Sean O'Connor

FOR589: Cybercrime Intelligence - NEW SANS DFIR Course coming in 2024

Learn to traverse the cyber underground, social engineer cybercriminals and investigate illicit cryptocurrency activity.

August 31, 2023

Learn the skills needed to collect, analyze and take action on cybercrime intelligence. Level up!

The cybercrime threat landscape continues to rapidly evolve due to technological advancements, increased investments in offensive cyber operations from nation-states, and a cybercriminal ecosystem that breeds new threat actors every day. "The cybercriminal underground plays a big part in the overall threat landscape as it has lowered the barriers to entry for less-sophisticated criminals to collaborate with advanced ones," says SANS FOR589 author and course lead Sean O'Connor. "This is especially true in the case of ransomware, which in recent years has seen an explosion in adoption due to Ransomware-as-a-Service (RaaS) operations and the massive increase in cryptocurrency ransom payments by victims." Although there are many legitimate use cases for the dark web, cryptocurrencies, and the blockchain, this course will focus exclusively on criminal use cases and how to generate cybercrime intelligence from them.

This course will cover how to map infrastructure, analyze capabilities, and uncover the victims of cybercrime, as well as attribute operations to the cybercriminal adversaries behind the keyboard. Students will learn about the dark web economy, trace and attribute cryptocurrency transactions, and understand money laundering schemes. This course also teaches students how to perform undercover operations, including how to create sock puppet accounts, interact with threat actors, and infiltrate underground communities. Participants will gain hands-on experience with various cybersecurity tools and work on real-life case studies to detect, analyze, and mitigate cyber threats, as well as understand the scope, scale, and impact of organized cybercrime. This course is ideal for security professionals, law enforcement officers, and anyone interested in the intricacies of cybercrime intelligence and countermeasures.

Authored by Sean O'Connor, Will Thomas & Conan Beach, the new FOR589: Cybercrime Intelligence course will teach you how to effectively anticipate, prevent, and mitigate potential cybercrime threats, while also helping law enforcement agencies and governments to combat cybercrime and prosecute cybercriminals. FOR589 offers an in-depth understanding of the cybercrime underground and covers the wide variety of tactics and techniques used by cybercriminals to exploit organizations. By focusing on both conventional intelligence and contemporary cybersecurity methodologies, this course will help augment existing intelligence operations, proactively address risks, and enhance overall cybersecurity posture.

Course Days At-A-Glance

Day One - THE CYBERCRIME INTELLIGENCE LIFECYCLE

There are ways to stay ahead of the cybercrime economy – it starts with knowing the vast landscape you are up against and applying methodology to make sense of it all. Security professionals and law enforcement should be aware of the latest criminal trends. In scenarios where risk is high and room for error is low, peers and victims rely on us for help. To provide that help, our processes and methodology must be defensible. Using these standards for curating and handling cybercrime intelligence, FOR589 students will be able to ensure that their selected courses of action are properly guided, decided, and applied. Section 1 introduces standards for intelligence requirements, collection plans, operating procedures, intelligence lifecycles, and knowledge frameworks that students will use to make intelligent decisions while also being mindful of operational security considerations. If we understand our elements and assets at risk, we can map them to our opposing threat actors and attack vectors. This approach allows us to repeatably anticipate emerging threats, stay ahead of cybercriminals, and mitigate risks.

Day Two - THE CYBERCRIMINAL UNDERGROUND

As an intelligence professional, understanding the cybercrime underground is vital to knowing the landscape and economy that you are up against. From attackers to targets, people to communities, currencies to technologies, and capabilities to infrastructure, we must have the know-how to access and traverse it all. With a solid mapping of the cybercrime underground, we meet the adversaries on their own playgrounds to gather underground intelligence at its source. This section will provide students with the resources necessary to find the “known” and explore the “unknown.” By shining a light on the cybercriminal underground, we can find both, which is fundamental to taking on emerging risks and threats with identification, protection, detection, response, and recovery. This is also needed to prepare a counterintelligence response. By the end of this section, you will be able to see eye-to-eye with cybercriminals on their own playing field, opening possibilities for a strong defense or a knock-out offense.

Day Three - CRYPTOCURRENCY INVESTIGATIONS

Cryptocurrencies are often thought to be anonymous, but they are pseudonymous at best. Since criminals deal heavily in these virtual assets, we should learn to exploit this to unmask them! The prevalence of cryptocurrency in the criminal economy can neither be overstated nor overlooked. In this section, students will learn to trace cryptocurrency transactions, understand the underlying blockchain technology, and unravel the money laundering schemes layered atop it. In addition, we translate these concepts to practical intelligence applications, such as criminal attribution. While these virtual assets have certainly played a prolific role in the funding of services within the cybercriminal underground, they are not bulletproof! Mistakes are made during transactions, creating opportunities to map out criminal counterparties and their affiliated real-life identities. This section teaches cluster-analysis skills that are useful to differentiate senders from receivers, separate services from people, and understand money-laundering schemes. Finally, we explore the practical use of “know-your-customer” (KYC) requests for unmasking criminals.

Day Four - UNDERCOVER OPERATIONS & COUNTERMEASURES

We’ve assessed the cybercriminal ecosystem. Now let's infiltrate deeper to facilitate the use of countermeasures. Criminals can be disrupted using social deceit, campaign mapping, and planned takedowns. People, systems, and money possess exploitable characteristics that can be recognized by investigators with the correct access and skills. These characteristics can be collected to inform a variety of countermeasures. This section teaches you how to spot these characteristics, collect them both manually and automatically, and leverage them for criminal investigation and disruption. Students will learn how to use a combination of rapport and elicitation techniques that exploit core characteristics of a human intelligence (HUMINT) source. Through this process, the intelligence collector maintains covertly structured control of the conversation to ensure that each cybercriminal source reveals topics that are relevant to the collector’s intelligence requirements. Once cybercriminals and their infrastructure are attributed, a new realm of possibility to enforce countermeasures presents itself, with opportunities ranging from forensic seizures to coordinated takedowns.

Day Five - CAPSTONE

Put everything you learned to the test by investigating the cybercriminal underground and unraveling who is behind a new kind of cyber extortion campaign. The final day of FOR589 is a capstone challenge that focuses on responding to criminal activity and launching an investigation. Students engage in a fun and meaningful exercise that brings together the components of the entire course. The capstone reinforces the principles taught via a simulated scenario that lets students practice their newly learned skills. Students will be presented with a fictional campaign and then be given a list of items to investigate and analyze. These will include posts, threads, and profiles from cybercriminal underground forums, markets, and leak sites, as well as leaked private chat logs, databases, and adversary infrastructure. There will also be blockchain transactions through which students will trace and track threat actors and various types of activity. Students will have to think about how to fulfil intelligence requirements from both a private sector and a law enforcement perspective, using provided data sets that emulate real-world scenarios investigated by intelligence analysts. Students will be placed on teams, asked to investigate the scenario, and share their findings through a presentation to the instructors and the class, showcasing what they found and how they did it.

FOR589: Cybercrime Intelligence will help you:

  • Understand how traditional intelligence collection disciplines have adapted to today's cyber-centric landscape, and differentiate what is actionable from what is noise.
  • Discover risks to your organization's assets and elements, mapped to cybercrime threat actors and threat vectors as priority intelligence requirements.
  • Translate your organization's risk-guided intelligence requirements into threat-informed collection plans and operational tasks.
  • Address cybercrime risks with threat-informed decisions, enabling you to determine courses of action that are both defensive and responsive, whether to protect your organization or impose costs on criminals with counter-offensive measures.
  • Demystify the underground threat landscape, enabling you to traverse and surveil communities, marketplaces, ransom sites, data breaches, malware logs, and more.
  • Understand how the underground threat landscape has expanded and evolved, lowering the barrier to entry and allowing emerging actors to conduct seemingly advanced operations.
  • Create sock puppets to gain the placement and access needed for intelligence collection use cases, whether to passively browse forums or actively elicit brokers.
  • Build credibility within underground networks to enable your sock puppet to infiltrate invite-only communities and adversarial infrastructure.
  • Vet sources by measuring their level of competence, access, and credibility.
  • Generate actionable cybercrime intelligence by delivering realistic solutions built upon tried-and-true intelligence requirements, collection plans, and operating procedures.
  • Apply practical victimology to map the adversary-target relationship observed in cyberattacks and cyber fraud incidents, useful for research and response purposes alike.
  • Speed up root cause analysis of cyberattacks with breach indicators and identifiers, reducing patient zero identification time from weeks/days to hours/minutes.
  • Develop threat intelligence platforms as early warning systems to detect all-source digital risk exposures within the Internet ecosystem, especially the deep and dark web.
  • Trace cryptocurrency payments using commercial and open-source tools to identify senders and receivers, and attribute them using cluster analysis.
