FOR589: SANS Amsterdam December 2024

What You Will Learn
What Is Cybercrime Intelligence?

Cybercrime Intelligence is a subset of Criminal Intelligence that helps organizations anticipate, prevent, and mitigate future cyber threats while aiding law enforcement and intelligence entities in investigating and prosecuting cybercriminals.

Cybercrime intelligence is crucial for organizations to anticipate, prevent, and mitigate potential cyber threats, as well as for aiding law enforcement and governments in combating and prosecuting cybercriminals. FOR589: Cybercrime Intelligence offers an in-depth understanding of the cybercrime underground, covering a wide array of tactics and techniques used by cybercriminals to exploit organizations. By focusing on both traditional intelligence and contemporary cybersecurity methodologies, this course helps augment existing intelligence operations, proactively address risks, and enhance overall cybersecurity posture. It is ideal for security professionals, law enforcement officers, and anyone interested in learning more about the cybercrime underground, tracing the criminal use of cryptocurrency, intelligence, and cybercrime countermeasures.

Through practical exercises and real-life case studies, FOR589: Cybercrime Intelligence will help you map infrastructure, analyze capabilities, and uncover the victims of cybercrime, as well as attribute operations to the cybercriminal behind the keyboard. Students learn all about the dark web economy, tracing cryptocurrency, and money laundering schemes. This course also teaches students how to research cybercrime safely, including how to create sock puppet accounts, interact with threat actors, and infiltrate underground communities. Participants will gain hands-on experience with various cybersecurity tools and work on real-life case studies to detect, analyze, and mitigate cyber threats, as well as understand the scope, scale, and potential impact that organized cybercrime could have on their organizations, while mapping their work to requirements within intelligence collection plans.
FOR589 Cybercrime Intelligence Course Topics:
  • All-source overview of intelligence concepts relevant to countering cybercrime.
  • Navigating the underground landscape safely and the economy within it.
  • Infiltrating the underground to gain tactical placement and access for future operations.
  • Advanced use of threat investigation platforms to search, pivot, and monitor.
  • Gathering intelligence on requirements that map to organizational intelligence collection plans.
  • Acquiring threat data during collections in alignment with the intelligence lifecycle.
  • Managing operations to meet strategic, tactical, and operational needs for your organization.
  • Attributing people, money, and systems, using proven and emerging investigative tradecraft.
  • Mapping and analysis using the Cyber Kill Chain, Diamond Model, and MITRE ATT&CK.
  • Supporting incident response using external datasets that reach beyond the network perimeter.
  • Identifying breaches that have already occurred by discovering incident indicators in the wild.
  • Mapping relationships between adversaries and their preferred targets.
  • Deceiving actors with data poisoning by planting disinformation and misinformation.
  • Detecting actors' own use of data poisoning and false flag operations.
  • Defining pseudonymity and anonymity, and their relevance to operational security.
  • Social engineering of cybercriminals with human interactions to elicit valuable intelligence.
  • Cryptocurrency tracing to aid in understanding adversarial scope and attribution.
  • Blockchain forensics to attribute cryptocurrency payments to people and services.
  • Tracing criminal proceeds through crypto laundering methods such as layering and mixing.
  • Using the course of action matrix to discover, detect, deny, disrupt, degrade, and destroy.
Business Takeaways
  • Close knowledge gaps within cybercrime and crypto crime.
  • Enhance Cyber Threat Intelligence (CTI) operations with cybercrime expertise.
  • Proactively discover and mitigate emerging cybercrime threats looming over the horizon.
  • Establish early warning systems to detect risks, threats, and fraud.
  • Identify access vectors, secure them, and collect against cybercriminals targeting them.
  • Focus investigative priorities with advice informed by cyber underground emerging trends.
  • Profile cybercrime events using proven intelligence frameworks and cyber kill chains.
  • Develop abilities to attribute threat actors behind cyberattacks and cyber fraud, when needed.
  • Conduct blockchain forensics for additional adversary attribution and potential fund recovery.
  • Create tailored and relevant intelligence products to supplement vendor offerings.
  • Support incident response teams with timely and relevant intelligence.
Skills Learned

FOR589 Cybercrime Intelligence Training Will Prepare Your Team To:
  • Understand how traditional intelligence collection disciplines have adapted to today's modern cyber-centric landscape and differentiate what is actionable intelligence and what is noise.
  • Discover risks to your organization mapped to threat actors and threat vectors as priority intelligence requirements.
  • Translate your organization's risk-guided intelligence requirements into threat-informed collection plans and operational tasks.
  • Address cybercrime risks with threat-informed decisions, enabling you to determine courses of action that are both defensive and responsive to protect your organization and impose costs on criminal organizations.
  • Demystify the dark web and underground threat landscape, enabling you to traverse and listen in on criminal communities, marketplaces, ransom sites, and more.
  • Create online personas and sock puppets safely to gain the placement and access needed for intelligence collection, whether to passively browse forums or actively elicit brokers.
  • Build credibility within underground networks to enable your sock puppet to infiltrate invite-only communities and adversarial infrastructure.
  • Vet intelligence sources by measuring their level of competence, access, and credibility.
  • Generate actionable cybercrime intelligence by delivering realistic solutions built upon tried-and-true intelligence requirements, collection plans, and operating procedures.
  • Speed up root cause analysis of cyberattacks with breach indicators and identifiers, reducing patient zero identification time from weeks/days to hours/minutes.
  • Tune threat intelligence platforms as early warning systems to detect risk exposures within the Internet ecosystem, especially the deep and dark web.
  • Trace cryptocurrency payments using commercial and open-source tools to identify senders and receivers, and work to attribute them by using cluster analysis.
Hands-On Cybercrime Intelligence Training

SANS labs provide hands-on experience to reinforce course concepts and learning objectives. This course includes a step-by-step electronic workbook directly tied to the material.

Labs Include:
  • Lab 1.1: CROM VM Setup and Intro to Authentic8 Silo
  • Lab 1.2: Password Pivots and Password Managers
  • Lab 1.3: Persona Preparation and Sock Puppet Account Creation
  • Lab 1.4: Identifiers, Dossiers, and Profiling
  • Lab 1.5: Link Analysis with Maltego
  • Lab 2.1: Cybercrime Site Identification and Enumeration
  • Lab 2.2: Cybercrime Infrastructure Analysis
  • Lab 2.3: Adversary Profiling
  • Lab 2.4: Capability Assessment and Monitoring
  • Lab 2.5: Cybercrime Intelligence Platforms
  • Lab 3.1: The Genesis Block
  • Lab 3.2: Twitter Hack and Scam
  • Lab 3.3: Profiling a Bulletproof Hosting Provider
  • Lab 3.4: Bitfinex Hack and Money Laundering
  • Lab 3.5: DarkSide Ransomware & Colonial Pipeline
  • Lab 4.1: Gaining Initial Access
  • Lab 4.2: Assess the Environment
  • Lab 4.3: Automated Collection and Analysis
  • Lab 4.4: Spotting and Assessing
  • Lab 4.5: Adversary Engagement
  • Lab 5: FOR589 Capstone Exercise
What You Will Receive
  • Virtual Machine Workstation
    • Students will receive virtual machine(s) to enable investigations with a pre-configured installable experience. Everything students need for the course will be pre-installed and ready to launch.
  • Authentic8 Silo for Research
    • Students will receive a demo license to access the Authentic8 Silo managed attribution platform to safely investigate darkweb sites and sources such as forums, markets, chat rooms, ransom sites, paste sites, and more.
  • Chainalysis Reactor platform
    • Students will receive a demo license to access the Chainalysis Reactor platform to investigate cryptocurrency transactions.
  • Maltego
    • Students will receive a demo license to access Maltego to conduct investigations utilizing data link analysis and graph visualizations.

Start date: 16 Dec 2024
Location / delivery: Amsterdam
