Will Thomas

Evolution of Cybercriminal Operations in 2023

FOR589: Cybercrime Intelligence authors share the top cybercriminal evolutions to focus on after examining CrowdStrike's 2023 Threat Hunting Report

August 30, 2023

On 8 August 2023, cybersecurity vendor CrowdStrike released their annual Threat Hunting Report. It shared the trending tactics, techniques, and procedures (TTPs) leveraged by adversaries against victim organizations observed by the CrowdStrike Threat Hunting team in the last 12 months. The report shared multiple new insights into the current cybercriminal threat landscape. 

Key Findings: 

  • Cybercriminals have gotten faster at intrusions: In 2023, the average amount of breakout time – how long it takes to go from initial access to lateral movement – for cybercriminals is 79 minutes, a five-minute drop from 2022. Plus, breakout time for cybercriminals has been as fast as seven minutes. 

  • Intrusions have gotten easier for cybercriminals: 2023 saw a 312% increase in the usage of legitimate remote monitoring and management (RMM) tools and close to 14% of all intrusions saw an RMM tool deployed. These are free or open-source tools that can be used to efficiently evade detection and blend in with common software in the target environment. 

  • Cybercriminals increasingly outsource the first phase of intrusions: CrowdStrike Intelligence tracked initial access broker (IAB) advertisements across the cybercriminal underground and found a 147% increase compared to 2022, highlighting the rising demand for this type of work and the need to monitor these activities for early warning detection. 

Cybercrime: Threat to Every Sector

When compared to state-sponsored adversaries, cybercriminals pose a much broader and omnipresent threat to any type of organization, no matter the size, due to the opportunistic nature of their targeting (see Figure 1). CrowdStrike observed that the most prominent threats include ransomware, data theft extortion, as well as the initial access brokers (IABs) that enable them. 

Both the financial and technology sectors are two of the most targeted by cybercriminals. This is because these sectors are the most likely to pay a ransom or possess valuable data to steal and sell to others. 

Figure 1: Intrusion activity by threat actor heat map, July 2022 to June 2023. (Source: CrowdStrike)

Increased adoption of RMM tools

In the last 12 months, there has been rampant usage of legitimate remote monitoring and management (RMM) tools, such as AnyDesk and TeamViewer, by cybercriminals. RMM tools are attractive to threat actors because they are easy to use and require little effort compared to developing their own custom tooling and malware.

While designed to make an IT admin’s job easier, RMM tools have been increasingly leveraged by cybercriminals to avoid detection for protracted periods of time. RMM software also comes as self-contained, portable executables that can bypass both administrative privilege requirements and software management control policies. This enables cybercriminals to maintain privileged and persistent access to sensitive data and supports the delivery of ransomware payloads.

CrowdStrike highlighted that the most common RMM tool used by adversaries, by far, was AnyDesk, and that up to 73% of intrusions where AnyDesk was deployed were attributed to cybercriminal activity. Another interesting finding was that multiple RMM tools are frequently observed in a single intrusion by a cybercriminal. Common methods cybercriminals use to deliver RMM tools involve command-line ingress procedures, including curl, wget, or PowerShell; if an active remote desktop protocol (RDP) session has been established, they can also use standard web browsers or RDP clipboard redirection.

The most common RMM tools observed by CrowdStrike in the last 12 months include: AnyDesk, ConnectWise ScreenConnect, Atera Agent, TeamViewer, RemoteDesktopPlus, RustDesk, Splashtop, Fleetdeck, TightVNC, and N-Able. CrowdStrike recommended that if these RMM tools are not already in use in an organization’s environment, their unexpected delivery and installation should be treated as a potential indicator of attack (IOA).

In January 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) shared an advisory on protecting against the malicious use of RMM tools. In October 2022, CISA observed a widespread phishing campaign spreading AnyDesk and ScreenConnect, which cybercriminals were using in refund scams to steal money from victim bank accounts.  

In December 2022, CrowdStrike reported on the financially motivated and English-speaking threat group dubbed Scattered Spider, who are known for their unique style of attacks. The initial part of their intrusions can involve SMS phishing, social engineering targets over the phone, multi-factor authentication (MFA) fatigue attacks, and SIM swapping. These operators then often deploy multiple RMM tools from a list of up to 20 RMM tools to the victim’s system. They do this because if one is blocked, the adversary will rapidly deploy another to regain control. In July 2023, the Canadian Centre for Cybersecurity (CCCS) also reported on a suspected Scattered Spider campaign, this time deploying BlackCat (ALPHV) ransomware, marking a significant shift in the adversary’s TTPs.

Increased Initial Access Broker Advertisements

Initial Access Brokers (IABs) are an expanding and core part of the cybercrime economy. These types of threat actors make a living compromising vulnerable systems and selling that access to others, enabling a myriad of activities. CrowdStrike Intelligence observed that many IABs have established relationships with big game hunting ransomware operations and individual affiliates that use Ransomware-as-a-Service (RaaS) programs. 

There are several ways to decide the value of the access offered. Prices fluctuate considerably among sectors, countries, and per IAB. The most valuable and coveted types of access, which include a higher price on offer, are footholds with elevated privileges to large corporations with significant annual revenues.  

Interestingly, IABs appear to exhibit similar characteristics and operational commonalities to state-sponsored adversaries. This is because IABs will attempt to gain initial access through exploiting internet-facing systems or stolen credentials and will remain hidden until follow-up actions begin. 

Ultimately, IAB sales are available to the highest bidder. This enables a variety of types of cybercrime and has a notable impact on the ecosystem. IABs also lower the barrier to entry for other threat actors starting new intrusions and allow other cybercriminals, such as ransomware operators, to focus efforts on their main objectives more efficiently. 

New Initial Access Br0k3r Emerges

As IAB work has become increasingly popular among cybercriminals on the underground, some threat actors are beginning to innovate with their own single-vendor IAB shops on the darknet. In June 2023, the SANS FOR589 authors identified that a new IAB threat actor called “Br0k3r” had emerged on multiple forums. This new IAB has a neutral reputation among the underground community but appears to be credible.

It is important to note that there are several factors to consider when assessing the credibility of a threat actor offering access to a compromised system. This includes checking the public reputation score of the members on their forum profile. Many forums have systems that allow members to rate each other, based on their interactions. Another way is to look at the member's post history and see if they have a history of successful transactions and engagement with other members. Some cybercrime forums also have an arbitration or escrow system. These are designed to ensure that fair deals can take place and consequences are dealt for failed transactions, which provides additional protection for members. If the cybercriminal offering access or a service is willing to use an escrow system, they are likely to be more credible. 

Figure 2: Threat actor “Br0ker” offering initial accesses on RAMP Forum

The threat actor uses TOX (aka qTox) and XMPP (aka Jabber) for encrypted communications with other members on cybercriminal forums. It is also possible to track the posts by “Br0k3r” via their identifiers as they use them across multiple forums:

TOX ID 

B761680E23F2EBB5F6887D315EBD05B2D7C365731E093B49ADB059C3DCCAA30C30D8E65B0D58 

Jabber ID 

br0k3r[@]xmpp[.]jp 

It is possible to tell if an identifier is a TOX ID as they are always a random string of 76 hexadecimal characters. Jabber IDs are also quick to identify as they look like email addresses, but the domain belongs to a Jabber server rather than a domain with a Mail Exchange (MX) server.
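The following Python sketch is an added example, not code from the article or its authors: it pulls TOX IDs and Jabber IDs out of forum post text and links posts that share an identifier. It goes slightly beyond the 76-hex-character rule above by also verifying the two-byte XOR checksum that the Tox address format appends, which rejects arbitrary hex strings. The post bodies, the third forum name, and the `KNOWN_XMPP_DOMAINS` set are constructed assumptions.

```python
import re
from collections import defaultdict

# 76 hex characters that are not part of a longer hex run.
TOX_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{76}(?![0-9A-Fa-f])")
# Email-shaped handle, tolerating the defanged forms [@] and [.].
ADDR_RE = re.compile(
    r"([A-Za-z0-9._+-]+)\s*(?:\[@\]|@)\s*"
    r"((?:[A-Za-z0-9-]+(?:\[\.\]|\.))+[A-Za-z]{2,})"
)
# Assumption: an analyst-maintained set of domains known to host XMPP.
# Offline stand-in for a live DNS check (XMPP servers publish
# _xmpp-client._tcp SRV records; mail domains publish MX records).
KNOWN_XMPP_DOMAINS = {"xmpp.jp"}

# The TOX ID quoted in the article.
PAGE_TOX_ID = ("B761680E23F2EBB5F6887D315EBD05B2D7C365731E093B49"
               "ADB059C3DCCAA30C30D8E65B0D58")


def tox_checksum_ok(tox_id: str) -> bool:
    """Tox address = 32-byte key + 4-byte nospam + 2-byte checksum.
    The checksum is the XOR of the first 36 bytes taken two at a time."""
    raw = bytes.fromhex(tox_id)
    if len(raw) != 38:
        return False
    c0 = c1 = 0
    for i in range(0, 36, 2):
        c0 ^= raw[i]
        c1 ^= raw[i + 1]
    return raw[36] == c0 and raw[37] == c1


def extract_identifiers(text: str) -> dict:
    """Return normalised TOX IDs and Jabber IDs found in free text."""
    tox = {m.group(0).upper() for m in TOX_RE.finditer(text)
           if tox_checksum_ok(m.group(0))}
    jabber = set()
    for local, domain in ADDR_RE.findall(text):
        domain = domain.replace("[.]", ".").lower()
        if domain in KNOWN_XMPP_DOMAINS:  # plain email domains are skipped
            jabber.add(f"{local.lower()}@{domain}")
    return {"tox": tox, "jabber": jabber}


def link_posts(posts: list) -> dict:
    """Map each (kind, identifier) to the (forum, author) pairs using it."""
    seen = defaultdict(set)
    for post in posts:
        ids = extract_identifiers(post["body"])
        for kind in ("tox", "jabber"):
            for value in ids[kind]:
                seen[(kind, value)].add((post["forum"], post["author"]))
    return dict(seen)


# Constructed sample posts; only the identifiers come from the article.
SAMPLE_POSTS = [
    {"forum": "RAMP", "author": "Br0k3r",
     "body": f"Contact TOX: {PAGE_TOX_ID} / jabber: br0k3r[@]xmpp[.]jp"},
    {"forum": "Exploit", "author": "Br0k3r",
     "body": f"tox {PAGE_TOX_ID.lower()} or Br0k3r@xmpp.jp"},
    {"forum": "forum-c", "author": "someone_else",
     "body": "hash " + "A" * 76 + " mail sales@example.com"},
]

if __name__ == "__main__":
    for (kind, value), places in link_posts(SAMPLE_POSTS).items():
        print(kind, value, sorted(places))
```
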

Figure 3: Threat actor “Br0ker” offering initial accesses on Exploit Forum

In Br0k3r’s case and at the time of investigating the threat actor, they have a neutral score because they are new. Br0k3r is using a paid account and has deposited funds into the forum’s escrow system. The threat actor also takes a professional approach, using a custom self-made Tor website and setting up TOX and Jabber encrypted communications channels, which are preferred by members of top-tier forums. These factors point to signs that they are likely credible but are trying hard to build their new account’s reputation as their operation is just starting out. 

Br0k3r’s Shop

Br0k3r has taken a new approach to the IAB business model by using a single vendor Tor-hosted site to advertise their accesses across multiple forums. This Tor site includes instructions for inquiries and how to purchase access. According to Br0k3r, every access sale includes Windows domain administrator (DA) credentials, active directory (AD) user credentials and password hashes, DNS zones and objects, as well as Windows domain trusts. 

The site and system developed by Br0k3r is reportedly operated by Br0k3r himself and is not connected to other threat actors. This is by design, so that Br0k3r can build trust with their cybercriminal clientele. It is a one-to-many service and not a market. In the future, however, an initial access market of this nature may appear following the success of Br0k3r’s Shop. 

Figure 4: Old Tor website used by Br0k3r

Around 1 August 2023, Br0k3r decided to update the Tor Shop with a new design. Additional information and details were shared on the pages of this new version of the site. 

Figure 5: New Tor website used by Br0k3r

Br0k3r now states on the website that “numerous of active ransomware gangs working with me in a fair percentage [sic].” Br0k3r exemplifies how the relationship between ransomware operators and initial access brokers (IABs) is one of mutual benefit. Br0k3r's Shop allows ransomware operators to focus on lateral movement, data theft, ransomware payload deployment, and extortion, rather than on the time-consuming work of achieving network access. The ransomware operators also provide a constant revenue stream for Br0k3r. The cost of access is negligible compared with the ransom that is demanded of the victims, which has caused the number of offers to sell access to compromised organizations to explode.

Further, the Frequently Asked Questions (FAQs) section of the site also includes other details, such as base price of access being 0.5 BTC (worth around 13,000 USD as of August 2023). This is a considerably higher amount than most offerings on cybercriminal forums, but Br0k3r appears to be open for negotiations.  

Threat actors who decide to buy access from Br0k3r Shop are also given a preview of the network they are purchasing. This includes the victim’s domain(s) and a summary of the victim organization from ZoomInfo. To prove the access is legit, Br0k3r also offers to provide proof of Domain Admin privileges, enterprise access level, size of the network, and which antivirus or endpoint detection and response (EDR) system is in use. Once the potential buyer confirms they have a wallet with available funds, the deal is then made.  

Recommended Best Practices

In the last 12 months, the speed and ease of cybercriminal intrusions have increased considerably. This is a reminder that organizations should be monitoring the amount of time it takes them to detect, stop, and remediate attacks as adversaries are only getting faster and launching more efficient attacks. 

RMM tools are a key driver in making attacks more time efficient. Cybercriminals no longer need to spend time developing malware that enables remote control over victim devices when freely available tools can do it for them while blending seamlessly into legitimate traffic and events. This enables them to shift their resources and time into launching more attacks.

It is recommended by CrowdStrike and the SANS FOR589: Cybercrime Intelligence course authors that organizations should take inventory and review what RMM tools are currently being used inside the environment and begin to monitor for signs of suspicious activities. This includes the installation of an RMM tool not used anywhere else in the organization. That could be a sign that a threat actor has gained initial access and is performing ingress tool transfer (T1105). Threat hunting for this type of behavior is key to preventing these types of attacks. 
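As an added illustration of this recommendation (not code from CrowdStrike or the course authors), the Python sketch below compares process-creation events against an approved RMM inventory, using the tool list from earlier in the article. It flags unapproved tools, marks whether they arrived via curl, wget, or PowerShell, and lists hosts with more than one unapproved tool. The event fields, host names, URLs, and the keyword-in-path matching are constructed assumptions.

```python
from collections import defaultdict

# Tool names from the article's list, as lowercase keywords.
# Assumption: the product name appears in the image path or command line.
RMM_KEYWORDS = {
    "anydesk": "AnyDesk",
    "screenconnect": "ConnectWise ScreenConnect",
    "ateraagent": "Atera Agent",
    "teamviewer": "TeamViewer",
    "remotedesktopplus": "RemoteDesktopPlus",
    "rustdesk": "RustDesk",
    "splashtop": "Splashtop",
    "fleetdeck": "Fleetdeck",
    "tightvnc": "TightVNC",
    "n-able": "N-Able",
}
# Command-line ingress methods named in the article.
INGRESS_BINARIES = ("curl", "wget", "powershell")


def rmm_tools_in(text: str) -> set:
    """Return the RMM product names whose keyword occurs in the text."""
    lowered = text.lower()
    return {name for kw, name in RMM_KEYWORDS.items() if kw in lowered}


def hunt(events: list, approved: set):
    """Return (findings, multi_tool_hosts).

    findings: (host, tool, how) for every unapproved RMM sighting, where
    how is "ingress-transfer" when the launching binary is curl, wget or
    PowerShell, else "execution".
    multi_tool_hosts: hosts with more than one distinct unapproved tool.
    """
    findings = []
    tools_by_host = defaultdict(set)
    for ev in events:
        image = ev["image"].lower()
        unapproved = rmm_tools_in(image + " " + ev["command_line"]) - approved
        if not unapproved:
            continue
        tools_by_host[ev["host"]] |= unapproved
        base = image.replace("\\", "/").rsplit("/", 1)[-1]
        how = ("ingress-transfer" if base.startswith(INGRESS_BINARIES)
               else "execution")
        for tool in sorted(unapproved):
            findings.append((ev["host"], tool, how))
    multi = sorted(h for h, t in tools_by_host.items() if len(t) > 1)
    return findings, multi


# Constructed inventory: this environment only sanctions TeamViewer.
APPROVED_RMM = {"TeamViewer"}

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-014", "image": r"C:\Windows\System32\curl.exe",
     "command_line": r"curl.exe -o C:\Users\Public\AnyDesk.exe "
                     "https://downloads.example/AnyDesk.exe"},
    {"host": "WS-014", "image": r"C:\Users\Public\AnyDesk.exe",
     "command_line": r"C:\Users\Public\AnyDesk.exe"},
    {"host": "IT-ADMIN-02",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "command_line": "TeamViewer.exe"},
    {"host": "WS-014", "image": r"C:\Users\Public\rustdesk.exe",
     "command_line": r"C:\Users\Public\rustdesk.exe"},
    {"host": "WS-020", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
    {"host": "SRV-003",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -Command Invoke-WebRequest -Uri "
                     "https://downloads.example/splashtop.exe "
                     r"-OutFile C:\Temp\splashtop.exe"},
]

if __name__ == "__main__":
    found, multi_hosts = hunt(SAMPLE_EVENTS, APPROVED_RMM)
    for row in found:
        print(row)
    print("multiple unapproved RMM tools:", multi_hosts)
```
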

How SANS FOR589: Cybercrime Intelligence can help

Mitigating the threat of initial access brokers requires a multi-pronged approach. Ransomware threat actors typically gain ingress in one of several ways. These include credentials stolen through infostealer malware, brute-forcing external systems with the Remote Desktop Protocol (RDP) port open, exploitation of public-facing vulnerable servers, as well as traditional malicious spam (malspam) that leads to malware loaders and follow-up payloads, such as Cobalt Strike or, more recently, Brute Ratel C4.

In the SANS FOR589: Cybercrime Intelligence course, however, we will show students the process of how to intercept IAB sales by monitoring posts to underground forums and attributing the victim offered by the attacker. Due to IABs often describing their targets in forum adverts to attract customers, it is possible for cybercrime intelligence analysts to figure out who that target is. Once it is known who the target is, then it is possible to warn the victim of an impending ransomware attack – if contact can be made in time. On the other hand, knowing who is most likely to be the next ransomware victim in advance can help organizations reduce the potential impact of a severe third-party supply chain breach. Plus, from a strategic intelligence perspective, understanding the current trends in ransomware targeting can provide advanced warning and assist in preparing to combat this threat. 
