RED×BLUE

Threat Playbook

Adversary vectors paired with the defensive controls that close them. Read top-to-bottom — engagements are sorted by severity. Baseline controls below apply across the surface.

Severe

Moderate

Low

Baseline

Severe · Act Now

1 engagement

SEVERER-01↔B-02Mobileye HudsonRock Cavalier indicator — priority credential-exposure leadModerate confidence

Red · Adversary VectorR-01

Mobileye HudsonRock Cavalier indicator — priority credential-exposure lead

Single concrete credential-exposure lead in the entire surfaced surface. The HudsonRock Cavalier endpoint https://cavalier.hudsonrock.com/api/json/v2/osint-tools/search-by-username?username=mobileye returned HTTP 200, which is very unlikely to be a clean negative. Adversary path: authenticate Cavalier → retrieve records → exploit reused credentials against Mobileye and (via SSO bleed) Intel parent SSO / SaaS / VPN endpoints. Operator should perform authenticated retrieval as b_02 before drawing operational conclusions.

Blue · Defensive ControlB-02

Authenticated HudsonRock Cavalier retrieval and Mobileye credential rotation

Perform authenticated retrieval against HudsonRock Cavalier for the mobileye username and any adjacent indicators (mobileye.com domain, Mobileye executive emails). For any returned infostealer record, force credential rotation for the implicated account, audit downstream SSO trust between Mobileye tenant and Intel parent SSO, and check for evidence of token-replay / session-hijack. Confirm whether the SSO topology shares trust between Mobileye and Intel — if yes, treat as Intel-wide exposure; if no, contain at Mobileye tenant. Repeat the enumeration on related brand usernames (mobileyeglobal, mobileye-intel, MBLY-named accounts).

Moderate · Plan Mitigation

5 engagements

MODERATER-03↔B-03Spear-phishing of publicly identified Intel executive rosterHigh

RedR-03

Spear-phishing of publicly identified Intel executive roster

Recon names the full current and immediate-past Intel executive roster and surfaces initials/full-name handles across X, Bluesky, Substack. Standard firstname.lastname@intel.com patterns are inferable. Adversary path: scrape → derive pattern → deliver targeted lures referencing the leadership transition, CHIPS Act news, or the Tan/China story. Confidence that the vector is operationally available is high; ultimate effectiveness depends on Intel's defensive controls (DMARC, gateway filtering, training) which were not surfaced. Paired with b_03.

BlueB-03

DMARC p=reject + MFA across SSO / M365 / GitHub / AWS + executive-tier protection

Confirm DMARC enforcement at p=reject on intel.com and major subsidiary domains. Confirm MFA across SSO, M365 / Google Workspace, GitHub Enterprise, AWS / Azure / GCP tenants, and any developer-tool SaaS used by the Intel design organization (Jira, Confluence, GitLab, Slack). For named executives (ent_002, ent_003, ent_004, ent_005), enable highest-tier account protection (advanced protection program / passkeys / hardware MFA), and require out-of-band verification for any policy-exception request bearing their name. Email gateway should sandbox attachments and rewrite URLs for executive-tier accounts.

MODERATER-02↔B-01Executive / brand impersonation on Bluesky, Telegram, HuggingFaceModerate

RedR-02

Executive / brand impersonation on Bluesky, Telegram, HuggingFace

Surfaced impersonation-prone surface includes a 2024-11-25 DID-confirmed Bluesky account (patgelsinger.bsky.social, content unverified — could be authentic principal or satirical impersonator), a Telegram channel explicitly flagged by recon as likely impersonation (t.me/patrickgelsinger), and unverified corporate-name handles across Bluesky, TikTok, HuggingFace. Adversary path: weaponize an existing impersonation handle, publish under the Intel / Mobileye / executive name, drive phishing, disinformation, or partner-vendor social engineering. Likely high effectiveness against audiences without an authoritative verified-roster reference. See b_01.

BlueB-01

Verified-handle registry and impersonation monitoring across Bluesky / Telegram / HuggingFace

Maintain an authoritative verified-handle registry for Intel, Mobileye, Intel Foundry, and named executives across Bluesky, Telegram, HuggingFace, X, TikTok, Substack, Flipboard. Reach out for platform verification (Bluesky DID verification, Telegram official-channel claim, HuggingFace organization claim) on all known handles; file takedowns or platform-impersonation reports against unverified squatters. Publish the canonical handle list on a corporate-owned domain so partners, press, and employees can authenticate content. Specifically targets the Gelsinger-Bluesky (ent_021), t.me/patrickgelsinger, t.me/intelfoundry, and intelcorporation cross-platform surfaces.

MODERATER-04↔B-07Geopolitical-narrative-themed lures (CHIPS Act / China / Tan story)Moderate

RedR-04

Geopolitical-narrative-themed lures (CHIPS Act / China / Tan story)

The reversed Trump-Tan resignation episode and CHIPS-Act-vs-China-nexus tension are uniquely usable lure material — adversary crafts pretexts around imminent leadership change, congressional subpoena, BIS/OFAC expansion, or CHIPS compliance correspondence. Likely high believability against Intel staff, supply-chain partners, and CHIPS Program Office counterparties actively tracking the story. Paired with b_07.

BlueB-07

Geopolitical-narrative-aware phishing simulation and awareness program

Run phishing-simulation campaigns themed on the active China-nexus / CHIPS Act / Trump-Tan narrative — those are the lures actually circulating in the threat environment per r_04. Brief the workforce, especially supply-chain partners and government-affairs staff, on the believable templates derived from the public story. Update awareness training to cover narrative-driven pretexting rather than generic IT-help-desk pretexts.

MODERATER-06↔B-08Influence operations targeting Intel leadership credibilityModerate

RedR-06

Influence operations targeting Intel leadership credibility

Unique narrative-attack opportunity from (a) active China-nexus debate, (b) the reversed Presidential resignation call, (c) the Cadence penalty, (d) impersonation-prone social handles. Adversary path: coordinated inauthentic amplification of the China-nexus story, manufactured Tan documents seeded to congressional staff / press, push for renewed resignation pressure. Likely material to share price and CHIPS Act tranche disbursement cadence. Paired with b_08.

BlueB-08

Brand and narrative monitoring / counter-influence watch

Stand up continuous monitoring for coordinated inauthentic activity targeting Intel leadership credibility — particularly amplification of the China-nexus narrative, manufactured Tan documents, or simulated congressional pressure. Watch the surfaced platforms (Bluesky, Telegram, X, HuggingFace, TikTok) and the underrepresented ones (Mastodon, where Intel currently has no surfaced presence per ev_027). Coordinate with Intel's investor relations and government-affairs teams on rapid-rebuttal capacity.

MODERATER-05↔B-04Supply-chain compromise via Cadence (EDA vendor) trust relationshipLow

RedR-05

Supply-chain compromise via Cadence (EDA vendor) trust relationship

Cadence is both Intel's CEO's former employer and a major EDA tool vendor to Intel's design organization. The $140M Cadence export-control penalty (ev_015) demonstrates Cadence is on US-enforcement radar. Adversary path: compromise Cadence build/distribution infrastructure → ship implant via trusted EDA toolchain → access in-flight chip-design IP and signing material. Unlikely easy for opportunistic adversaries; roughly even chance within reach of sophisticated state actors. No specific compromise is surfaced — vector based on relationship topology, not observed indicators. Paired with b_04.

BlueB-04

EDA-vendor supply-chain audit (Cadence + peers) with artifact signing and build-time integrity

Audit the chain of trust between Intel's chip-design organization and Cadence (plus Synopsys, Mentor, Ansys, and other EDA vendors). Confirm reproducible build / signed artifact controls for EDA tool deployments. Restrict tool-update channels to operator-approved registries; require dual-control review for any out-of-cycle vendor update. Engage Cadence's product-security team on shared monitoring for build-system anomalies. Treat the Cadence relationship as elevated-trust given the July 2025 enforcement penalty (ev_015) and CEO-tenure overlap.

Low · Monitor

1 engagement

LOWR-07↔B-06Regulatory-shadow disclosure pretext attacks (BIS / OFAC / Hill correspondence)Low

RedR-07

Regulatory-shadow disclosure pretext attacks (BIS / OFAC / Hill correspondence)

Cadence's July 2025 penalty is documented pretext for impersonated BIS / OFAC / DOJ / congressional correspondence requesting Tan-related disclosures. Adversary path: phish Intel legal / compliance / CHIPS-program-office liaisons → trigger drafted disclosure response → exfiltrate sensitive draft material. Standalone severity is low; combines synergistically with r_03 and r_04. Paired with b_06.

BlueB-06

CHIPS Act compliance audit + executive-disclosure pretext awareness

Verify that all CHIPS Act compliance correspondence with the Department of Commerce / NIST CHIPS Program Office goes through a single named operational channel with cryptographic counter-signing (PGP / S/MIME). Brief Intel legal, compliance, and CHIPS-program liaisons on impersonated-government-correspondence pretext patterns that leverage the Cadence enforcement story (ev_015). Maintain a documented authoritative point of contact list on the DoC side; require out-of-band verification (phone-back to a known number) before responding to enforcement-styled requests.

Baseline · Surface-Wide

2 controls

B-05Baseline

Insider-threat / privileged-disclosure monitoring around the executive-transition window

Leadership-transition windows historically correlate with elevated insider-threat risk (departing-executive data exfil, transition-period access-control drift). Run focused insider-threat detection sweeps on the December 2024 Gelsinger departure and the March 2025 Tan onboarding windows: access reviews, mass-download alerts, privileged-account-creation audits, and unusual M&A / IP / financial data movement. Apply the same discipline to any future C-suite change.

B-09Baseline

Public-asset inventory across Intel and majority-owned subsidiaries

Recon surfaced zero technical attack-surface for Intel — no subdomains, IPs, repositories, or vulnerabilities — which almost certainly reflects the limits of the enabled tool set rather than the absence of surface. Build and maintain an authoritative external-asset inventory across Intel, Mobileye, Intel Foundry Services, Altera, and any other majority-owned subsidiary domain. Subject the inventory to scheduled DMARC / TLS / WAF posture review. The absence of evidence here is itself the audit finding: until the inventory exists, the operational security posture cannot be assessed.