a red team POV, TI is an analysis of the blue team's ability to properly leverage their CTI for detections.

## Applying Threat Intel to the Red Team

* To aid in consuming CTI and collecting TTPs, red teams will often use threat intelligence platforms and frameworks such as MITRE ATT&CK, TIBER-EU and OST Map.
* These cyber frameworks collect known TTPs and categorize them based on varying characteristics such as:
  1. Threat group
  2. Kill chain phase
  3. Tactic
  4. Objective/Goal

> Leveraging TTPs is used as a planning technique rather than something a team will focus on during engagement execution. Depending on the size of the team, a CTI team or threat intelligence operator may be employed to gather TTPs for the red team. During the execution of an engagement, the red team will use threat intelligence to craft tooling, modify traffic and behavior, and emulate the targeted adversary.

## TTP Mapping

* TTP Mapping is employed by the red cell to map adversaries' collected TTPs to a standard cyber kill chain.

> Mapping TTPs to a kill chain aids the red team in planning an engagement to emulate an adversary.

* To begin the process of mapping, an adversary must be selected as the target. An adversary can be chosen based on:
  1. Target industry
  2. Employed attack vectors
  3. Country of origin
  4. Other factors
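As an added example of the TTP Mapping step (not part of the original notes), the script below groups collected ATT&CK techniques by Cyber Kill Chain phase and reports the phases that have no TTP yet, which is the planning gap an emulation team would want to see. It assumes techniques arrive as STIX 2.1 `attack-pattern` objects in the shape MITRE publishes for ATT&CK; the bundle is constructed inline, and the tactic-to-kill-chain mapping is one analyst's assumption rather than an official MITRE table.

```python
import json

# Constructed sample bundle: three ATT&CK techniques plus one non-technique object.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "attack-pattern", "name": "Phishing",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]},
    {"type": "attack-pattern", "name": "PowerShell",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
    {"type": "attack-pattern", "name": "Exfiltration Over C2 Channel",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1041"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "exfiltration"}]},
    {"type": "intrusion-set", "name": "Example Group"},  # must be ignored by the mapper
]})

# Standard Cyber Kill Chain phases, in order.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

# Assumed mapping from ATT&CK tactic (STIX phase_name) to kill chain phase.
TACTIC_TO_PHASE = {
    "reconnaissance": "Reconnaissance", "resource-development": "Weaponization",
    "initial-access": "Delivery", "execution": "Exploitation",
    "persistence": "Installation", "privilege-escalation": "Installation",
    "defense-evasion": "Installation", "command-and-control": "Command and Control",
    "credential-access": "Actions on Objectives", "discovery": "Actions on Objectives",
    "lateral-movement": "Actions on Objectives", "collection": "Actions on Objectives",
    "exfiltration": "Actions on Objectives", "impact": "Actions on Objectives",
}

def map_ttps(bundle_json):
    """Return {kill_chain_phase: [technique IDs]} for every phase; empty list means no coverage."""
    coverage = {phase: [] for phase in KILL_CHAIN}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern":
            continue  # groups, software, relationships etc. carry no technique ID
        ids = [ref["external_id"] for ref in obj.get("external_references", [])
               if ref.get("source_name") == "mitre-attack"]
        for kcp in obj.get("kill_chain_phases", []):
            phase = TACTIC_TO_PHASE.get(kcp.get("phase_name"))
            if phase and kcp.get("kill_chain_name") == "mitre-attack":
                coverage[phase].extend(ids)
    return coverage

def uncovered_phases(coverage):
    """Kill chain phases the collected TTPs leave empty, in kill chain order."""
    return [phase for phase in KILL_CHAIN if not coverage[phase]]

if __name__ == "__main__":
    cov = map_ttps(SAMPLE_BUNDLE)
    for phase in KILL_CHAIN:
        print(f"{phase:<22} {', '.join(cov[phase]) or '-'}")
    print("Gaps:", uncovered_phases(cov))
```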