
Cyber Defenses Academy

Threat Intelligence Fundamentals (Round Rock)




Course Objectives

Through the user interactive labs the student will learn:

This course gives a professional who responds to issues, whether from customers or from within their own company, a set of tools and techniques to recognize when ransomware is the issue, to triage and contain its spread, and then to preserve evidence and clean up afterward.

The course is designed for those with an interest in, but no background in, handling ransomware issues. It conveys the necessary concepts, principles and terms to lay down a solid foundation. If you have that requirement, it will serve your needs well.

The course is an introductory class on one of several tracks CDI offers for professionals who are starting out.

Date & Time

(Round Rock) May 28-31

(Round Rock) Sep 3-6

(Round Rock) Dec 3-6

All class times are 8:30am to 5:00pm CST


CDI Academy
1205 Sam Bass Road, Suite 300
Round Rock, TX 78681
(512) 255-3700

Course Outline – Part A

  1. Introduction
  2. Defining the Threat
    • What they want
    • How they will get it
    • What they leave behind
  3. Threat Structure Components
    • Organization
    • Assets
    • Members
    • Motivations
  4. Attacker Core Steps
  5. Collection Methodologies
  6. White versus Red Information
  7. Internal Collection Targets
  8. External Collection Targets
  9. Storage
  10. Automation
  11. Transformation
    • Connect data, add Context, set Confidence and Pivot (C3P)
    • Visualize, Graph and Chart
    • Geometry, Constellations, Twisting
  12. Structural iteration and linking
  13. Q&A

Course Outline – Part B

  1. Introduction
  2. Profiling, Research, Investigation, Analysis (PRIA)
    • Pitfalls and Cautions
    • Handling Bias
    • Echo Effect
  3. Structured Analysis Techniques
    • Strategies of Use
    • Diagnostic
    • Contrarian
    • Imaginative
  4. Reviews
    • Narrative
    • Systemic & Meta-analysis
  5. Risk Signals and Indicators
    • …for Market Verticals
    • …for an Organization
    • …for Adversaries
  6. Core Step Identification
  7. Campaign Attribution
  8. Dimensions of Time
  9. Profiling
    • Threats & Threat Corpus
    • Profile and Order of Battle (OOB)
    • Mapping TTPs
  10. Communication
    • Briefs
    • Reports
    • Case Studies
    • Reviews

Target Student

  • Individuals new to, or desiring a better understanding of, how to respond to ransomware.
  • Professionals who deal with technical issues but feel they do not have enough background in ransomware and incident response to resolve it.
  • Technical professionals who need to be armed with greater knowledge of incident response, ransomware, and their role in resolving it.

Additional Information

  • Laptop required
  • Requires basic knowledge of computers, technology and command line interface (CLI)
    • Assume students can open and operate browsers, find and use the command line, execute scripts and open programs
  • Requires knowledge of Linux
  • Requires basic knowledge of Python
  • Understanding of virtual machines (VM) and how to use one
    • Assume students understand how to import and power on a VM

What’s Next

The following CDI courses are good follow-ups:

Why This Course?

  • The course is designed for those with an interest in employing Threat Intelligence to deter, mitigate, and understand threats. It conveys the necessary concepts, principles, and terms to lay down a solid foundation. If you have that requirement, it will serve your needs well.
  • The course is a ranged class that starts at an introductory level and proceeds into intermediate concepts.

Your Instructor

Monty St John

Monty St John has been in the security world for more than two decades. When he is not responding to incidents he teaches classes in Threat Intelligence, Incident Response and Digital Forensics.


Certification of Completion

Additional Information

This course is split into two sessions that can be taken independently or together. The first two-day session covers the collection and transformation of information, both internal and external, that a successful Threat Intelligence effort requires. The second two-day session dives into analysis, profiling, investigation and reporting of that information.

Part A

In “Part A” of the course, students learn the focus areas for Threat Intelligence collection, both internal and external. Deep pockets of information exist internally and, when combined with the depth of external sources, provide a rich palette with which to paint current events and threats. Students learn where to find that information, how and what to collect from the data, and then how to de-duplicate it, Connect it, add Context, set Confidence and Pivot (C3P), and store the data in order to process and apply it.

Part B

In “Part B” of the course, students turn their focus to analysis, investigation, profiling and reporting. Students are taught structured analytic techniques to profile, investigate and understand the information they learned to collect in “Part A” of the course. A grounding in risk signals and indicators is provided to assist in the analysis and profiling of information about market verticals, an organization, or threat groups. Deeper dossiers of information on threats are discussed and built, including file, DNS, and operational corpora for adversaries. Lastly, students learn effective reporting strategies to communicate and disseminate information through briefs, reviews, case studies and reports.

Note: Each hour of this course follows a pattern of 5 minutes of instructor discussion, 10 minutes of classroom discussion and 45 minutes of lab work.
