Provided by: SANS
Certification: GCTI Certification
Qualification level: GCTI Certification
Location: Live/Online
Study type: Distance learning
Duration: see course website
Price: see course website

About the course

THERE IS NO TEACHER BUT THE ENEMY!


Every security practitioner should attend the FOR578: Cyber Threat Intelligence course. This course is unlike any other technical training you have experienced. It focuses on structured analysis in order to establish a solid foundation for any security skillset and to amplify existing skills. The course will help practitioners from across the security spectrum to:

  • Develop analysis skills to better comprehend, synthesize, and leverage complex scenarios
  • Identify and create intelligence requirements through practices such as threat modeling
  • Understand and develop skills in tactical, operational, and strategic-level threat intelligence
  • Generate threat intelligence to detect, respond to, and defeat focused and targeted threats
  • Learn the different sources to collect adversary data and how to exploit and pivot off of it
  • Validate information received externally to minimize the costs of bad intelligence
  • Create Indicators of Compromise (IOCs) in formats such as YARA, OpenIOC, and STIX
  • Move security maturity past IOCs into understanding and countering the behavioral tradecraft of threats
  • Establish structured analytical techniques to be successful in any security role

It is common for security practitioners to call themselves analysts. But how many of us have taken structured analysis training instead of simply attending technical training? Both are important, but very rarely do analysts focus on training on analytical ways of thinking. This course exposes analysts to new mindsets, methodologies, and techniques that will complement their existing knowledge as well as establish new best practices for their security teams. Proper analysis skills are key to the complex world that defenders are exposed to on a daily basis.

The analysis of an adversary's intent, opportunity, and capability to do harm is known as cyber threat intelligence. Intelligence is not a data feed, nor is it something that comes from a tool. Intelligence is actionable information that answers a key knowledge gap, pain point, or requirement of an organization. This collection, classification, and exploitation of knowledge about adversaries gives defenders an upper hand against adversaries and forces defenders to learn and evolve with each subsequent intrusion they face.

Cyber threat intelligence thus represents a force multiplier for organizations looking to establish or update their response and detection programs to deal with increasingly sophisticated threats. Malware is an adversary's tool, but the real threat is the human one, and cyber threat intelligence focuses on countering those flexible and persistent human threats with empowered and trained human defenders.

Knowledge about the adversary is core to all security teams. The red team needs to understand adversaries' methods in order to emulate their tradecraft. The Security Operations Center needs to know how to prioritize intrusions and quickly deal with those that need immediate attention. The incident response team needs actionable information on how to quickly scope and respond to targeted intrusions. The vulnerability management group needs to understand which vulnerabilities matter most for prioritization and the risk that each one presents. The threat hunting team needs to understand adversary behaviors to search out new threats.

In other words, cyber threat intelligence informs all security practices that deal with adversaries. FOR578: Cyber Threat Intelligence will equip you, your security team, and your organization in the tactical, operational, and strategic level cyber threat intelligence skills and tradecraft required to better understand the evolving threat landscape and to accurately and effectively counter those threats.


Course Syllabus

FOR578.1: Cyber Threat Intelligence and Requirements

Overview

Cyber threat intelligence is a rapidly growing field. However, intelligence was a profession long before the word "cyber" entered the lexicon. Understanding the key points regarding intelligence terminology, tradecraft, and impact is vital to understanding and using cyber threat intelligence. This section introduces students to the most important concepts of intelligence, analysis tradecraft, and levels of threat intelligence, and the value they can add to organizations. It also focuses on getting your intelligence program off to the right start with planning, direction, and the generation of intelligence requirements. As with all sections, the day includes immersive hands-on labs to ensure that students have the ability to turn theory into practice.

Exercises

  • Using Structured Analytical Techniques
  • Consuming Along the Sliding Scale
  • Enriching and Understanding Limitations
  • Strategic Threat Modeling


CPE/CMU Credits: 6

Topics

  • Case-Study: Carbanak, "The Great Bank Robbery"
  • Understanding Intelligence
    • Intelligence Lexicon and Definitions
    • Traditional Intelligence Cycle
    • Sherman Kent and Intelligence Tradecraft
    • Structured Analytical Techniques
  • Understanding Cyber Threat Intelligence
    • Defining Threats
    • Understanding Risk
    • Cyber Threat Intelligence and Its Role
    • Expectation of Organizations and Analysts
    • Four Methods of Threat Detection
  • Threat Intelligence Consumption
    • Sliding Scale of Cybersecurity
    • Consuming Intelligence for Different Goals
    • Enabling Other Teams with Intelligence
  • Positioning the Team to Generate Intelligence
    • Building an Intelligence Team
    • Positioning the Team in the Organization
    • Prerequisites for Intelligence Generation
  • Planning and Direction (Developing Requirements)
    • Intelligence Requirements
    • Priority Intelligence Requirements
    • Beginning the Intelligence Lifecycle
    • Threat Modeling

FOR578.2: The Fundamental Skillset: Intrusion Analysis

Overview

Intrusion analysis is at the heart of threat intelligence. It is a fundamental skillset for any security practitioner who wants to use a more complete approach to addressing security. Two of the most commonly used models for assessing adversary intrusions are the "kill chain" and the "Diamond Model". These models serve as a framework and structured scheme for analyzing intrusions and extracting patterns such as adversary behaviors and malicious indicators. In this section students will participate in and be walked through multi-phase intrusions from initial notification of adversary activity to the completion of analysis of the event. The section also highlights the importance of this process in terms of structuring and defining adversary campaigns.

Exercises

  • Using Structured Analytical Techniques
  • Consuming Along the Sliding Scale
  • Enriching and Understanding Limitations
  • Strategic Threat Modeling


CPE/CMU Credits: 6

Topics

  • Primary Collection Source: Intrusion Analysis
    • Intrusion Analysis as a Core Skillset
    • Methods to Performing Intrusion Analysis
    • Intrusion Kill Chain
  • Kill Chain Courses of Action
    • Passively Discovering Activity in Historical Data and Logs
    • Detecting Future Threat Actions and Capabilities
    • Denying Access to Threats
    • Delaying and Degrading Adversary Tactics and Malware
  • Kill Chain Deep Dive
    • Scenario Introduction
    • Notification of Malicious Activity
    • Pivoting Off of a Single Indicator to Discover Adversary Activity
    • Identifying and Categorizing Malicious Actions
    • Using Network and Host-Based Data
    • Interacting with Incident Response Teams
    • Interacting with Malware Reverse Engineers
    • Effectively Leveraging Requests for Information
  • Handling Multiple Kill Chains
    • Identifying Different Simultaneous Intrusions
    • Managing and Constructing Multiple Kill Chains
    • Linking Related Intrusions
  • Collection Source: Malware
    • Data from Malware Analysis
    • Key Data Types to Analyze and Pivot On
    • VirusTotal and Malware Parsers
    • Identifying Intrusion Patterns and Key Indicators

FOR578.3: Collection Sources

Overview

Cyber Threat Intelligence analysts must be able to interrogate and fully understand their collection sources. Analysts do not have to be malware reverse engineers, for example, but they must at least understand that work and know what data can be sought from it. This section continues from the previous one in identifying key collection sources for analysts. There is also a lot of available information in what is commonly referred to as open-source intelligence (OSINT). In this section students will learn to seek and exploit information from domains, external datasets, Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates, and more, while also structuring the data so that it can be exploited for sharing internally and externally.

Exercises

  • Open-Source Intelligence and Domain Pivoting in DomainTools
  • Maltego Pivoting and Open-Source Intelligence
  • Sifting Through Massive Amounts of Open-Source Intelligence in RecordedFuture
  • TLS Certificate Pivoting
  • Storing Threat Data and Information in a Malware Information Sharing Platform (MISP)


CPE/CMU Credits: 6

Topics

  • Case Study: Axiom
  • Collection Source: Domains
    • Domain Deep Dive
    • Different Types of Adversary Domains
    • Pivoting off of Information in Domains
  • Case Study: GlassRAT
  • Collection Source: External Datasets
    • Building Repositories from External Datasets
    • Open-Source Intelligence Collection Tools and Frameworks
  • Collection Source: TLS Certificates
    • TLS/SSL Certificates
    • Tracking New Malware Samples and C2 with TLS
    • Pivoting off of Information in TLS Certificates
  • Case Study: Trickbots
  • Exploitation: Storing and Structuring Data
    • Storing Threat Data
    • Threat Information Sharing
    • MISP as a Storage Platform

FOR578.4: Analysis and Dissemination of Intelligence

Overview

Many organizations seek to share intelligence but often fail to understand its value, its limitations, and the right formats to choose for each audience. Additionally, indicators and information shared without analysis are not intelligence. Structured analytical techniques such as the Analysis of Competing Hypotheses can add considerable value to intelligence before it is disseminated. This section will focus on identifying both open-source and professional tools that are available to students, as well as on sharing standards for each level of cyber threat intelligence, both internally and externally. Students will learn about YARA and generate YARA rules to help incident responders, security operations personnel, and malware analysts. Students will gain hands-on experience with STIX and understand the CybOX and TAXII frameworks for sharing information between organizations. Finally, the section will focus on building individual intrusions into campaigns and being able to communicate about those campaigns.

Exercises

  • Analysis of Competing Hypotheses
  • Visual Analysis in Maltego
  • The Rule of 2
  • YARA Rule Development
  • STIX Framework IOC Extraction and Development
  • Building a Campaign Heat Map


CPE/CMU Credits: 6

Topics

  • Analysis: Exploring Hypotheses
    • Analysis of Competing Hypotheses
    • Hypotheses Generation
    • Understanding and Identifying Knowledge Gaps
  • Analysis: Building Campaigns
    • Different Methods of Campaign Correlation
    • Understanding Perceived Adversary Intentions
    • Leveraging the Diamond Model for Campaign Analysis
  • Dissemination: Tactical
    • Understanding the Audience and Consumer
    • Threat Data Feeds and Their Limitations
    • YARA
    • Advanced YARA Concepts and Examples
  • Case Study: Sony Attack
  • Dissemination: Operational
    • Partners and Collaboration
    • Government Intelligence Sharing
    • Traffic Light Protocol Standard
    • Information Sharing and Analysis Centers
    • CybOX, STIX, and TAXII
    • STIX Elements and Projects
    • TAXII Implementations
    • Threat Intelligence Metrics
    • Communicating About Campaigns
    • Campaign Heat Maps and Tracking Adversaries

FOR578.5: Higher-Order Analysis and Attribution

Overview

A core component of intelligence analysis at any level is the ability to defeat biases and analyze information. The skills required to think critically are exceptionally important and can have an organization-wide or national-level impact. In this section, students will learn about logical fallacies and cognitive biases as well as how to defeat them. They will also learn about nation-state attribution, including when it can be of value and when it is merely a distraction. Students will also learn about nation-state-level attribution from previously identified campaigns and take away a more holistic view of the cyber threat intelligence industry to date. The class will finish with a discussion on consuming threat intelligence and actionable takeaways for students to make significant changes in their organizations once they complete the course.

Exercises

  • Identifying Cognitive Biases in Media Reporting
  • Analysis of Intelligence Reports
  • Capstone Exercise: Debating and Attributing Election Influencing - Part 1
  • Capstone Exercise: Debating and Attributing Election Influencing - Part 2


CPE/CMU Credits: 6

Topics

  • Logical Fallacies and Cognitive Biases
    • Identifying and Defeating Bias
    • Logical Fallacies and Examples
    • Common Cyber Threat Intelligence Informal Fallacies
    • Cognitive Biases and Examples
  • Dissemination: Strategic
    • Report Writing Pitfalls
    • Report Writing Best Practices
    • Different Types of Strategic Output
  • Case Study: Stuxnet
  • Fine-Tuning Analysis
    • Identifying and Remedying New Intelligence Requirements
    • Tuning the Collection Management Framework
  • Case Study: Sofacy
  • Attribution
    • Different Types of Attribution
    • Group Attribution
    • Campaign Attribution
    • Intrusion Set Attribution
    • True Attribution
    • Geopolitical Motivations for Cyber Attacks

Who Should Attend

  • Security Practitioners. This course is a perfect match for any security skill set, from red teamers to incident responders, because it is focused on analysis skills.
  • Incident Response Team Members who respond to complex security incidents/intrusions and need to know how to detect, investigate, remediate, and recover from compromised systems across an enterprise.
  • Threat Hunters who are seeking to understand threats more fully and how to learn from them to be able to more effectively hunt threats and counter the tradecraft behind them.
  • Security Operations Center Personnel and Information Security Practitioners who support hunting operations that seek to identify attackers in their network environments.
  • Digital Forensic Analysts and Malware Analysts who want to consolidate and expand their understanding of filesystem forensics, investigations of technically advanced adversaries, incident response tactics, and advanced intrusion investigations.
  • Federal Agents and Law Enforcement Officials who want to master advanced intrusion investigations and incident response, as well as expand their investigative skills beyond traditional host-based digital forensics.
  • Technical Managers who are looking to build intelligence teams or leverage intelligence in their organizations building off of their technical skillsets.
  • SANS Alumni looking to take their analytical skills to the next level.

Prerequisites

FOR578 is a good course for anyone who has had security training or prior experience in the field. Students should be comfortable with using the command line in Linux for a few labs (though a walkthrough is provided) and be familiar with security terminology.

Some of the courses that lead into FOR578:


  • SEC401 - Security Essentials Bootcamp Style
  • SEC511 - Continuous Monitoring and Security Operations
  • FOR508 - Advanced Digital Forensics, Incident Response & Threat Hunting
  • FOR572 - Advanced Network Forensics
  • FOR526 - Memory Forensics In-Depth
  • FOR610 - REM: Malware Analysis
  • ICS515 - ICS Active Defense and Incident Response


Students who have not taken any of the above courses but have real-world experience or have attended other security training, such as any other SANS class, will be comfortable in the course. New students and veterans will be exposed to new concepts given the unique style of the class focused on analysis training.

What You Will Receive

  • SIFT Workstation
  • 64 GB Course USB
    • USB loaded with threat intel exercise data, memory captures, network captures, SIFT Workstation 3, tools, and documentation
  • Cyber Threat Intelligence Exercise Workbook
    • Exercise book with detailed, step-by-step instructions and examples
  • Cyber Threat Intelligence Poster
  • MP3 audio files of the complete course lecture
