learntodriveai.dev/Cybersecurity/Hybrid Exploitation Campaign with a Living Threat Model
Cybersecurity·Project 18·6 units

Hybrid Exploitation Campaign with a Living Threat Model

**Track:** Cybersecurity

§ Brief

You're running a six-week security assessment for Summit Trails Resort Group — a US boutique resort operator with six wellness properties and a central Azure platform — and the surface is hybrid: cloud, on-prem, and ISP-managed transit between them.

The discipline skills: running an exploitation campaign across cloud and on-prem in concert; treating the threat model as a living document that updates during the engagement, with three versioned models shipped as deliverables; designing a hybrid detection strategy with quantitative targets across both paradigms; and mapping findings coherently across PCI DSS, CIS Azure Benchmarks, and NIST CSF at once.

The AI-direction lesson: cross-paradigm work needs a context architecture that crosses paradigms, and the engagement is long enough that the context lifecycle is the discipline. Six scoped agents — cloud-exploitation, on-prem-exploitation, threat-model-update, hybrid-detection, remediation, executive-report — each get the context their phase needs and nothing else. The assumption-based plan from week one is archived before the post-discovery model runs. And the cross-paradigm judgment calls — which surface to prioritise after a model update, how to frame the shared-credentials issue, what the engagement can and can't say about a year-old credit-card incident — those don't delegate.

Your Role

You're the assessor. The engagement approach, the campaign plan, the three threat-model versions, the hybrid detection strategy, the cross-paradigm SIEM architecture, the PCI DSS + CIS Azure + NIST CSF compliance mapping, the remediation programme with its documented exceptions, the executive board report in guest-trust voice — yours.

Scaffolding is thin across the engagement. No exploitation-campaign template for hybrid surfaces, no living-threat-model rubric, no PCI-to-CIS-Azure-to-NIST-CSF crosswalk, no shared-credential-remediation flow, no executive-report voice guide. The first contact is a Slack thread — six scattered messages from Margaret Larsen at 11:32 PM from a hotel room. No review beats are staged; a senior colleague is on-demand if you need a sounding board, but they won't volunteer — the campaign is yours to drive.

The campaign is bounded — you stop at "this finding demonstrates the risk," not at "maximum compromise achieved." TTPs are selected to test whether the hybrid detection strategy works, not to maximise the finding count. Some judgments are explicitly yours: the surface-prioritisation calls after each threat-model update, the diplomatic framing of the shared-credentials conversation, the ISP-vendor conversation, the acknowledgment that a year-old credit-card incident may not be definitively answerable from this engagement.

What's New

Last time, the assessment was cloud-only — one corporate Azure tenant with three subscriptions, methodology was the new terrain, and the cloud surface itself was a guided experience.

Hybrid scope. Cloud and on-prem run together in one campaign, distributed across six remote properties connected by ISP-managed transit. Cross-property lateral movement — property to central platform to another property — is a single attack path the campaign documents end-to-end. Neither a cloud-only nor an on-prem-only assessment would surface it.

A living threat model. Three versions land in the deliverables: v1 written at engagement start from assumptions; v2 after the hidden constraints surface in discovery; v3 after exploitation reveals threats the earlier models didn't anticipate. The diff between v1 and v3 is itself part of the assessment narrative.

Scope creep mid-engagement. Margaret asks about a seventh property — an Oregon oceanfront acquisition that closed last month. The decision is yours: in scope, out of scope, or in scope under a defined boundary.

No staged colleague review. P17 ran without one too; P18 continues the pattern. The cloud terrain is familiar enough that you drive the campaign without scaffolding on it — a senior colleague is reachable on-demand for a hybrid-campaign or threat-model question, but they won't volunteer and no review beat is authored.

The hard part: the threat model moves under your feet and AI doesn't notice. Without an explicit framing, AI runs the whole campaign against the week-one assumption model and produces something that looks comprehensive and misses the point. Margaret reads in guest-trust language; findings in compliance-audit-speak glaze her over. The shared-credential practice at the front desks needs diplomatic handling — her staff are not the problem; the architecture is.

Tools

  • Claude Code, Codex CLI — driving the six scoped hybrid agents across the engagement and the explicit "do not delegate" boundaries for the cross-paradigm and diplomatic judgments.
  • Summit Trails hybrid lab (Docker + Azure fixtures) — six property infrastructures (PMS server, POS, Wi-Fi, guest-room automation, front-desk terminals), the central Azure platform, the Montana ISP-managed WAN transit, the legacy unencrypted PMS at Vermont and Montana, the shared-credentials state, and the cross-property lateral-movement paths.
  • Azure CLI in dry-run / fixture-replay mode — familiar. Authentic syntax, authentic response shapes, no real subscription.
  • Microsoft Defender for Cloud (simulated) — familiar. Pre- and post-remediation posture snapshots that you compose against the exploit re-test result.
  • Sigma + Loki + Grafana + Wazuh + Suricata + osquery — defender stack carried forward from P11-P17. P18 integrates Azure Activity Log alongside per-property forwarders and authors Sigma rules spanning on-prem, cloud, and cross-paradigm correlation.
  • Living-threat-model authoring — three versioned models as engagement deliverables; v2 supersedes v1, v3 supersedes v2, each referencing its predecessor so the diff is auditable.
  • PCI DSS v4.0, CIS Azure Benchmarks v2, NIST CSF v2.0 — PCI DSS is new at this depth in the track. PCI DSS for the credit-card scope, CIS Azure for the central platform, NIST CSF for the executive narrative.
  • ATT&CK Enterprise + ATT&CK Cloud Matrix — used together; the gap analysis between the two matrices is part of the hybrid-coverage heatmap.
  • Engagement-memory infrastructureengagement-memory/ with the engagement approach, the three threat-model versions, the campaign plan, the detection strategy, the SIEM architecture, the remediation programme, and the per-phase scoped-agent specs. CLAUDE.md and AGENTS.md carry forward.
  • Python, Markdown, YAML, Mermaid, GitHub — assessment and compliance reports, remediation programme, threat-model diffs, heatmaps, diagrams, the executive board report.

Materials

  • First-contact Slack thread (first-contact.md) — Margaret's six scattered late-night messages. Read the cadence as carefully as the content.
  • Summit Trails hybrid lab (hybrid-lab/) — Docker compositions for six properties, Azure fixtures for the central platform, the Montana ISP transit fixture, the legacy-PMS unencrypted-traffic fixtures, the shared-credentials state, and the cross-property lateral-movement paths.
  • Regulatory-context brief (regulatory-context.md) — PCI DSS v4.0 scope-and-mapping primer, CIS Azure Benchmarks v2 reference, NIST CSF v2.0 reference.
  • Engagement-memory templates (engagement-memory/) — engagement-approach, threat-model, campaign-plan, detection-strategy, remediation-programme, and exception templates, plus per-phase scoped-agent specs (engagement-memory/agents/).
  • Detection-rule templates (detection-rules/sigma-templates/) — on-prem, cloud, and cross-paradigm correlation templates.
  • AGENTS.md and CLAUDE.md — carried forward. CLAUDE.md carries P18's verification targets (three threat-model versions referenced in sequence, campaign plan names stopping criteria per TTP, detection strategy carries quantitative targets, remediation programme documents exceptions consciously).

Everything else — the engagement approach, the living-threat-model framing for Margaret, the campaign design, the surface-prioritisation calls, the seventh-property scope decision, the executive report voice — is yours.

Materials

View all →
Hybrid Lab/
azure-fixtures/bin/azazure-fixtures/bin/imds-serverjsonazure-fixtures/central-platform/activity-log-diag-settings.jsonjsonazure-fixtures/central-platform/defender-for-cloud-findings-baseline.jsonjsonazure-fixtures/central-platform/iam-role-assignments.jsonjsonazure-fixtures/central-platform/imds-instance-metadata.jsonjsonazure-fixtures/central-platform/imds-token-response.jsonjsonazure-fixtures/central-platform/nsg-list.jsonjsonazure-fixtures/central-platform/storage-list.jsonjsonazure-fixtures/central-platform/vm-list.jsonjsoncross-property-lateral-paths.jsonmddefender-stack-references/README.mdjsonguest-room-automation/colorado-adjacency.jsonjsonguest-room-automation/montana-adjacency.jsonjsonguest-room-automation/oregon-adjacency.jsonjsonguest-room-automation/utah-adjacency.jsonjsonguest-room-automation/vermont-adjacency.jsonjsonguest-room-automation/wyoming-adjacency.jsonriverloki-azure-activity-log-route/alloy.riverjsonloki-azure-activity-log-route/grafana-hybrid-panel.jsonjsonmontana-isp-transit/transit-fixture.jsonjsonpost-remediation-snapshots/defender-for-cloud-findings-post-remediation.jsonjsonpost-remediation-snapshots/per-finding-retest-fixtures.jsonymlproperties/colorado/docker-compose.ymljsonproperties/colorado/seed/frontdesk.jsonjsonproperties/colorado/seed/gra.jsonjsonproperties/colorado/seed/pms.jsonjsonproperties/colorado/seed/pos.jsonjsonproperties/colorado/seed/wan.jsonjsonproperties/colorado/seed/wifi.jsonymlproperties/montana/docker-compose.ymljsonproperties/montana/seed/frontdesk.jsonjsonproperties/montana/seed/gra.jsonjsonproperties/montana/seed/pms.jsonjsonproperties/montana/seed/pos.jsonjsonproperties/montana/seed/wan.jsonjsonproperties/montana/seed/wifi.jsonymlproperties/oregon/docker-compose.ymljsonproperties/oregon/seed/frontdesk.jsonjsonproperties/oregon/seed/gra.jsonjsonproperties/oregon/seed/pms.jsonjsonproperties/oregon/seed/pos.jsonjsonproperties/oregon/seed/wan.jsonjsonproperties/oregon/seed/wifi.jsonymlproperties/utah/docker-compose.ymljsonproperties/utah/seed/frontdesk.jsonjsonproperties/utah/seed/gra.jsonjsonproperties/utah/seed/pms.jsonjsonproperties/utah/seed/pos.jsonjsonproperties/utah/seed/wan.jsonjsonproperties/utah/seed/wifi.jsonymlproperties/vermont/docker-compose.ymljsonproperties/vermont/seed/frontdesk.jsonjsonproperties/vermont/seed/gra.jsonjsonproperties/vermont/seed/pms.jsonjsonproperties/vermont/seed/pos.jsonjsonproperties/vermont/seed/wan.jsonjsonproperties/vermont/seed/wifi.jsonymlproperties/wyoming/docker-compose.ymljsonproperties/wyoming/seed/frontdesk.jsonjsonproperties/wyoming/seed/gra.jsonjsonproperties/wyoming/seed/pms.jsonjsonproperties/wyoming/seed/pos.jsonjsonproperties/wyoming/seed/wan.jsonjsonproperties/wyoming/seed/wifi.jsonmdREADME.md