SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
FOR578: Cyber Threat Intelligence
FOR578Digital Forensics and Incident Response
- 6 Days (Instructor-Led)
- 36 Hours (Self-Paced)
Course created by:
Rebekah Brown & Robert M. Lee
Course created by:Rebekah Brown & Robert M. Lee
- GIAC Cyber Threat Intelligence (GCTI)
- 36 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- Intermediate Skill Level
Course material is geared for cyber security professionals with hands-on experience
- 20 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Master tactical, operational, and strategic cyber threat intelligence skills. Improve analytic processes and incident response effectiveness to support your detection and response programs.
Featured Quote
Cyber Threat Intelligence is an entire discipline, not just a feed. This course will propel you along the path to understanding this rapidly maturing field of study.
Course Overview
Cyber threat intelligence training is essential for countering today’s flexible, persistent human threats and targeted attacks. In FOR578 Cyber Threat Intelligence™, you’ll learn to assess complex scenarios and develop skills in tactical, operational, and strategic-level threat intelligence. This course empowers you to expand your existing knowledge and establish new best practices for security teams.
What You’ll Learn
- Develop advanced analysis skills for complex scenarios
- Master intelligence requirements gathering (e.g., threat modeling)
- Understand threat intelligence at all levels (tactical, operational, strategic)
- Generate actionable threat intelligence for threat detection and response
- Become proficient in adversary data collection and exploitation
- Validate intelligence sources and create high-fidelity IOCs (e.g., YARA, STIX/TAXII)
- Understand and leverage analytic models (e.g., Kill Chain, Diamond Model, MITRE ATT&CK) across all security roles
Business Takeaways:
- Understand the everchanging cyber threat landscape and what it means for your organization
- Practice analytic techniques to inform key business leaders on how to most effectively defend themselves and the organization against targeted threats
- Identify cost-effective ways of leveraging open-source and community threat intelligence tools, along with familiarity with some of the most impactful commercial tools available.
- Effectively communicate threat intelligence at tactical, operational, and strategic levels
- Become a force multiplier for other core business functions, including security operations, incident response, and business operations.
Meet Your Authors
- Slide 1 of 2
Rebekah Brown
Certified Instructor CandidateRebekah Brown has been instrumental in advancing cyber threat intelligence, serving as a network warfare analyst at the NSA, Operations Chief of a U.S. Marine Corps cyber unit, and training lead at U.S. Cyber Command.
Read more about Rebekah Brown - Slide 2 of 2
Robert M. Lee
FellowA former U.S. Air Force cyber warfare officer, Robert led the NSA’s first mission targeting threats to industrial infrastructure. Now at Dragos, he spearheads global defense of critical systems, shaping national policy and industry threat response.
Read more about Robert M. Lee
Slide 1 of 0
(1/0)
Course Syllabus
Explore the course syllabus below to view the full range of topics covered in FOR578: Cyber Threat Intelligence.
Section 1Cyber Threat Intelligence and Requirements
This section introduces students to the most important concepts of intelligence, analysis tradecraft, and levels of threat intelligence, as well as the value they can add to organizations.
Topics covered
- Intelligence Cycle, Tradecraft, and Analytical Techniques
- Cyber Threat Definitions, Risk, Actors, and Threat Models
- Threat Intelligence Collection & Generation
Labs
- Using Structured Analytical Techniques
- Enriching and Understanding Limitations
- Strategic Threat Modeling
Section 2The Fundamental Skillset: Intrusion Analysis
In this section, students will be walked through and participate in multi-phase intrusions from initial notification of adversary activity to the completion of analysis of the event. The section also highlights the importance of this process in terms of structuring and defining adversary campaigns.
Topics covered
- Intrusion Analysis
- Kill Chain Deep Dive
- Handling Multiple Kill Chains
Labs
- Collecting Indicators from Reconnaissance and Delivery
- Pivoting to Network Data with Indicators
- Pivoting to Memory with Indicators
Section 3Collection Sources
In this section students will learn to seek and exploit information from domains, external datasets, malware, Transport Layer Security/Secure Sockets Layer (TLS/SSL) Certificates, and more. Students will also structure the data to be exploited for purposes of sharing internally and externally.
Topics covered
- Case Studies: HEXANE, GlassRAT, Trickbots
- Malware
- Domains
Labs
- Aggregating and Pivoting in Excel with Malware Samples
- Open-Source Intelligence and Domain Pivoting in DomainTools
- Maltego Pivoting and Open-Source Intelligence
Section 4Analysis and Production of Intelligence
In this section students will learn how to structure and store their information over the long term using tools such as MISP; how to leverage analytical tools to identify logical fallacies and cognitive biases; how to perform structured analytic techniques in groups such as analysis of competing hypotheses; and how to cluster intrusions into threat groups.
Topics covered
- Human-Operated Ransomware
- Storing and Structuring Data
- Logical Fallacies and Cognitive Biases
Labs
- Storing Threat Data in MISP
- Identifying Types of Biases
- Analysis of Competing Hypotheses
Section 5Dissemination and Attribution
Intelligence is useless if not disseminated and made useful to the consumer. In this section students will learn about dissemination at the various tactical, operational, and strategic levels.
Topics covered
- Logical Fallacies and Cognitive Biases
- Tactical Dissemination
- Operational Dissemination
Labs
- Developing IOCs in YARA
- Working with STIX
- Building a Campaign Heatmap
Section 6Capstone
The FOR578 capstone focuses on analysis. Students will be placed on teams, given outputs of technical tools and cases, and work to piece together the relevant information from a single intrusion that enables them to unravel a broader campaign.
Things You Need To Know
Relevant Job Roles
Data Analysis (OPM 422)
NICE: Implementation and OperationResponsible for analyzing data from multiple disparate sources to provide cybersecurity and privacy insight. Designs and implements custom algorithms, workflow processes, and layouts for complex, enterprise-scale data sets used for modeling, data mining, and research purposes.
Explore learning pathThreat Hunter
Digital Forensics and Incident ResponseThis expert applies new threat intelligence against existing evidence to identify attackers that have slipped through real-time detection mechanisms. The practice of threat hunting requires several skill sets, including threat intelligence, system and network forensics, and investigative development processes. This role transitions incident response from a purely reactive investigative process to a proactive one, uncovering adversaries or their footprints based on developing intelligence.
Explore learning pathAll-Source Analyst (DCWF 111)
DoD 8140: Intelligence (Cyberspace)Analyzes data from multiple sources to prepare environments, respond to information requests, and support intelligence planning and collection requirements.
Explore learning pathThreat Analysis (OPM 141)
NICE: Protection and DefenseResponsible for collecting, processing, analyzing, and disseminating cybersecurity threat assessments. Develops cybersecurity indicators to maintain awareness of the status of the highly dynamic operating environment.
Explore learning pathAll-Source Collection Manager (DCWF 311)
DoD 8140: Intelligence (Cyberspace)Identifies collection priorities, develops plans using available assets, and monitors execution to meet operational intelligence requirements.
Explore learning pathOSINT Investigator/Analyst
Cyber DefenseThese resourceful professionals gather requirements from their customers and then, using open sources and mostly resources on the internet, collect data relevant to their investigation. They may research domains and IP addresses, businesses, people, issues, financial transactions, and other targets in their work. Their goals are to gather, analyze, and report their objective findings to their clients so that the clients might gain insight on a topic or issue prior to acting.
Explore learning pathInsider Threat Analysis
NICE: Protection and DefenseResponsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.
Explore learning pathMilitary Operations / Law Enforcement Agents
Digital Forensics and Incident ResponseExecute digital forensic operations under demanding conditions, rapidly extracting critical intelligence from diverse devices. Leverage advanced threat hunting and malware analysis skills to neutralize sophisticated cyber adversaries.
Explore learning pathIncident Response Team Member
Digital Forensics and Incident ResponseThis dynamic and fast-paced role involves identifying, mitigating, and eradicating attackers while their operations are still unfolding.
Explore learning pathDefensive Cybersecurity (OPM 511)
NICE: Protection and DefenseResponsible for analyzing data collected from various cybersecurity defense tools to mitigate risks.
Explore learning pathCybersecurity Analyst / Engineer
Cyber DefenseAs this is one of the highest-paid jobs in the field, the skills required to master the responsibilities involved are advanced. You must be highly competent in threat detection, threat analysis, and threat protection. This is a vital role in preserving the security and integrity of an organization’s data.
Explore learning pathIncident Response (OPM 531)
NICE: Protection and DefenseResponsible for investigating, analyzing, and responding to network cybersecurity incidents.
Explore learning pathDigital Evidence Analysis (OPM 211)
NICE: InvestigationResponsible for identifying, collecting, examining, and preserving digital evidence using controlled and documented analytical and investigative techniques.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchase Options?Contact Us
GIAC Certification Attempt
Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Filter by:
Location & instructorDate & TimeCourse priceEnrollment options
- Location & instructor
Virtual (OnDemand)
Instructed by Robert M. LeeDate & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
London, GB & Virtual (live)
Instructed by Andreas SfakianakisDate & TimeFetching schedule..View event detailsCourse price£7,160 GBP*Prices exclude applicable taxes | EUR price available during checkout - Location & instructor
Washington, DC, US & Virtual (live)
Instructed by Peter SzczepankiewiczDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Salt Lake City, UT, US & Virtual (live)
Instructed by John DoyleDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
San Antonio, TX, US & Virtual (live)
Instructed by Kevin RipaDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Melbourne, VIC, AU & Virtual (live)
Instructed by Justin ParkerDate & TimeFetching schedule..View event detailsCourse priceA$13,350 AUD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Melbourne, VIC, AU & Virtual (live)
Date & TimeFetching schedule..View event detailsCourse priceA$13,350 AUDEnrollment options - Location & instructor
Amsterdam, NL & Virtual (live)
Instructed by Andreas SfakianakisDate & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxesEnrollment options
Showing 8 of 33
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 2Threat intelligence analysis has been an art for too long, now it can finally become a science at SANS. Mike Cloppert and Robert M. Lee are the industry 'greybeards' who have seen it all. They are the thought leaders who should be shaping practitioners for years to come.
- Slide 2 of 2This course is terrific! Class discussion and relevant case studies are extremely helpful for better understanding the content.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources