
Operation Desert Hydra

AI-assisted CTI pipeline: MuddyWater public sources → OpenCTI → 11 detection records → 14 PASS / 1 PARTIAL / 1 FAIL across 16 rule checks → Kibana

Operation Desert Hydra: CTI Pipeline

What This Is

Operation Desert Hydra is a complete CTI-to-detection pipeline focused on MuddyWater / Seedworm, an intrusion set widely reported by government and vendor sources as Iran-linked and associated with MOIS, and on its targeting of Israeli government, defense, and critical infrastructure. The pipeline enforces a full chain: public sources → structured procedures → OpenCTI knowledge graph → detection rules → benign lab simulation → Kibana proof screenshots.

Everything is on GitHub: github.com/anpa1200/operation-desert-hydra. One repository contains everything needed to reproduce the full pipeline from a clean machine.

The Pipeline — 6 Phases

Phase 1: Source Gathering

AI-assisted deep research across 71 candidate sources. Parallel Gemini + OpenAI passes, review gate, 8 government/vendor sources promoted.


Phase 2: Procedure Dataset

10 source-bound procedure records with evidence labels (Observed/Reported/Assessed), ATT&CK mappings, and detection opportunity notes.


Phase 3: OpenCTI

Self-hosted OpenCTI 6.2 knowledge graph: MuddyWater intrusion set, 9 malware, 4 tools, 21 ATT&CK techniques, 20 source reports.


Phase 4: Detection Atlas

11 detection records with SIEM-agnostic pseudologic, coverage scores, false positive classes, and design rationale.


Phase 5: Validation Lab

One-command lab: Docker + Vagrant Windows 10 VM + Ansible provisioning. 11 benign simulations, 12 Kibana proof screenshots.


Phase 6: Coverage Matrix

21 procedure techniques + 7 from source set. 16 techniques (76%) fully validated. 6 capability gates that determine your effective coverage floor.


Key Results

Validation: 14 PASS / 1 PARTIAL / 1 FAIL

16 rule checks across 11 detection records — some detections have multiple rules tested separately. Every PASS has a Kibana screenshot. Failures are documented with root cause and fix path. 9 of 11 detections have coverage score ≥ 4 (lab-validated).

11 Detection Records

SIEM-agnostic pseudologic, expressed in Sigma, KQL, Elastic JSON, and SPL. Coverage scores: 5 = lab-validated, multi-source; 4 = lab-validated, single-source; 3 = validation incomplete or failed (with the reason documented). 9 detections score ≥ 4; 2 score 3.

8 Promoted Sources

From 71 AI-assisted candidate sources, 8 government and vendor sources survived the analyst review gate: CISA AA22-055A, INCD 2023, INCD 2024, and five supporting vendor sources.

21 ATT&CK Techniques (procedure dataset)

Mapped across 8 tactics. 16 techniques (76%) fully lab-validated. 6 capability gates determine your effective coverage floor.
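The scoring scheme (5/4/3) and the idea that capability gates set an effective coverage floor are stated on this page but not shown as logic. The following is an added illustration, not code from the operation-desert-hydra repository: detection records, rule-check results, gate names and the four technique IDs are constructed for the example, and the gate rule (a detection only counts when every telemetry capability it depends on is present) is an assumption about how the project's gates work. The per-record score follows the page's scheme: any non-PASS rule check drops the record to 3; otherwise 5 for multi-source validation and 4 for single-source.

```python
"""Coverage scoring and capability-gated coverage floor (added example).

Not part of the operation-desert-hydra project. Record names, rule names,
gate names and the sample technique IDs are constructed; the 5/4/3 scoring
rule is the one described on the page, and the gate logic is an assumption.
"""
from dataclasses import dataclass

PASS, PARTIAL, FAIL = "PASS", "PARTIAL", "FAIL"


@dataclass
class Detection:
    name: str
    techniques: set    # ATT&CK technique IDs this record is mapped to
    gates: set         # telemetry capabilities the rule logic depends on (assumed names)
    checks: dict       # rule name -> lab result (PASS / PARTIAL / FAIL)
    sources: int = 1   # distinct log sources the lab validation exercised


def coverage_score(d: Detection) -> int:
    """Page's scheme: 5 = lab-validated multi-source, 4 = lab-validated
    single-source, 3 = validation incomplete or failed."""
    if any(result != PASS for result in d.checks.values()):
        return 3
    return 5 if d.sources > 1 else 4


def summarize_checks(dets) -> dict:
    """Count rule checks by outcome across all records (one record may hold
    several rules, each tested separately)."""
    counts = {PASS: 0, PARTIAL: 0, FAIL: 0}
    for d in dets:
        for result in d.checks.values():
            counts[result] += 1
    return counts


def effective_detections(dets, capabilities: set):
    """Gate rule (assumption): a detection is only usable in an environment
    that provides every capability it depends on."""
    return [d for d in dets if d.gates <= capabilities]


def coverage_floor(dets, capabilities: set):
    """Return (validated techniques, all mapped techniques) after gating.
    A technique is 'validated' only if some usable record covering it scores >= 4."""
    all_techniques = set().union(*(d.techniques for d in dets))
    usable = [d for d in effective_detections(dets, capabilities) if coverage_score(d) >= 4]
    validated = set().union(*(d.techniques for d in usable)) if usable else set()
    return validated, all_techniques


# Constructed sample atlas: four records, five rule checks, three gates.
SAMPLE = [
    Detection("ps_encoded_cmd", {"T1059.001"}, {"powershell_scriptblock"},
              {"r1": PASS, "r2": PASS}, sources=2),
    Detection("lateral_rdp", {"T1021.001"}, {"sysmon_network"}, {"r1": PASS}),
    Detection("schtask_persist", {"T1053.005"}, {"sysmon_process"}, {"r1": PARTIAL}),
    Detection("ingress_transfer", {"T1105"}, {"sysmon_process", "proxy_logs"}, {"r1": PASS}),
]
FULL_TELEMETRY = {"powershell_scriptblock", "sysmon_network", "sysmon_process", "proxy_logs"}


if __name__ == "__main__":
    for d in SAMPLE:
        print(f"{d.name:18s} score={coverage_score(d)}")
    print("rule checks:", summarize_checks(SAMPLE))
    for caps in (FULL_TELEMETRY, FULL_TELEMETRY - {"proxy_logs"}):
        validated, total = coverage_floor(SAMPLE, caps)
        print(f"{len(validated)}/{len(total)} techniques validated with gates {sorted(caps)}")
```

Running the block shows the floor moving: with all four capabilities the sample validates 3 of 4 techniques (the PARTIAL record never counts), and removing one gate drops the record that depends on it and the floor falls to 2 of 4, which is the effect the coverage matrix's gates are meant to make explicit.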

Reproduce It

Clone, fill in the three secrets, and bring up the full stack with one command:

git clone https://github.com/anpa1200/operation-desert-hydra.git
cd operation-desert-hydra
cp stack/.env.template stack/.env
# fill in ELASTIC_PASSWORD, OPENCTI_ADMIN_PASSWORD, OPENCTI_ADMIN_TOKEN
bash start.sh
# → OpenCTI: http://localhost:8080
# → Kibana:  http://localhost:5601

Prerequisites: Docker, VirtualBox, Vagrant, Ansible, Python 3 + pywinrm. All 11 simulations run automatically (~10 min).
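Before running start.sh it is worth confirming the prerequisites above are actually installed and that stack/.env has all three secrets filled, since a missing tool or an empty variable tends to surface only part-way through provisioning. The script below is an added pre-flight check, not part of the operation-desert-hydra repository: the binary names it looks for (docker, VBoxManage, vagrant, ansible-playbook, python3) and the KEY=VALUE .env layout are assumptions; the three variable names are the ones the page tells you to fill in.

```python
"""Pre-flight check for the lab prerequisites (added example).

Not part of the operation-desert-hydra project. Binary names and the
KEY=VALUE .env format are assumptions; the required variable names come
from the page's setup snippet.
"""
import shutil
import sys

# Tool label -> executable expected on PATH (assumed names).
REQUIRED_TOOLS = {
    "Docker": "docker",
    "VirtualBox": "VBoxManage",
    "Vagrant": "vagrant",
    "Ansible": "ansible-playbook",
    "Python 3": "python3",
}
# Variables the page says must be filled in stack/.env before start.sh.
REQUIRED_ENV = ("ELASTIC_PASSWORD", "OPENCTI_ADMIN_PASSWORD", "OPENCTI_ADMIN_TOKEN")


def missing_tools(which=shutil.which) -> list:
    """Return labels of required tools not found on PATH.
    `which` is injectable so the check can be exercised without the tools."""
    return [label for label, binary in REQUIRED_TOOLS.items() if which(binary) is None]


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines, skipping blanks and comments, stripping quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def missing_env(text: str) -> list:
    """Required variables that are absent or left empty in the .env text."""
    env = parse_env(text)
    return [key for key in REQUIRED_ENV if not env.get(key)]


def pywinrm_available() -> bool:
    """pywinrm installs as the `winrm` module; Ansible needs it for the Windows VM."""
    try:
        import winrm  # noqa: F401
        return True
    except ImportError:
        return False


def preflight(env_path: str = "stack/.env") -> list:
    """Collect every problem found; an empty list means it is safe to run start.sh."""
    problems = [f"missing tool: {t}" for t in missing_tools()]
    if not pywinrm_available():
        problems.append("python module 'winrm' (pywinrm) not importable")
    try:
        with open(env_path, encoding="utf-8") as fh:
            problems += [f"{k} not set in {env_path}" for k in missing_env(fh.read())]
    except FileNotFoundError:
        problems.append(f"{env_path} not found (cp stack/.env.template stack/.env)")
    return problems


if __name__ == "__main__":
    found = preflight(sys.argv[1] if len(sys.argv) > 1 else "stack/.env")
    for p in found:
        print("FAIL:", p)
    print("pre-flight OK" if not found else f"{len(found)} problem(s) found")
    sys.exit(1 if found else 0)
```

Run it from the repository root as `python3 preflight.py` (or pass another .env path) and fix every FAIL line before invoking start.sh; an exit status of 1 makes it usable as a guard in a wrapper script.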

Full Reproduce Instructions

Related Projects

CTI Analyst Field Manual

Practitioner tradecraft: PIRs, evidence handling, attribution, source reliability, infrastructure pivoting, hunting hypotheses, detection backlog, SOC handoff, and 10 reusable analyst templates.


CTI as a Code

Lab platform and structured training framework. Docker Compose stack (OpenCTI, TheHive, Cortex, Elastic SIEM) and 8 analyst assignments — including reactive exercises that cover the MuddyWater tradecraft this pipeline investigates.


Israel Government Threat Actors CTI

Defensive knowledge base for threat actors targeting Israeli government, public-sector, critical infrastructure, and adjacent suppliers. Actor profiles, ATT&CK mappings, and detection examples. Blue-team only.


Customer-Driven AI CTI

Gate-controlled CTI-to-detection delivery methodology from customer requirements and PIRs/SIRs to detection backlog, SOC handoff, and measurable defensive outcomes.


AI vs Defense

How AI-assisted offense changes the threat model: skill-floor collapse, Pyramid of Pain reanalysis, legacy detection failures, behavioral detection strategy, and the SOC 90-day adaptation playbook.
