SANS FOR578 Cyber Threat Intelligence PDF
– Sale page –
What You Will Learn
THERE IS NO TEACHER BUT THE ENEMY!
Every security practitioner should attend the FOR578: Cyber Threat Intelligence course. This course is unlike any other technical training you have experienced. It focuses on structured analysis in order to establish a solid foundation for any security skillset and to amplify existing skills. The course will help practitioners from across the security spectrum to:
Develop analysis skills to better comprehend, synthesize, and leverage complex scenarios
Identify and create intelligence requirements through practices such as threat modeling
Understand and develop skills in tactical, operational, and strategic-level threat intelligence
Generate threat intelligence to detect, respond to, and defeat focused and targeted threats
Learn the different sources to collect adversary data and how to exploit and pivot off of it
Validate information received externally to minimize the costs of bad intelligence
Create Indicators of Compromise (IOCs) in formats such as YARA, OpenIOC, and STIX
Move security maturity past IOCs into understanding and countering the behavioral tradecraft of threats
Establish structured analytical techniques to be successful in any security role
It is common for security practitioners to call themselves analysts. But how many of us have taken structured analysis training instead of simply attending technical training? Both are important, but very rarely do analysts focus on training on analytical ways of thinking. This course exposes analysts to new mindsets, methodologies, and techniques that will complement their existing knowledge as well as establish new best practices for their security teams. Proper analysis skills are key to the complex world that defenders are exposed to on a daily basis.
The analysis of an adversary’s intent, opportunity, and capability to do harm is known as cyber threat intelligence. Intelligence is not a data feed, nor is it something that comes from a tool. Intelligence is actionable information that answers a key knowledge gap, pain point, or requirement of an organization. This collection, classification, and exploitation of knowledge about adversaries gives defenders an upper hand against adversaries and forces defenders to learn and evolve with each subsequent intrusion they face.
Cyber threat intelligence thus represents a force multiplier for organizations looking to establish or update their response and detection programs to deal with increasingly sophisticated threats. Malware is an adversary’s tool, but the real threat is the human one, and cyber threat intelligence focuses on countering those flexible and persistent human threats with empowered and trained human defenders.
Knowledge about the adversary is core to all security teams. The red team needs to understand adversaries’ methods in order to emulate their tradecraft. The Security Operations Center needs to know how to prioritize intrusions and quickly deal with those that need immediate attention. The incident response team needs actionable information on how to quickly scope and respond to targeted intrusions. The vulnerability management group needs to understand which vulnerabilities matter most for prioritization and the risk that each one presents. The threat hunting team needs to understand adversary behaviors to search out new threats.
In other words, cyber threat intelligence informs all security practices that deal with adversaries. FOR578: Cyber Threat Intelligence will equip you, your security team, and your organization in the tactical, operational, and strategic level cyber threat intelligence skills and tradecraft required to better understand the evolving threat landscape and to accurately and effectively counter those threats.
What You Will Receive
SIFT Workstation
Electronic Download package containing:
Threat intel exercise data, memory captures, network captures, SIFT Workstation 3, tools, and documentation
Cyber Threat Intelligence Electronic Exercise Workbook
Electronic Exercise book with detailed, step-by-step instructions and examples
Cyber Threat Intelligence Poster
MP3 audio files of the complete course lecture
SANS Video
Syllabus (30 CPEs)
Overview
Cyber threat intelligence is a rapidly growing field. However, intelligence was a profession long before the word “cyber” entered the lexicon. Understanding the key points regarding intelligence terminology, tradecraft, and impact is vital to understanding and using cyber threat intelligence. This section introduces students to the most important concepts of intelligence, analysis tradecraft, and levels of threat intelligence, and the value they can add to organizations. It also focuses on getting your intelligence program off to the right start with planning, direction, and the generation of intelligence requirements. As with all sections, the day includes immersive hands-on labs to ensure that students have the ability to turn theory into practice.
Exercises
Using Structured Analytical Techniques
Consuming Along the Sliding Scale
Enriching and Understanding Limitations
Strategic Threat Modeling
Topics
Case-Study: Carbanak, “The Great Bank Robbery”
Understanding Intelligence
Intelligence Lexicon and Definitions
Traditional Intelligence Cycle
Sherman Kent and Intelligence Tradecraft
Structured Analytical Techniques
Understanding Cyber Threat Intelligence
Defining Threats
Understanding Risk
Cyber Threat Intelligence and Its Role
Expectation of Organizations and Analysts
Four Methods of Threat Detection
Threat Intelligence Consumption
Sliding Scale of Cybersecurity
Consuming Intelligence for Different Goals
Enabling Other Teams with Intelligence
Positioning the Team to Generate Intelligence
Building an Intelligence Team
Positioning the Team in the Organization
Prerequisites for Intelligence Generation
Planning and Direction (Developing Requirements)
Intelligence Requirements
Priority Intelligence Requirements
Beginning the Intelligence Lifecycle
Threat Modeling
Overview
Intrusion analysis is at the heart of threat intelligence. It is a fundamental skillset for any security practitioner who wants to use a more complete approach to addressing security. Two of the most commonly used models for assessing adversary intrusions are the “kill chain” and the “Diamond Model”. These models serve as a framework and structured scheme for analyzing intrusions and extracting patterns such as adversary behaviors and malicious indicators. In this section students will participate in and be walked through multi-phase intrusions from initial notification of adversary activity to the completion of analysis of the event. The section also highlights the importance of this process in terms of structuring and defining adversary campaigns.
Topics
Primary Collection Source: Intrusion Analysis
Intrusion Analysis as a Core Skillset
Methods for Performing Intrusion Analysis
Intrusion Kill Chain
Kill Chain Courses of Action
Passively Discovering Activity in Historical Data and Logs
Detecting Future Threat Actions and Capabilities
Denying Access to Threats
Delaying and Degrading Adversary Tactics and Malware
Kill Chain Deep Dive
Scenario Introduction
Notification of Malicious Activity
Pivoting Off of a Single Indicator to Discover Adversary Activity
Identifying and Categorizing Malicious Actions
Using Network and Host-Based Data
Interacting with Incident Response Teams
Interacting with Malware Reverse Engineers
Effectively Leveraging Requests for Information
Handling Multiple Kill Chains
Identifying Different Simultaneous Intrusions
Managing and Constructing Multiple Kill Chains
Linking Related Intrusions
Collection Source: Malware
Data from Malware Analysis
Key Data Types to Analyze and Pivot On
VirusTotal and Malware Parsers
Identifying Intrusion Patterns and Key Indicators
Overview
Cyber Threat Intelligence analysts must be able to interrogate and fully understand their collection sources. Analysts do not have to be malware reverse engineers, for example, but they must at least understand that work and know what data can be sought from it. This section continues from the previous one in identifying key collection sources for analysts. There is also a lot of available information in what is commonly referred to as open-source intelligence (OSINT). In this section students will learn to seek and exploit information from Domains, External Datasets, Transport Layer Security/Secure Sockets Layer (TLS/SSL) Certificates, and more, while also structuring the data so that it can be exploited for sharing internally and externally.
Exercises
Open-Source Intelligence and Domain Pivoting in DomainTools
Maltego Pivoting and Open-Source Intelligence
Sifting Through Massive Amounts of Open-Source Intelligence in RecordedFuture
TLS Certificate Pivoting
Storing Threat Data and Information in a Malware Information Sharing Platform (MISP)
Topics
Case Study: Axiom
Collection Source: Domains
Domain Deep Dive
Different Types of Adversary Domains
Pivoting off of Information in Domains
Case Study: GlassRAT
Collection Source: External Datasets
Building Repositories from External Datasets
Open-Source Intelligence Collection Tools and Frameworks
Collection Source: TLS Certificates
TLS/SSL Certificates
Tracking New Malware Samples and C2 with TLS
Pivoting off of Information in TLS Certificates
Case Study: Trickbots
Exploitation: Storing and Structuring Data
Storing Threat Data
Threat Information Sharing
MISP as a Storage Platform
Overview
Many organizations seek to share intelligence but often fail to understand its value, its limitations, and the right formats to choose for each audience. Additionally, indicators and information shared without analysis are not intelligence. Structured analytical techniques such as the Analysis of Competing Hypotheses can add considerable value to intelligence before it is disseminated. This section will focus on identifying both open-source and professional tools that are available to students, as well as on sharing standards for each level of cyber threat intelligence, both internally and externally. Students will learn about YARA and generate YARA rules to help incident responders, security operations personnel, and malware analysts. Students will gain hands-on experience with STIX and understand the CybOX and TAXII frameworks for sharing information between organizations. Finally, the section will focus on building singular intrusions into campaigns and being able to communicate about those campaigns.
Exercises
Analysis of Competing Hypotheses
Visual Analysis in Maltego
The Rule of 2
YARA Rule Development
STIX Framework IOC Extraction and Development
Building a Campaign Heat Map
Topics
Analysis: Exploring Hypotheses
Analysis of Competing Hypotheses
Hypotheses Generation
Understanding and Identifying Knowledge Gaps
Analysis: Building Campaigns
Different Methods of Campaign Correlation
Understanding Perceived Adversary Intentions
Leveraging the Diamond Model for Campaign Analysis
Dissemination: Tactical
Understanding the Audience and Consumer
Threat Data Feeds and Their Limitations
YARA
Advanced YARA Concepts and Examples
Case Study: Sony Attack
Dissemination: Operational
Partners and Collaboration
Government Intelligence Sharing
Traffic Light Protocol Standard
Information Sharing and Analysis Centers
CybOX, STIX, and TAXII
STIX Elements and Projects
TAXII Implementations
Threat Intelligence Metrics
Communicating About Campaigns
Campaign Heat Maps and Tracking Adversaries
Overview
A core component of intelligence analysis at any level is the ability to defeat biases and analyze information. The skills required to think critically are exceptionally important and can have an organization-wide or national-level impact. In this section, students will learn about logical fallacies and cognitive biases as well as how to defeat them. They will also learn about nation-state attribution, including when it can be of value and when it is merely a distraction. Students will also learn about nation-state-level attribution from previously identified campaigns and take away a more holistic view of the cyber threat intelligence industry to date. The class will finish with a discussion on consuming threat intelligence and actionable takeaways for students to make significant changes in their organizations once they complete the course.
Exercises
Identifying Cognitive Biases in Media Reporting
Analysis of Intelligence Reports
Capstone Exercise: Debating and Attributing Election Influencing – Part 1
Capstone Exercise: Debating and Attributing Election Influencing – Part 2
Topics
Logical Fallacies and Cognitive Biases
Identifying and Defeating Bias
Logical Fallacies and Examples
Common Cyber Threat Intelligence Informal Fallacies
Cognitive Biases and Examples
Dissemination: Strategic
Report Writing Pitfalls
Report Writing Best Practices
Different Types of Strategic Output
Case Study: Stuxnet
Fine-Tuning Analysis
Identifying and Remedying New Intelligence Requirements
Tuning the Collection Management Framework
Case Study: Sofacy
Attribution
Different Types of Attribution
Group Attribution
Campaign Attribution
Intrusion Set Attribution
True Attribution
Geopolitical Motivations for Cyber Attacks
GIAC Cyber Threat Intelligence
“The GIAC Cyber Threat Intelligence (GCTI) certification, to me, marks an important moment in our field where we begin to move the art of cyber threat intelligence to science and codify our knowledge. In our complex and ever-changing threat landscape it is important for all analysts to earn the GCTI whether or not they are directly involved in generating intelligence. Technical training has become common and has helped further our security field; the same has not been true for structured analysis training, until now. Many security practitioners consider themselves analysts but have not fully developed analysis skills in a way that can help us think critically and amplify our technical knowledge. It is in this structured analysis that we can challenge our biases, question our sources, and perform core skills such as intrusion analysis to better consume and generate intelligence. It is through cyber threat intelligence that organizations and their personnel can take on focused human adversaries and ensure that security is maintained. Intelligence impacts us all and we are furthering the field together in a way that will extraordinarily limit the success of adversaries.” – Robert M. Lee, Course Author FOR578: Cyber Threat Intelligence
Strategic, operational, and tactical cyber threat intelligence application & fundamentals
Open source intelligence and campaigns
Intelligence applications and intrusion analysis
Analysis of intelligence, attribution, collecting and storing data sets
Kill chain, diamond model, and courses of action matrix
Malware as a collection source, pivoting, and sharing intelligence
Prerequisites
FOR578 is a good course for anyone who has had security training or prior experience in the field. Students should be comfortable with using the command line in Linux for a few labs (though a walkthrough is provided) and be familiar with security terminology.
Some of the courses that lead into FOR578:
SEC401 – Security Essentials Bootcamp Style
SEC511 – Continuous Monitoring and Security Operations
FOR508 – Advanced Digital Forensics, Incident Response & Threat Hunting
FOR572 – Advanced Network Forensics
FOR526 – Memory Forensics In-Depth
FOR610 – REM: Malware Analysis
ICS515 – ICS Active Defense and Incident Response
Students who have not taken any of the above courses but have real-world experience or have attended other security training, such as any other SANS class, will be comfortable in the course. New students and veterans will be exposed to new concepts given the unique style of the class focused on analysis training.
Laptop Requirements
Important! Bring your own system configured according to these instructions!
We ask that you do 5 things to prepare prior to class start. This early preparation will allow you to get the most out of your training. One of those five steps is ensuring that you bring a properly configured system to class. This document details the required system hardware and software configuration for your class. You can also watch a series of short videos on these topics at the following web link https://sansurl.com/sans-setup-videos.
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
This is common sense, but we will say it anyway. Back up your system before class. Better yet, do not have any sensitive data stored on the system. SANS can’t be responsible for your system or data.
MANDATORY FOR578 SYSTEM HARDWARE REQUIREMENTS
CPU: 64-bit Intel i5/i7 (4th generation+), x64 2.0+ GHz or more recent processor is mandatory for this class (Important – Please Read: a 64-bit system processor is mandatory)
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
BIOS settings must be set to enable virtualization technology, such as “Intel-VT”.
Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary. Test it!
16 GB (Gigabytes) of RAM or higher is mandatory for this class (Important – Please Read: 16 GB of RAM is the mandatory minimum).
USB 3.0 Type-A port is required. At least one open and working USB 3.0 Type-A port is required. (A Type-C to Type-A adapter may be necessary for newer laptops.) (Note: Some endpoint protection software prevents the use of USB devices – test your system with a USB drive before class to ensure you can load the course data.)
100 Gigabytes of free space on your system hard drive – free space on the hard drive is critical to host the VMs we distribute
Local Administrator Access is required. This is absolutely required. Don’t let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
Wireless 802.11 Capability
MANDATORY FOR578 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS
Host Operating System: Latest version of Windows 10 or macOS 10.15.x
Must have a Windows OS for the class either as your host or as a VM
Please note: It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
Those who use a Linux host must also be able to access ExFAT partitions using the appropriate kernel or FUSE modules.
PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:
Microsoft Office (2012+) – Note that you can download Office Trial Software online (free for 60 days).
Download and install VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+ on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
Download and install 7Zip (for Windows Hosts) or Keka (macOS).
Your course media will now be delivered via download. The media files for class can be large, some in the 40 – 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
Author Statement
The author team of Mike Cloppert, Chris Sperry, and Robert M. Lee originally developed FOR578: Cyber Threat Intelligence with the understanding that the community was in need of a single concise collection of tradecraft. Cloppert and Sperry initiated the development of the course with the understanding that their schedules would not permit them to be able to constantly teach it. However, it was through their thought leadership that the class has become what it is today. Their influence on the development of the course remains relevant today, and SANS thanks them for their leadership.
“When considering the value of threat intelligence, most individuals and organizations ask themselves three questions: What is threat intelligence? When am I ready for it? How do I use it? This class answers these questions and more at a critical point in the development of the field of threat intelligence in the wider community. The course will empower analysts of any technical background to think more critically and be prepared to face persistent and focused threats.”
– Robert M. Lee
“Threat intelligence is a powerful tool in the hands of a trained analyst. It can provide insight to all levels of a security program, from security analysts responding to tactical threats against the network to executives reporting strategic-level threats to the Board of Directors. This course will give students an understanding of the role of threat intelligence in security operations and how it can be leveraged as a game-changing resource to combat an increasingly sophisticated adversary.”
– Rebekah Brown
“Before threat intelligence was a buzzword, it was something we all used to just do as part of incident response. But I’ll admit that most of us used to do it badly. Or more accurately, ad hoc at best. We simply lacked structured models for intrusion analysis, campaign tracking, and consistent reporting of threats. Today, we need analysts trained in intelligence analysis techniques ready to perform proper campaign modeling, attribution, and threat analysis. The Cyber Threat Intelligence course teaches students all of that, as well as how to avoid cognitive biases in reporting and the use of the alternative competing hypothesis in intelligence analysis. These are critical skills that most in industry today absolutely lack.”
– Jake Williams
“This has been one of the most interesting and exciting courses I’ve taken as a student-turned-professional of cyber security. Rob M. Lee does a fantastic job of getting one prepared for the role of a CTI analyst, and having recently read the book “Sandworm,” I’m geeking out really hard knowing that he’s the one teaching this course. I enjoy the fact that not only does he provide insight into the world of CTI, but he provides case studies to identify both the pitfalls and big victories of threat analysis. I could not be more excited to continue this course.” – James H, US State Gov