Final Week to Get a Free GIAC Certification Attempt or Take $350 Off with OnDemand & vLive!


Baltimore, MD | Sat, Jun 13 - Sat, Jun 20, 2015
This event is over,
but there are more training opportunities.

FOR578: Cyber Threat Intelligence Sold Out

Sat, June 13 - Sun, June 14, 2015

This course is excellent! Canít wait to share with my team and start implementing the methodologies.

Rich Ferguson, Refinitiv

Great information on TLS cert pivoting. Will be using this as soon as I get back to work.

Rich Ferguson, Refinitiv

Make no mistake: current computer network defense and incident response contains a strong element of intelligence and counterintelligence that analysts must understand and leverage in order to defend their computers, networks, and proprietary data.

FOR578: Cyber Threat Intelligence will help network defenders and incident responders determine:

  • The role of cyber threat intelligence in their jobs
  • When the analysis of an intrusion by a sophisticated actor is complete
  • How to identify, extract, prioritize, and leverage intelligence from advanced persistent threat (APT) intrusions
  • How to expand upon existing intelligence to build profiles of adversary groups
  • Ways to leverage collected intelligence to improve success in defending against and responding to future intrusions
  • How to manage, share, and receive intelligence on APT actors

Conventional network defenses such as intrusion detection systems and anti-virus tools focus on the vulnerability component of risk, and traditional incident response methodology presupposes a successful intrusion. However, the evolving goals and sophistication of computer network intrusions has rendered these approaches insufficient to address the threats faced by many modern networked organizations. Today's adversaries accomplish their goals using advanced tools and techniques designed to circumvent most conventional computer network defense mechanisms, go undetected during the intrusion, and then remain undetected on networks over long periods of time.

Incident response techniques that collect, classify, and exploit knowledge about these adversaries - collectively known as cyber threat intelligence - enable network defenders to establish a state of information superiority that decreases the adversary's likelihood of success with each subsequent intrusion attempt. Threat intelligence can be a force multiplier as organizations look to update their response and detection programs to deal with increasingly sophisticated advanced persistent threats. Responders need accurate, timely, and detailed information to monitor new and evolving attacks, as well as methods to exploit this information to put in place an improved defensive posture.

During a targeted attack, an organization needs the best incident response and hunting team in the field, poised to combat these threats and armed with intelligence about how they operate. FOR578: Cyber Threat Intelligence will train you and your team to respond, detect, scope, and stop intrusions and data breaches.

Course Syllabus

Mike Cloppert ,
Robert M. Lee
Sat Jun 13th, 2015
9:00 AM - 5:00 PM


This section introduces students to the most fundamental concepts and models in cyber threat intelligence (CTI), beginning with an understanding of broader intelligence analysis tradecraft. One of the key enablers of CTI is the use of a common lexicon, and every field of study must define its most basic elements and ideas. This section introduces and defines CTI through conventional lectures, class participation, and exercises from the students' lab book.

  • Step-by-step instructive decomposition of a basic, unsuccessful email intrusion attempt for the purposes of proper classification of intelligence
  • Digestion of an external report from a peer, with proper extraction and classification of the intelligence it contains
  • Selection of proper courses of action for information gathered thus far

CPE/CMU Credits: 6

  • Course Introduction
    • Why CTI? Collection Requirements/Motivations
    • Intelligence and Intel Analysis
    • Traditional Intelligence Cycle
    • Lexicon and Definitions
    • Roles of CTI Analysts
    • Risk
  • Current Threat Landscape
    • Defining Threats, Abstractions
    • What a Threat Is NOT
    • How Does CTI Work?
  • Classic Intelligence Analysis
    • What Is Intelligence?
    • Sources
    • Intelligence Cycle
    • Analytical Process and the Scientific Method
    • Analysis of Competing Hypotheses
    • Biases in Intel Analysis
    • Counterintelligence
  • Intelligence in Computer Network Defense
    • The Indicator
    • Examples of Indicators
    • How Indicators Are Found: The Scan-Transform Loop
    • Understanding Signatures as Expressive CTI
    • Indicator Sources
  • Diamond Model
  • Kill Chain Introduction and Background
  • Kill Chain Phases in Detail
  • Analytical Aspects of the Kill Chain
  • Courses of Action Matrix
  • Indicator Lifecycle
  • Indicator Maturity Model
    • Model Definition
    • Application to Indicators and Signatures
  • Decision-making in Intelligence Exploitation
    • Intel Gain/Loss Considerations
    • Prioritization of Detections and Response
    • The Kill Chain and Intelligence in Conventional Incident Response
  • Additional, Alternate, and Emergent models

Mike Cloppert ,
Robert M. Lee
Sun Jun 14th, 2015
9:00 AM - 5:00 PM


One of the most commonly used and basic models covered in Section 1 is the "kill chain," or the series of steps an adversary must accomplish in order to be successful. This section will walk students through analysis of a multi-phase intrusion, from initial discovery of command-and-control to completion of analysis of the event, using the kill chain as a guide to collect intelligence on the sophisticated adversary involved. Other models introduced in Section 1, such as the Courses of Action Matrix, are woven into this section in order to show students their proper role in analyzing a successful intrusion as they slowly work their way up to being able to define a full campaign using the concepts introduced here.

  • Analysis, extracting, and exploiting indicators: Web drive-by
  • Analysis, extracting, and exploiting indicators: Webserver intrusion
  • Analysis, extracting, and exploiting indicators: Email phishing

CPE/CMU Credits: 6

  • Scenario- based Kill Chain Analysis: Web Drive-by
    • Moving Forward in the Kill Chain
    • Moving Backward in the Kill Chain
    • Stages 1-7 in Discovery Order
  • Application of Courses of Action for Computer Network Defense
  • Analytical Completeness Guided by Kill Chain Analysis
  • Multi-Stage Intrusions and Kill Chain Sequencing
  • Second Scenario-based Kill Chain Analysis: Webserver Intrusion
    • Linkage to Prior Kill Chain
    • Stages 1-7 in Discovery Order
  • Historical Unsuccessful Intrusion Attempt: Phishing Attempt
    • Relationship to Present Incident
    • When to Analyze Unsuccessful Attempts
    • Analytical Completeness in Unsuccessful Intrusions
  • Completing the Picture with Available Intelligence

Additional Information


A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

You can use any 64-bit version of Windows, MAC OSX, or Linux as your core operating system that also can install and run VMware virtualization products. You also must have 8 GB of RAM or higher to support virtualization to function properly in the class.

Please download and install VMware Workstation 11, VMware Fusion 7, or VMware Player 7 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site.


  • CPU: 64-bit Intel x64 2.0+ GHz processor or higher-based system is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
  • 8 GB (Gigabytes) of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM or higher of RAM is mandatory)
  • Ethernet Networking Capability Recommended or Wireless 802.11 B/G/N/AC
  • USB 3.0 Ports Recommended
  • Windows based operating system is preferred


  1. Microsoft Office (any version) - Note you can download Office Trial Software online (free for 60 days)
  2. Install VMware Workstation 11, VMware Fusion 7, or VMware Player 6 (higher versions are okay)
  3. Download and install 7Zip on your host


  1. Bring the proper system hardware (64bit/8GB Ram) and operating system configuration
  2. Install VMware (Workstation, Player, or Fusion), MS Office, and 7zip

If you have additional questions about the laptop specifications, please contact

  • Incident Response Team Members who regularly respond to complex security incidents/intrusions from an APT group/advanced adversaries and need to know how to detect, investigate, remediate, and recover from compromised systems across an enterprise.
  • Experienced Digital Forensic Analysts who want to consolidate and expand their understanding of filesystem forensics, investigations of technically advanced adversaries, incident response tactics, and advanced intrusion investigations.
  • Information Security Professionals who may encounter data breach incidents and intrusions
  • Federal Agents and Law Enforcement who want to master advanced intrusion investigations and incident response, and expand their investigative skills beyond traditional host-based digital forensics.
  • SANS FOR408, FOR572, FOR508, or FOR610 Graduates looking to take their skills to the next level.

FOR578 is perfect for SANS DFIR Alumni who are looking to elevate their analytical skills beyond the technical minutiae of data collection, processing, and exploitation to more holistic, intelligence-oriented tradecraft. It is akin to a "capstone" course that teaches students how to "think about thinking," and although it employs techniques such as enterprise incident response (FOR508), network forensics (FOR572), malware analysis (FOR610), and memory analysis (FOR526), it enhances technical skills with an emphasis on analysis. As such, it is not a beginner course; it requires an established understanding of incident response, information security, and a good degree of comfort at Unix and Windows command lines. The degree to which students meet these thresholds will dictate the benefit they gain from the course.

Before registering for FOR578, we strongly recommend that you should have attended one of the following SANS courses: SEC504, SEC511, FOR508, FOR572, FOR526, or FOR610.

Author Statement

"In teaching this course, my goal is to create a colleague - someone I trust and who understands how to look at defending networks by leveraging the perspective of our adversary. This course represents my wish list for the baseline knowledge and experience I'd like to see among all the new colleagues I will meet throughout my career."

- Mike Cloppert