Frequently Asked Questions - SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis

Frequently Asked Questions - SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis

What is the class about?

Who should take the class?

What is the class layout?

I've been doing work in the field for a while. Will the course be valuable to me or is it going to be too basic?

Is this course focused on only the United States and people/data there or is it more globally scoped?

What will the class prepare you to do?

Who is the class author?

Do I need OSINT quick test

What is next for SEC487?

Question: What is the class about?

A: SEC487 will teach students legitimate and effective ways to find, gather, and analyze this data from the Internet. You'll learn about reliable places to harvest data using manual and automated methods and tools. Once you have the data, we'll show you how to ensure that it is analyzed, sound, and useful to your investigations.

This is a foundational course in open-source intelligence (OSINT) gathering and, as such, will move quickly through many areas of the field. The course will teach you current, real-world skills, techniques, and tools that law enforcement, private investigators, cyber attackers, and defenders use to scour the massive amount of information across the Internet, analyze the results, and pivot on interesting pieces of data to find other areas for investigation. Our goal is to provide the OSINT knowledge base for students to be successful in their fields whether they are cyber defenders, threat intelligence analysts, private investigators, insurance claims investigators, intelligence analysts, law enforcement personnel, or just someone curious about OSINT.

Question: Who should take the course?

A: While far from complete, we have topics in the class that would be helpful to people that are:

• Cyber Incident Responders
• Digital Forensics (DFIR)
• Penetration Testers
• Law Enforcement
• Intelligence Personnel
• Recruiters/Sources
• Private Investigators
• Insurance Investigators
• Human Resources Personnel
• Researchers
• Students
• Parents
• Parents of Students

Question: What is the course layout?

A: This is a 6-day lecture and lab course - View the upcoming course runs

• The first 4.5 days are classic lecture and lab.
• There are over 23 labs in the class. That means a LOT of hands-on work for you!
• The last part of day 5 we have a solo CTF (Capture the Flag) where you work an OSINT investigation by yourself; leveraging the labs and knowledge gained in the course. This gives students time to work an assessment, time to try out new tools and techniques, and allows for students to work at their own speeds.
• Day 6 is the group CTF where, in teams of 2-4 students, you will work on a large challenge and then present your findings to the class. And then present your findings to the class

Question: I've never done OSINT, will I get anything out of the class?

A: YES! I've been pleasantly surprised to find out how many different, non-cyber jobs use OSINT techniques but they don't call it "OSINT". A good example is in recruiting, they may refer to the "boolean searches" they use to find candidates. We may call those "Google Dorks" or advanced search engine queries (and there is a site that has thousands of them at https://www.exploit-db.com/google-hacking-database/). If you look information up on the internet, you kare most likely using OSINT and we can teach you to do it even better!

Question: I've been doing work in the (law enforcement/intel/private investigator/insurance investigator/recruiter/cyber) field for a while. Will the course be valuable to me or is it going to be too basic?

A: Everyone that has taken the class has remarked that they have learned some new trick, new tool, or new web site that they can immediately use back at work. If you have been doing this for a while, chances are good that you may know of many of the techniques and tools that we use but maybe haven't made the time to try them. In class, we give you that time. Additionally, if you've been OSINTing/recruiting/investigating for a while, lyou will know that everyone goes about the process a little differently. Learning others' techniques and site preferences can broaden your OSINT reach and help you achieve your goals. There is a detailed account of what we learn each day at https://www.sans.org/course/open-source-intelligence-gathering.

Question: Is this course focused on only the United States and people/data there or is it more globally scoped?

A: While I call the United States home, I understand that there are MANY of you that do not. And, as such, your targets, be they computers or people, may not reside in the United States. Our examples, courseware, and labs all have international components to them. Yes, there is a large amount of the courseware that covers data in the United States and how to find it but we also move around the world collecting and analyzing data.

Question: What will SEC487 prepare you to do?

• Understand the data collection life cycle
• Create a secure platform for data collection
• Analyze customer collection requirements
• Capture and record data
• Create sock puppet accounts
• Create your own OSINT process
• Harvesting web data
• Perform searches for people
• Access social media data
• Assess a remote location using online cameras and maps
• Examine geolocated social media
• Research businesses
• Use government-provided data
• Collect data from the Dark Web
• Leverage international sites and tools

Question: Who is the course author?

A: SANS Certified Instructor, Micah Hoffman

Micah Hoffman has been working in the information technology field since 1998 supporting federal government, commercial, and internal customers in their searches to discover and quantify information security weaknesses within their organizations. He leverages years of hands-on, real-world OSINT, penetration testing, and incident response experience to provide excellent solutions to his customers. Micah is the author of SEC487: Open-Source Intelligence Gathering and Analysis, is a SANS Certified Instructor, and holds GIAC's GMON, GAWN, GWAPT, and GPEN certifications as well as the CISSP.

Micah is a highly active member in the cyber security and OSINT communities. When not working, teaching, or learning, Micah can be found hiking on Appalachian Trail or the many park trails in Maryland. Catch him on Twitter @WebBreacher.

Question: "Do I Need OSINT?" Test

Here is a quick test to see if you could benefit from this class.

1. Do you frequently try to find information about people on the internet?
2. Do you look up information about IP addresses, subnets, and/or domains on the internet?
3. Do you use the dark web (or want to start)?
4. Do you currently only use the simple search fields in social media sites to perform your searches?
5. Do you use the same web sites and tools for your searches and are sometimes frustrated when they don't give you positive results?
6. Do you use your own, personal accounts when performing your queries on social media sites?

If you answered "yes" to any of these questions, then SEC487 is for you.

Question: What is next for SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis?

A: SEC487 is currently being offered in BETA in Denver, CO - June 4-9, 2018
This course is being offered at the special beta pricing of $3,105 - Don't miss this great course at a great price!