About the course
Cyber threat intelligence represents a force multiplier for organizations looking to update their response and detection programs to deal with increasingly sophisticated advanced persistent threats. Malware is an adversary's tool but the real threat is the human one, and cyber threat intelligence focuses on countering those flexible and persistent human threats with empowered and trained human defenders. During a targeted attack, an organization needs a top-notch and cutting-edge threat hunting or incident response team armed with the threat intelligence necessary to understand how adversaries operate and to counter the threat. FOR578: Cyber Threat Intelligence will train you and your team in the tactical, operational, and strategic level cyber threat intelligence skills and tradecraft required to make security teams better, threat hunting more accurate, incident response more effective, and organizations more aware of the evolving threat landscape.
What You Will Learn
THERE IS NO TEACHER BUT THE ENEMY!
All security practitioners should attend FOR578: Cyber Threat Intelligence to sharpen their analytical skills. This course is unlike any other technical training you have ever experienced. It focuses on structured analysis in order to establish a solid foundation for any security skillset and to amplify existing skills. The course will help practitioners from across the security spectrum:
- Develop analysis skills to better comprehend, synthesize, and leverage complex scenarios
- Identify and create intelligence requirements through practices such as threat modeling
- Understand and develop skills in tactical, operational, and strategic-level threat intelligence
- Generate threat intelligence to detect, respond to, and defeat focused and targeted threats
- Learn the different sources to collect adversary data and how to exploit and pivot off of those data
- Validate information received externally to minimize the costs of bad intelligence
- Create Indicators of Compromise (IOCs) in formats such as YARA and STIX/TAXII
- Understand and exploit adversary tactics, techniques, and procedures, and leverage frameworks such as the Kill Chain, Diamond Model, and MITRE ATT&CK
- Establish structured analytical techniques to be successful in any security role
It is common for security practitioners to call themselves analysts. But how many of us have taken structured analysis training instead of simply attending technical training? Both are important, but very rarely do analysts focus on training on analytical ways of thinking. This course exposes analysts to new mindsets, methodologies, and techniques to complement their existing knowledge and help them establish new best practices for their security teams. Proper analysis skills are key to the complex world that defenders are exposed to on a daily basis.
The analysis of an adversary's intent, opportunity, and capability to do harm is known as cyber threat intelligence. Intelligence is not a data feed, nor is it something that comes from a tool. Intelligence is actionable information that addresses an organization's key knowledge gaps, pain points, or requirements. This collection, classification, and exploitation of knowledge about adversaries gives defenders an upper hand against adversaries and forces defenders to learn and evolve with each subsequent intrusion they face.
Cyber threat intelligence thus represents a force multiplier for organizations looking to establish or update their response and detection programs to deal with increasingly sophisticated threats. Malware is an adversary's tool, but the real threat is the human one, and cyber threat intelligence focuses on countering those flexible and persistent human threats with empowered and trained human defenders.
Knowledge about the adversary is core to all security teams. The red team needs to understand adversaries' methods in order to emulate their tradecraft. The Security Operations Center needs to know how to prioritize intrusions and quickly deal with those that need immediate attention. The incident response team needs actionable information on how to quickly scope and respond to targeted intrusions. The vulnerability management group needs to understand which vulnerabilities matter most for prioritization and the risk that each one presents. The threat hunting team needs to understand adversary behaviors to search out new threats.
In other words, cyber threat intelligence informs all security practices that deal with adversaries. FOR578: Cyber Threat Intelligence will equip you, your security team, and your organization with the level of tactical, operational, and strategic cyber threat intelligence skills and tradecraft required to better understand the evolving threat landscape and accurately and effectively counter those threats.
Syllabus (36 CPEs) GIAC Cyber Threat Intelligence
"The GIAC Cyber Threat Intelligence (GCTI) certification, to me, marks an important moment in our field where we begin to move the art of cyber threat intelligence to science and codify our knowledge. In our complex and ever changing threat landscape it is important for all analysts to earn the GCTI whether or not they are directly involved in generating intelligence. Technical training has become common and helped further our security field the same has not been true for structured analysis training, until now. Many of security practitioners consider themselves analysts but have not fully developed analysis skills in a way that can help us think critically and amplify our technical knowledge. It is in this structured analysis that we can challenge our biases, question our sources, and perform core skills such as intrusion analysis to better consume and generate intelligence. It is through cyber threat intelligence that organizations and their personnel can take on focused human adversaries and ensure that security is maintained. Intelligence impacts us all and we are furthering the field together in a way that will extraordinarily limit the success of adversaries." - Robert M. Lee, Course Author FOR578: Cyber Threat Intelligence
Strategic, operational, and tactical cyber threat intelligence application & fundamentals
Open source intelligence and campaigns
Intelligence applications and intrusion analysis
Analysis of intelligence, attribution, collecting and storing data sets
Kill chain, diamond model, and courses of action matrix
Malware as a collection source, pivoting, and sharing intelligence
FOR578 is a good course for anyone who has had security training or prior experience in the field. Students should be comfortable with using the command line in Linux for a few labs (though a walkthrough is provided) and be familiar with security terminology.
Some of the courses that lead in to FOR578:
Students who have not taken any of the above courses but have real-world experience or have attended other security training, such as any other SANS class, will be comfortable in the course. New students and veterans will be exposed to new concepts given the unique style of the class focused on analysis training.