Back by Popular Demand: MacBook Air, $400 Amazon Gift Card, or $400 off with OnDemand Courses

London July 2021 - Live Online

Virtual, British Summer Time | Mon, Jul 5 - Sat, Jul 10, 2021

FOR578: Cyber Threat Intelligence

Mon, July 5 - Sat, July 10, 2021

Associated Certification: GIAC Cyber Threat Intelligence (GCTI)

 Watch a free preview of this course

Course Syllabus  ·  36 CPEs  ·   Lab Requirements
Instructor: Peter Szczepankiewicz  ·  Price: 6,695 EUR

FOR578: Cyber Threat Intelligence course author Robert M. Lee explains recent updates


All security practitioners should attend FOR578: Cyber Threat Intelligence to sharpen their analytical skills. This course is unlike any other technical training you have ever experienced. It focuses on structured analysis in order to establish a solid foundation for any security skillset and to amplify existing skills. The course will help practitioners from across the security spectrum:

  • Develop analysis skills to better comprehend, synthesize, and leverage complex scenarios
  • Identify and create intelligence requirements through practices such as threat modeling
  • Understand and develop skills in tactical, operational, and strategic-level threat intelligence
  • Generate threat intelligence to detect, respond to, and defeat focused and targeted threats
  • Learn the different sources to collect adversary data and how to exploit and pivot off of those data
  • Validate information received externally to minimize the costs of bad intelligence
  • Create Indicators of Compromise (IOCs) in formats such as YARA and STIX/TAXII
  • Understand and exploit adversary tactics, techniques, and procedures, and leverage frameworks such as the Kill Chain, Diamond Model, and MITRE ATT&CK
  • Establish structured analytical techniques to be successful in any security role

It is common for security practitioners to call themselves analysts. But how many of us have taken structured analysis training instead of simply attending technical training? Both are important, but very rarely do analysts focus on training on analytical ways of thinking. This course exposes analysts to new mindsets, methodologies, and techniques to complement their existing knowledge and help them establish new best practices for their security teams. Proper analysis skills are key to the complex world that defenders are exposed to on a daily basis.

The analysis of an adversary's intent, opportunity, and capability to do harm is known as cyber threat intelligence. Intelligence is not a data feed, nor is it something that comes from a tool. Intelligence is actionable information that addresses an organization's key knowledge gaps, pain points, or requirements. This collection, classification, and exploitation of knowledge about adversaries gives defenders an upper hand against adversaries and forces defenders to learn and evolve with each subsequent intrusion they face.

Cyber threat intelligence thus represents a force multiplier for organizations looking to establish or update their response and detection programs to deal with increasingly sophisticated threats. Malware is an adversary's tool, but the real threat is the human one, and cyber threat intelligence focuses on countering those flexible and persistent human threats with empowered and trained human defenders.

Knowledge about the adversary is core to all security teams. The red team needs to understand adversaries' methods in order to emulate their tradecraft. The Security Operations Center needs to know how to prioritize intrusions and quickly deal with those that need immediate attention. The incident response team needs actionable information on how to quickly scope and respond to targeted intrusions. The vulnerability management group needs to understand which vulnerabilities matter most for prioritization and the risk that each one presents. The threat hunting team needs to understand adversary behaviors to search out new threats.

In other words, cyber threat intelligence informs all security practices that deal with adversaries. FOR578: Cyber Threat Intelligence will equip you, your security team, and your organization with the level of tactical, operational, and strategic cyber threat intelligence skills and tradecraft required to better understand the evolving threat landscape and accurately and effectively counter those threats.

Course Syllabus

Peter Szczepankiewicz
Mon Jul 5th, 2021
9:00 AM - 5:00 PM BST


Cyber threat intelligence is a rapidly growing field. However, intelligence was a profession long before the word "cyber" entered the lexicon. Understanding the key points regarding intelligence terminology, tradecraft, and impact is vital to understanding and using cyber threat intelligence. This section introduces students to the most important concepts of intelligence, analysis tradecraft, and levels of threat intelligence, as well as the value they can add to organizations. It also focuses on getting your intelligence program off to the right start with planning, direction, and the generation of intelligence requirements. As with all sections, this course section includes immersive hands-on labs to ensure that students have the ability to turn theory into practice.

  • Using Structured Analytical Techniques
  • Enriching and Understanding Limitations
  • Strategic Threat Modeling

CPE/CMU Credits: 6

  • Case Study: MOONLIGHT MAZE
  • Understanding Intelligence
    • Intelligence Lexicon and Definitions
    • Traditional Intelligence Cycle
    • Richards Heuer, Jr., Sherman Kent, and Intelligence Tradecraft
    • Structured Analytical Techniques
  • Case Study: Operation Aurora
  • Understanding Cyber Threat Intelligence
    • Defining Threats
    • Understanding Risk
    • Cyber Threat Intelligence and Its Role
    • Expectation of Organizations and Analysts
    • Diamond Model and Activity Groups
    • Four Types of Threat Detection
  • Threat Intelligence Consumption
    • Sliding Scale of Cybersecurity
    • Consuming Intelligence for Different Goals
    • Enabling Other Teams with Intelligence
  • Positioning the Team to Generate Intelligence
    • Building an Intelligence Team
    • Positioning the Team in the Organization
    • Prerequisites for Intelligence Generation
  • Planning and Direction (Developing Requirements)
    • Intelligence Requirements
    • Priority Intelligence Requirements
    • Beginning the Intelligence Lifecycle
    • Threat Modeling

Peter Szczepankiewicz
Tue Jul 6th, 2021
9:00 AM - 5:00 PM BST


Intrusion analysis is at the heart of threat intelligence. It is a fundamental skillset for any security practitioner who wants to use a more complete approach to addressing security. Three of the most commonly used models for assessing adversary intrusions are the Kill Chain, the Diamond Model, and MITRE ATT&CK. These models serve as a framework and structured scheme for analyzing intrusions and extracting patterns such as adversary behaviors and malicious indicators. In this section students will be walked through and participate in multi-phase intrusions from initial notification of adversary activity to the completion of analysis of the event. The section also highlights the importance of this process in terms of structuring and defining adversary campaigns.

  • Collecting Indicators from Reconnaissance and Delivery
  • Pivoting to Network Data with Indicators
  • Pivoting to Memory with Indicators
  • Understanding the Actions on Objective in an Intrusion
  • Satisfying Priority Intelligence Requirements

CPE/CMU Credits: 6

  • Primary Collection Source: Intrusion Analysis
    • Intrusion Analysis as a Core Skillset
    • Methods to Performing Intrusion Analysis
    • Intrusion Kill Chain
    • Diamond Model
  • Kill Chain Courses of Action
    • Passively Discovering Activity in Historical Data and Logs
    • Detecting Future Threat Actions and Capabilities
    • Denying Access to Threats
    • Delaying and Degrading Adversary Tactics and Malware
  • Kill Chain Deep Dive
    • Scenario Introduction
    • Notification of Malicious Activity
    • Pivoting Off of a Single Indicator to Discover Adversary Activity
    • Identifying and Categorizing Malicious Actions
    • Using Network and Host-Based Data
    • Interacting with Incident Response Teams
    • Interacting with Malware Reverse Engineers
    • Effectively Leveraging Requests for Information
  • Handling Multiple Kill Chains
    • Identifying Different Simultaneous Intrusions
    • Managing and Constructing Multiple Kill Chains
    • Linking Related Intrusions
    • Extracting Knowledge from the Intrusions for Long-Term Tracking

Peter Szczepankiewicz
Wed Jul 7th, 2021
9:00 AM - 5:00 PM BST


Cyber threat Intelligence analysts must be able to interrogate and fully understand their collection sources. As an example, analysts do not have to be malware reverse engineers, but they must at least understand that work and know what data can be sought. This section continues from the previous one in identifying key collection sources for analysts. The considerable amount of what is commonly referred to as open-source intelligence (OSINT) is also presented. In this section students will learn to seek and exploit information from domains, external datasets, malware, Transport Layer Security/Secure Sockets Layer (TLS/SSL) Certificates, and more. Students will also structure the data to be exploited for purposes of sharing internally and externally.

  • Aggregating and Pivoting in Excel with Malware Samples
  • Open-Source Intelligence and Domain Pivoting in DomainTools
  • Maltego Pivoting and Open-Source Intelligence
  • Sifting Through Massive Amounts of Open-Source Intelligence in RecordedFuture
  • TLS Certificate Pivoting

CPE/CMU Credits: 6

  • Case Study: HEXANE
  • Collection Source: Malware
      • Data from Malware Analysis
      • Key Data Types to Analyze and Pivot On
      • VirusTotal and Malware Parsers
      • Identifying Intrusion Patterns and Key Indicators
  • Collection Source: Domains
    • Domain Deep Dive
    • Different Types of Adversary Domains
    • Pivoting Off of Information in Domains
  • Case Study: GlassRAT
  • Collection Source: External Datasets
      • Building Repositories from External Datasets
      • Open-Source Intelligence Collection Tools and Frameworks
  • Collection Source: TLS Certificates
    • TLS/SSL Certificates
    • Tracking New Malware Samples and C2 with TLS
    • Pivoting off of Information in TLS Certificates
  • Case Study: Trickbots

Peter Szczepankiewicz
Thu Jul 8th, 2021
9:00 AM - 5:00 PM BST


With great data comes great analysis expectations. Now that students are familiar with different sources of intrusions and collection, it is important to apply analytical rigor to how this information is used in order to satisfy intelligence requirements for long-term analysis. Taking a single intrusion and turning it into a group, and tracking the adversary√ʬ¬s campaigns, are critical to staying ahead of adversaries. In this section students will learn how to structure and store their information over the long term using tools such as MISP; how to leverage analytical tools to identify logical fallacies and cognitive biases; how to perform structured analytic techniques in groups such as analysis of competing hypotheses; and how to cluster intrusions into threat groups.

  • Storing Threat Data in MISP
  • Identifying Types of Biases
  • Analysis of Competing Hypotheses
  • Visual Analysis in Maltego
  • The Rule of 2 and Threat Groups

CPE/CMU Credits: 6

  • Case Study: Human-Operated Ransomware
  • Exploitation: Storing and Structuring Data
    • Storing Threat Data
    • Threat Information Sharing
    • MISP as a Storage Platform
  • Analysis: Logical Fallacies and Cognitive Biases
    • Logical Fallacies
    • Cognitive Biases
    • Common Cyber Threat Intelligence Informal Fallacies
  • Analysis: Exploring Hypotheses
    • Analysis of Competing Hypotheses
    • Hypotheses Generation
    • Understanding and Identifying Knowledge Gaps
  • Analysis: Different Types of Analysis
    • Visual Analysis
    • Data Analysis
    • Temporal Analysis
    • Case Study: Panama Papers
    • Analysis: Clustering Intrusions
    • Style Guide
    • Names and Clustering Rules
  • ACH for Intrusions
  • Activity Groups and Diamond Model for Clusters
    • Style Guide
    • Names and Clustering Rules
    • ACH for Intrusions
    • Activity Groups and Diamond Model for Clusters

Peter Szczepankiewicz
Fri Jul 9th, 2021
9:00 AM - 5:00 PM BST


Intelligence is useless if not disseminated and made useful to the consumer. In this section students will learn about dissemination at the various tactical, operational, and strategic levels. Labs will expose students to creating YARA rules, leveraging STIX/TAXII, building campaign heat maps for tracking adversaries over the long term, and analyzing intelligence reports. Students will also learn about state adversary attribution, including when it can be of value and when it is merely a distraction. We√ʬ¬ll cover state-level attribution from previously identified campaigns, and students will take away a more holistic view of the Cyber Threat Intelligence industry to date. The section will finish with a discussion on consuming threat intelligence and actionable takeaways so that students will be able to make significant changes in their organizations once they complete the course.

  • Developing IOCs in YARA
  • Working with STIX
  • Building a Campaign Heatmap
  • Analysis of Intelligence Reports
  • Building an Attribution Intelligence Model

CPE/CMU Credits: 6

  • Logical Fallacies and Cognitive Biases
    • Identifying and Defeating Bias
    • Logical Fallacies and Examples
    • Common Cyber Threat Intelligence Informal Fallacies
    • Cognitive Biases and Examples
  • Dissemination: Tactical
    • Understanding the Audience and Consumer
    • Threat Data Feeds and Their Limitations
    • YARA
    • YARA Concepts and Examples
  • Dissemination: Operational
    • Different Methods of Campaign Correlation
    • Understanding Perceived Adversary Intentions
    • Leveraging the Diamond Model for Campaign Analysis
    • STIX and TAXII
    • Government and Partner Collaboration
  • Dissemination: Strategic
    • Report Writing Pitfalls
    • Report Writing Best Practices
    • Different Types of Strategic Output
  • Case Study: APT10 and Cloud Hopper
  • A Specific Intelligence Requirement: Attribution
    • Identifying and Remedying New Intelligence Requirements
    • Tuning the Collection Management Framework
    • Types of Attribution
    • Building an Attribution Model
    • Conducting Attribution Assessments
  • Case Study: Lazarus Group

Peter Szczepankiewicz
Sat Jul 10th, 2021
9:00 AM - 5:00 PM BST


The FOR578 capstone focuses on analysis. Students will be placed on teams, given outputs of technical tools and cases, and work to piece together the relevant information from a single intrusion that enables them to unravel a broader campaign. Students will get practical experience satisfying intelligence requirements ranging from helping the incident response team to satisfying state-level attribution goals. This analytical process will put the students' minds to the test instead of placing a heavy emphasis on using technical tools. At the end of the day the teams will present their analyses on the multi-campaign threat they have uncovered.

CPE/CMU Credits: 6

Additional Information

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

This is common sense, but we will say it anyway. Back up your system before class. Better yet, do not have any sensitive data stored on the system. SANS can't responsible for your system or data.


  • CPU: 64-bit Intel i5/i7 (4th generation+) - x64 bit 2.0+ GHz processor or more recent processor is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
  • It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VT".
  • Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary. Test it!
  • 16 GB (Gigabytes) of RAM or higher is mandatory for this class (Important - Please Read: 16 GB of RAM or higher of RAM is mandatory and minimum.
  • USB 3.0 Type-A port is required. At least one open and working USB 3.0 Type-A port is required. (A Type-C to Type-A adapter may be necessary for newer laptops.) (Note: Some endpoint protection software prevents the use of USB devices - test your system with a USB drive before class to ensure you can load the course data.)
  • 100 Gigabytes of Free Space on your System Hard Drive - Free Space on Hard Drive is critical to host the VMs we distribute
  • Local Administrator Access is required. This is absolutely required. Don't let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • Wireless 802.11 Capability


  • Host Operating System: Latest version of Windows 10 or macOS 10.15.x
  • Must have a Windows OS for the class either as your host or as a VM
  • Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
  • Please note: It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
  • Those who use a Linux host must also be able to access ExFAT partitions using the appropriate kernel or FUSE modules.


  1. Microsoft Office (2012+) - Note that you can download Office Trial Software online (free for 60 days).
  2. Download and install VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+ on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
  3. Download and install 7Zip (for Windows Hosts) or Keka (macOS).

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact

  • Security Practitioners, should attend. This course is perfect match to any security skill set from red teamers to incident responders. The course is focused on analysis skills.
  • Incident Response Team Members who respond to complex security incidents/intrusions and need to know how to detect, investigate, remediate, and recover from compromised systems across an enterprise.
  • Threat Hunters who are seeking to understand threats more fully and how to learn from them to be able to more effectively hunt threats and counter the tradecraft behind them.
  • Security Operations Center Personnel and Information Security Practitioners who support hunting operations that seek to identify attackers in their network environments.
  • Digital Forensic Analysts and Malware Analysts who want to consolidate and expand their understanding of filesystem forensics, investigations of technically advanced adversaries, incident response tactics, and advanced intrusion investigations.
  • Federal Agents and Law Enforcement Officials who want to master advanced intrusion investigations and incident response, as well as expand their investigative skills beyond traditional host-based digital forensics.
  • Technical Managers who are looking to build intelligence teams or leverage intelligence in their organizations building off of their technical skillsets.
  • SANS Alumni looking to take their analytical skills to the next level.

"SANS training never fails to impress. Instructors who are in the trenches sharing current data, tools, and techniques, bring such value to these courses." - Jessie Prevost, Trend Micro

FOR578 is a good course for anyone who has had security training or prior experience in the field. Students should be comfortable with using the command line in Linux for a few labs (though a walkthrough is provided) and be familiar with security terminology.

Some of the courses that lead in to FOR578:

Students who have not taken any of the above courses but have real-world experience or have attended other security training, such as any other SANS class, will be comfortable in the course. New students and veterans will be exposed to new concepts given the unique style of the class focused on analysis training.

We are proud that the FOR578: Cyber Threat Intelligence course has been reviewed by many of the leading minds in cyber threat intelligence, providing us with key input and recommendations from commercial, government, and DoD organizations.

FOR578 Technical Reviewers have included:

  • Chris Anthony, Johns Hopkins University
  • Rich Barger, ThreatConnect
  • J. Brett Cunningham, Allsum, LLC
  • Rick Holland
  • Robert Huber
  • Eric Hutchins
  • Bertha Marasky, Verizon
  • Kyle Maxwell
  • Vivek Nakkady
  • Scott J. Roberts
  • Ray Strubinger
  • Adam Vincent, ThreatConnect
  • Adam Weidemann

"Cyber Threat Intelligence is an entire discipline, not just a feed. This course will propel you along the path to understanding this rapidly maturing field of study." - Bertha Marasky, Verizon

"Threat Intelligence Analysis has been an art for too long, now it can finally become a science at SANS. Mike Cloppert and Robert M. Lee are the industry 'greybeards' who have seen it all. They are the thought leaders who should be shaping practitioners for years to come." - Rich Barger, CIO, ThreatConnect

"This is an awesome course and long overdue. I like the way you have mixed the technical with the intelligence and this is the first time I've seen this done in a meaningful way. Amazing work!" - Rowanne Mackie

"Fantastic class! I love the way the terminology was covered." - Nate DeWitt, eBay

"This training was invaluable. It provided me with insight on how to set up my own intel-driven defense." - Jason Miller, Warner Brothers

"This course is invaluable to organizations serious about defending their computer networks with operationalized intelligence." - Troy Wojewoda, Newport News Shipbuilding

"...You walk out different and start seeing everything from a different perspective." - Tok Yee Ching, Quann Singapore PTE LT

"I could take this course 5 times more and get something new each time! So much valuable info to take back to my organization." - Charity Willhoite, Armor Defense, Inc.

"This course gives a very smart and structured approach to CTI, something that the global community has been lacking to date." - John Geary, Citigroup

"I love and learn a lot with the course! Intense but fun, lots of practical-use cases that I can bring back to work and share with my team." - John Perea, KPMG

"This course was invaluable in framing my role as a hunter in the intelligence consumption/generation process." - Christopher Vega, Citigroup

"Stepping into an undeveloped role is very challenging. I feel the topics, materials, and views covered will help me to make expert decisions and aid the industry as a whole." - Drew Maher, Energy Future Holdings

"Best discussion of CTI in a formal way I have found." - Alexander Schraut, Experian

"Only course of its kind, and it is actually good info that I can use on day 1 when I get back to work." - Markis Vines, BB&T

"This course helps you get comfortable using a variety of tools for analysis so you can go back to work and immediately start using them." - Jessica Lee, Leidos

See also:

Statements From Our Authors

The author team of Mike Cloppert, Chris Sperry, and Robert M. Lee originally developed FOR578: Cyber Threat Intelligence with the understanding that the community was in need of a single concise collection of tradecraft. Cloppert and Sperry initiated the development of the course with the understanding that their schedules would not permit them to be able to constantly teach it. However, it was through their thought leadership that the class has become what it is today. Their influence on the development of the course remains relevant today, and SANS thanks them for their leadership.

"When considering the value of threat intelligence, most individuals and organizations ask themselves three questions: What is threat intelligence? When am I ready for it? How do I use it? This class answers these questions and more at a critical point in the development of the field of threat intelligence in the wider community. The course will empower analysts of any technical background to think more critically and be prepared to face persistent and focused threats."

- Robert M. Lee

"Threat intelligence is a powerful tool in the hands of a trained analyst. It can provide insight to all levels of a security program, from security analysts responding to tactical threats against the network to executives reporting strategic-level threats to the Board of Directors. This course will give students an understanding of the role of threat intelligence in security operations and how it can be leveraged as a game-changing resource to combat an increasingly sophisticated adversary."

- Rebekah Brown

"This has been one of the most interesting and exciting courses I've taken as a student-turned-professional of cyber security. Rob M. Lee does a fantastic job of getting one prepared for the role of a CTI analyst, and having recently read the book "Sandworm," I'm geeking out really hard knowing that he's the one teaching this course. I enjoy the fact that not only does he provide insight into the world of CTI, but he provides case studies to identify both the pitfalls and big victories of threat analysis. I could not be more excited to continue this course." - James H, US State Gov