FOR589: SANS Amsterdam December 2024 New

Provided by

Enquire about this course

What You Will Learn

Cybercrime intelligence can help organizations effectively anticipate, prevent, and mitigate potential cybercrime threats, while also helping law enforcement agencies and governments combat cybercrime and prosecute criminals. FOR589: Cybercrime Intelligence provides an in-depth understanding of the cybercrime underground and covers the wide variety of tactics and techniques used by cybercriminals to exploit organizations. By focusing on both conventional intelligence and contemporary cybersecurity methodologies, this course will help you augment any existing intelligence operations, proactively address risks, and enhance an overall cybersecurity posture. The course is ideal for security professionals, law enforcement officers, and anyone interested in the intricacies of the cybercrime underground, tracing cryptocurrency, intelligence and countermeasures.

The course covers how to map infrastructure, analyze capabilities, and uncover the victims of cybercrime, as well as attribute operations to the cybercriminal behind the keyboard. Students learn all about the dark web economy, tracing cryptocurrency, and money laundering schemes. This course also teaches students how to perform undercover operations safely, including how to create sock puppet accounts, interact with threat actors, and how to infiltrate underground communities. Participants will gain hands-on experience with various cybersecurity tools and work on real-life case studies to detect, analyze, and mitigate cyber threats as well as understand the scope, scale, and potential impact that organized cybercrime could have against their organizations.

Through practical exercises and real-life case studies, students in FOR589: Cybercrime Intelligence will gain hands-on experience and develop the skills to:
  • Map cybercriminal infrastructure, analyze cybercriminal capabilities, uncover the victims of cybercrime, and attribute operations to the cybercriminals behind the keyboard.
  • Navigate the dark web, trace cryptocurrency transactions, and understand money-laundering schemes.
  • Perform undercover operations, including how to traverse the dark web safely, create sock puppet accounts with sound operational security (OPSEC), interact with threat actors, and infiltrate underground communities.
  • Work with various cybersecurity tools to detect, analyze, and mitigate cyber threats, as well as understand the scope, scale, and impact of organized cybercrime.
FOR589: Cybercrime Intelligence will help you:
  • Traverse the underground landscape
  • Map requirements to intelligence collection plans
  • Operate threat investigation platforms
  • Profile actors with identifiers and indicators
  • Identify cyberattack targets and victims
  • Trace payments with blockchain forensics
  • Counter cybercrime by imposing costs
FOR589 Cybercrime Intelligence Course Topics
  • All-source overview of practical threat intelligence concepts to counter cybercrime.
  • Navigating the underground landscape and the economy within it.
  • Infiltrating illicit communities to gain strategic and tactical placement and access.
  • Intelligence tradecraft to analyze cybercrime, such as cyber fraud and cyberattacks.
  • Advanced use of threat investigation platforms to search, pivot, and monitor.
  • Gathering intelligence requirements to map to targeted collection plans.
  • Acquiring threat data collections in alignment with the intelligence lifecycle.
  • Operations management to meet strategic, tactical, and operational needs.
  • Attributing people, money, and systems, using key investigative tradecraft.
  • Kill chain mapping and analysis with the Cyber Kill Chain, Diamond Model, and MITRE ATT&CK.
  • Finding commonly targeted Internet-facing systems with exposed sensitive services.
  • Rapid incident response support using external datasets that reach beyond the network perimeter.
  • Preventing breaches from starting by discovering and detecting incident precursors.
  • Identifying breaches that have already occurred by discovering incident identifiers.
  • Mapping relationships between adversaries and their targets.
  • Deceiving actors with data poisoning by planting disinformation and misinformation.
  • Detecting actors' own use of data poisoning and false flag operations.
  • Defining pseudonymity and anonymity, and their relevance to operational security.
  • Social engineering of cybercriminals with human interactions to elicit intelligence value.
  • Cryptocurrency tracing to differentiate sender, receiver, and change addresses.
  • Blockchain forensics to attribute cryptocurrency payments to people and services.
  • Tracing cryptocurrency payments through money laundering methods such as layering and mixing.
  • Imposing cost with countermeasures, using the courses of actions matrix to discover, detect, deny, disrupt, degrade, deceive, and destroy the cybercrime ecosystem.
What Is Cybercrime Intelligence?

Cybercrime Intelligence is a subset of Criminal Intelligence that helps organizations effectively anticipate, prevent, and mitigate potential cybercrime threats, while also helping law enforcement agencies and governments investigate cybercrime and prosecute cybercriminals.
Business Takeaways
  • Close knowledge gaps between cybercrime and crypto crime.
  • Enhance Cyber Threat Intelligence (CTI) operations with cybercrime expertise.
  • Proactively discover and mitigate emerging cybercrime threats looming over the horizon.
  • Establish early warning systems to detect risks, threats, and fraud.
  • Identify access vectors and collect against cybercriminals exploring those vectors.
  • Focus investigative priorities with informed advice.
  • Profile cybercrime events using common intelligence frameworks and cyber kill chains.
  • Attribute threat actors behind cyberattacks and cyber fraud when needed
  • Conduct blockchain forensics for attribution and fund recovery.
  • Create tailored intel products to supplement vendor offerings.
  • Support incident response teams with timely and relevant intelligence. 
Skills Learned

FOR589 Cybercrime Intelligence Training Will Prepare Your Team To:
  • Understand how traditional intelligence collection disciplines have adapted to today's modern cyber-centric landscape and differentiate what is actionable and what is noise.
  • Discover risks to your organization's assets and elements, mapped to threat actors and threat vectors as priority intelligence requirements.
  • Translate your organization's risk-guided intelligence requirements into threat-informed collection plans and operational tasks.
  • Address cybercrime risks with threat-informed decisions, enabling you to determine courses of action that are both defensive and responsive, whether to protect your organization or impose costs on criminals with counter-offensive measures.
  • Demystify the dark web and underground threat landscape, enabling you to traverse and surveil communities, marketplaces, ransom sites, data breaches, malware logs, and more.
  • Understand how the underground threat landscape has expanded and evolved, lowering the barrier to entry, allowing emerging actors to conduct perceivably advanced operations.
  • Create online personas and sock puppet safely to gain the placement and access needed for intelligence collection, whether to passively browse forums or actively elicit brokers.
  • Build credibility within underground networks to enable your sock puppet to infiltrate invite-only communities and adversarial infrastructure.
  • Vet sources by measuring their level of competence, access, and credibility.
  • Generate actionable cybercrime intelligence by delivering realistic solutions built upon tried-and-true intelligence requirements, collection plans, and operating procedures.
  • Apply practical victimology to map the adversary-target relationship observed in cyberattacks and cyber fraud incidents, useful for research and response purposes alike.
  • Speed up root cause analysis of cyberattacks with breach indicators and identifiers, reducing patient zero identification time from weeks/days to hours/minutes.
  • Develop threat intelligence platforms as early warning systems to detect all-source digital risk exposures within the Internet ecosystem, especially the deep and dark web.
  • Trace cryptocurrency payments using commercial and open-source tools to identify senders and receivers, and attribute them by using cluster analysis.
Hands-On Cybercrime Intelligence Training

SANS labs provide hands-on experience that reinforces course concepts and learning objectives. This course includes lab instructions with a step-by-step electronic workbook that's directly tied to the material to develop skills in a hands-on environment.
  • Lab 0: FOR589 Virtual Machine Setup
  • Lab 1.1: Password Pivots and OPSEC
  • Lab 1.2: Safe Sock Puppet Creation
  • Lab 1.3: Identifiers, Dossiers and Profiling
  • Lab 1.4: Link Analysis
  • Lab 2.1: Cybercrime Site Identification
  • Lab 2.2: Infrastructure Analysis and Mapping
  • Lab 2.3: Adversary Profiling and Tracking
  • Lab 2.4: Capability Assessment and Monitoring
  • Lab 2.5: Intelligence Platforms
  • Lab 3.1: Cryptocurrency OSINT
  • Lab 3.2: Transaction Analysis
  • Lab 3.3: Chainalysis Reactor
  • Lab 3.4: Bitfinex Hack & Obfuscation Methods
  • Lab 3.5: DarkSide Ransomware & Colonial Pipeline
  • Lab 4.1: Infiltration of a Gated Community
  • Lab 4.2: Automated Collection
  • Lab 4.3: Assessing the Environment
  • Lab 4.4: Adversary Engagement
  • Lab 4.5: Countermeasures
  • Day 5: FOR589 Capstone Challenge
What You Will Receive
  • Virtual Machine Workstation
    • Students will receive virtual machine(s) to enable investigations with a pre-configured installable experience. Everything students need for the course will mostly be pre-installed and ready to launch.
  • Flashpoint Threat Intelligence Platform
    • Students will receive a demo license to access the Flashpoint Threat Intelligence Platform in order to investigate underground cybercrime sources such as forums, markets, chat rooms, ransom sites, paste sites, and more.
  • Authentic8 Silo Toolbox
    • Students will receive a demo license to access the Authentic8 Silo managed attribution platform in order to investigate underground cybercrime sources such as forums, markets, chat rooms, ransom sites, paste sites, and more.
  • Chainalysis Reactor Platform
    • Students will receive a demo license to access the Chainalysis Reactor Platform in order to investigate cryptocurrency transactions.
  • Maltego
    • Students will receive a demo license to access Maltego in order to conduct investigations with link analysis and graph visualizations.


Start date Location / delivery
16 Dec 2024 Amsterdam Book now

Related article

At GIAC, we believe that hands-on testing is the future of cybersecurity certification. With five certification exams featuring CyberLive , and thr...