SANS FOR578 - Cyber Threat Intelligence - Course Review
Just attended this course in Orlando... Had Peter Szczepankiewicz (S14). A great instructor goes a long way to making a class, and S14 is a great instructor. Five-day course with lots of labs... Twenty students in the class, with a lot of IR folks and about 5 of us who actually were in Threat Intel roles... Pet peeve here: if you are taking a course, interact with your instructor and classmates (out of 20 people, there were only 5 or 6 of us actively participating in the class and discussion, plus 2 or 3 who only spoke when presenting the final group projects).
Day One: Cyber Threat Intelligence (CTI) and Requirements
Day Two: The Primary Collection Source: Intrusion Analysis
Day Three: Collection Sources
Day Four: Analysis and Dissemination of Intelligence
Day Five: High Order Analysis and Attribution
Day one was the basics... Intelligence definitions and terms, the traditional intelligence cycle, and a bit of history of the intelligence tradecraft. From there it moved into defining risks and threats, CTI's role in cyber defense, and methods of threat detection. Also discussed was CTI's role in enabling other teams, ending with threat modeling. Structured Analytic Techniques, including decision matrices and decision trees, were discussed and used on day one.
Day One tools included IOC Editor and ThreatMiner.org; a lot of the course's labs were done in a SIFT VM.
Day two discussed the Kill Chain and Diamond models which were used throughout the course. Day two was the most technical day with a lot of focus being on tools...
PDF parsing in a Linux terminal
Mandiant Redline
Wireshark (minimal, not a lot of depth; I came out of the class knowing I need to know it better)
VirusTotal
Whois
Documenting attack phases with KC and DM
Utilizing pivot tables and heat maps in MS Excel to aggregate and visualize data
Day three focused on more tools (Maltego, DomainTools Iris, Recorded Future, MISP, etc.). It also focused heavily on Open Source Intelligence (OSINT) gathering and analysis. Some of the OSINT included domains, external data sets, TLS/SSL certificate pivoting, and MISP.
Day four started with Analysis of Competing Hypotheses (ACH) and ran through more Maltego usage as well as YARA and STIX.
Day five discussed logical fallacies and cognitive biases in intelligence. An interesting lab for this was reviewing several different intelligence reports by various companies. From there, the discussion moved into report-writing dos and don'ts and best practices, before ending with fine-tuning analysis and attribution.
The day and course ended with an analysis of recent events (election interference) and writing a team report on the findings.
Overall thoughts: a great course for someone who has been in the space for 3-4 years, such as myself, as well as for IR folks looking to move into the discipline. While the course only touched on a lot of the information, it is a good foundation for realizing what you still need to learn. A great course and great instructor... next up will most likely be 504.
Now to build my index and study and prep for the GCTI cert.
"Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
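Of everything on the day-four list, ACH is the one technique that reduces to an algorithm, and the low/medium/high confidence split the report groups argued over later in the thread is exactly what the method is meant to make explicit. As an added example, not part of the original post or of the course materials, here is Heuer-style ACH scoring in Python: each hypothesis collects weighted inconsistency points from the evidence (ACH looks for the hypothesis with the least evidence against it, not the most for it), evidence rated the same against every hypothesis is dropped as non-diagnostic, and a sensitivity pass flags items whose removal flips the leading hypothesis, which is a defensible reason to lower the stated confidence. The hypotheses, evidence items, ratings and weights are constructed for illustration and describe no real case.

```python
"""Analysis of Competing Hypotheses (ACH) scoring: an added example, not from the course."""
from dataclasses import dataclass

# Heuer's ACH scale. Only inconsistencies count against a hypothesis; consistent and
# neutral cells contribute nothing, because almost any evidence can be made to "fit".
INCONSISTENCY_WEIGHT = {"CC": 0.0, "C": 0.0, "N": 0.0, "I": 1.0, "II": 2.0}


@dataclass
class Evidence:
    ident: str
    description: str
    ratings: dict              # hypothesis name -> rating from INCONSISTENCY_WEIGHT
    credibility: float = 1.0   # 0..1: how much the source is trusted
    relevance: float = 1.0     # 0..1: how pertinent the item is to the question

    def weight(self) -> float:
        return self.credibility * self.relevance

    def is_diagnostic(self, hypotheses) -> bool:
        # An item rated identically against every hypothesis cannot help choose between them.
        return len({self.ratings[h] for h in hypotheses}) > 1


def score(hypotheses, evidence):
    """Weighted inconsistency total per hypothesis; lower means fewer strikes against it."""
    totals = {h: 0.0 for h in hypotheses}
    for e in evidence:
        if not e.is_diagnostic(hypotheses):
            continue
        for h in hypotheses:
            totals[h] += INCONSISTENCY_WEIGHT[e.ratings[h]] * e.weight()
    return totals


def rank(hypotheses, evidence):
    """Hypotheses ordered from least to most inconsistent, as (name, score) pairs."""
    return sorted(score(hypotheses, evidence).items(), key=lambda kv: (kv[1], kv[0]))


def sensitivity(hypotheses, evidence):
    """Identifiers of evidence items whose removal changes the leading hypothesis.

    A conclusion that hinges on a single item deserves a lower confidence level than
    one that survives dropping any one item.
    """
    leader = rank(hypotheses, evidence)[0][0]
    pivotal = []
    for e in evidence:
        remaining = [x for x in evidence if x is not e]
        if rank(hypotheses, remaining)[0][0] != leader:
            pivotal.append(e.ident)
    return pivotal


# Constructed matrix for a generic intrusion; hypotheses and evidence are invented.
HYPOTHESES = ["crime", "espionage", "insider"]
EVIDENCE = [
    Evidence("E1", "Custom implant with no prior public reporting",
             {"crime": "I", "espionage": "C", "insider": "C"}, credibility=0.9, relevance=0.8),
    Evidence("E2", "Data staged and exfiltrated; no ransom note or extortion contact",
             {"crime": "II", "espionage": "C", "insider": "C"}),
    Evidence("E3", "Initial access via phishing from an external mailbox",
             {"crime": "C", "espionage": "C", "insider": "I"}, credibility=0.7, relevance=0.6),
    Evidence("E4", "Victim estate runs Windows",  # fits every hypothesis: non-diagnostic
             {"crime": "C", "espionage": "C", "insider": "C"}),
    Evidence("E5", "Operator activity clusters in the victim's own business hours",
             {"crime": "C", "espionage": "I", "insider": "C"}, credibility=0.6, relevance=0.5),
]

if __name__ == "__main__":
    for name, s in rank(HYPOTHESES, EVIDENCE):
        print(f"{s:5.2f}  {name}")
    print("non-diagnostic:", [e.ident for e in EVIDENCE if not e.is_diagnostic(HYPOTHESES)])
    print("pivotal evidence:", sensitivity(HYPOTHESES, EVIDENCE))
```

On this matrix espionage leads with 0.30 inconsistency points against 0.42 for insider and 2.72 for crime, but dropping E3 alone hands the lead to insider, so the honest write-up is a low- or moderate-confidence call that names E3 as the item to go collect more on. Separating credibility from relevance is deliberate: a highly trusted source can still be saying something barely pertinent, and the two should be argued for separately in the report.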
Comments
-
GeekyChick: That looks like an amazing class! So, what was the conclusion on the election interference?? OK, maybe I don't want to know. Best of luck to you on the exam.
-
jcundiff:
GeekyChick wrote: »That looks like an amazing class! So, what was the conclusion on the election interference?? OK, maybe I don't want to know. Best of luck to you on the exam.
We ended up breaking out into three groups: we had one low-confidence yes (my group; of course the Russians attempted to interfere, just as they have since the early days of the Cold War... you think we don't do it as well?), one medium/moderate-confidence yes, and one high-confidence yes. Not sure how they came to the high confidence level based on the materials provided... it was stated you could use any OSINT source, but they stuck with the 5 or so papers provided...
-
cgrimaldo: Thanks for the write-up! I'll be taking the class at the Threat Hunting and IR Summit this year - I'm looking forward to it.
-
jcundiff:
cgrimaldo wrote: »Thanks for the write-up! I'll be taking the class at the Threat Hunting and IR Summit this year - I'm looking forward to it.
Is that with Robert M. Lee? He is one of the course authors, so it should be very good.
-
636-555-3226: Thanks for the write-up; never get enough reviews of the off-popular SANS courses around here.
-
nisti2: That's nice!! Good luck on the exam!!
2020 Year goals:
Already passed: Oracle Cloud, AZ-900
Taking AZ-104 in December.
"Certs... is all about IT certs!"
-
chrisone: Awesome review! Thank you for sharing your experience.
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX
-
Jasiono: This course sounds so badass.
I need to find a justification for work to send me to this one.
-
UserName222: Hello, my apologies for an ambush message from an unknown person.
I was searching the internet for a way I could get INE rack tokens and I came across your post from about a year ago. You mentioned
you have some spare tokens. So if you want to discuss this further, please let me know on my Twitter or Google+ account, name Radek Tomecek;
otherwise feel free to disregard this message.
-
jcundiff:
UserName222 wrote: »Hello, my apologies for an ambush message from an unknown person.
I was searching the internet for a way I could get INE rack tokens and I came across your post from about a year ago. You mentioned
you have some spare tokens. So if you want to discuss this further, please let me know on my Twitter or Google+ account, name Radek Tomecek;
otherwise feel free to disregard this message.
Not sure who you are asking, but that doesn't sound like anything I posted.
-
Randy_Randerson:
jcundiff wrote: »Not sure who you are asking, but that doesn't sound like anything I posted.
He's looking for chrisone; I just did the same Google search.
-
sb97: I was hoping they would pivot away from Redline once Mandiant removed the MRI scores (unless that feature got added back somewhere).
-
_nessie_: Well, there is still some usefulness in Redline apart from the MRI scores, but I do agree that it is a pity Mandiant took this decision.
-
sb97: I was told that they were looking at removing Redline from the FOR508 course last summer. I don't know if they ever followed through. It's a shame, because the tool was nice for triage even if it was a bit slow.
-
Randy_Randerson:
sb97 wrote: »I was told that they were looking at removing Redline from the FOR508 course last summer. I don't know if they ever followed through. It's a shame, because the tool was nice for triage even if it was a bit slow.
While Redline is free, I think their big thing with that class has always been that the job can be done with FOSS tools as opposed to relying on a vendor to supply something to get the job done. Just my opinion. I took it about 4 years ago at this point. Time flies when you're having fun!
-
sb97: How in-depth was the coverage of the various Threat Intelligence Platforms (threat_note, CRITs, MISP, etc.)? Was there a significant lab covering the usage of these? I am particularly interested in threat_note.
-
the_Grinch: Don't know how I missed this, but great write-up. Don't think I'll ever get to attend, but it's nice to see a review, and who knows, maybe I'll be able to sell it to management at some point.
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff
-
sb97: jcundiff talked me into it. I am going to take this at the DFIR Summit in a week. It's funny: when I first read about the course I told myself there was no way I was going to take this.
-
MalwareMike: Great review! It's nice to see reviews from classes that a lot of us haven't had the chance to take part in.
Current: GSEC, GCIH, GCIA, GWAPT, GYPC, RHCSA, WCNA
2019 Goals: CISSP, Splunk certifications (Certified Core, Power User, Admin, and Architect)
Twitter: https://twitter.com/Malware_Mike
Website: https://www.malwaremike.com