The Brief
Marie-Claire Desrosiers runs Reseau Sante du Nord, a network of six community health clinics across northern Haiti. Primary care, maternal health, pharmacy, diagnostics. Eighty staff serving communities where a mother walks two hours to reach the nearest clinic.
Two years ago, a grant funded digitization. Electronic health records. A shared database. Pharmacy inventory tracking. All six clinics connected through a VPN to a central server in Cap-Haitien. One IT person -- Frantz -- manages everything.
The problem is the donor. A European health foundation funds 70% of operations. They had a partner organization in West Africa lose patient records to ransomware. Now they require a security assessment from every funded organization before renewing grants. No assessment, no funding. The clinics cannot shut down for this. People depend on them every day.
Marie-Claire left a voicemail. She speaks fast -- clearly between meetings. She knows patient records are in the system. She knows the donor is serious. She does not know where to start.
Your Role
You are assessing the clinic network's shared infrastructure: the EHR web application, the SSH and FTP services, the VPN connecting all six clinics. The deliverable is a report Marie-Claire can hand to the donor foundation, with technical details for Frantz.
This time, the lab has network services alongside the web application. SSH, FTP, and VPN are distinct targets with different attack vectors, different evidence, and different log signatures. You are not just testing a web application anymore -- you are assessing a system.
The Sigma rule starter template from last time is gone. You write detection rules from scratch, providing the logsource specification, field mapping, and detection logic that the template previously supplied. You also fill a STRIDE threat model template with threats specific to this healthcare network, and select ATT&CK techniques driven by that threat model. CVSS scoring enters for the first time -- severity scores adjusted for the environmental context of patient health data.
What's New
Last time you did passive OSINT reconnaissance, multi-protocol scanning, container hardening, and cross-checked detection rules with a second AI. You know that passive intelligence is a hypothesis to verify. You know that container images carry supply chain risk. You know that cross-checking catches what self-review normalizes.
Network service exploitation. SSH and FTP are different from web forms. Brute-forcing SSH credentials with Hydra produces a fundamentally different pattern in the logs than SQL injection. Exploiting anonymous FTP to access patient data is a network-level breach, not a client-side attack. The ATT&CK techniques are different. The risk narratives are different.
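To make the log-pattern point concrete, here is an added example (not part of the lab materials or the course's starter code) of the three pieces a from-scratch Sigma rule needs, written directly in Python so it can be run: a field mapping for the sshd logsource, constructed auth.log lines in the shape a Hydra run leaves behind beside a clinic user's single typo, and threshold-plus-window detection logic. Host names, IPs, usernames and the 5-failures-in-60-seconds threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field mapping for the sshd logsource: one regex names the fields a Sigma rule
# would reference (outcome, user, src_ip, src_port). Syslog-style OpenSSH lines assumed.
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"\S+ for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>[\d.]+) port (?P<src_port>\d+)"
)
# Constructed sample: a Hydra-style burst from 10.0.0.5 (several usernames,
# seconds apart) beside one clinic user's single typo followed by a key login.
SAMPLE_LOG = """\
Mar 14 08:01:02 ehr-ssh sshd[812]: Failed password for root from 10.0.0.5 port 51020 ssh2
Mar 14 08:01:02 ehr-ssh sshd[813]: Failed password for invalid user admin from 10.0.0.5 port 51021 ssh2
Mar 14 08:01:03 ehr-ssh sshd[814]: Failed password for frantz from 10.0.0.5 port 51022 ssh2
Mar 14 08:01:03 ehr-ssh sshd[815]: Failed password for root from 10.0.0.5 port 51023 ssh2
Mar 14 08:01:04 ehr-ssh sshd[816]: Failed password for invalid user test from 10.0.0.5 port 51024 ssh2
Mar 14 08:15:40 ehr-ssh sshd[900]: Failed password for frantz from 10.0.1.20 port 40212 ssh2
Mar 14 08:15:52 ehr-ssh sshd[900]: Accepted publickey for frantz from 10.0.1.20 port 40212 ssh2
"""

def parse_auth_line(line, year=2024):
    """Map one raw line to a dict of fields, or None if it is not an auth event."""
    m = AUTH_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec

def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60):
    """Alert when one source IP has >= threshold failures inside a sliding window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_auth_line(line)
        if rec and rec["outcome"] == "Failed":
            failures[rec["src_ip"]].append((rec["ts"], rec["user"]))
    alerts = []
    for src_ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # advance window start until it fits
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in events[start:end + 1]})
                alerts.append({"src_ip": src_ip, "failures": end - start + 1, "users": users})
                break  # one alert per source is enough for the report
    return alerts
```

The single failure from 10.0.1.20 never trips the rule, which is the false-positive case a clinic with eighty staff will hit daily; the username spread in the alert is what separates a credential-guessing tool from a forgotten password.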
Metasploit Framework. Not just another tool -- a framework that formalizes the relationship between a vulnerability, the code delivered, and the connection back to the attacker. Module, payload, handler. AI assembles Metasploit commands fluently, but it makes architecture assumptions you need to verify.
Threat modelling. Your first STRIDE threat model at this level of structure. Reconnaissance findings feed the threat model. The threat model feeds the TTP selection. The TTP selection feeds the exploitation plan. Each phase informs the next.
The hard part is fix selection. For weak SSH credentials, password complexity and key-only authentication are both valid approaches. They address different aspects of the problem at different costs. AI defaults to one. You decide which is right for this system.
Tools
- Metasploit Framework -- network service exploitation framework. New.
- Hydra -- credential brute-forcing. New.
- MITRE ATT&CK Navigator -- TTP selection visualization. New.
- Nmap -- network scanning. Extended from previous projects.
- sqlmap -- SQL injection exploitation. Continued.
- Wireshark/tshark -- packet-level analysis. Continued.
- Docker/Docker Compose -- multi-service lab environment.
- Grafana -- dashboard creation and log viewing. Extended: security dashboard design.
- Loki -- log aggregation. Continued.
- Grafana Alloy -- log collection configuration. New interaction level: you modify the config.
- pySigma -- Sigma rule to LogQL conversion. Continued.
- Claude Code -- AI agent directing all tool execution.
- Git/GitHub -- version control and project submission.
Materials
- Scope document -- authorized targets, pivoting rules, VPN endpoint restrictions
- Docker Compose environment -- seven services: EHR application, SSH server, FTP server, VPN simulator, Grafana, Loki, Alloy
- STRIDE threat model template -- blank structure for system-specific threat analysis
- ATT&CK TTP selection template -- technique selection driven by threat model
- Report template -- extended for network findings with CVSS scoring guide
- Alloy configuration -- initially collects only EHR web logs. SSH and FTP logs are not collected until you add them.
- CLAUDE.md -- project governance file