
Cyber Threat Intelligence | SANS FOR578: Cyber Threat Intelligence

This course is the original edition, in its original language.
578

Training type: offline

Support: ticketing

Certificate provided: none

Training language: Persian/English (as described)

Refund: according to the site's rules

Price: 5,980,000 rials
  • FOR578.1: Cyber Threat Intelligence and Requirements
  • Case Study: MOONLIGHT MAZE
  • Understanding Intelligence
    • Intelligence Lexicon and Definitions
    • Traditional Intelligence Cycle
    • Richards Heuer, Jr., Sherman Kent, and Intelligence Tradecraft
    • Structured Analytical Techniques
  • Case Study: Operation Aurora
  • Understanding Cyber Threat Intelligence
    • Defining Threats
    • Understanding Risk
    • Cyber Threat Intelligence and Its Role
    • Expectation of Organizations and Analysts
    • Diamond Model and Activity Groups
    • Four Types of Threat Detection
  • Threat Intelligence Consumption
    • Sliding Scale of Cybersecurity
    • Consuming Intelligence for Different Goals
    • Enabling Other Teams with Intelligence
  • Positioning the Team to Generate Intelligence
    • Building an Intelligence Team
    • Positioning the Team in the Organization
    • Prerequisites for Intelligence Generation
  • Planning and Direction (Developing Requirements)
    • Intelligence Requirements
    • Priority Intelligence Requirements
    • Beginning the Intelligence Lifecycle
    • Threat Modeling
  • FOR578.2: The Fundamental Skillset: Intrusion Analysis
  • Primary Collection Source: Intrusion Analysis
    • Intrusion Analysis as a Core Skillset
    • Methods to Performing Intrusion Analysis
    • Intrusion Kill Chain
    • MITRE ATT&CK
    • Diamond Model
  • Kill Chain Courses of Action
    • Passively Discovering Activity in Historical Data and Logs
    • Detecting Future Threat Actions and Capabilities
    • Denying Access to Threats
    • Delaying and Degrading Adversary Tactics and Malware
  • Kill Chain Deep Dive
    • Scenario Introduction
    • Notification of Malicious Activity
    • Pivoting Off of a Single Indicator to Discover Adversary Activity
    • Identifying and Categorizing Malicious Actions
    • Using Network and Host-Based Data
    • Interacting with Incident Response Teams
    • Interacting with Malware Reverse Engineers
    • Effectively Leveraging Requests for Information
  • Handling Multiple Kill Chains
    • Identifying Different Simultaneous Intrusions
    • Managing and Constructing Multiple Kill Chains
    • Linking Related Intrusions
    • Extracting Knowledge from the Intrusions for Long-Term Tracking
  • FOR578.3: Collection Sources
  • Case Study: HEXANE
  • Collection Source: Malware
    • Data from Malware Analysis
    • Key Data Types to Analyze and Pivot On
    • VirusTotal and Malware Parsers
    • Identifying Intrusion Patterns and Key Indicators
  • Collection Source: Domains
    • Domain Deep Dive
    • Different Types of Adversary Domains
    • Pivoting Off of Information in Domains
  • Case Study: GlassRAT
  • Collection Source: External Datasets
    • Building Repositories from External Datasets
    • Open-Source Intelligence Collection Tools and Frameworks
  • Collection Source: TLS Certificates
    • TLS/SSL Certificates
    • Tracking New Malware Samples and C2 with TLS
    • Pivoting off of Information in TLS Certificates
  • Case Study: Trickbots
  • FOR578.4: Analysis and Production of Intelligence
  • Storing Threat Data in MISP
  • Identifying Types of Biases
  • Analysis of Competing Hypotheses
  • Visual Analysis in Maltego
  • The Rule of 2 and Threat Groups
Topics
  • Case Study: Human-Operated Ransomware
  • Exploitation: Storing and Structuring Data
    • Storing Threat Data
    • Threat Information Sharing
    • MISP as a Storage Platform
  • Analysis: Logical Fallacies and Cognitive Biases
    • Logical Fallacies
    • Cognitive Biases
    • Common Cyber Threat Intelligence Informal Fallacies
  • Analysis: Exploring Hypotheses
    • Analysis of Competing Hypotheses
    • Hypotheses Generation
    • Understanding and Identifying Knowledge Gaps
  • Analysis: Different Types of Analysis
    • Visual Analysis
    • Data Analysis
    • Temporal Analysis
  • Case Study: Panama Papers
  • Analysis: Clustering Intrusions
    • Style Guide
    • Names and Clustering Rules
    • ACH for Intrusions
    • Activity Groups and Diamond Model for Clusters
  • FOR578.5: Dissemination and Attribution
  • Developing IOCs in YARA
  • Working with STIX
  • Building a Campaign Heatmap
  • Analysis of Intelligence Reports
  • Building an Attribution Intelligence Model
Topics
  • Logical Fallacies and Cognitive Biases
    • Identifying and Defeating Bias
    • Logical Fallacies and Examples
    • Common Cyber Threat Intelligence Informal Fallacies
    • Cognitive Biases and Examples
  • Dissemination: Tactical
    • Understanding the Audience and Consumer
    • Threat Data Feeds and Their Limitations
    • YARA
    • YARA Concepts and Examples
  • Dissemination: Operational
    • Different Methods of Campaign Correlation
    • Understanding Perceived Adversary Intentions
    • Leveraging the Diamond Model for Campaign Analysis
    • STIX and TAXII
    • Government and Partner Collaboration
  • Dissemination: Strategic
    • Report Writing Pitfalls
    • Report Writing Best Practices
    • Different Types of Strategic Output
  • Case Study: APT10 and Cloud Hopper
  • A Specific Intelligence Requirement: Attribution
    • Identifying and Remedying New Intelligence Requirements
    • Tuning the Collection Management Framework
    • Types of Attribution
    • Building an Attribution Model
    • Conducting Attribution Assessments
  • Case Study: Lazarus Group
  • FOR578.6: Capstone