Options
SANS For 578 - Cyber Threat Intelligence - Course Reivew
Just attended this course in Orlando... Had Peter Szczepankiewicz (S14). A great instructor goes a long way to making a class, S14 is a great instructor. Five day course with lots of labs... Twenty students in the class, with a lot of IR folks and about 5 of us who actually were in Threat Intel roles... Pet peeve here, if you are taking a course, interact with your instructor and class mates ( out of 20 people, there was only 5 or 6 of us actively participating in the class and discussion (2 or 3 who only spoke when presenting the final group projects).
Day One: Cyber Threat Intelligence (CTI) and Requirements
Day Two: The Primary Collection Source: Intrusion Analysis
Day Three: Collection Sources
Day Four: Analysis and Dissemination of Intelligence
Day Five: High Order Analysis and Attribution
Day one was the basics... Intelligence definitions and terms, the traditional intelligence cycle, and a bit of history of the intelligence tradecraft. From there it moved into defining risks and threats, CTI's role in cyber defense and methods of threat detection. Also discussed was CTI's role in enabling other teams and ending with threat modeling. Structured Analytic techniques including decision matrices and decision trees were discussed and used on day one.
Day One tools included IOC editor and Threatminer.org, a lot of the courses labs were done in a SIFT vm
Day two discussed the Kill Chain and Diamond models which were used throughout the course. Day two was the most technical day with a lot of focus being on tools...
PDF Parsing in a linux terminal
Mandiant Redline
Wireshark (minimal, not a lot of depth) (came out of the class, knowing I need to know it better)
Virus Total
Whois
Documenting attack phases with KC and DM
Utilizing pivot tables and heat maps in MS Excel to aggregate and visualize data
Day three focused on more tools (maltego, Domain Tools (IRIS), etc, Recorded Future, and MISP). It also focused heavily on Open Source Intelligence (OSINT) gathering and analysis. Some of the OSINT included domains, external data sets, TLS/SSL Cerificate pivoting and MISP).
Day four started with Analysis of Competing Hypotheses (ACH) and ran through more maltego usage as well as Yara and STIX.
Day five discussed logical fallacies and cognitive biases in intelligence. Interesting lab for this was reviewing several different intelligence reports by various companies. From there, the discussion moved into report writing does and don'ts and best practices, before ending with fine-tuning analysis and attribution.
The day and course ended with an analysis of recent events (Election interference) and writing a report as a team on findings.
Thoughts overall, a great course for someone who has been in the space for 3-4 years such as myself, as well as IR folks looking to move into the discipline. While the course only touched on a lot of information, it is a good foundation to realize what you still need to learn. A great course and great instructor... next up will most likely be 504
Now to build my index and study and prep for the GCTI cert.
Day One: Cyber Threat Intelligence (CTI) and Requirements
Day Two: The Primary Collection Source: Intrusion Analysis
Day Three: Collection Sources
Day Four: Analysis and Dissemination of Intelligence
Day Five: High Order Analysis and Attribution
Day one was the basics... Intelligence definitions and terms, the traditional intelligence cycle, and a bit of history of the intelligence tradecraft. From there it moved into defining risks and threats, CTI's role in cyber defense and methods of threat detection. Also discussed was CTI's role in enabling other teams and ending with threat modeling. Structured Analytic techniques including decision matrices and decision trees were discussed and used on day one.
Day One tools included IOC editor and Threatminer.org, a lot of the courses labs were done in a SIFT vm
Day two discussed the Kill Chain and Diamond models which were used throughout the course. Day two was the most technical day with a lot of focus being on tools...
PDF Parsing in a linux terminal
Mandiant Redline
Wireshark (minimal, not a lot of depth) (came out of the class, knowing I need to know it better)
Virus Total
Whois
Documenting attack phases with KC and DM
Utilizing pivot tables and heat maps in MS Excel to aggregate and visualize data
Day three focused on more tools (maltego, Domain Tools (IRIS), etc, Recorded Future, and MISP). It also focused heavily on Open Source Intelligence (OSINT) gathering and analysis. Some of the OSINT included domains, external data sets, TLS/SSL Cerificate pivoting and MISP).
Day four started with Analysis of Competing Hypotheses (ACH) and ran through more maltego usage as well as Yara and STIX.
Day five discussed logical fallacies and cognitive biases in intelligence. Interesting lab for this was reviewing several different intelligence reports by various companies. From there, the discussion moved into report writing does and don'ts and best practices, before ending with fine-tuning analysis and attribution.
The day and course ended with an analysis of recent events (Election interference) and writing a report as a team on findings.
Thoughts overall, a great course for someone who has been in the space for 3-4 years such as myself, as well as IR folks looking to move into the discipline. While the course only touched on a lot of information, it is a good foundation to realize what you still need to learn. A great course and great instructor... next up will most likely be 504
Now to build my index and study and prep for the GCTI cert.
"Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
Comments
-
Options
GeekyChick
Member Posts: 323 ■■■■□□□□□□
That looks like an amazing class! So, what was the conclusion on the election interference?? Ok, maybe I don't want to know.
Best of luck to you on the exam. -
Options
jcundiff
Member Posts: 486 ■■■■□□□□□□
GeekyChick wrote: »That looks like an amazing class! So, what was the conclusion on the election interference?? Ok, maybe I don't want to know. Best of luck to you on the exam.
we ended up breaking out into three groups, we had 1 low confidence yes (my group, of course the Russians attempted to interfere, just as they have since the early days of the cold war... you think we don't do it as well?) one medium/moderate confidence yes, and one high confidence yes. Not sure they how they came to the high confidence level based on the materials provided... it was stated you could use any OSINT source... but they stuck with the 5 or so papers provided..."Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke -
Optionscgrimaldo
Member Posts: 439 ■■■■□□□□□□
Thanks for the write-up! I'll be taking the class at the Threat Hunting and IR summit this year - I'm looking forward to it.
-
Optionsjcundiff
Member Posts: 486 ■■■■□□□□□□
Thanks for the write-up! I'll be taking the class at the Threat Hunting and IR summit this year - I'm looking forward to it.
Is that with Robert M Lee? he is one of the course authors so should be very good."Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke -
Options
636-555-3226
Member Posts: 975 ■■■■■□□□□□
Thanks for the write-up, never get enough reviews of the off-popular SANS courses around here. -
Optionsnisti2
Member Posts: 503 ■■■■□□□□□□
Thats nice!! good luck on the exam!!2020 Year goals:
Already passed: Oracle Cloud, AZ-900
Taking AZ-104 in December.
"Certs... is all about IT certs!" -
Options
chrisone
Member Posts: 2,278 ■■■■■■■■■□
Awesome review! Thank you for sharing your experience.
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX -
Options
Jasiono
Member Posts: 896 ■■■■□□□□□□
This course sounds so badass.
I need to find a justification for work to send me to this one -
OptionsUserName222
Registered Users Posts: 1 ■□□□□□□□□□
Hello, my apology for an ambush msg from an unknown person.
I was searching the internet for a way I could get INE rack tokens and I have came across your post from about year ago. You have mentioned
you have some spare tokens. So If you want to discuss this further please let me know on my twitter or google+ acc name Radek Tomecek
otherwise feel free to disregard this msg. -
Optionsjcundiff
Member Posts: 486 ■■■■□□□□□□
UserName222 wrote: »Hello, my apology for an ambush msg from an unknown person.
I was searching the internet for a way I could get INE rack tokens and I have came across your post from about year ago. You have mentioned
you have some spare tokens. So If you want to discuss this further please let me know on my twitter or google+ acc name Radek Tomecek
otherwise feel free to disregard this msg.
not sure who you are asking? but that doesnt sound like anything I posted?"Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke -
OptionsRandy_Randerson
Member Posts: 115 ■■■□□□□□□□
not sure who you are asking? but that doesnt sound like anything I posted?
He's looking for Chrisone after I just did the same Google Search -
Optionssb97
Member Posts: 109
I was hoping they would pivot away from Redline once Mandiant removed the MRI scores (Unless that feature got added back somewhere).
-
Options_nessie_
Member Posts: 39 ■■■□□□□□□□
Well, there still some usefulness in Redline apart from the MRI scores, but I do agree that it is a pitty Mandiant took this decision.
-
Optionssb97
Member Posts: 109
I was told that they were looking at removing Redline from the For508 course last summer. I don't know if they ever followed through. Its a shame because the tool was nice for Triage even if it was a bit slow.
-
OptionsRandy_Randerson
Member Posts: 115 ■■■□□□□□□□
I was told that they were looking at removing Redline from the For508 course last summer. I don't know if they ever followed through. Its a shame because the tool was nice for Triage even if it was a bit slow.
While Redline is free, I think there big thing with that class has always been that the job can be done with FOSS tools as opposed to relying on a vendor to supply something to get the job done. Just my opinion. I took it about 4 years ago at this point. Time flies when you're having fun! -
Optionssb97
Member Posts: 109
How in depth was the coverage of the various Threat Intelligence Platforms? Threat_note, CRITS, MISP, etc? Was there a significant lab covering the usage of these? I am particularly interested in Threat_note
-
Options
the_Grinch
Member Posts: 4,165 ■■■■■■■■■■
Don't know how I missed this, but great write up. Don't think I'll ever get to attend, but nice to see a review and who knows maybe be able to sell it to management at some point.WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff -
Optionssb97
Member Posts: 109
JCundiff talked me into it. I am going to take this at the DFIR Summit in a week. Its funny, when I first read about the course I told myself there was no way I was going to take this.
-
Options
MalwareMike
Member Posts: 147 ■■■□□□□□□□
Great review! It's nice to see reviews from classes that a lot of us havent had the change to take part-in.Current: GSEC, GCIH, GCIA, GWAPT, GYPC, RHCSA, WCNA
2019 Goals: CISSP, Splunk certifications (Certified Core, Power User, Admin, and Architect)
Twitter: https://twitter.com/Malware_Mike
Website: https://www.malwaremike.com
