FOR578 Cyber Threat Intelligence 2021

سرفصل های دوره

1. Cyber Threat Intelligence and Requirements

1. Welcome to Cyber Threat Intelligence FOR578
2. Be Social
3. Lab Guidance
4. Cyber Threat Intelligence and Requirements
5. Course Agenda
6. Course Goal A Capable CTI Analyst
7. FOR578 GCTI School of Thought
8. Section 1 Outline
9. Case Study Moonlight Maze
10. Targeting Government and Military Networks
11. Investigating Moonlight Maze
12. 2016 Reanalyzing Moonlight Maze
13. Connections to the Present Penquin Turla
14. Putting the Pieces Together
15. Lessons Learned

1. Understanding Intelligence
2. Intelligence
3. Classic Intelligence Sources
4. Counterintelligence
5. Case Study Operation Bodyguard
6. Sherman Kent
7. Kents Analytic Doctrine
8. Richards J Heuer Jr
9. Analysis
10. Analytical Judgment
11. DataDriven Versus ConceptuallyDriven Analysis
12. Thinking About Thinking and Perception
13. Analysis in Action
14. Hindrances to Good Analysis
15. Bias Example Ransomware Targeting Elections
16. System 1 and System 2 Thinking
17. Mental Models
18. Kills Chains and Other Structured Models Data into Buckets
19. Structured Analytic Techniques
20. The Intelligence Life Cycle
21. Field of View Bias from Collection
22. Know the Difference Data Versus Intelligence
23. Example Tools for Structured Analytic Techniques
24. MindMup
25. Exercise 11
26. Case Study Operation Aurora 1
27. Case Study Operation Aurora 2
28. Enter the CyberDragon
29. Tools and Tradecraft
30. Clues into Attribution
31. Lessons Learned

1. Understanding Cyber Threat Intelligence
2. Defining Cyber Threat Intelligence
3. CTI Terminology
4. Threat
5. Intelligence Requirements
6. Intrusions
7. Activity Group
8. Threat Actor
9. Campaign
10. Traffic Light Protocol
11. AdversaryThreat Personas and TargetsVictims
12. Tactics Techniques and Procedures
13. Tradecraft
14. Indicators
15. Indicator Life Cycle Introduction
16. Key Indicators
17. Key Indicator Examples
18. Discovery and Indicator Life Span
19. Indicator Fatigue and Proper Use Cases
20. Case Study PROMETHIUM and NEODYMIUM
21. Background
22. Observable Characteristics
23. NEODYMIUM Intrusion Flow
24. The Activity Groups

1. Threat Intelligence Consumption
2. Intelligence Generation Versus Consumption
3. Sliding Scale of Cyber Security
4. Leverage Intelligence to Drive Value
5. Offense Intelligence Consumption
6. Intelligence Intelligence Consumption
7. Active Defense Intelligence Consumption
8. Passive Defense Intelligence Consumption
9. Architecture Intelligence Consumption
10. The Four Types of Threat Detection
11. Moving Indicators to Threat Behavioral Analytics
12. The Pyramid of Pain
13. Exercise 12 LeadIn
14. Exercise 12 Optional

1. Preparing the Team to Generate Intelligence
2. Making the Switch from Consuming to Generating
3. Priority Intelligence Requirements
4. Intended Audience
5. Intelligence Requirement Examples
6. Structuring Your Team to Generate Intelligence
7. A Few Sample Purposes of a Cyber Threat Intelligence Team
8. Case Study The First Ever Electric Grid Focused Malware
9. Ukraine December 2016
10. Exercise 13 The Evolving Situation
11. Scenario Companies and Organizations
12. Details Roles and Requirements
13. Exercise 13
14. Case Study Carbanak
15. Carberp
16. Carbanak
17. How the Carbanak Cybergang Stole 1B
18. Carbanak Evolution
19. The Impact
20. Lessons Learned

1. Planning and Direction
2. Generating Intelligence Requirements
3. Planning Collection Management Framework
4. A Sample External Collection Management Framework on Malware Data
5. A Sample Internal Collection Management Framework
6. Systems Analysis
7. Threat Modeling
8. TargetCentric Intelligence Analysis
9. Building a Threat Model Review Your Critical Systems and Information
10. Adding Potential Adversaries to the Model
11. Pivoting off Information and Resources
12. Getting the Information You Need
13. Go as Granular as You Need
14. The VERIS Framework
15. Fundamentals of VERIS
16. VCAF VERIS Common Attack Framework
17. Using VERIS to Track Threats
18. Exercise 14 Positioning for the Future 1
19. Exercise 14 Positioning for the Future 2
20. Exercise 14
21. SANS DFIR
22. COURSE RESOURCES AND CONTACT INFORMATION

2. The Fundamental Skill Set Intrusion Analysis

1. Welcome to Cyber Threat Intelligence FOR578 Day 2
2. The Fundamental Skill Set Intrusion Analysis
3. Course Agenda
4. Section 2 Outline
5. Primary Collection Source Intrusion Analysis
6. Kill Chain Overview
7. Stage 1 Recon Precursors
8. Recon Example
9. Stage 2 Weaponization
10. Weaponization Example Trojanized Document
11. Stage 3 Delivery
12. Delivery Example HTTP
13. Stage 4 Exploitation
14. ExploitDelivery Loop SMTPHTTP
15. Stage 5 Installation
16. Installation Example
17. Stage 6 Command and Control C2
18. C2 Example Sleep
19. Stage 7 Actions on Objectives
20. Actions Example
21. Introduction to the Diamond Model
22. Diamond Model Axioms
23. Diamond Adversary
24. Adversary Human Fingerprints Examples in Malware
25. Diamond CapabilityTTP
26. Diamond Infrastructure
27. Diamond Victim
28. Merging the Diamond Model and Kill Chain
29. One Phases Choices May Move in Another Phase
30. CoA Introduction
31. The Courses of Action Matrix
32. CoA Discover
33. CoA Detect
34. CoA Deny
35. CoA Disrupt
36. CoA Degrade
37. CoA Deceive
38. CoA Destroy
39. Action Selection and Mutual Exclusivity
40. Leveraging CoA Intel GainLoss
41. MITRE ATTCK
42. TTPs in ATTCK
43. Different Models for Different Use Cases
44. Exercise 21 Read In
45. Details Roles and Requirements 1
46. Details Roles and Requirements 2
47. Priority Intelligence Requirements
48. Exercise 21
49. Exercise 21 Takeaways

1. Kill Chain and Diamond Deep Dive
2. Log Repositories and logrotate
3. Memory Analysis with Volatility
4. Section 2 Note Responder Actions
5. Incoming Alert What You Have
6. First Steps Reported Intrusion
7. Responder Action Network Flow Data
8. Discovery Findings Network Flow
9. Responder Action Proxy Logs
10. Discovery Findings Proxy Logs
11. Reported Intrusion Where Are We Now
12. Exploiting the URL for Tool Discovery
13. Pivoting on New Intelligence
14. Observing the Indicator Life Cycle
15. Reported Intrusion Where Are We Now
16. Reported Intrusion Where Do We Go
17. Kill Chain Completion
18. Exercise 22
19. Priority Intelligence Requirements in Exercise Scenario
20. Exercise 22 Takeaways
21. Phase 7 Actions on Objectives
22. Actions on Objectives Network Pivoting Overview
23. Actions on Objectives Host Pivoting Overview
24. Reported Intrusion C2 Victim Pivot FTP Flow Data
25. Responder Action Full Packet Capture
26. Reported Intrusion C2 Victim Pivot 1 FTP Network Traffic
27. Reported Intrusion C2 Victim Pivot 2 Flow Data to Known Malicious IPs
28. Reported Intrusion Victim Pivot 2 Proxy Search from Flow Data
29. Reported Intrusion Current Knowledge Gaps 1
30. C2 Decoding Overview
31. Reported Intrusion Memory Forensics 1
32. Reported Intrusion Memory Forensics 2
33. Phase 7 Discovery Disk Forensics 1
34. Phase 7 Discovery Disk Forensics 2
35. Responder Action Reverse Engineering
36. Exercise 23
37. Priority Intelligence Requirements in Ex 23
38. Exercise 23 Takeaways
39. Edison Malware Analysis RFI Response
40. Capabilities of scvhostexeFJerk
41. C2 Protocol for scvhostexeFJerk
42. C2 Decoding with CyberChef
43. C2 Decoding with Command Line and Scripting
44. The Beginning of a Persona
45. Exfil Documents
46. Where Do We Go
47. Reported Intrusion Current Knowledge Gaps 2
48. Moving into the System
49. Installation Findings
50. Responder Action Reverse Engineers RFIs
51. Reported Intrusion Current Knowledge
52. Phase 4 Exploitation Findings and Problems
53. Responder Action User Inbox Archive
54. Glancing Forward Phase 3 Findings
55. What Happened
56. Exercise 24
57. Priority Intelligence Requirements in Ex 24
58. Exercise 24 Takeaways

1. Handling Multiple Kill Chains
2. Where Are We and Where Do We Go 1
3. Reported Intrusion Current Knowledge Gaps
4. Reported Intrusion Phase 5 Findings Reprise
5. Reported Intrusion Current Knowledge
6. InstallationFindings
7. Where Are We and Where Do We Go 2
8. Phase 3 DeliveryFindings
9. The Time Card System
10. Reported Intrusion Where Are We and Where Do We Go
11. Kill Chain Sequencing
12. Visual Representation of Adversarys Efforts
13. Key Indicators and Insights from the Slides Intrusion
14. Exercise 25
15. Some Key Items Collected Out of the Intrusion
16. Priority Intelligence Requirements in Ex 25 1
17. Priority Intelligence Requirements in Ex 25 2
18. Key Indicators and Insights from the Exercises Intrusion
19. SANS DFIR
20. Here is my lens You know my methods Sherlock Holmes
21. COURSE RESOURCES AND CONTACT INFORMATION

3. Collection Sources

1. Collection Sources
2. Course Agenda
3. Section 3 Outline
4. Case Study HEXANE
5. HEXANE Background
6. HEXANE DanBot Header Metadata Compile Times and PDBs
7. HEXANE DanBot Header Metadata GUIDs
8. HEXANE DanBot Code Reuse
9. HEXANE DanBot Configuration Data

1. Collection Source Malware
2. Collection from Malware
3. The Human Fingerprints of Malware
4. Header Metadata
5. Code Reuse
6. Configuration Data
7. More Configuration Data Examples
8. Where Do You Get Malware
9. Commercial Dataset Example VirusTotal
10. VirusTotal Results
11. VirusTotal Details
12. VT Enterprise formerly VirusTotal Intelligence
13. DC3 Malware Configuration Parser
14. Malware Configuration Data from Dumping Tool
15. Exercise 31 Aggregating and Pivoting in Excel
16. Exercise 31
17. Key Indicators from Exercise 31
18. Compilation of SupplyDenn Intrusion Indicators from Ex 21 and Ex 31
19. Recap Indicators and Insights from the Day 2 Slides Intrusion
20. Combined View Leet

1. Collection Source Domains
2. Data Pivoting 1
3. Data Pivoting 2
4. Basic Most Pivotable Indicator Types
5. Data Pivoting Example 1
6. Data Pivoting Example 2
7. Data Pivoting Chart 2
8. C2 Domain Registration
9. Adversary Registered
10. Dynamic DNS Domains
11. DDNS Manager
12. DDNS for Adversaries
13. Legitimate but Compromised
14. Case Study Poison Hurricane
15. Autonomous System Number ASN Lookups
16. ASN Lookup asncymrucom
17. Passive DNS 1
18. Some PDNS Providers
19. Passive DNS 2
20. Example Mnemonic PDNS
21. Case Study Epic Turlas Out of This World C2
22. Epic Tula C2
23. For the Next Lab DomainTools
24. DomainTools Iris
25. DomainTools Search Tabs
26. DomainTools Pivot Engine
27. DomainTools Identifying New Indicators
28. Exercise 32 Expanding Intelligence Through Partners and OSINT
29. Exercise 32
30. New Intrusion Kirill Lazutin
31. Case Study GlassRAT
32. Case Study GlassRAT Campaign
33. GlassRAT C2 Overlap GlassRAT
34. GlassRAT Lessons Learned

1. Collection Source External Datasets
2. OpenSource Intelligence
3. Leveraging OSINT
4. Threat Data Feeds
5. Threat Intelligence Quotient TIQ Test
6. Measuring Threat Feeds
7. FireHOL IP Lists Threat Feed Analyzer
8. Collective Intelligence Framework
9. Creating Your Own OSINT Database
10. Additional OSINT OpenSource Tools
11. AlienVault OTX
12. Shodan
13. Geographical Information and Maps
14. GCHQs CyberChef
15. Exercise 33 Introduction
16. Exercise 33
17. Key Indicators from Exercise 33
18. Updated Leet View
19. Exercise 34 Leadin Ransomware
20. ThirdParty Phone Call
21. Priority Intelligence Requirement
22. For the Next Lab Recorded FutureHome Page
23. For the Next Lab Recorded FutureSearch Menu
24. Recorded Future Poison Ivy
25. Recorded Future Context
26. Exercise 34
27. Ex 34 Key Findings

1. Collection Source TLS Certificates
2. TLS Certificates
3. TLS Certificate Datastores
4. TLS Certificate Scan Providers
5. Searching Tips
6. Censysio Example SANS
7. Case Study CVE20141761
8. CVE20141761
9. Initial Pivoting
10. Collecting New Data
11. Identifying Links Between Data Points
12. Introducing TLS Cert
13. Identification of New Data
14. Unique Data from New Pivot Type
15. Maltego CaseFile
16. Maltego Entities and Links
17. Adding Entities to the Graph
18. Adding Links to the Graph
19. MovingManipulating Entities
20. Different Views
21. Exercise 35
22. Recap Indicators from Ex 21 and Ex 35
23. RECAP Kirill Lazutin
24. Merged View
25. SANS DFIR
26. COURSE RESOURCES AND CONTACT INFORMATION

4. Analysis and Production of Intelligence

1. Analysis and Production of Intelligence
2. Course Agenda
3. Section 4 Outline
4. Case Study Human Operated Ransomware
5. Human Operated Ransomware Operations
6. Wadhrama Attack Chain by PARINACOTA
7. Doppelpaymer Ransomware
8. Ryuk from TrickBot Infections
9. Make It Easy for Defenders
10. Example of Effective Visual Communication of TTPs
11. What Evil Looks Like

1. Exploitation Storing and Structuring Data
2. Storing Collected Intelligence
3. Storing Platforms
4. MISP
5. Creating an MISP Event
6. Visually Linking Indicators Between Events
7. Methods of Storing Best Practices
8. Leadin to Exercise 41
9. Exercise 41

1. Analysis Logical Fallacies and Cognitive Biases
2. Identifying and Defeating Bias
3. Logical Fallacies
4. Common CTI Informal Fallacies
5. Other Common Fallacies
6. Cognitive Biases
7. Mirror Image
8. AnchoringFocusing
9. Confirmation Bias
10. Congruence Bias
11. Hindsight Bias
12. Illusory Correlation
13. Case Study New York Stock Exchange NYSE Computer Glitch
14. Cum hoc ergo propter hoc
15. Case Study Turkey Pipeline Explosion
16. Bias and Experience
17. Exercise 42

1. Analysis of Competing Hypotheses 1
2. Analysis of Competing Hypotheses 2
3. 1 Enumerate Hypotheses
4. 2 Support the Hypotheses
5. 3 Diagnostics
6. 4 Refine the Matrix
7. 5 Prioritize the Hypotheses
8. 6 Determine Evidentiary Dependence
9. 7 Report Conclusions
10. Identify Milestones
11. Exercise 43

1. Analysis Different Types of Analysis
2. Leveraging Different Types of Analysis
3. Link Analysis
4. Common Link Analysis Tools
5. MaltegoCasefile Bubble Chart View
6. Data Analysis
7. Temporal Data Analysis 1
8. Temporal Data Analysis 2
9. Trend Analysis
10. Case Study Panama Papers
11. John Doe
12. The Challenge of Data
13. Example Link Analysis with Linkurious
14. Findings and Aftermath
15. CTI Angle IntelligenceDriven Hypothesis Generation
16. Exercise 44 Visualizing Large Datasets
17. Exercise 44

1. Analysis Clustering Intrusions
2. Style Guide
3. NamesIdentifiers
4. Risks of Clever Naming Conventions
5. MITRE ATTCK Groups Page
6. Rosetta Stone APT Groups and Operations Matrix
7. There is No OnetoOne Mapping
8. OnetoOne Mapping Issues Example
9. Confidently Correlating Clusters
10. ACH for IntrusionCluster Correlation
11. The Basics
12. Categorize Evidence Using Kill Chain and the Diamond Model
13. Enumerating IntrusionCampaign Hypotheses
14. External Intrusion Reports
15. Diamond Model Deeper Dive MetaFeatures
16. Creating an Activity Group
17. Different Examples of Diamond Models for Different Reqs
18. Recap of K Lazutin
19. New Intrusion Does it Fit
20. Adding Intrusions to the Diamond Model Creating a Group
21. Introducing PINKIEPIE
22. Shortcut The Rule of 2
23. Rule of 2 Forming an Activity Group
24. When to Retire Clusters
25. Case Study APT10 and APT31
26. Recorded Future and Rapid7 Attributed Breaches to APT10
27. Group Names are Definitions not Often Publicly Known
28. The Problem Isnt just a Recorded Future Rapid7 Problem
29. Everyones a Little Wrong
30. Ex 45 Lead In
31. Top Energy Intrusion
32. Recap of Top Energys Key Indicators from Day 2
33. New Intrusion 1 Key Indicators
34. New Intrusion 2 Key Indicators
35. Which Intrusion Overlaps
36. Introducing RAINBOWDASH Activity Group
37. Exercise 45 Leadin
38. Recap of Leet Intrusion Set
39. Exercise 45
40. SANS DFIR
41. COURSE RESOURCES AND CONTACT INFORMATION

5. Dissemination and Attribution

1. Dissemination and Attribution
2. Course Agenda
3. Section 5 Outline
4. Case Study Axiom
5. PlugX
6. Hikit Malware
7. Hikit Malware and Bit9
8. Axiom
9. Interesting Attributes
10. Lessons Learned

1. Dissemination Tactical
2. Know the Audience
3. YARA
4. Sample YARA Rule
5. YARA Key Points
6. Hex Special Values
7. More Complex YARA Rules
8. Sample YARA Rule Uncommon File Size
9. Sample YARA Rule GlassRAT
10. Sample YARA Rule Sofacy
11. Sample YARA Rule Sofacy from the German Parliament Campaign
12. Validating Signatures and IOCs
13. Exercise 51
14. Case Study HackingTeam
15. Case Study HackingTeam 1
16. Case Study HackingTeam 2
17. HackingTeam Isnt Alone
18. HackingTeams Compromise and Mercenary Group Takeaways

1. Dissemination Operational
2. Operational Threat Intelligence
3. Communicating About Adversary Operations
4. Partners and Collaboration
5. NationalLevel Government Information
6. ISACs and ISAOs
7. Additional Resources
8. STIXTAXII
9. TAXII Implementations
10. STIX 21 Objects
11. STIX 2
12. Methods of Sharing Best Practices
13. Exercise 52 Introduction
14. Exercise 52
15. Woe the Lowly Metric
16. Why You Should Embrace Metrics
17. Campaign Heatmap
18. Organizational Heat Maps
19. Incident OneSlider
20. Incident OneSlider With Multiple
21. Mitigation Scorecard
22. Email Delivery Success
23. Analytical Completeness
24. Case Study Metrics from CTI Summit
25. Exercise 53 Gaining Historical Perspective
26. Exercise 53

1. Dissemination Strategic
2. Strategic Threat Intelligence
3. Example Outcome Indictments
4. Making the Business Case for Security
5. Expectations
6. Lessons from the Field Shoe Company and AntiHype
7. ReportsNarrativeForm Intelligence
8. Observation Versus Interpretation
9. Estimative Language
10. Estimative Scales
11. ALWAYS REMEMBER
12. Diamond Model and Analytic Findings
13. Confidence Assessments
14. Constructing Assessments
15. Tips on Effective Report Writing
16. InClass Exercise
17. Proofpoints North Korea Bitten by Bitcoin Bug
18. Proofpoints North Korea Report Pros and Cons
19. Norses Iran CIB
20. Iran CIB Pros and Cons
21. Kasperskys Equation Group Optional
22. Equation Group Pros and Cons Optional
23. Case Study APT10 and Cloud Hopper
24. APT10 and the Chinese State
25. APT10 and the US Government
26. Indictments for Attribution APT10
27. Indictments for TTP Discovery APT10
28. Indictments for IOC Discovery APT10
29. Cloud Hopper
30. Observations for CTI Analysts Communicating Broadly
31. Observations for CTI Analysts Human Fingerprints
32. Observations for CTI Analysts Timelines
33. Observations for CTI Analysts Closing Thoughts

1. A Specific Intelligence Requirement Attribution
2. Attribution as an Intelligence Requirement
3. On Attribution
4. Four Approaches to True Attribution
5. The Simpsons Did It
6. Achieving the Value of Attribution without Attribution
7. Example Use Cases of Attribution
8. Attribution Is Never Straightforward
9. Example Merged State and Criminal Activity
10. Geopolitical Conflict Intersects Cyber
11. Challenges in Observing the Adversarys Intel Life Cycle
12. Deriving Intent
13. The Basics of State Attribution
14. Analytical Model for Each Entity
15. Categorize Evidence Using Threat Definition
16. Understanding Opportunity
17. ACH Matrix Template for State Attribution
18. Be Prepared for Information to Change
19. CaseStudy Soviet Disinformation Operations
20. False Flags
21. False Flag Example South Korean Winter Olympics
22. Coming to the EndReassess Intelligence Requirements
23. Case Study Lazarus Group
24. Operation Troy and Attacks on South Korean Organizations
25. The Sony Attack
26. Government Attribution
27. WannaCry Connections
28. Overlaps in the Intrusions
29. The Making of a Group Lazarus
30. Problem with Extending Too Far
31. Exercise 54
32. SANS DFIR
33. COURSE RESOURCES AND CONTACT INFORMATION

6. Capstone

1. Day 6 Capstone

2. Capstone The Goals

3. Capstone What to Know To Have Fun

4. Capstone How to Win

5. Scenario Background

6. VI Capstone

7. You

8. The State Actors

9. The NonState Actors

10. Scenario Objectives

11. Your Resources

12. Capstone

13. Baby Yoda

14. Incorporate the Fifteen Axioms for Intelligence Analysts

15. Thanks for Coming

16. SANS DFIR

File

Books.zip

Day 1

Day 2

Day 3

Day 4

Day 5

Day 6

FOR578-23812170.zip

USB.zip

UTF-8=578.21.2.iso

old-sku.txt

utf-8=578.21.2.zip

63,400 تومان

خرید اشتراک افزودن به سبد خرید

خرید دانلودی فوری

در این روش نیاز به افزودن محصول به سبد خرید و تکمیل اطلاعات نیست و شما پس از وارد کردن ایمیل خود و طی کردن مراحل پرداخت لینک های دریافت محصولات را در ایمیل خود دریافت خواهید کرد.

تولید کننده: Sans