SANS Security 487

I recently took the SANS Security 487, Open-Source Intelligence (OSINT) Gathering and Analysis, course with Micah Hoffman. Now, I need to get started on the associated GIAC Open Source Intelligence (GOSI) exam prep.

When I put my training request in, my manager pointed out I could probably pass the exam without the course. Maybe my manager was right, but I like a good refresher course every once in a while.


How did this compare to the other OSINT classes and books I’ve read over the years? It’s complementary. There is some overlap, but it’s presented in a different, more direct way than in other places. This course didn’t feel like a rehash of the IntelTechniques OSINT course(s), nor did it feel like I was reading either Chris Kubecka or Michael Bazzell’s books. I liked the “Dark Web” portion than the  NCFTA “Advanced Dark Web” training course I took.

About the Course

This course was the first 6-day SANS class I’ve taken. When I took Forensic 578, it was a five-day class without the capstone or challenge coin. The extra sixth day for the capstone/capture the flag was pretty much optional. I think it would be worth doing if you’re new to doing OSINT investigations.

The class actually had two capture the flag options. The first one is a Solo capture of the flag, using the Netwars engine for flags and tracking points. The second ay was more real-world investigation, where you receive a target package from your customer and then research and report what you find.

My opinion of the class is that it is a fundamentals class, and the Instructors should say that on Day One in Hour One (at least Micah did). Due to my experience in OSINT, I found it a good refresher of the work I’ve done over the years. The class also pointed out some of my own biases in tools and how I operate. The lab on Metadata had two challenges included. An easy challenge and a hard challenge. The way I work, I found that the hard challenge was easier to complete than the easy one. But I reached for the tools I use day in and day out at work. Again like I said, it shows my personal bias towards methods and tools.

I think those newer to the field of Open Source Investigation would benefit from the class. The class covers a majority of the concepts that we have to work on within investigations. The labs had a real-world feel to them; I felt like I was in the office instead of training. By the way, if you’re reading this while working through the labs, thanks for the SEO bump.

I do recommend this course for either experienced or newer OSINT investigators. The experienced people will find it a good refresher, with a few new tips and tricks. I think there was one tool we covered I hadn’t seen or used before. Meanwhile, the less experienced investigators or those new to OSINT will get an excellent overview of the fundamentals and have a great grounding in the topic to move forward.

Oh, and the CTFs?

I finished the Solo CTF with 898 out of 905 points. I got impatient with one of the flags and used three hints. Because I knew if I didn’t finish it on Day 5, I would waste team time on Day 6 trying to finish it.

For the capstone CTF on day 6, I was on the team the got the challenge coin. I also solved the challenge on the challenge coin.

Leave a Reply

Your email address will not be published. Required fields are marked *