About a month ago, we wrapped up yet another superb running of the FOR578 course at the Rocky Mountain Summer 2022 event, with several students remarking that the course is a must for individuals new to, or looking to transition into, a cyber threat intelligence (CTI) analyst role. As the week progressed and I reflected on the course material, the war stories I recounted, and student questions, I realized that it had been about two months since the team at Mandiant and I released the CTI Analyst Core Competencies Framework. I have been humbled by the amount of positive feedback the CTI community has given its publication. It is incredible to hear from so many CTI leads, organizational leaders, and aspiring analysts how they have used it to support team design decisions, career development planning, and hiring decisions. Given this, and coming off the SANS FOR578 teach, I decided to write a short blog post mapping the areas in the FOR578 course to the Mandiant CTI Analyst Core Competencies Framework.
What is the Mandiant CTI Analyst Core Competency Framework?
The framework enumerates the knowledge, skills, and ability (KSA) requirements often sought in CTI analysts and bins them into four logical, overarching categories, called pillars, each of which contains individual competencies (see graphic below). Fully enumerated, the framework contains approximately 150 KSAs. The specific job demands, role, and responsibilities dictate the breadth and depth an analyst requires across the various KSAs. The framework was designed to empower organizations to determine proper KSA coverage across their CTI team; to promote growth pathways for existing analysts; to lower the barriers of entry for aspiring analysts seeking to break into the field; and to help other cyber security disciplines identify opportunities to collaborate with CTI analysts.
Figure 1: Pillars and Competencies in Mandiant’s Framework
What content is covered in FOR578?
FOR578 covers a multitude of topics spanning traditional intelligence analysis foundations to tracking and communicating the operations of cyber threat activity groups. For ease of consumption, I created a mind map that illustrates course coverage in three predicate categories (Intelligence Acumen, Information Technology (IT), and Cyber Security) which feed into the composite category, Cyber Threat Intelligence. Throughout the course, students are exposed to each of these in varying depth, with instructors electing to amplify and augment critical teaching points in each. For instance, during one of our labs, we review network traffic to determine how the adversary remotely accessed content on the organization's domain controller and pilfered files. I use the lab as an opportunity to discuss some of the salient points covered in SEC301 and SEC504, which students using this course as their entry point into SANS may not yet understand: the role of the domain controller, its value to adversaries who compromise it, and other foundational concepts surrounding Active Directory and Kerberos.
Beyond the functional topics covered, the FOR578 course uses case studies to familiarize students with the history and evolution of cyber operations by nation-states, placing a heavy focus on Russia and China as two of the earliest adopters. These case studies cover MOONLIGHT MAZE and Operation Aurora to highlight seminal points in the CTI discipline's history: nation-state actors first conducting cyber espionage operations against government networks as early as the late 1990s, and then broadening their aperture to private sector, non-defense-contractor targets and individuals circa 2009. Our course authors also ensured we had coverage of cybercrime activity, with a focus on recent trends in human-operated ransomware and multi-faceted extortion schemes, as well as the proliferation of turnkey cyber operation platforms such as NSO Group's Pegasus tool.
We also use the labs and in-class scenarios to expand student familiarity beyond the Windows environment to include Linux, industrial control systems (ICS), and operational technology (OT) networks. As designed, FOR578 squarely fits the definition of an exploratory course, masterfully combining elements of each area a CTI analyst can expect to encounter as part of their work.
One Map to Rule Them All
Did I bury the BLUF, or find a clever way to entice you to read the whole blog post? Without further ado, we present the master mapping between the FOR578 course and the Mandiant CTI Analyst Core Competency Framework. Here we map concept coverage for each competency to its placement within the course material.
We have also included a PDF version of the framework that highlights all of the topics covered in the SANS FOR578 course. We look forward to seeing you all in an upcoming running of the FOR578 course.