Gcti / sans for 578

trueshrewkmc

For anyone who has taken SANS FOR 578, Cyber Threat Intelligence...

How tool centric is FOR 578? I just finished FOR 508 online, on-demand and it felt as if it were 75% tools, 25% or less concepts. There were 4 books (and a lab book --- book 5) for FOR 508. Tools seemed to make up almost all of 2 books, and 1/2 of the other 2 books.

I'm also thinking about taking the Carnegie Mellon SEI online training in threat intelligence because it's cheaper and may be less tool centric.

Are there any FOR 578 alumni who can provide a little feedback?

Thank you.

yomista

I'm looking to take GCTI next. Will also love any feedback from whoever has taken it

trueshrewkmc

Have you taken SANS FOR 578? The SIFT Workstation is included with the On Demand materials, so I'm assuming the course (and exam) could be tool heavy.

According to the SANS/GIAC US web site, the GCTI test won't be released until late December 2017. You'll be waiting a few weeks for feedback unless it comes out earlier in other parts of the world. [I'm trying to be less of an ugly American, but sometimes I forget.]

yomista

Not yet. I am looking to take FOR578 next or FOR500/FOR508. Did you particularly enjoyed 508 or found it useful ? When you mentioned tool-centric, is it SIFT workstation and the bundled tools inside ?

I have a voucher that I need to use before April 2018 and like yourself still waiting for the exams to be released.

trueshrewkmc

I did not enjoy the tool-centric focus of FOR508. I don't do hands-on forensics work, so I am now vaguely acquainted with a whole bunch of Windows forensics tools. FOR508 covers SIFT workstation and some of its many, many tools. FOR508 also recaps some FOR408 content, so there's no need to take FOR408 first.

I asked SANS about FOR578 and whether it was as tool-centric as FOR508. SANS said it's just a handful of tools in FOR578.

al88

I finished FOR578 recently and I honestly was very disappointed!

The course needs to mature more I believe as the topic itself is still a new trend. If you took 508 (or any other course that evolve around threat hunting really) then there's a lot of overlap really..

It goes into teaching from strategical level to technical tool based level. (The strategy and context building part was the eye opener really, the rest is everyday business for you if you Ever delt with CTI) ..


I believe the course could be compressed into two days course and it would be great that way! And I'd take it again even!

I'd say if that happens (becomes 2 days or 3) or at least waiting for another year for it to mature a bit then go for it (especially if you planning to integrate CTI as a serious part of your organization.


Best of luck!

SaSkiller

So does either of these courses (508/57 cover how to build and execute threat hunting?

yomista

I think cause FOR578 is fairly new and they need time to mature. Feedback I think will help alot.
Are you planning to sit for the exam ?

al88

SaSkiller wrote: »

So does either of these courses (508/57 cover how to build and execute threat hunting?

They both do, (508 has a chapter, and the whole course is about threat hunting "indirectly" .. i guess it depends what's your definition of Threat hunting

578 obviously covers it but the whole scope of it.. reading APT reports, extracting info, building your own..etc.

If your are taking it to the next level from both Offensive (GPEN) and Defensive (GCIH) i highly recommend you go 508, it will teach you how to catch movement/malicious activities OR avoiding being caught.

508 by far the best course I took!

al88

yomista wrote: »

I think cause FOR578 is fairly new and they need time to mature. Feedback I think will help alot.
Are you planning to sit for the exam ?

I sure hope so, i got an email that the material changed from the time i took it.. i don't know how would that affect my chances in the exam

yomista

al88 wrote: »

I sure hope so, i got an email that the material changed from the time i took it.. i don't know how would that affect my chances in the exam

Please let me know what you think of it. All the best!

_nessie_

al88 wrote: »

I sure hope so, i got an email that the material changed from the time i took it.. i don't know how would that affect my chances in the exam

I finished the exam this morning and passed.
With materials that were thaught in Q3 '16.
I felt I was "missing" things with some of the questions ...

Anyway,

I kind of disagree with you about the coverage of the course material. (although that might be due to my third point and conclusion )
If you're looking for material that shows you how to deal with intelligence and how to start of creating your own products in this realm, I sincerely believe that this course does offer you what you need.
If you look at it from the perspective of a semi-tech analyst that is not directly involved in the monitoring, incident handling or other CSOC related functions, but has to provide the context, the relationships with previous or other campaigns, providing the bigger picture in order to prioritize tasks, budget and even areas of interest, then again, I honestly believe this course provides what you need.

I'm currently taking the eLearnSecurity THP as well, and although there are overlaps (it would be weird if there weren't), the eLS is more practical-oriented and is thus more of interest for those involved in the tactical/operational but lacks the background of an incident handler or network analyst. I haven't done the 508, but these two may resemble.

cheerz