
Threat = Capability + Opportunity + Intent

FOR578: Cyber Threat Intelligence
Published: 19 Jan 2020

Matthew Green
DFIR and research

This post is a review of the SANS FOR578: Cyber Threat Intelligence course. I will provide some background, walk through my thoughts on the content and list some resources for those who may be interested. I am cross-posting on LinkedIn as I think this medium is better suited to the course audience.

Background

I was lucky enough to facilitate the SANS event in Sydney with Robert M Lee as my instructor. Rob is a very experienced instructor and course author, so it was a treat to have him teach the course locally.

I currently work in technical IR and have worked with organisations across a wide range of maturity in the threat intelligence space over the last few years. Whilst I have been exposed to a lot of the concepts, research papers and thinking in the past, I do not have an intelligence community background, nor have I undertaken any structured analytical training.

Prior to heading into the course, my goals were to mature my thinking and take away some new insights to make me a better all-round practitioner. I was also looking forward to some re-indoctrination around "the enemy is my teacher" and threat-centric approaches.

The course runs over 5 days and is laid out similarly to the intelligence life cycle, providing a logical build into each topic.

Day 1: Cyber Threat Intelligence and Requirements

The first day was all about understanding core concepts to set the groundwork for the rest of the content. The most interesting sections for me were the traditional intelligence concepts and reflecting on thought structure and approach. These themes continued throughout the course, along with leveraging intelligence to drive value.

I also really enjoyed the indicator life cycle, which formalised a lot of my previous exposure and thoughts around indicators. The Collection Management Framework and threat modelling rounded out the day, and it was nice to hear the higher-level background to the threat-based approach to defence.

The case studies were a very interesting mix of historical and pivotal cyber campaigns, driving home a lot of the themes really well. The exercises, whilst not technical, most definitely did their job combined with the content to stimulate thought and get the class on the right wavelength in an enjoyable fashion.

Day 2: The Fundamental Skill set: Intrusion Analysis

Day two was about earning our Kill Chain badge with the most important CTI collection source: intrusion analysis. It was a great refresher on the most popular intrusion model, with really good practical examples and an introduction to the Diamond Model. The most enjoyable section for me was the upgraded Courses of Action Matrix and Intel Gain/Loss, providing action awareness and insight into focus areas.

Day two included nice practical examples of pivoting and intrusion analysis, including considering multiple kill chains. This day highlighted the importance of threat behaviours over an indicator-only approach, and how to leverage that with threat models, prevention, detection and response. This section really brought out some of the concepts and helped show the value of CTI in intrusion analysis.

Day 3: Collection Sources

Day three is all about collection other than intrusion analysis. Collection sources covered included malware, domains, ASNs, DNS and TLS certificates. I am very fortunate to work at a vendor and have access to great solutions in this space, so this topic was one of my strongest areas. I really enjoyed the refresher on tools, particularly ones I had not been exposed to.

One focus of the course is patterns and finding adversary decisions or "human fingerprints" amongst collection sources. The case studies and exercises in this section were relevant and a good lead-in to the topic. It's also really good to see industry partnership with no strings attached, and the Recorded Future subscription has been great to use over the last month!

Day 4: Analysis and Dissemination of Intelligence

Day four was the most interesting day for me, with sections on bias and fallacies. This day also looked at analysis techniques and focused on the concept of structured analysis over time, highlighting trends. This day introduced Analysis of Competing Hypotheses (ACH) as an analysis technique to reduce bias. I also really enjoyed the description of formally clustering activity groups. The case studies were relevant, pivotal cyber campaigns, driving home a lot of the themes really well.

Day 5: Dissemination and Attribution

Day five continued dissemination, focusing on the tactical level via YARA and IOC validation. The operational level, as the bridge between tactical and strategic, covered collaboration and sharing frameworks such as CybOX/STIX/TAXII. The most interesting and relevant section for me was the metrics component, highlighting several practical metric ideas that can be used to show campaigns, performance of controls, collection, mitigation and other situational awareness.

Rounding out dissemination, the strategic level was presented as a high-level business case for security. I found the reporting and narrative discussions to be valuable and will most definitely take this information into my own work for more impact. Estimative language and assessment put into perspective some of the more mature teams I have worked with and consumed from in the past. My report writing and critique will definitely be improved by these sections.

The section on attribution really rolled it all together. The ACH model was discussed as a template for attribution and for the final capstone exercise. I didn't win, but it was an interesting exercise to run in a time-constrained environment (with beer optional :) ). Finally, of interest in this section were the details on Active Measures, Russian-style dezinformatsiya, which is really relevant to the current news cycle of fake news and influence operations.

Final thoughts

Overall, a great course that I felt achieved the mission of maturing my thinking in our field. I was very aligned with many of the themes heading in, but most definitely learned some things to take back to work with me. The biggest difference students will find compared with other typical 500-level SANS courses is that the focus is more on the thinking behind analysis.

I ended up scoring pretty high in my GCTI exam. Taking the time to build an index to learn the content, and slowing down to answer the questions with thought, seemed to be the most successful approach.

In terms of target audience, FOR578 is not an entry-level course. I think the course would most suit those who work in cyber intelligence, incident response or management, or anyone who wants a baseline of knowledge in the space, with the best fit being those above who also have some intrusion analysis experience for context.

Finally, I have included some interesting resources for anyone who is interested.

Resources

Scott J Roberts, CTI Reading List (2017) - a great reading list summary for anyone interested in starting in CTI - https://medium.com/@sroberts/cti-reading-list-a93ccdd7469c

Andreas Sfakianakis @Tilting at windmills, Top CTI Presentations for 2019 - latest themes in CTI - https://threatintel.eu/2020/01/09/top-20-cti-presos-for-2019/

Luis Rocha @CountUponSecurity, FOR578 review (2015) - another review of FOR578 - https://countuponsecurity.com/2015/10/20/course-review-sans-for578-cyber-threat-intelligence/

SANS FOR578 course description - https://www.sans.org/course/cyber-threat-intelligence
