FOR578: Cyber Threat Intelligence
THERE IS NO TEACHER BUT THE ENEMY!
Make no mistake: current network defense, threat hunting, and incident response practices contain a strong element of intelligence and counterintelligence that cyber analysts must understand and leverage in order to defend their networks, proprietary data, and organizations.
FOR578: Cyber Threat Intelligence will help network defenders, threat hunting teams, and incident responders to:
- Understand and develop skills in tactical, operational, and strategic level threat intelligence
- Generate threat intelligence to detect, respond to, and defeat advanced persistent threats (APTs)
- Validate information received from other organizations to minimize resource expenditures on bad intelligence
- Leverage open-source intelligence to complement a security team of any size
- Create Indicators of Compromise (IOCs) in formats such as YARA, OpenIOC, and STIX
The collection, classification, and exploitation of knowledge about adversaries - collectively known as cyber threat intelligence - gives network defenders information superiority that is used to reduce the adversary's likelihood of success with each subsequent intrusion attempt. Responders need accurate, timely, and detailed information to monitor new and evolving attacks, as well as methods to exploit this information to put in place an improved defensive posture.
Cyber threat intelligence thus represents a force multiplier for organizations looking to update their response and detection programs to deal with increasingly sophisticated advanced persistent threats. Malware is an adversary's tool but the real threat is the human one, and cyber threat intelligence focuses on countering those flexible and persistent human threats with empowered and trained human defenders.
During a targeted attack, an organization needs a top-notch and cutting-edge threat hunting or incident response team armed with the threat intelligence necessary to understand how adversaries operate and to counter the threat. FOR578: Cyber Threat Intelligence will train you and your team in the tactical, operational, and strategic level cyber threat intelligence skills and tradecraft required to make security teams better, threat hunting more accurate, incident response more effective, and organizations more aware of the evolving threat landscape.
FOR578.1: Cyber Threat Intelligence
Cyber threat intelligence is a rapidly growing field. However, intelligence was a profession long before the word "cyber" entered the lexicon. Understanding the key points regarding intelligence terminology, tradecraft, and impact is vital to understanding and using cyber threat intelligence. This section introduces students to the most important concepts of intelligence, analysis tradecraft, and levels of threat intelligence, and the value they can add to organizations. As with all sections, the day includes immersive hands-on labs to ensure that students have the ability to turn theory into practice.
- Using Indicators of Compromise in Incident Response
- Creating Indicators of Compromise in OpenIOC
- Storing Indicators of Compromise in CRITs and Threat_Note
- Strategic Threat Modeling and VERIS
CPE/CMU Credits: 6
- Case-Study: Carbanak, "The Great Bank Robbery"
- Understanding Intelligence
- Intelligence Lexicon and Definitions
- Traditional Intelligence Cycle
- Sherman Kent and Intelligence Tradecraft
- Understanding Cyber Threat Intelligence
- Defining Threats
- Understanding Risk
- Cyber Threat Intelligence and Its Role
- The Expectation of Organizations and Analysts
- Indicators of Compromise
- Tactical Threat Intelligence Introduction
- The Role of a Tactical Threat Intelligence Analyst
- Expected Skills and Tradecraft
- The Kill Chain and Intrusion Analysis
- The Indicator Lifecycle
- Operational Threat Intelligence Introduction
- The Role of an Operational Threat Intelligence Analyst
- The Need for Information Sharing and Peers
- Models and Methods for Managing Intelligence
- The Diamond Model
- Campaigns and Threat Actors
- Strategic Threat Intelligence Introduction
- The Role of a Strategic Threat Intelligence Analyst
- Threat Modeling
- Organizational Change and Security Posturing
- Event Recording and Incident Sharing (VERIS)
FOR578.2: Tactical Threat Intelligence: Kill Chain for Intrusion Analysis
Tactical cyber threat intelligence requires that analysts extract and categorize indicators and adversary tradecraft from intrusions. These actions enable all other levels of threat intelligence by grounding it in observations and facts that are relevant to the organization. One of the most commonly used models for assessing adversary intrusions is the "kill chain," a framework for understanding the steps an adversary must accomplish to be successful. This section will help tactical threat intelligence analysts develop the skills required to be successful by using the kill chain as a guide. Students will then pivot into open-source intelligence gathering tradecraft to enrich their understanding of the analyzed intrusion. The section walks students through multi-phase intrusions from initial notification of adversary activity to the completion of analysis of the event. The section also highlights the importance of this process to structuring and defining adversary campaigns.
- Gathering Indicators from Logs and Network Traffic
- Pivoting to the Host With Indicators of Compromise and Identifying New Information
- Understanding the Compromise Throughout the Organization
- Diamond and Kill Chain Mapping
- Maltego Open-Source Intelligence
CPE/CMU Credits: 6
- Kill Chain Courses of Action
- Passively Discovering Activity in Historical Data and Logs
- Detecting Future Threat Actions and Capabilities
- Denying Access to Threats
- Delaying and Degrading Adversary Tactics and Malware
- Tactical Threat Intelligence Requirements
- Preparing Your Organization for Threat Intelligence
- The Role of Logs, Packet Capture, and Other Data Sources
- Keys to Success with Technology and Security Products
- Kill Chain Deep Dive
- Scenario Introduction
- Notification of Malicious Activity
- Pivoting Off of a Single Indicator to Discover Adversary Activity
- Identifying and Categorizing Malicious Actions
- Using Network and Host-Based Data
- Interacting with Incident Response Teams
- Interacting with Malware Reverse Engineers
- Effectively Leveraging Requests for Information
- Handling Multiple Kill Chains
- Identifying Different Simultaneous Intrusions
- Managing and Constructing Multiple Kill Chains
- Linking Related Intrusions
- Pivoting to Open-Source Intelligence
- Data Pivoting
- Most Pivotable Indicators
- Maltego and Data Transforms
- Enriching Internal Data
FOR578.3: Tactical/Operational Threat Intelligence: Campaigns and Open-Source Intelligence
Developing an understanding of adversary campaigns and tradecraft requires piecing together individual intrusions and data points. Organizations of any size will need to complement what they know from internal analysis with open-source intelligence (OSINT) to enrich and validate the information. This allows security personnel to understand dedicated adversaries more fully and consistently defend their environments. In this section, students learn what campaigns are, why they are important, and how to define them. From this baseline intelligence, gaps and collection opportunities are identified for fulfillment via open-source resources and methods. Common types and implementations of open-source data repositories, as well as their use, are explored in-depth through classroom discussion and exercises. These resources can produce an enormous volume of intelligence about intrusions, which may contain obscure patterns that further elucidate campaigns or actors. Tools and techniques to expose these patterns within the data through higher-order analysis will be demonstrated in narrative and exercise form. The application of the resulting intelligence will be articulated for correlation, courses of action, campaign assembly, and more.
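The linking step described above and in the previous section (handling multiple kill chains, pivoting on the most pivotable indicators, and grouping related intrusions into a campaign) can be expressed concretely. The following Python sketch is an added example and not FOR578 lab code: each intrusion is recorded as Diamond Model features (capability, infrastructure, victim) observed at a kill chain phase, and intrusions that share a value on a pivotable feature are merged into one campaign. The indicator values are constructed placeholders, and the choice to treat only capability and infrastructure as pivotable is this example's assumption: two unrelated adversaries can hit the same victim, so a shared victim alone should not define a campaign.

```python
"""
Link individual intrusions into campaigns via shared indicators.

Added example, not FOR578 course material. Every indicator value below is a
constructed placeholder, not data from any real intrusion.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Indicator:
    feature: str   # Diamond Model feature: "capability", "infrastructure", "victim"
    value: str     # the observable itself (hash, hostname, business unit, ...)
    phase: str     # kill chain phase where it was observed


@dataclass
class Intrusion:
    name: str
    indicators: List[Indicator]


# Assumption of this example: only adversary-controlled features are strong
# enough to link intrusions. Victim overlap is excluded on purpose.
PIVOTABLE_FEATURES = {"capability", "infrastructure"}


def build_campaigns(intrusions: List[Intrusion]) -> List[Dict]:
    """Group intrusions into campaigns as connected components of shared pivotable indicators."""
    parent = {i.name: i.name for i in intrusions}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving keeps lookups short
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Index every pivotable indicator to the intrusions where it was seen.
    seen: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for intr in intrusions:
        for ind in intr.indicators:
            if ind.feature in PIVOTABLE_FEATURES:
                seen[(ind.feature, ind.value)].append(intr.name)

    # An indicator present in two or more intrusions is a link between them.
    links: Dict[Tuple[str, str], List[str]] = {}
    for key, names in seen.items():
        uniq = sorted(set(names))
        if len(uniq) > 1:
            links[key] = uniq
            for other in uniq[1:]:
                union(uniq[0], other)

    groups: Dict[str, List[str]] = defaultdict(list)
    for intr in intrusions:
        groups[find(intr.name)].append(intr.name)

    campaigns = []
    for members in groups.values():
        member_set = set(members)
        shared = sorted(
            f"{feature}:{value}"
            for (feature, value), names in links.items()
            if set(names) <= member_set
        )
        campaigns.append({"members": sorted(members), "linking_indicators": shared})
    campaigns.sort(key=lambda c: c["members"])
    return campaigns


# Constructed walkthrough data: four intrusions, three of which chain together.
SAMPLE = [
    Intrusion("INTR-001", [
        Indicator("capability", "sample-md5-0001", "installation"),
        Indicator("infrastructure", "c2.example-a.invalid", "command-and-control"),
        Indicator("victim", "finance-dept", "delivery"),
    ]),
    Intrusion("INTR-002", [
        Indicator("capability", "dropper-sha256-0002", "installation"),
        Indicator("infrastructure", "c2.example-a.invalid", "command-and-control"),
    ]),
    Intrusion("INTR-003", [
        Indicator("capability", "dropper-sha256-0002", "installation"),
        Indicator("infrastructure", "c2.example-b.invalid", "command-and-control"),
    ]),
    Intrusion("INTR-004", [
        Indicator("infrastructure", "c2.example-c.invalid", "command-and-control"),
        Indicator("victim", "finance-dept", "delivery"),   # same victim as INTR-001, no link
    ]),
]

if __name__ == "__main__":
    for c in build_campaigns(SAMPLE):
        print(c)
```

INTR-001 and INTR-002 share C2 infrastructure, INTR-002 and INTR-003 share a dropper, so the three form one campaign even though INTR-001 and INTR-003 have no indicator in common; INTR-004 stays separate despite hitting the same victim as INTR-001. The `linking_indicators` list is the evidence an analyst would cite when naming the campaign.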
- OSINT and Domain Pivoting in DomainTools
- Intelligence Aggregation and Pivoting in Maltego
- Data Visualization and Pivoting in Excel
- Building Campaign Heatmaps
CPE/CMU Credits: 6
- Case Study: Axiom
- OSINT Pivoting, Link Analysis, and Domains
- Utilizing Temporal Analysis to Validate OSINT
- Adversary Infrastructure Identification
- OSINT From Malware
- VirusTotal Uses and Limitations
- Malware Configuration Data Analysis
- Case Study: GlassRAT
- Intelligence Aggregation and Data Visualization
- Common Cyber Threat Intelligence Analytical Mistakes
- Maltego and Casefile Data Visualization
- Defining Campaigns
- Key Indicators and Campaign Identification
- Behavioral Tactics, Techniques, and Procedures
- Campaign Naming and Identification
- Communicating About Campaigns
- Incident One-Sliders and Metrics
- Developing Campaign Heatmaps
- Communicating to Executives about Cyber Threat Intelligence
FOR578.4: Operational Threat Intelligence: Sharing Intelligence
Many organizations seek to share intelligence but often falter in understanding the value of shared intelligence, its limitations, and the right formats to choose for each audience. This section will focus on identifying both open-source and professional tools that are available to students, as well as sharing standards for each level of cyber threat intelligence, both internally and externally. Students will learn about YARA and generate YARA rules to help incident responders, security operations personnel, and malware analysts. They will gain hands-on experience with STIX and understand the CybOX and TAXII frameworks for sharing information between organizations. Finally, the section will focus on sharing intelligence at the strategic level in the form of reports, briefings, and analytical assessments in order to help organizations make required changes to counter persistent threats and safeguard business operations.
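Turning extracted tactical indicators into a shareable YARA rule is a small, mechanical step that is easy to get wrong (unescaped backslashes in mutex names, short atoms that match everywhere, a hash condition without the `hash` module import). The following Python generator is an added example, not FOR578 course material: it takes mutex names, C2 hostnames and MD5 digests, validates them, and emits YARA source. The sample indicators are constructed placeholders (the MD5 is that of an empty file), and the TLP marking in `meta` is this example's convention for carrying the sharing restriction with the rule.

```python
"""
Emit a YARA rule from tactical indicators extracted during intrusion analysis.

Added example, not FOR578 course material. Indicator values below are
constructed placeholders (the MD5 is the digest of an empty file).
"""
import re
from dataclasses import dataclass, field
from typing import List

# YARA identifiers: letters, digits, underscore; must not start with a digit.
YARA_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,127}$")
MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")
MIN_ATOM = 4  # very short strings match everywhere and produce slow, noisy rules


@dataclass
class Indicators:
    mutexes: List[str] = field(default_factory=list)     # runtime mutex names
    c2_domains: List[str] = field(default_factory=list)  # C2 hostnames from traffic or config
    md5s: List[str] = field(default_factory=list)        # digests of recovered samples


def yara_escape(s: str) -> str:
    """Escape backslashes and double quotes for a YARA double-quoted text string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_rule(name: str, ind: Indicators, description: str, tlp: str = "AMBER") -> str:
    """Return YARA source that fires on any string indicator or on an exact MD5 match."""
    if not YARA_IDENT.match(name):
        raise ValueError(f"invalid YARA rule identifier: {name!r}")
    text_indicators = [("mutex", m) for m in ind.mutexes] + [("c2", d) for d in ind.c2_domains]
    if not text_indicators and not ind.md5s:
        raise ValueError("no indicators supplied")
    for _, value in text_indicators:
        if len(value) < MIN_ATOM:
            raise ValueError(f"indicator too short to be a useful atom: {value!r}")
    for h in ind.md5s:
        if not MD5_HEX.match(h):
            raise ValueError(f"not an MD5 hex digest: {h!r}")

    out: List[str] = []
    if ind.md5s:
        out += ['import "hash"', ""]          # hash.md5() needs the hash module
    out += [
        f"rule {name}",
        "{",
        "    meta:",
        f'        description = "{yara_escape(description)}"',
        f'        tlp = "{tlp}"',
    ]
    if text_indicators:
        out.append("    strings:")
        for i, (kind, value) in enumerate(text_indicators):
            # 'wide' also catches UTF-16 copies of the string in PE files and memory
            out.append(f'        ${kind}_{i} = "{yara_escape(value)}" ascii wide')
    out.append("    condition:")
    conds = ["any of them"] if text_indicators else []
    conds += [f'hash.md5(0, filesize) == "{h.lower()}"' for h in ind.md5s]
    out.append("        " + " or ".join(conds))
    out.append("}")
    return "\n".join(out) + "\n"


# Constructed sample indicators for the walkthrough; not from any real intrusion.
SAMPLE = Indicators(
    mutexes=["Global\\ExampleMutex_2016"],
    c2_domains=["update.example.invalid"],
    md5s=["d41d8cd98f00b204e9800998ecf8427e"],
)

if __name__ == "__main__":
    print(build_rule("Example_Campaign_Stage2", SAMPLE, "Constructed sample indicators"))
```

The emitted rule can be checked with the `yara` command-line tool before it is shared. Note the trade-off the generator makes visible: the `hash.md5` clause is precise but breaks on any recompiled sample, while the string clauses survive rebuilds but need to be long enough to be discriminating.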
- Massively Indexing and Analyzing OSINT in RecordedFuture
- Storing and Sharing Intelligence in ThreatConnect
- YARA Rule Development
- STIX Framework IOC Extraction and Development
- Critical Analysis of Threat Intelligence Reports
CPE/CMU Credits: 6
- Storing Threat Intelligence
- Storing Platform Considerations
- Best Practices for Managing Intelligence
- Malware Information Sharing Platform
- Professional Tools and ThreatConnect
- Sharing: Tactical
- Understanding the Audience and Consumer
- Threat Data Feeds and Their Limitations
- Advanced YARA Concepts and Examples
- Case Study: Sony Attack
- Sharing: Operational
- Partners and Collaboration
- Government Intelligence Sharing
- Traffic Light Protocol Standard
- Information Sharing and Analysis Centers
- CybOX, STIX, and TAXII
- STIX Elements and Projects
- TAXII Implementations
- Sharing: Strategic
- Making the Business Case for Security
- Expectations of Executives and Decision-makers
- Threat Intelligence Reports
- Estimative Language
- Confidence Assessments
- Tips on Effective Report Writing
- Critically Evaluating Intelligence Reports
FOR578.5: Strategic Threat Intelligence: Higher-Order Analysis
A core component of intelligence analysis at any level is the ability to defeat biases and analyze information. At the strategic level of cyber threat intelligence, the skills required to think critically are exceptionally important and can have organization-wide or national-level impact. In this section, students will learn about logical fallacies and cognitive biases as well as how to defeat them. They will also learn about nation-state attribution, when it can be of value, and when it is merely a distraction, drawing on previously identified campaigns to take away a more holistic view of the cyber threat intelligence industry to date. The class will finish with a discussion on consuming threat intelligence and actionable takeaways for students to make significant changes in their organizations after class.
- Identifying Cognitive Biases in Media Reporting
- Analysis of Competing Hypotheses - HAVEX
- Analysis of Competing Hypotheses - Ukraine Cyber Attack
- Intelligence Collection and Analysis - Ukraine Cyber Attack
CPE/CMU Credits: 6
- Logical Fallacies and Cognitive Biases
- Identifying and Defeating Bias
- Logical Fallacies and Examples
- Common Cyber Threat Intelligence Informal Fallacies
- Cognitive Biases and Examples
- Analysis of Competing Hypotheses
- Analysis of Competing Hypotheses Steps
- Evoltin Threat Scenario Walkthrough
- Case Study: Stuxnet
- Human Elements of Attribution
- Attribution Uses and Limitations
- When to Seek or Avoid Attribution
- Intrusion to Campaign Attribution
- Nation-State Attribution
- Geopolitical Motivations to Cyber Attacks
- Espionage and Sabotage
- Attributing Campaigns to National Actors
- Case Study: Sofacy
- A Look Backward
- Campaigns Attributed to Nation-States
- Lessons Learned from National-level Attribution
- Case Study: Cyber Attack on the Ukrainian Power Grid
- Active Defense
- Intelligence Generation vs. Intelligence Consumption
- Consuming Intelligence in Security Operations
!IMPORTANT - BRING YOUR OWN LAPTOP CONFIGURED USING THESE DIRECTIONS!!
You can use any 64-bit version of Windows, Mac OSX, or Linux as your core operating system that also can install and run VMware virtualization products.
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities.
Please download and install VMware Workstation 11, VMware Fusion 7, or VMware Player 7 (or a higher version of each) on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.
FOR578 SYSTEM HARDWARE REQUIREMENTS
- CPU: 64-bit Intel i5 x64 2.0+ GHz processor or higher based system is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
- RAM: 8 GB of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM or higher is mandatory.)
- Host Operating System: Fully patched & updated Windows (7+), Mac OSX (10.10+), or recent version of Linux operating system (released 2014 or later) that also can install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player). Please note: It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access ExFAT partitions using the appropriate kernel or FUSE modules.
- Networking: Wireless 802.11 B, G, N, or AC
- USB 3.0 ports recommended.
- The student should have the capability to have Local Administrator Access within their host operating system and BIOS settings.
- 80GB of free space on hard drive.
PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:
- Microsoft Office (2012+) - Note that you can download Office Trial Software online (free for 60 days).
- Install .NET 3.5 on your Windows system or install and verify that the latest version of Redline works
- Install VMware Workstation, VMware Fusion, or VMware Player
- If you are using an Apple laptop/MacBook with OSX as your operating system, you are additionally required to bring a Windows virtual machine (Windows 7 or higher, any edition) to class
If you have additional questions about the laptop specifications, please contact email@example.com.
Who Should Attend
- Incident Response Team Members who regularly respond to complex security incidents/intrusions from advanced persistent threat adversaries and need to know how to detect, investigate, remediate, and recover from compromised systems across an enterprise.
- Threat Hunters who are seeking to understand threats more fully and how to learn from them to be able to more effectively hunt threats and counter their tradecraft
- Security Operations Center Personnel and Information Security Practitioners who support hunting operations that seek to identify attackers in their network environments.
- Experienced Digital Forensic Analysts who want to consolidate and expand their understanding of filesystem forensics, investigations of technically advanced adversaries, incident response tactics, and advanced intrusion investigations.
- Federal Agents and Law Enforcement Officials who want to master advanced intrusion investigations and incident response, as well as expand their investigative skills beyond traditional host-based digital forensics.
- SANS FOR408, FOR572, FOR508, or FOR610 Graduates looking to take their analytical skills to the next level.
FOR578 is not an entry-level course. Students should have experience in incident response and information security techniques such as those covered in FOR508, FOR572, FOR610, ICS515 or equivalent experience. FOR578 is perfect for SANS Alumni with incident response experience who are looking to elevate their analytical skills. Students taking FOR578 should be comfortable with Linux as it will be used in many labs in the course.
Courses that lead in to FOR578:
- SEC511 - Continuous Monitoring and Security Operations
- FOR508 - Advanced Incident Response
- FOR572 - Advanced Network Forensics
- FOR526 - Memory Forensics In-Depth
- FOR610 - REM: Malware Analysis
- ICS515 - ICS Active Defense and Incident Response
Students who have not taken any of the above courses but have real world experience with incident response techniques and are comfortable with Linux can still expect to succeed in the course.
Please contact the authors at FOR578-Prereq@sans.org if you have any questions or concerns about the prerequisites.
What You Will Receive
- SIFT Workstation
- 64 GB Course USB
- USB loaded with threat intel exercises data, memory captures, network captures, SIFT workstation 3, tools, and documentation
- Cyber Threat Intelligence Exercise Workbook
- Exercise book with detailed step by step instructions and examples
- Cyber Threat Intelligence Poster
- MP3 audio files of the complete course lecture
Press & Reviews
We are very proud to have the FOR578: Cyber Threat Intelligence course reviewed by many of the leading minds in cyber threat intelligence, who helped us gather key input and recommendations from commercial, government, and DoD organizations.
FOR578 Technical Reviewers:
- Chris Anthony, Johns Hopkins University
- Rich Barger, ThreatConnect
- J. Brett Cunningham, Allsum, LLC
- Rick Holland
- Robert Huber
- Eric Hutchins
- Bertha Marasky, Verizon
- Kyle Maxwell
- Vivek Nakkady
- Scott J. Roberts
- Ray Strubinger
- Adam Vincent, ThreatConnect
- Adam Weidemann
"Cyber Threat Intelligence is an entire discipline not just a feed. This course will propel you along the path to understanding this rapidly maturing field of study." - Bertha Marasky, Verizon
"Threat Intelligence Analysis has been an art for too long, now it can finally become a science at SANS. Mike Cloppert and Robert Lee are the industry 'greybeards' that have seen it all; they are the thought leaders that should be shaping practitioners for the years to come." - Rich Barger, CIO at ThreatConnect Inc
"This is an awesome course and long overdue. I like the way you have mixed the technical with the intelligence and this is the first time I've seen this done in a meaningful way. Amazing work!" - Rowanne Mackie
"Fantastic class! I love the way the terminology was covered." - Nate DeWitt, eBay
"This training was invaluable. It provided me with insight on how to set up my own intel driven defense." - Jason Miller, Warner Bros
"This course is invaluable to organizations serious in defending their computer networks with operationalized intelligence." - Troy Wojewoda, Newport News Shipbuilding
"...You walk out different and start seeing everything from a different perspective." - Tok Yee Ching, Quann Singapore PTE LT
"I could take this course 5 times more and get something new each time! So much valuable info to take back to my organization." - Charity Willhoite, Armor Defense, Inc.
"This course gives a very smart and structured approach to CTI, something that the global community has been lacking to date." - John Geary, Citigroup
"I loved and learned a lot from the course! Intense but fun, lots of practical use cases that I can bring back to work and share with my team." - John Perea, KPMG
"This course was invaluable in framing my role as a hunter in the intelligence consumption/ generation process." - Christopher Vega, Citigroup
"Stepping into an undeveloped role is very challenging. I feel the topics, materials, views covered will help me to make expert decisions and aid the industry as a whole." - Drew Maher, Energy Future Holdings
"Best discussion of CTI in a formal way I have found." - Alexander Schraut, Experian
Statements From Our Authors
The author team of Mike Cloppert, Chris Sperry, and Robert M. Lee originally developed FOR578 with the understanding that the community was in need of a single concise collection of tradecraft. Cloppert and Sperry initiated the development of the course knowing that their schedules would not permit them to teach it regularly. However, it was through their thought leadership that the class has become what it is today. Their influence on the course development remains, and SANS thanks them for their leadership.
"When considering the value of threat intelligence, most individuals and organizations ask themselves three questions: What is threat intelligence? When am I ready for it? How do I use it? This class answers these questions and more at a critical point in the development of the field of threat intelligence in the wider community. The course will empower analysts of any technical background to think more critically and be prepared to face persistent and focused threats."
- Robert M. Lee
"Threat intelligence is a powerful tool in the hands of a trained analyst. It can provide insight to all levels of a security program, from security analysts responding to tactical threats against the network to executives reporting strategic level threats to the Board of Directors. This course will give students an understanding of the role of threat intelligence in security operations and how it can be leveraged as a game-changing resource to combat an increasingly sophisticated adversary."
- Rebekah Brown
"Before threat intelligence was a buzzword, it was something we all used to just do as part of incident response. But I'll admit that most of us used to do it badly. Or more accurately, ad hoc at best. We simply lacked structured models for intrusion analysis, campaign tracking, and consistent reporting of threats. Today, we need analysts trained in intelligence analysis techniques ready to perform proper campaign modeling, attribution, and threat analysis. The Cyber Threat Intelligence course teaches students all of that, as well as how to avoid cognitive biases in reporting and the use of alternative competing hypotheses in intelligence analysis. These are critical skills that most in industry today absolutely lack."
- Jake Williams
*CPE/CMU credits not offered for the SelfStudy delivery method