OD1.3 Constraint Analysis — Budget, Time, and Capability

Operational Objective

You're investigating an incident. You can't ask the attacker who they are. You have to infer it from what they do — and what they do is shaped by their constraints.

Classifying the attacker matters because a ransomware affiliate with a 48-hour timeline requires a different response from a state-sponsored operator with unlimited patience. The four constraints — budget, time, capability, and risk tolerance — combine into recognizable profiles you can identify from telemetry within the first hours of an investigation. The profile tells you the likely objective, the expected pace, and what the attacker will do next.

Learning Objectives

By the end of this sub you will be able to:

• Assess all four constraints (budget, time, capability, risk tolerance) from operational telemetry — the same framework that CrowdStrike's threat intelligence team uses to classify adversary groups into tiers before formal attribution is available. This matters because constraint profiling gives you an actionable adversary classification within hours, while formal threat intelligence attribution takes weeks.

• Map a constraint profile to a predicted operational pattern — whether the attacker will move fast or slow, use commodity or custom tools, accept noise or prioritize stealth, and adapt or abandon when blocked. This matters because the profile determines your response urgency and strategy: immediate containment for a short-timeline financial operator, careful scoping for a long-timeline intelligence operator.

• Recognize the five standard constraint profiles (ransomware affiliate, RaaS operator, state-sponsored espionage, initial access broker, insider threat) from operational behavior. This matters because each profile has a different detection opportunity — dense telemetry clusters for ransomware, time-series anomalies for espionage, data-handling patterns for insiders.

Budget determines tooling

An attacker's budget determines what tools they can afford and what infrastructure they can sustain. This relationship is direct and observable.

A low-budget attacker uses commodity tools: leaked copies of Cobalt Strike, open-source C2 frameworks like Sliver or Mythic, publicly available exploit code, free cloud infrastructure with stolen credentials or trial accounts. The tooling is functional but recognizable. Your detection rules probably cover the default configurations because the same tools have been observed in thousands of previous incidents.

A high-budget attacker uses custom tools: purpose-built implants with unique communication protocols, zero-day exploits acquired from vulnerability researchers or developed in-house, dedicated infrastructure on commercial hosting with legitimate business fronts. The tooling is designed to evade the detection rules that catch commodity tools.

Defensive translation: the tool sophistication tells you the budget. Cobalt Strike with default malleable profile = low budget. Custom implant with a novel communication protocol = high budget. But there's a nuance — commodity tools used cleverly can be as effective as custom tools. A Cobalt Strike beacon with a carefully crafted malleable profile and domain-fronted C2 is harder to detect than a custom implant with sloppy OPSEC. Budget correlates with capability but doesn't determine it.

Time determines pace

The timeline constraint is the most visible in telemetry.

Short-timeline attackers move fast. Ransomware affiliates typically aim to move from initial access to encryption within one to three days. They run discovery commands in rapid succession — whoami, net group "Domain Admins", nltest /dclist: — all within minutes of landing. They dump credentials aggressively, move laterally to as many systems as they can reach quickly, and begin staging ransomware before the SOC has finished triaging the initial alert.

Long-timeline attackers move slowly. Espionage operators may wait days between actions. They run one discovery command, analyse the output, wait 48 hours, then run the next. They schedule their activity during business hours to blend with legitimate traffic. Their persistence mechanisms are designed for months of operation: web shells in rarely audited directories, scheduled tasks with innocuous names, dormant accounts with just enough permissions.

Defensive translation: the time between events in your telemetry is a direct indicator. Minutes between events = short timeline (likely financial). Hours to days = long timeline (likely intelligence or access). The pace is one of the most reliable indicators because it's the hardest thing for an attacker to fake — a ransomware affiliate can't afford to wait three days between steps, and an espionage operator doesn't need to rush.

Capability determines sophistication

Capability is the attacker's technical depth — what they can build, adapt, and execute.

Low-capability attackers follow documented procedures. They use tools with default configurations, execute attacks as described in blog posts, and struggle when something unexpected happens. If their primary tool is blocked, they don't adapt — they move to the next target.

High-capability attackers adapt in real time. They modify tools to evade specific defenses, develop new techniques when existing ones fail, and understand the target's security architecture well enough to navigate around monitored paths. When a rule detects their activity, they analyse the detection and adjust.

Defensive translation: technique novelty is the indicator. If every technique maps cleanly to known ATT&CK entries with documented detection, you're facing a low-to-medium capability adversary. If you observe techniques that don't map cleanly, or known techniques with novel evasion, you're facing higher capability. Against high-capability adversaries, your detection rules need continuous adaptation because the adversary is adapting to them.

Risk tolerance determines noise

Risk tolerance is the attacker's willingness to accept the possibility of detection.

High risk tolerance means the attacker accepts noise. Ransomware operators in the final stages don't care if they trigger alerts — the encryption is running before the SOC responds. Destructive operators accept detection because the damage is done before the response can prevent it.

Low risk tolerance means stealth above speed. Espionage operators abort at the first sign of detection. Supply chain operators protect their access because it took months to establish. State-sponsored actors protect their custom tools because each represents significant R&D investment.

Defensive translation: loud operations — mass credential dumping, rapid lateral movement, tools with default configurations — indicate high risk tolerance and a short-timeline objective. Quiet operations — minimal discovery, slow movement, careful cleanup — indicate low risk tolerance and a long-timeline objective.

Constraint profiles in practice

The four constraints combine into profiles you can recognise during investigations.

Ransomware affiliate. Low-to-medium budget. Short time (24–72 hours). Medium capability. High risk tolerance. Detection opportunity: the rapid pace creates dense telemetry clusters detectable through temporal correlation — many events on few systems in short timeframes.

RaaS operator. Medium budget. Short-to-medium time (1–7 days). High capability (the RaaS developers are skilled even if affiliates aren't). Medium-to-high risk tolerance. Detection opportunity: the tooling is recognizable (RaaS platforms have known signatures) but deployment is customized per target.

State-sponsored espionage. High budget. Long time (months to years). High capability. Low risk tolerance. Detection opportunity: long dwell time means more opportunities for behavioral detection if you're looking at time-series patterns rather than individual events.

Initial access broker. Medium budget. Medium time (weeks). High capability in initial access techniques. Medium risk tolerance. Detection opportunity: brokers establish access and then go quiet — the persistence mechanism is often the only artifact until a buyer activates.

Insider threat. Zero external budget (using existing access). Variable time. Variable capability. Low risk tolerance (employment and legal consequences). Detection opportunity: the detection challenge shifts from "anomalous access" to "anomalous data handling" — volume, timing, and destination of data movement.

STEP 1 — Select an incident
   Use the same report from OD1.1/1.2, or select a new one.
   The report must describe: tools used, timeline of activity,
   and whether the attacker adapted when blocked.

STEP 2 — Assess each constraint
   Budget: What tools did the attacker use?
     Commodity (Cobalt Strike, Mimikatz, PsExec) → low/medium
     Custom implant, novel C2 protocol → high
     Write: "Budget assessment: [low/medium/high] because [evidence]"

   Time: How fast between phases?
     Initial access → lateral movement in hours → short
     Days between actions → long
     Write: "Time assessment: [short/medium/long] because [evidence]"

   Capability: Did the attacker adapt when blocked?
     Stopped or moved to next target → low
     Changed technique and continued → high
     Write: "Capability assessment: [low/medium/high] because [evidence]"

   Risk tolerance: How noisy was the operation?
     Mass credential dump, rapid movement, default configs → high
     Minimal footprint, slow movement, careful cleanup → low
     Write: "Risk tolerance: [high/medium/low] because [evidence]"

STEP 3 — Match to a profile
   Compare your four assessments to the five standard profiles.
   Write: "This matches the [profile] because [reasoning]."

STEP 4 — Predict from the profile
   Based on the matched profile, predict:
   a. The attacker's likely objective (financial, intelligence,
      disruption, or access)
   b. What they would do next if not contained
   c. Whether they would return if evicted