RED × BLUE

Threat Playbook

Adversary vectors paired with the defensive controls that close them. Read top-to-bottom — engagements are sorted by severity. Baseline controls below apply across the surface.

Severe

Moderate

Low

Baseline

Severe · Act Now

2 engagements

SEVERE R-01 ↔ B-01 Credential-stuffing the named C-suite via Hunter pattern + breach corpora High confidence

Red · Adversary Vector R-01

Credential-stuffing the named C-suite via Hunter pattern + breach corpora

Recon enumerates Hunter pattern {f}{last}@iqt.org and ten named senior staff (Steve Bowsher CEO, Dan Geer CISO, Peter Bronez CDO, plus seven SVPs / Partners / Directors). Breach corpora hit 9 of 10 sampled mailboxes — sbowsher@iqt.org alone appears in DemandScience, Evite, LinkedIn, Adapt, LinkedInScrape-2021, ATT-Speculated, Twitter-Scraped, Verifications, Disqus. The plaintext linda@iqt.org:2483000q is the single highest-confidence stuffing primitive. An adversary will very likely attempt this against IQT's Duo-fronted SSO; success is unlikely there but very likely against personal-cloud and third-party SaaS where the same passwords were reused.

Blue · Defensive Control B-01

Enforce Duo SSO MFA + automated breach-aware credential rotation

IQT already runs Cisco Duo SSO across the workforce (ent_034). Add an automated rotation trigger: any @iqt.org mailbox appearing in a HIBP / commercial-breach-feed match forces a password reset within 24h. Push specifically: rotate the nine mailboxes (sbowsher, kbojack, imyauo, mchadwick, bsmith, glewis, jwilder, cfarley, vpetkoski) that surfaced in DemandScience / Adapt / Verifications / Apollo / LinkedInScrape-2021, regardless of perceived staleness. Maintain credential-rotation cadence on a 90-day basis as a baseline.

SEVERE R-02 ↔ B-02 C-suite spear-phishing with IQT-portfolio-thematic lures Moderate confidence

Red · Adversary Vector R-02

C-suite spear-phishing with IQT-portfolio-thematic lures

The combination of named roles (Hunter + LinkedIn) plus public portfolio context (Rigetti S-1/A, D-Wave SPAC, Echodyne FCC petition) gives an adversary an unusually rich lure vocabulary. A 'D-Wave Series C deck' message to sbowsher@iqt.org is very likely opened. DMARC blocks naive spoofing but does not block lookalike domains or display-name games. Confidence is moderate because IQT's defensive maturity (DMARC, Duo, OnDMARC reporting) probably raises the per-message success probability low enough that volume becomes the limiting factor.

Blue · Defensive Control B-02

Lookalike-domain detection + display-name-anomaly filter on inbound mail

DMARC p=reject already blocks direct from-self spoofing. Extend with: (1) lookalike-domain registration monitoring — alerts on iqt-org.com, iqtinc.org, iqt-corporation.com, iqt.us, etc.; (2) display-name-anomaly detection — a 'Steve Bowsher' display name arriving from any address that is not sbowsher@iqt.org; (3) executive-mailbox URL-rewriting at the Office 365 gateway so unsafe-link clicks resolve through a sandboxed proxy.

Moderate · Plan Mitigation

3 engagements

MODERATE R-05 ↔ B-05 Portfolio-supply-chain lateral movement High

Red R-05

Portfolio-supply-chain lateral movement

IQT's portfolio is a documented attack-graph edge set. Palantir's current DOGE involvement (r_06-adjacent) raises the priority. Quantum-computing portfolio companies (Rigetti, D-Wave) are nation-state targets in their own right. The vector is: 'attack the portfolio → harvest IQT-side trust → escalate.' Confidence is high that the graph is enumerable (S-1/A filings are publicly indexed); confidence in any specific exploitation path is moderate absent further trust-boundary evidence.

Blue B-05

Document and monitor portfolio trust boundaries

IQT's trust relationship with portfolio companies (Palantir, Rigetti, D-Wave, Nauticus, Exyn, Mapbox, Plotly, JuliaHub) is in the public record via SEC S-1/A filings and Wikidata. Internally, maintain an explicit register of which portfolio companies have privileged access to IQT systems (evaluation environments, shared SSO, code repositories, internal Slack/Mattermost), and monitor for IOCs on the portfolio side. Treat a portfolio-company compromise as a near-term IQT-side incident-response trigger.

MODERATE R-03 ↔ B-03 Plaintext credential reuse — linda@iqt.org:2483000q Moderate

Red R-03

Plaintext credential reuse — `linda@iqt.org:2483000q`

One plaintext credential pair surfaced in the ProxyNova Compilation of Many Breaches. The password 2483000q is short and structurally weak (8 chars, lowercase + digits). Whether it remains valid against any service is unverifiable without an active probe (out of scope), but defensive priority is high: rotate, audit downstream-SaaS reuse, and investigate the legacy single-first-name mailbox pattern. The mailbox may be a shared / legacy account; if so, decommission or migrate to a distribution list.

Blue B-03

Rotate linda@iqt.org credential; audit the legacy single-first-name pattern

The plaintext pair linda@iqt.org:2483000q is published in the ProxyNova COMB. Assume the password is in active rotation across whichever third-party services linda@iqt.org registered with. Immediate actions: (1) force a password reset on the mailbox; (2) audit downstream-SaaS where the mailbox is the login identifier; (3) determine whether the legacy first-name-only pattern reflects a shared mailbox — if so, decommission, migrate to a distribution group, or convert to a {f}{last} alias with the legacy address forwarding only.

MODERATE R-04 ↔ B-04 Pretexting via .ai WHOIS leak of NOC George Lewis Moderate

Red R-04

Pretexting via .ai WHOIS leak of NOC George Lewis

The .ai TLD via Key-Systems / Identity Digital exposes what the .org TLD redacts. George Lewis, ARIN handle LEWIS237-ARIN, IQT NOC technical contact for AS393900, 2107 Wilson Blvd Suite 1100 Arlington VA 22201, +1-202-713-5227, glewis@iqt.org. An adversary attempting an AWS support-call pretext, a Cisco Duo emergency-bypass, or a registrar-side DNS transfer has the complete contact bundle pre-validated. The mitigation is structural (privacy-preserving registrants for non-redacting TLDs), not behavioral.

Blue B-04

Use privacy-preserving registrants for non-redacting TLDs

PIR (.org) and Tucows redact registrant data by default; Identity Digital (.ai) does not, and Key-Systems GmbH did not redact iqtlabs.ai. Re-register iqtlabs.ai (and any other non-PIR/Tucows IQT domains) through a privacy service or corporate-shell registrant. Treat the existing leaked contact bundle for George Lewis as published for the lifetime of the domain — train the IQT-vendor-contact path to require out-of-band confirmation for any inbound 'we got your WHOIS info' contact.

Low · Monitor

1 engagement

LOW R-07 ↔ B-06 RFC1918 backend leakage via public CNAMEs Moderate

Red R-07

RFC1918 backend leakage via public CNAMEs

gitlab.iqt.org resolves through an opaque-named ELB to 10.204.156.85; bitwarden.iqt.org resolves to 10.205.222.{49,94,121}. From a defender's perspective this is a minor information-disclosure: an adversary with no foothold gains nothing actionable. With a foothold, the disclosure shortens the internal-discovery phase. Low severity, moderate confidence — fixable by switching to opaque internal hostnames, but a low-priority hardening item.

Blue B-06

Opaque CNAME mapping for internal services

Replace public CNAMEs that resolve to internal AWS ELB names (e.g., gitlab.iqt.org → lb-a-gitlab-1357a76da111c14b.elb.us-east-1.amazonaws.com) with opaque internal aliases (service-a.internal.iqt.local etc.). Eliminates one source of internal-topology fingerprinting for any adversary who reaches the public DNS layer. Low-effort, low-impact, but a clean hardening item.

Baseline · Surface-Wide

3 controls

B-07 Baseline

Continuous CT-log monitoring of *.iqt.org and sister domains

Subscribe to CertSpotter or equivalent CT-log monitor for iqt.org, bnext.org, iqtlabs.ai, iqtlabs.net, iqtlabs.org. Any newly-issued certificate for a previously-unseen subdomain triggers a defender alert — short-circuits the certspotter-driven adversary recon path that Corvus itself used to enumerate the IQT surface.

B-08 Baseline

Vendor-risk monitoring of CDN edge (Webflow / Fastly / CloudFront)

Public-marketing site is fronted by Webflow (Fastly-backed); B.Next is on CloudFront. CDN-side incidents (Fastly 2021 outage, CloudFront origin-leak misconfigurations) are out-of-band risks IQT cannot directly control. Monitor for Webflow / Fastly / CloudFront security advisories that materially affect the IQT properties, and maintain a fall-back static-hosting plan for at least the public iqt.org marketing surface.

B-09 Baseline

Audit legacy infrastructure declarations (192.132.59.0/24, 2001:668:112::/47)

The historic on-prem prefixes appear stale (RIPEstat not announced, no live BGP) but the public Wikidata declaration for the IPv6 prefix lingers. Formally release the prefixes back to ARIN / coordinate with upstream to clear the legacy record, or document internally why they are retained. Reduces the kj_007 ambiguity surface to zero from the defender's side.