50+ Cyber Security Courses at SANS 2020 in Orlando! Save up to $150 thru 3/4.

Simulcast FOR578 Session

Mon Jun 13 - Fri Jun 17, 2016 (US Eastern)
This event is over
but there are more training opportunities.

Cyber Threat Intelligence Sold Out

Great course for people starting into security essentials.

Alex Largie, Navajo Nation

Excellent material for security professionals wanting a deeper level of knowledge on how to implement security policies, procedures, and defensive mechanisms in an organization.

Brandon Smit, Dynetics


Make no mistake: current computer network defense and incident response contain a strong element of intelligence and counterintelligence that analysts must understand and leverage in order to defend their computers, networks, and proprietary data.

FOR578: Cyber Threat Intelligence will help network defenders and incident responders:

  • Construct and exploit threat intelligence to detect, respond, and defeat advanced persistent threats (APTs)
  • Fully analyze successful and unsuccessful intrusions by advanced attackers
  • Piece together intrusion campaigns, threat actors, and nation-state organizations
  • Manage, share, and receive intelligence on APT adversary groups
  • Generate intelligence from their own data sources and share it accordingly
  • Identify, extract, and leverage intelligence from APT intrusions
  • Expand upon existing intelligence to build profiles of adversary groups
  • Leverage intelligence to better defend against and respond to future intrusions.

Conventional network defenses such as intrusion detection systems and anti-virus tools focus on the vulnerability component of risk, and traditional incident response methodology pre-supposes a successful intrusion. However, the evolving sophistication of computer network intrusions has rendered these approaches insufficient to address the threats faced by modern networked organizations. Today's adversaries accomplish their goals using advanced tools and techniques designed to circumvent most conventional computer network defense mechanisms, go undetected during the intrusion, and then remain undetected on networks over long periods of time.

The collection, classification, and exploitation of knowledge about adversaries - collectively known as cyber threat intelligence - gives network defenders information superiority that can be used to reduce the adversary's likelihood of success with each subsequent intrusion attempt. Responders need accurate, timely, and detailed information to monitor new and evolving attacks, as well as methods to exploit this information to put in place an improved defensive posture. Threat intelligence thus represents a force multiplier for organizations looking to update their response and detection programs to deal with increasingly sophisticated advanced persistent threats.

During a targeted attack, an organization needs a top-notch and cutting-edge incident response armed with the critical intelligence necessary to understand how adversaries operate and to combat the threat. FOR578: Cyber Threat Intelligence will train you and your team to detect, scope, and select resilient courses of action in response to such intrusions and data breaches.

Course Syllabus

Jake Williams
Mon Jun 13th, 2016
9:00 AM - 12:15 PM US Eastern
1:30 PM - 5:00 PM US Eastern


A key facilitator of cyber threat intelligence (CTI) is to use a common lexicon that defines its most basic elements and ideas. This section introduces students to fundamental CTI concepts and models, beginning with an understanding of broader intelligence analysis tradecraft. The section introduces and defines CTI through conventional lectures, class participation, and exercises from the students' lab book.

  • Using CRITS to record intelligence
  • Analysis and intelligence extraction from a spear-phishing email
  • Analysis and intelligence extraction from a malicious PDF attachment
  • Identification of network scanning as adversary reconnaissance efforts

CPE/CMU Credits: 6

  • Course Introduction
    • Why CTI? Collection Requirements/Motivations
    • Intelligence and Intel Analysis
    • Traditional Intelligence Cycle
    • Lexicon and Definitions
    • Roles of CTI Analysts
    • Risk
  • Current Threat Landscape
    • Defining Threats and Abstractions
    • What a Threat Is NOT
    • How Does CTI Work?
  • Classic Intelligence Analysis
    • What Is Intelligence?
    • Sources
    • Intelligence Cycle
    • Analytical Process and the Scientific Method
    • Analysis of Competing Hypotheses
    • Biases in Intel Analysis
    • Counterintelligence
  • Intelligence in Computer Network Defense
    • The Indicator
    • Examples of Indicators
    • How Indicators Are Found: The Scan-Transform Loop
    • Understanding Signatures as Expressive CTI
    • Indicator Sources
  • Diamond Model
  • Kill Chain Introduction and Background
  • Kill Chain Phases in Detail
  • Analytical Aspects of the Kill Chain
  • Courses of Action Matrix
  • Indicator Lifecycle
  • Indicator Maturity Model
    • Model Definition
    • Application to Indicators and Signatures
  • Decision-making in Intelligence Exploitation
    • Intel Gain/Loss Considerations
    • Prioritization of Detections and Response
    • The Kill Chain and Intelligence in Conventional Incident Response
  • Additional, Alternate, and Emergent Models

Jake Williams
Tue Jun 14th, 2016
9:00 AM - 12:15 PM US Eastern
1:30 PM - 5:00 PM US Eastern


One of the most commonly used and basic models covered in the first section is the "kill chain," which is the series of steps an adversary must accomplish to be successful. This section will use the kill chain as a guide to collect intelligence on the sophisticated adversary involved in a multi-phase intrusion, from initial discovery of command-and-control to completion of analysis of the event. The section also draws on other models introduced in Section 1, such as the Courses of Action Matrix, to show students their proper role in analyzing a successful intrusion as they methodically work their way toward being able to define a full campaign using the concepts introduced here.

  • Compromised system analysis with Redline
  • Identification of adversary command-and-control beaconing and lateral movement
  • Analysis of exfiltration of a compromised host on the network and correlation of indicators to unveil the campaign

CPE/CMU Credits: 6

  • Scenario-based Kill Chain Analysis: Web Drive-by
    • Moving Forward in the Kill Chain
    • Moving Backward in the Kill Chain
    • Stages 1-7 in Discovery Order
  • Application of Courses of Action for Computer Network Defense
  • Analytical Completeness Guided by Kill Chain Analysis
  • Multi-Stage Intrusions and Kill Chain Sequencing
  • Second Scenario-based Kill Chain Analysis: Webserver Intrusion
    • Linkage to Prior Kill Chain
    • Stages 1-7 in Discovery Order
  • Historical Unsuccessful Intrusion Attempt: Phishing Attempt
    • Relationship to Present Incident
    • When to Analyze Unsuccessful Attempts
    • Analytical Completeness in Unsuccessful Intrusions
  • Completing the Picture with Available Intelligence

Jake Williams
Wed Jun 15th, 2016
9:00 AM - 12:15 PM US Eastern
1:30 PM - 5:00 PM US Eastern


An intrusion is but a single attempt by an adversary to gain access to a system for some intended purpose. Dedicated adversaries, intent on exploiting systems that support specific organizations, people, or technologies, will not let one failed attempt deter them from their ultimate goal. Their sustained campaign will likely consist of multiple intrusions over an extended period of time, each with its individual kill chain, against organizations you monitor and defend as well as others beyond your visible spectrum. In this section, students learn what campaigns are, why they are important, and how to define them. From this baseline intelligence, gaps and collection opportunities are identified for fulfillment via open-source resources and methods. Common types and implementations of open source data repositories, as well as their use, are explored in-depth through classroom discussion and exercises. These resources can produce an enormous volume of intelligence about intrusions, which may contain obscure patterns that further elucidate campaigns or actors. Tools and techniques to expose these patterns within the data through higher-order analysis will be demonstrated in narrative and exercise form. The application of the resulting intelligence will be articulated for correlation, courses of action, campaign assembly, and more.

  • Building campaigns (in-class)
  • Basic OSINT pivoting and indicator mapping
  • Aggregating and pivoting in Excel
  • Intel aggregation and pivoting in Maltego

CPE/CMU Credits: 6

  • Abbreviated History of Threats in Cyberspace
  • Cross-Incident Correlation
  • Campaign Definitions
    • Key Indicators
    • Tactics, Techniques, and Procedures in Detail
  • Distinguishing Correlative and Actionable Intelligence
  • Pitfalls in Correlating Intrusions
  • Interpreting Campaign Intersections
  • Pivoting, Hunting, and External Intelligence Exploitation
    • Passive Network Activity
    • Malware Repositories
    • Domain and Organizational Data
    • Configuration Block Data
  • Exploratory Techniques for Campaign Analysis
    • Graph-based Tools
    • CTI Analysis with Excel

Jake Williams
Thu Jun 16th, 2016
9:00 AM - 12:15 PM US Eastern
1:30 PM - 5:00 PM US Eastern


Behind campaigns are people, and just like network defenders and intelligence analysts, these intruders have roles within organizations, employers, bosses, customers, and colleagues. This section will explore in more depth the characteristics of the organizational entities behind intrusions, and how these characteristics are projected through intrusions. Cognitive biases common in the CTI domain are discussed. Analysis of Competing Hypotheses is then presented as a formal method for mitigating bias in intelligence assessments in general, then for nation-state and (separately) campaign attribution. Intent, opportunity, and capability are revisited from Section 1 in greater detail, particularly as they pertain to nation-state actors. The role and significance of nation-state attribution in Cyber Threat Intelligence analysis is discussed as a general concept, with examples from contemporaneous nation-state threats. Finally, an abridged history of threats in cyberspace that marked inflection points particularly significant for the CTI domain is provided.

  • Congruence bias (in-class)
  • ACH & Nation-state Attribution (group)
  • The KGB, My Computer, And Me (group)

CPE/CMU Credits: 6

  • Formulating conclusions
    • Estimative language
    • Confidence assessments
    • Constructing assessments
  • Cognitive biases & Analysis of Competing Hypotheses (ACH)
  • Nation-state attribution
    • Significance
    • Intent, opportunity, and capability
    • CNA, CNE, sabotage, and espionage
    • Linguists and CTI Analysis
  • Understanding threats and their actions at the strategic and operational level
  • Abridged history of threats in cyberspace influencing the CTI domain

Jake Williams
Fri Jun 17th, 2016
9:00 AM - 12:15 PM US Eastern
1:30 PM - 5:00 PM US Eastern


Intrusions consist of an enormous amount of information that, once refined, represents intelligence. In this section, students will learn effective ways to manage intelligence, collaborate with their peers, and empower their security teams. Campaigns consist of intrusions spanning months and sometimes even years, each with its own details linking its constituent intrusions. Collecting this intelligence is critical to making it actionable for defense, and appropriately sharing it with internal and peer organization security teams makes it possible to identify the resilient characteristics of adversaries and discover new campaigns. Intrusions will span organizations, and sometimes even spread across industries. External intelligence is key to keep up to date on the latest movements and tactics of adversaries, even if they are not (yet!) targeting you.

  • Open-source intelligence using Recorded Future
  • IOC creation
  • Critical analysis of threat Intelligence reporting
  • Internal threat intelligence sharing through the active cyber defense cycle

CPE/CMU Credits: 6

  • Intelligence Sharing Purposes and Considerations
  • Extracting Tactical Threat Intelligence
    • Indicators of Compromise (IOC) Formats
  • Open-Source Intelligence Collection (OSINT)
  • Commercial and Open-Source CTI Solutions
    • Threat Intel Collaborations
    • Sharing Platforms
    • CTI Feeds
    • Information Sharing and Analysis Centers (ISACs) and Fusion Centers
  • Intelligence Knowledge Management
    • Strategic, Operational, and Tactical Threat Intelligence
    • Non-disclosure Agreements (NDAs), Classifications, and Other Restrictions
    • Technologies
    • Standards
  • Internal Threat Intel Sharing
    • Threat Intelligence Consumption for Network Security Monitoring
    • Threat Intelligence Consumption for Incident Response
    • Threat Intelligence Consumption for Threat and Environment Manipulation
  • Peer Collaboration
    • Approaches
    • Risks
    • Benefits
    • Selecting the Right Groups and Forums
  • Report Writing
Date Time Instructor
Mon Jun 13th, 20169:00 AM - 12:15 PM US Eastern
1:30 PM - 5:00 PM US Eastern
Jake Williams
Tue Jun 14th, 20169:00 AM - 12:15 PM US Eastern
1:30 PM - 5:00 PM US Eastern
Jake Williams
Wed Jun 15th, 20169:00 AM - 12:15 PM US Eastern
1:30 PM - 5:00 PM US Eastern
Jake Williams
Thu Jun 16th, 20169:00 AM - 12:15 PM US Eastern
1:30 PM - 5:00 PM US Eastern
Jake Williams
Fri Jun 17th, 20169:00 AM - 12:15 PM US Eastern
1:30 PM - 5:00 PM US Eastern
Jake Williams

Additional Information


You can use any 64-bit version of Windows, Mac OSX, or Linux as your core operating system that also can install and run VMware virtualization products.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities.

Please download and install VMware Workstation 11, VMware Fusion 7, or VMware Player 7 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.


  • CPU: 64-bit Intel i5 x64 2.0+ GHz processor or higher based system is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
  • RAM: 8 GB of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM or higher is mandatory.)
  • Host Operating System: Fully patched & updated Windows (7+), Mac OSX (10.10+), or recent version of Linux operating system (released 2014 or later) that also can install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player). Please note: It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access ExFAT partitions using the appropriate kernel or FUSE modules.
  • Networking: Wireless 802.11 B, G, N, or AC
  • USB 3.0 ports recommended.
  • The student should have the capability to have Local Administrator Access within their host operating system and BIOS settings.
  • 80GB of free space on hard drive.


  1. Microsoft Office (2012+) - Note that you can download Office Trial Software online (free for 60 days).
  2. Install VMware Workstation, VMware Fusion, or VMware Player
  3. If you are using an Apple Laptop/MacBook with OSX as your operating system it is required you additionally bring a Windows Virtual System (Win7 or higher Any Version) to class

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Incident Response Team Members who regularly respond to complex security incidents/intrusions from APT adversaries and need to know how to detect, investigate, remediate, and recover from compromised systems across an enterprise.
  • Security Operations Center Personnel and Information Security Practitioners who support hunting operations that seek to identify attackers in their network environments.
  • Experienced Digital Forensic Analysts who want to consolidate and expand their understanding of filesystem forensics, investigations of technically advanced adversaries, incident response tactics, and advanced intrusion investigations.
  • Federal Agents and Law Enforcement Officials who want to master advanced intrusion investigations and incident response, as well as expand their investigative skills beyond traditional host-based digital forensics.
  • SANS FOR408, FOR572, FOR508, or FOR610 Graduates looking to take their skills to the next level.

FOR578 is not an entry-level course. Students should have experience in incident response and information security techniques such as those covered in FOR508, FOR572, FOR610, ICS515 or equivalent experience. FOR578 is perfect for SANS Alumni with incident response experience who are looking to elevate their analytical skills. Students taking FOR578 should be comfortable with Linux as it will be used in many labs in the course.

Courses that lead in to FOR578:

Students who have not taken any of the above courses but have real world experience with incident response techniques and are comfortable with Linux can still expect to succeed in the course.

Please contact the authors at FOR578-Prereq@sans.org if you have any questions or concerns about the prerequisites.

In this course, you will receive the following:

  • MP3 audio files of the complete course lecture

We are very proud to have the FOR578: Cyber Threat Intelligence course reviewed by many of the leading minds in cyber threat intelligence helping us gather key input and recommendations from commercial, government, and DoD organizations.

FOR578 Technical Reviewers:

  • Chris Anthony, Johns Hopkins University
  • Rich Barger, ThreatConnect
  • J. Brett Cunningham, Allsum, LLC
  • Rick Holland
  • Robert Huber
  • Eric Hutchins
  • Bertha Marasky, Verizon
  • Kyle Maxwell
  • Vivek Nakkady
  • Scott J. Roberts
  • Ray Strubinger
  • Adam Vincent, ThreatConnect
  • Adam Weidemann

"Cyber Threat Intelligence is an entire discipline not just a feed. This course will propel you along the path to understanding this rapidly maturing field of study." - Bertha Marasky, Verizon

"Threat Intelligence Analysis has been an art for too long, now it can finally become a science at SANS. Mike Cloppert and Robert Lee are the industry 'greybeards' that have seen it all; they are the thought leaders that should be shaping practitioners for the years to come." - Rich Barger, CIO at ThreatConnect Inc

"This is an awesome course and long overdue. I like the way you have mixed the technical with the intelligence and this is the first time I've seen this done in a meaningful way. Amazing work!" - Rowanne Mackie

"Fantastic class! I love the way the terminology was covered." - Nate DeWitt, eBay

"This training was invaluable. It provided me with insight on how to set up my own intel driven defense." - Jason Miller, Warner Bros

"This course is invaluable to organizations serious in defending their computer networks with operationalized intelligence." - Troy Wojewoda, Newport News Shipbuilding

"...You walk out different and start seeing everything from a different perspective" - Tok Yee Ching, Quann Singapore PTE LT

Statements From Our Authors

"In teaching this course, my goal is to create a colleague - someone I trust and who understands how to look at defending networks by leveraging the perspective of our adversary. This course represents my wish list for the baseline knowledge and experience I'd like to see among all the new colleagues I will meet throughout my career."

- Mike Cloppert

"When considering the value of threat intelligence, most individuals and organizations ask themselves three questions: What is threat intelligence? When am I ready for it? How do I use it? This class answers these questions and more at a critical point in the development of the field of threat intelligence in the wider community."

- Robert M. Lee

Venue Information

  • World Wide Web
  • Secure Site Requires Login ID & Password
    Webcast Classroom Training,