At the CIA, John served as the team lead for a transnational and emerging cyber technology team that, in addition to driving intelligence collection and analytic production, examined the implications of paradigm shifts in the cyber threat landscape. John would often provide support to combat large-scale cyber-attacks, including such notable attacks as WannaCry, NotPetya, and OlympicDestroyer.
John’s cybersecurity interests largely reside in understanding adversary operations and tradecraft by analyzing forensic artifacts, and in enriching data to provide actionable intelligence.
John has developed and taught cybersecurity and cyber threat courses for more than five years at Mandiant, within the U.S. government, and at George Mason University. He decided to start teaching at SANS because he believed that’s where he could have the greatest impact in empowering, educating, and equipping the next generation of cyber defenders and analysts.
“I am passionate about instruction, and I believe that anyone with enough passion, dedication, and willingness can master the core skills and competencies required to perform cyber threat intelligence analysis.” he explains. John believes that his role as instructor of the SANS FOR578: Cyber Threat Intelligence course allows him to draw on his experience in the field to teach the core skills and tools of the trade to track and combat an ever-evolving and growing number of cyber threat actors.
John has often found that students who take cyber threat intelligence courses tend to come either from a traditional intelligence analysis background, where cyber security concepts are new, or from a cybersecurity background, where analytic tradecraft concepts are new. In his teaching, he bridges this gap by providing useful insights to help students understand traditional intelligence analysis tradecraft and its application using different data sets to support multiple cybersecurity missions; the complexities involved in tracking clusters of intrusion activities over time; and the forensic psychology involved because there are humans behind these cyber operations and, as a result, patterns can be established that identify their unique operational fingerprints.
Finally, John’s classes are participatory, drawing on the knowledge of the students as well as the teacher. “I tend to draw out student experiences as a way to augment teaching so that we learn from the work and experience we all have in order to grow the collective knowledge base together as a community,” he says.
In his spare time John enjoys rock climbing jogging, biking, painting, craft beer, and whiskey.
Get to know John Doyle:
- SANS Instructor for the FOR578: Cyber Threat Intelligence course
- More than 14 years of experience in the cybersecurity field, with the past 11 years working in cyber threat intelligence.
- Covered North Korean, Russian, Chinese, and Iranian intrusion sets, as well as cyber-adjacent topics such as companies offering turnkey cyber espionage capabilities and hacking on behalf of a government.
- Received several awards for innovation in intelligence analysis, including for his use of non-traditional data sources to derive novel insights about cyber actors and for developing a training curriculum for cyber threat analysts.
- He is currently a Principal Analyst at FireEye Mandiant.
- GREM - GIAC Reverse Engineering Malware Certification
- GCTI - Cyber Threat Intelligence
- GDAT - GIAC Defending Against Advanced Adversaries
- GCFA - GIAC Certified Forensic Analyst
- GCFE - GIAC Certified Forensic Examiner
- GNFA - GIAC Certified Network Forensics Analyst
- GPEN - GIAC Certified Penetration Tester
- CISSP® - Certified Information Systems Security Professional
- FOR610: Reverse-Engineering Malware
- FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
- FOR578: Cyber Threat Intelligence
- SEC599: Defeating Advanced Adversaries – Purple Team Tactics & Kill Chain Defenses
- FOR500: Windows Forensic Analysis
- FOR508: Advanced Incident Response and Threat Hunting
- SEC555: SIEM with Tactical Analysis
- SEC579: Virtualization and Software-Defined Security
- Mandiant: Essentials of Malware Analysis
- Mandiant: Linux Enterprise Incident Response
- Mandiant: Windows Enterprise Incident Response
- SANS CTI Summit Presentation: “Developing the Analyst: Creating Career Roadmaps for Intelligently Progressing in CTI” https://www.youtube.com/watch?v=Vzpn5z_pG2E
- “Breaking Into the CTI Field: Demystifying the Interview Process and Practice Interview Questions” https://medium.com/@Shinigami42/breaking-into-the-cti-field-demystifying-the-interview-process-and-practice-interview-questions-37cc8168f10c
- “Intelligently Developing a Cyber Threat Analyst Workforce" https://www.sans.org/webcasts/intelligently-developing-a-cyber-threat-analyst-workforce/
- “Empathy: The Way to Win Hearts and Minds in CTI” https://medium.com/@Shinigami42/empathy-the-way-to-win-hearts-and-minds-in-cti-934de391e475
- “The Role of Contractors in Cyber Operations” https://open.spotify.com/episode/3nURaVsiOGAa8aerHrZFX8
- “Mental Health and Burnout in CTI” https://medium.com/@Shinigami42/mental-health-and-burnout-in-cti-2f4981be3955
- “Metrics are the Drivers of CTI Value” https://www.mandiant.com/resources/blog/metrics-drivers-cti-valu