Work recently sent me to SANS Forensics 578, Cyber Threat Intelligence. This was my first SANS class ever, and it was pretty good. The instance of the class I was sent to was presented by Jake Williams and Rebekah Brown. I think having both of them teach the class was great, because it gave more from the trenches view than having just one of them as an instructor.
The biggest take away I had from the class is I finally understand the Kill Chain and Diamond model. That may sound strange, but it was just something I wasn’t groking, even though it was covered in some of my college classes, and I’d come across it in self study. However after all the repetition in this class I have an understanding of it.
The next thing that was great about the class, was that some tools I have had access to, and not understand make more sense. I’ve had a Threat Connect account for a while but the documentation on it, in the short time I would have to read it, didn’t click. Now it does. Again through using it in the labs.
Speaking of the Labs, this was my first SANS course. I didn’t know about the walk through, but it was mentioned in the first lab. I’m not sure how I feel about them. I like them for those times that I need to check my answer but at the same time I found my self just walking through them, and not really trying to answer the questions. The few times I could answer the questions and didn’t even bother with the walk through did come back to bite me though. There were two that I knew how to get the answers so I did. Then find out after the fact that the walk through set the student up for either upcoming labs, or showed some neat tricks. Which sadly just re-enforced the skip the answering and do the walk through trap I keep falling into.
I think my biggest complaints of the class, were that Eastern Michigan University went more in depth on Intelligence in their two classes, than the SANS class did. Granted the SANS class covered all the details of both the EMU Classes. And the attempt at having a unified language, when other words would work better.
One of the goals is to make sure Threat Intelligence analysts are using the same terms at all the different companies. Which is a good thing for the most part. But, my manager and supervisor (the people managers) at work were the first to take this class. When they had came back they kept asking me to make reports with heat maps. To me at the time a heat map was things like maps showing higher to lower level of activities, or bubble maps with larger bubbles and smaller bubbles. What they were talking about were pivot tables with conditional formatting to the data in the table.
Its a good class, and I think that people that want to do IDR-plus (as Jake Williams put it, for companies that don’t have TI Programs) or want good Cyber Threat Intelligence programs. I don’t think it’s a good first class if you don’t know DFIR or Intelligence though. But I have a background in both.
The class was heavily OSINT driven, using OSINT / Community sharing tools. I would have liked to have seen some other sources mentioned too beyond Open Source Intelligence / Social Media Intelligence. It would have been good if they had given a list of some good “closed” communities to share data with too. The so called “Blood in, Blood Out” groups.
*update: fixed type on the title (I could have sworn I wrote 578, not 678).