SANS Institute FOR578 Brochure-2

All security practitioners should attend FOR578: Cyber Threat Intelligence to sharpen their analytical skills. This course is unlike any other technical training you have ever experienced. It focuses on structured analysis in order to establish a solid foundation for any security skillset and to amplify existing skills.


FOR578: Cyber Threat Intelligence
GIAC Cyber Threat Intelligence (GCTI) – giac.org/gcti
6 Day Program | 36 CPEs | Laptop Required
THERE IS NO TEACHER BUT THE ENEMY!

All security practitioners should attend FOR578: Cyber Threat Intelligence to sharpen their analytical skills. This course is unlike any other technical training you have ever experienced. It focuses on structured analysis in order to establish a solid foundation for any security skillset and to amplify existing skills.

It is common for security practitioners to call themselves analysts. But how many of us have taken structured analysis training instead of simply attending technical training? Both are important, but very rarely do analysts focus on training on analytical ways of thinking. This course exposes analysts to new mindsets, methodologies, and techniques to complement their existing knowledge and help them establish new best practices for their security teams. Proper analysis skills are key to the complex world that defenders are exposed to on a daily basis.

The analysis of an adversary’s intent, opportunity, and capability to do harm is known as cyber threat intelligence. Intelligence is not a data feed, nor is it something that comes from a tool. Intelligence is actionable information that addresses an organization’s key knowledge gaps, pain points, or requirements. This collection, classification, and exploitation of knowledge about adversaries gives defenders an upper hand against adversaries and forces defenders to learn and evolve with each subsequent intrusion they face.

Cyber threat intelligence thus represents a force multiplier for organizations looking to establish or update their response and detection programs to deal with increasingly sophisticated threats. Malware is an adversary’s tool, but the real threat is the human one, and cyber threat intelligence focuses on countering those flexible and persistent human threats with empowered and trained human defenders.

Knowledge about the adversary is core to all security teams. The red team needs to understand adversaries’ methods in order to emulate their tradecraft. The Security Operations Center needs to know how to prioritize intrusions and quickly deal with those that need immediate attention. The incident response team needs actionable information on how to quickly scope and respond to targeted intrusions. The vulnerability management group needs to understand which vulnerabilities matter most for prioritization and the risk that each one presents. The threat hunting team needs to understand adversary behaviors to search out new threats. In other words, cyber threat intelligence informs all security practices that deal with adversaries.

FOR578: Cyber Threat Intelligence will equip you, your security team, and your organization with the level of tactical, operational, and strategic cyber threat intelligence skills and tradecraft required to better understand the evolving threat landscape and accurately and effectively counter those threats.

You Will Be Able To
• Develop analysis skills to better comprehend, synthesize, and leverage complex scenarios
• Identify and create intelligence requirements through practices such as threat modeling
• Understand and develop skills in tactical, operational, and strategic-level threat intelligence
• Generate threat intelligence to detect, respond to, and defeat focused and targeted threats
• Learn the different sources to collect adversary data and how to exploit and pivot off of it
• Validate information received externally to minimize the costs of bad intelligence
• Create Indicators of Compromise (IOCs) in formats such as YARA, OpenIOC, and STIX
• Move security maturity past IOCs into understanding and countering the behavioral tradecraft of threats
• Establish structured analytical techniques to be successful in any security role

GIAC Cyber Threat Intelligence (GCTI) – giac.org/gcti
The GCTI certification proves practitioners have mastered strategic, operational, and tactical cyber threat intelligence fundamentals and application.
• Strategic, operational, and tactical cyber threat intelligence application & fundamentals
• Open source intelligence and campaigns
• Intelligence applications and intrusion analysis
• Analysis of intelligence, attribution, collecting and storing data sets
• Kill chain, diamond model, and courses of action matrix
• Malware as a collection source, pivoting, and sharing intelligence

“I could take this course five times more and get something new each time! So much valuable info to take back to my organization.”
—Charity Willhoite, Armor Defense, Inc.

“This course is terrific! Class discussion and relevant case studies are extremely helpful for better understanding the content.”
—Larci Robertson, Epsilon

sans.org/for578
• Watch a preview of this course
• Discover how to take this course: Online, In-Person

Section Descriptions

SECTION 1: Cyber Threat Intelligence and Requirements
Cyber threat intelligence is a rapidly growing field. However, intelligence was a profession long before the word “cyber” entered the lexicon. Understanding the key points regarding intelligence terminology, tradecraft, and impact is vital to understanding and using cyber threat intelligence. This section introduces students to the most important concepts of intelligence, analysis tradecraft, and levels of threat intelligence, and the value they can add to organizations. It also focuses on getting your intelligence program off to the right start with planning, direction, and the generation of intelligence requirements. As with all sections, the day includes immersive hands-on labs to ensure that students have the ability to turn theory into practice.
TOPICS: Case Study: MOONLIGHT MAZE; Understanding Intelligence; Case Study: Operation Aurora; Understanding Cyber Threat Intelligence; Threat Intelligence Consumption; Positioning the Team to Generate Intelligence; Planning and Direction (Developing Requirements)

SECTION 2: The Fundamental Skillset: Intrusion Analysis
Intrusion analysis is at the heart of threat intelligence. It is a fundamental skill set for any security practitioner who wants to use a more complete approach to addressing security. Two of the most commonly used models for assessing adversary intrusions are the “kill chain” and the “Diamond Model.” These models serve as a framework and structured scheme for analyzing intrusions and extracting patterns such as adversary behaviors and malicious indicators. In this section students will participate in and be walked through multi-phase intrusions from initial notification of adversary activity to the completion of analysis of the event. The section also highlights the importance of this process in terms of structuring and defining adversary campaigns.
TOPICS: Primary Collection Source: Intrusion Analysis; Kill Chain Courses of Action; Kill Chain Deep Dive; Handling Multiple Kill Chains

SECTION 3: Collection Sources
Cyber threat intelligence analysts must be able to interrogate and fully understand their collection sources. With great data comes great analysis expectations. Analysts do not have to be malware reverse engineers, as an example, but they must at least understand that work and know what data can be sought. This section continues from the previous one in identifying key collection sources for analysts. There is also a lot of available information on what is commonly referred to as open-source intelligence (OSINT). In this course section students will learn to seek and exploit information from Domains, External Datasets, Transport Layer Security/Secure Sockets Layer (TLS/SSL) Certificates, and more while also structuring the data to be exploited for purposes of sharing internally and externally.
TOPICS: Case Study: HEXANE; Collection Source: Malware; Collection Source: Domains; Case Study: GlassRAT; Collection Source: External Datasets; Collection Source: TLS Certificates; Case Study: Trickbots

SECTION 4: Analysis and Production of Intelligence
Now that students are familiar with different sources of intrusions and collection, it is important to apply analytical rigor to how this information is used in order to satisfy intelligence requirements for long-term analysis. Taking a single intrusion and turning it into a group, and tracking the adversary’s campaigns, are critical to staying ahead of adversaries. In this section students will learn how to structure and store their information over the long term using tools such as MISP; how to leverage analytical tools to identify logical fallacies and cognitive biases; how to perform structured analytic techniques in groups such as analysis of competing hypotheses; and how to cluster intrusions into threat groups.
TOPICS: Case Study: Human-Operated Ransomware; Exploitation: Storing and Structuring Data; Analysis: Logical Fallacies and Cognitive Biases; Analysis: Exploring Hypotheses; Analysis: Different Types of Analysis; ACH for Intrusions; Activity Groups and Diamond Model for Clusters

SECTION 5: Dissemination and Attribution
Intelligence is useless if not disseminated and made useful to the consumer. In this section students will learn about dissemination at the various tactical, operational, and strategic levels. Labs will expose students to creating YARA rules, leveraging STIX/TAXII, building campaign heat maps for tracking adversaries over the long term, and analyzing intelligence reports. Students will also learn about state adversary attribution, including when it can be of value and when it is merely a distraction. We’ll cover state-level attribution from previously identified campaigns, and students will take away a more holistic view of the Cyber Threat Intelligence industry to date. The section will finish with a discussion on consuming threat intelligence and actionable takeaways so that students will be able to make significant changes in their organizations once they complete the course.
TOPICS: Logical Fallacies and Cognitive Biases; Dissemination: Tactical; Dissemination: Operational; Dissemination: Strategic; Case Study: APT10 and Cloud Hopper; A Specific Intelligence Requirement: Attribution; Case Study: Lazarus Group

SECTION 6: Capstone
The FOR578 capstone focuses on analysis. Students will be placed on teams, given outputs of technical tools and cases, and work to piece together the relevant information from a single intrusion that enables them to unravel a broader campaign. Students will get practical experience satisfying intelligence requirements ranging from helping the incident response team to satisfying state-level attribution goals. This analytical process will put the students’ minds to the test instead of placing a heavy emphasis on using technical tools. At the end of the day the teams will present their analyses on the multi-campaign threat they have uncovered.

Who Should Attend
• Security practitioners should attend. This course is a perfect match for any security skill set, from red teamers to incident responders. The course is focused on analysis skills.
• Incident response team members who respond to complex security incidents/intrusions and need to know how to detect, investigate, remediate, and recover from compromised systems across an enterprise.
• Threat hunters who are seeking to understand threats more fully and how to learn from them to be able to more effectively hunt threats and counter the tradecraft behind them.
• Security Operations Center personnel and Information Security Practitioners who support hunting operations that seek to identify attackers in their network environments.
• Digital forensic analysts and malware analysts who want to consolidate and expand their understanding of filesystem forensics, investigations of technically advanced adversaries, incident response tactics, and advanced intrusion investigations.
• Federal agents and law enforcement officials who want to master advanced intrusion investigations and incident response, as well as expand their investigative skills beyond traditional host-based digital forensics.
• Technical managers who are looking to build intelligence teams or leverage intelligence in their organizations, building off of their technical skillsets.
• SANS alumni looking to take their analytical skills to the next level

NICE Framework Work Roles
• Data Analyst (OPM 422)
• Cyber Defense Analyst (OPM 511)
• Cyber Defense Incident Responder (OPM 531)
• Threat/Warning Analyst (OPM 141)
• All-Source Analyst (OPM 111)
• Mission Assessment Specialist (OPM 112)
• Target Network Analyst (OPM 132)
• All Source-Collection Manager (OPM 311)
• All Source-Collection Requirements Manager (OPM 312)
• Cyber Intel Planner (OPM 331)
• Partner Integration Planner (OPM 333)
• Cyber Operator (OPM 321)
• Cyber Crime Investigator (OPM 221)
• Law Enforcement/CounterIntelligence Forensics Analyst (OPM 211)