Track Focus
OSINT-driven threat intelligence
Threat actor research, cybercrime community analysis, MITRE ATT&CK mapping, campaign timelines, IOC validation, corporate digital hygiene, and defensive recommendations.
This track is designed for mentorship from cybercrime, OSINT, threat intelligence, and security research practitioners.
Potential Sponsor
Maria Thomas
Cybercrime and OSINT specialist — TBD
Maria brings a focus on OSINT investigations, threat actor communities, threat intelligence and analysis, corporate digital hygiene, and behavioral profiling and analysis of cybercriminals.
Research one threat actor, campaign, or cybercriminal community and build a structured profile defenders can actually use.
Students will pick one threat actor, campaign, or cybercriminal community and build a profile covering targets, motivations, tools, infrastructure, tactics, techniques, behavioral patterns, and known indicators of compromise.
The work emphasizes careful OSINT sourcing, practical MITRE ATT&CK mapping, digital hygiene lessons, and plain-language explanations of what each observed behavior means for small organizations, nonprofits, and community defenders.
Three connected workstreams: adversary profiling; OSINT investigation; and IOC collection, validation, and enrichment.
Threat Actor or Campaign Profile
Build a structured profile from public reporting.
Document targets, motivations, tools, infrastructure, tactics, techniques, known IOCs, behavioral patterns, and a timeline of known campaigns or major public reporting milestones.
OSINT and Digital Hygiene Investigation
Study public signals without crossing ethical or legal boundaries.
Use public sources to understand threat actor communities, exposed organizational data, impersonation risks, credential hygiene signals, and behavioral patterns that matter for small organizations.
MITRE ATT&CK Mapping
Translate adversary behavior into defender meaning.
Create a MITRE ATT&CK Navigator-style mapping and explain what each technique means for monitoring, hardening, detection, or response.
IOC Collection, Validation, and Enrichment Lab
Turn public indicators into a clean, useful dataset.
Collect indicators from advisories and reports, then enrich and organize domains, IPs, hashes, URLs, malware names, CVEs, and related threat actors. MISP is a useful open-source model for collecting, storing, sharing, and correlating cyber threat indicators.
Clean, sourced intelligence products with clear limits and safe-use guidance.
Hands-on threat intelligence methods for research, mapping, enrichment, and communication.
OSINT Research
Finding, comparing, and citing public threat reports, advisories, cybercrime community signals, and technical writeups.
ATT&CK Mapping
Mapping behaviors to MITRE ATT&CK and explaining practical defender implications.
Behavioral Analysis
Identifying patterns in cybercriminal behavior, targeting, tooling, claims, and operational mistakes.
IOC Handling
Validating, enriching, deduplicating, and documenting indicators with confidence and expiration notes.
MISP Model
Understanding how open-source indicator platforms collect, store, share, and correlate threat data.
Defender Writing
Turning technical research into recommendations that small organizations can safely act on.