Passive Reconnaissance and Threat Modelling

Step 1: DNS Reconnaissance

Before you run any scans against the target, start with what you can learn without sending a single packet to Marie-Claire's infrastructure.

Direct Claude to perform DNS reconnaissance on the target domain. Start with a zone transfer attempt:

Attempt a DNS zone transfer against the target. Show me the results whether it succeeds or fails.

A successful zone transfer reveals every DNS record the server knows about -- subdomains, mail servers, nameservers, the full map. A failed transfer is not "no result." It tells you the target has zone transfer restrictions configured. That is a finding about DNS security maturity. AI commonly treats a failed query as an empty result. You interpret it as information.

Step 2: Multi-Source Intelligence Correlation

A single reconnaissance source gives you data. Multiple sources correlated give you intelligence.

Direct Claude to check DNS records, certificate transparency logs, and technology stack indicators. Correlate the findings: which services exist, what technologies are in use, where the attack surface extends beyond what a simple port scan would show.

Technology stack fingerprinting from public sources -- job postings, GitHub repositories, configuration files, README documents -- reveals internal infrastructure without touching the target. This is how real adversaries build target profiles before deciding how to attack.

Historical DNS data matters too. If the target recently moved from one hosting provider to another, residual configurations or old DNS records pointing to decommissioned servers may create security gaps. The current state is only part of the picture.

Step 3: Introduce the STRIDE Threat Model Template

Open materials/threat-model-template.md. This is your first structured threat model at this level.

STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Each category represents a different type of threat to a system. The template provides the framework. Your job is to fill it with threats specific to Marie-Claire's healthcare network -- not generic threats from a textbook.

The template is not the work. Filling it with system-specific content is the work. The presence of the template does not make this simple -- it means the structure is provided so you can focus on the analysis.

Step 4: Build the Threat Model

Direct Claude to help populate the STRIDE threat model using your reconnaissance findings and what you know about the system architecture: six clinics connected by VPN, a shared EHR database, SSH and FTP services, a single IT person.

Help me populate the STRIDE threat model template for Marie-Claire's healthcare network. Use the reconnaissance findings and the system architecture we know about.

AI commonly applies STRIDE generically -- producing 40 or more threats, all equally weighted, most of them irrelevant to a small healthcare network in northern Haiti. A denial-of-service threat against a clinic that sees patients by appointment is different from a denial-of-service threat against a high-traffic e-commerce site. Spoofing a healthcare worker's credentials has consequences that include access to patient HIV diagnoses. The threats must reflect this system, not every system.

Steer the output. Remove generic threats. Add threats that reflect the specific architecture: shared VPN key, single IT administrator, patient data sensitivity, donor compliance requirements.

Step 5: Prioritize Threats

Not every threat in the STRIDE analysis deserves equal attention. Prioritize based on the system's architecture and business context.

Information disclosure of patient health records is a different severity in a small Haitian community than in an anonymous urban hospital. The VPN connecting six clinics with a shared key means one compromise could reach all sites. The single IT administrator means there is no backup if Frantz's credentials are compromised.

Fill in the Threat Prioritisation section of the template. AI may resist prioritization -- it tends to rate everything as "High." Push for system-specific justification for each rating.

Step 6: ATT&CK TTP Selection

Open materials/ttp-selection-template.md. This template structures your technique selection.

The threat model you just built identifies what could go wrong. The TTP selection identifies how you will test for it. Each ATT&CK technique you select should trace back to a specific threat in your STRIDE analysis.

Direct Claude to help select ATT&CK techniques:

Based on the STRIDE threat model, help me select ATT&CK techniques for the TTP selection template. Each technique should map to a specific threat we identified.

AI commonly selects far too many techniques when asked for a TTP selection. It pulls from the full ATT&CK matrix regardless of what is relevant. Your threat model is the filter -- if a technique does not address an identified threat, it does not belong in this selection.

Step 7: Visualize in ATT&CK Navigator

Load your selected techniques into the MITRE ATT&CK Navigator to create a visual heat map of where the engagement will focus.

The Navigator shows which tactics and techniques are covered. Gaps in the heat map are acceptable -- you are testing specific threats, not trying to cover the entire matrix. The visualization helps you see the overall engagement shape: are you focused on initial access and credential exploitation, or spread across multiple tactics?