FOR578: Cyber Threat Intelligence

Digital Forensics and Incident Response
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)
Course created by: Rebekah Brown & Robert M. Lee
  • GIAC Cyber Threat Intelligence (GCTI)
  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • 20 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Master tactical, operational, and strategic cyber threat intelligence skills. Improve analytic processes and incident response effectiveness to support your detection and response programs.

Course Overview

Cyber threat intelligence training is essential for countering today’s flexible, persistent human threats and targeted attacks. In FOR578 Cyber Threat Intelligence™, you’ll learn to assess complex scenarios and develop skills in tactical, operational, and strategic-level threat intelligence. This course empowers you to expand your existing knowledge and establish new best practices for security teams.

What You’ll Learn

  • Develop advanced analysis skills for complex scenarios
  • Master intelligence requirements gathering (e.g., threat modeling)
  • Understand threat intelligence at all levels (tactical, operational, strategic)
  • Generate actionable threat intelligence for threat detection and response
  • Become proficient in adversary data collection and exploitation
  • Validate intelligence sources and create high-fidelity IOCs (e.g., YARA, STIX/TAXII)
  • Understand and leverage analytic models (e.g., Kill Chain, Diamond Model, MITRE ATT&CK) across all security roles

Business Takeaways

  • Understand the ever-changing cyber threat landscape and what it means for your organization
  • Practice analytic techniques to inform key business leaders on how to most effectively defend themselves and the organization against targeted threats
  • Identify cost-effective ways of leveraging open-source and community threat intelligence tools, along with familiarity with some of the most impactful commercial tools available
  • Effectively communicate threat intelligence at tactical, operational, and strategic levels
  • Become a force multiplier for other core business functions, including security operations, incident response, and business operations

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in FOR578: Cyber Threat Intelligence.

Section 1: Cyber Threat Intelligence and Requirements

This section introduces students to the most important concepts of intelligence, analysis tradecraft, and levels of threat intelligence, as well as the value they can add to organizations.

Topics covered

  • Intelligence Cycle, Tradecraft, and Analytical Techniques
  • Cyber Threat Definitions, Risk, Actors, and Threat Models
  • Threat Intelligence Collection & Generation

Labs

  • Using Structured Analytical Techniques
  • Enriching and Understanding Limitations
  • Strategic Threat Modeling

Section 2: The Fundamental Skillset: Intrusion Analysis

In this section, students are walked through, and participate in, the analysis of multi-phase intrusions, from the initial notification of adversary activity to the completion of analysis of the event. The section also highlights the importance of this process for structuring and defining adversary campaigns.

Topics covered

  • Intrusion Analysis
  • Kill Chain Deep Dive
  • Handling Multiple Kill Chains

Labs

  • Collecting Indicators from Reconnaissance and Delivery
  • Pivoting to Network Data with Indicators
  • Pivoting to Memory with Indicators

Section 3: Collection Sources

In this section, students learn to seek and exploit information from domains, external datasets, malware, Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates, and more. Students also structure the data to be exploited for the purposes of sharing internally and externally.

Topics covered

  • Case Studies: HEXANE, GlassRAT, Trickbots
  • Malware
  • Domains

Labs

  • Aggregating and Pivoting in Excel with Malware Samples
  • Open-Source Intelligence and Domain Pivoting in DomainTools
  • Maltego Pivoting and Open-Source Intelligence

Section 4: Analysis and Production of Intelligence

In this section, students learn how to structure and store their information over the long term using tools such as MISP; how to leverage analytical tools to identify logical fallacies and cognitive biases; how to perform structured analytic techniques in groups, such as analysis of competing hypotheses; and how to cluster intrusions into threat groups.

Topics covered

  • Human-Operated Ransomware
  • Storing and Structuring Data
  • Logical Fallacies and Cognitive Biases

Labs

  • Storing Threat Data in MISP
  • Identifying Types of Biases
  • Analysis of Competing Hypotheses

Section 5: Dissemination and Attribution

Intelligence is useless if it is not disseminated and made useful to the consumer. In this section, students learn about dissemination at the tactical, operational, and strategic levels.

Topics covered

  • Logical Fallacies and Cognitive Biases
  • Tactical Dissemination
  • Operational Dissemination

Labs

  • Developing IOCs in YARA
  • Working with STIX
  • Building a Campaign Heatmap

Section 6: Capstone

The FOR578 capstone focuses on analysis. Students will be placed on teams, given outputs of technical tools and cases, and work to piece together the relevant information from a single intrusion that enables them to unravel a broader campaign.

Things You Need To Know

Relevant Job Roles

  • All-Source Analyst (DCWF 111), DoD 8140: Intelligence (Cyberspace). Analyzes data from multiple sources to prepare environments, respond to information requests, and support intelligence planning and collection requirements.
  • All-Source Collection Manager (DCWF 311), DoD 8140: Intelligence (Cyberspace). Identifies collection priorities, develops plans using available assets, and monitors execution to meet operational intelligence requirements.
  • All-Source Collection Requirements Manager (DCWF 312), DoD 8140: Intelligence (Cyberspace). Evaluates collection strategies, develops and validates requirements, and assesses performance to optimize collection asset effectiveness.
  • Target Digital Network Analyst (DCWF 132), DoD 8140: Cyber Effects. Performs advanced analysis of collection and open-source data to track target activity, profile cyber behavior, and support cyberspace operations.

Course Schedule & Pricing

  • Virtual (OnDemand), instructed by Robert M. Lee. OnDemand (anytime), self-paced, 4 months access. $8,780 USD
  • San Antonio, TX, US & Virtual (live), instructed by Kevin Ripa. $8,780 USD
  • Amsterdam, NL & Virtual (live), instructed by Andreas Sfakianakis. €8,230 EUR
  • Virginia Beach, VA, US & Virtual (live), instructed by Peter Szczepankiewicz. $8,780 USD
  • Melbourne, VIC, AU & Virtual (live), instructed by Justin Parker. A$13,350 AUD
  • Malaga, ES, instructed by Andreas Sfakianakis. €8,230 EUR
  • Las Vegas, NV, US & Virtual (live), instructed by Peter Szczepankiewicz. $8,780 USD
  • Prague, CZ & Virtual (live), instructed by Jim Simpson. €8,230 EUR

Prices exclude applicable local taxes. 8 of 30 scheduled events shown.
