This course is split into two sessions that can be taken independently or together. The first two-day session covers the collection and transformation of information, both internally and externally, that is required for a successful Threat Intelligence pursuit. The second two-day session dives into analysis, profiling, investigation and reporting of that information.
In this “Part A” of the course, students learn the focus areas for Threat Intelligence collection, both internal and external. Deep pockets of information exist internally and, when combined with the depth of external sources, provide a rich palette with which to paint current events and threats. Students learn where to find that information, how and what to collect from the data, and then how to de-duplicate, Connect, add Context, set Confidence and Pivot (C3P), and store the data in order to process and apply it.
In this “Part B” of the course, students turn their focus to analysis, investigation, profiling and reporting. Students are taught structured analytic techniques to profile, investigate and understand the information they learned to collect in “Part A” of the course. A grounding in risk signals and indicators in information is provided to assist in the analysis and profiling of information in market verticals, against an organization or threat groups. Deeper dossiers of information on threats are discussed and built, including file, DNS, and operation corpus for adversaries. Lastly, students learn effective reporting strategies to communicate and disseminate information through briefs, reviews, case studies and reports.
Note: Each hour of this course follows a pattern of 5-minute instructor discussion, 10-minute classroom discussion and 45-minute lab work.