About This Course

The "Godfather of Threat Intelligence" delivers the definitive course on Cyber Threat Intelligence. 

The course draws on real-world "war stories" from hunting, analyzing, and disrupting the world's worst cyber threats. Through guided reading across many domains and historical periods, together with practical exercises, it imparts the wisdom and lessons learned from a career in the trenches.

Not just for "intelligence" anymore. This course gives any cybersecurity professional the expertise to understand cyber threats at a deeper level and to apply that knowledge to prevent, protect against, detect, and mitigate cyber threats to any organization. It is for any cybersecurity role, including security operations personnel, pentesters, auditors, cybersecurity managers, forensics analysts, security architects, security administrators, and many others.

This is not an "introductory survey" but a deep and comprehensive examination, designed to benefit everyone from the newest student to the most experienced practitioner.

Who Should Take This Course?

  • Cybersecurity practitioners or students who want to learn how to apply Threat Intelligence to their domain
  • Existing Threat Intelligence professionals who want to dive deeper into tradecraft and practice
  • Anyone who wants to start or expand their career into Threat Intelligence and intrusion analysis


Learning Objectives

  • Find, evaluate, and integrate threat intelligence sources which measurably improve defense
  • Produce world-class threat intelligence from public and private data sources
  • Use wisdom and lessons from both modern and ancient case studies to apply elements of intelligence across cybersecurity
  • Disseminate threat intelligence and threat findings so decision-makers pay attention and take action
  • Apply traditional and modern models including the Diamond Model, Cyber Kill Chain, F3EAD, the Intelligence Cycle, OODA, MITRE ATT&CK and others
  • Hunt for previously unknown threats
  • Logically assess and criticize threat intelligence from any source and improve your own
  • Associate and attribute cyber threats to adversaries and other groups


Time Commitment

This course requires over 80 hours, including readings, research, exercises, lectures, and exams. It is taught in a traditional graduate-school style, using readings and lectures to bring the student along on the knowledge journey. This course is not a "40-hour firehose" but is instead designed to instill lifelong knowledge and understanding.


Outcome

The course concludes with a rigorous final exam requiring a grade of 70% or better to pass. A passing grade certifies the student in Threat Intelligence and earns an associated certificate.

The course material and exam are available to students for 120 days after enrollment.

Special First Offering with Live Lectures

Starting November 2, 2020, we're offering this course in a semi-live format. You'll be led through the material chapter by chapter, allowing you time to absorb it. Each chapter will be followed by a 90-minute live session with your instructor, Sergio Caltagirone, who will present a special lecture on the chapter topics and answer your questions. This will be the only time live lectures are part of the course. Lectures will be recorded and made available to future students.

Chapters 1-4 Available Now!

18 Dec 2020: Live Special Topics Lecture

19 Dec 2020: Chapter 5 Material Available

15 Jan 2021: Live Special Topics Lecture

16 Jan 2021: Chapter 6 Material Available

12 Feb 2021: Live Special Topics Lecture

13 Feb 2021: Chapter 7 Material Available

5 March 2021: Live Special Topics Lecture

6 March 2021: Chapter 8 & 9 Material Available

12 March 2021: Final Special Topics Lecture

Instructor

Lead Instructor

Sergio Caltagirone

Sergio Caltagirone has been called the "Godfather of Threat Intelligence," having built over a dozen threat intelligence teams in both the public and private sectors and led the development of threat intelligence worldwide with hundreds of publications and presentations. He co-created the Diamond Model of Intrusion Analysis, helping thousands of others bring more pain to adversaries by strengthening hunters and analysts. He spent 9 years at the US National Security Agency as its lead threat intelligence analyst, hunting and tracking the world's most sophisticated threats. He left NSA to build Microsoft's threat intelligence capability and practice, protecting over 1 billion customers from cyber threats. Now Sergio leads the world's only dedicated industrial control system threat intelligence team at Dragos, protecting electric power grids, water systems, oil and gas plants, and manufacturing worldwide. He furthers several humanitarian goals through membership on the International Committee of the Red Cross cybersecurity experts committee and by serving as Technical Director for the Global Emancipation Network, combating human trafficking on the internet globally.

Course curriculum

  • 2

    Introduction to Threat Intelligence

    • Overview

    • Traditional Intelligence

    • READ: "Art of War XIII: The Use of Spies" by Sun Tzu

    • OPTIONAL: Read Kim by Rudyard Kipling

    • READ: "The Origins of Modern Intelligence, Surveillance, and Reconnaissance" by Finnegan 2009

    • OPTIONAL: Read Tinker, Tailor, Soldier, Spy by John le Carré

    • Intelligence Tradecraft

    • OPTIONAL: Read "Intelligence in War: It Can Be Decisive" by Gregory Elder 2006

    • READ: "Successful Leaders Employ Strategic Intelligence" by Maccoby 2001

    • Intelligence Uses

    • OPTIONAL: Read "Clausewitz's Contempt for Intelligence" by Rosello 1991

    • OPTIONAL: Read "The Joint Intelligence Process," pp. I-5 through I-22 in Joint Publication 2-0 "Joint Intelligence"

    • READ: "Intelligence Concepts — The Intelligence Cycle" by Scott Roberts

    • READ: Intelligence-Driven Incident Response pp. 17-22 "Intelligence Cycle"

    • The Intelligence Cycle

    • READ: Source and Information Reliability

    • READ: Intelligence-Driven Incident Response "Sources and Methods" pp. 11-13

    • READ: ELINT

    • READ: FM 2-22.3 Appendix B Pages 285-286 "Source and Information Reliability Matrix"

    • Intelligence Sources

    • Intelligence Coordination

    • Defining Cyber Threat Intelligence

    • History of Cyber Threat Intelligence

    • OPTIONAL: Read "Computer Security Threat Monitoring and Surveillance" by James Anderson 1980

    • WATCH: The World's First Cyber Crime: The Morris Worm

    • WATCH: The KGB, the Computer and Me

    • READ: "An Evening with Berferd" by Bill Cheswick 1991

    • WATCH: Tsutomu Shimomura Interview

    • WATCH: Back to the Future - Moonlight Maze

    • READ: "The Invasion of the Chinese Cyberspies" by Nathan Thornburgh via Time Magazine 2005

    • WATCH: Cracking Stuxnet, a 21st-Century Cyber Weapon by Ralph Langner via TED

    • READ: Mandiant's APT1 Report

    • WATCH: Mandiant APT1 China Hackers Report with Richard Bejtlich 2013

    • Live: Analyzing the Historic Mandiant APT1 Report

    • CTI Introduction Quiz

  • 3

    Malicious Activity

    • READ: Intelligence-Driven Incident Response Chapters 1-5

    • Threat Naming Intro

    • Cyber Threat Actors

    • READ: Private Threat Actors for Hire

    • Cyber Threat Actor Motivations Part 1

    • Read: Florentine Banker Group

    • WATCH: The World's First Cyber Crime: The Morris Worm

    • WATCH: John Draper Explains the Captain Crunch Whistle and Phreaking

    • Cyber Threat Actor Motivations Part 2

    • READ: Double Dragon: APT41, a Dual Espionage and Cyber Crime Operation

    • WATCH: Syrian Electronic Army: Their Methods and Your Responses

    • False Flags, Covert and Clandestine Cyber Operations

    • READ: Russian Hacker False Flags Work—Even After They're Exposed by Andy Greenberg via Wired

    • Insider Threats

    • READ: The Insider Threat: An Introduction to Detecting and Deterring an Insider Spy

    • READ: Ten Tales of Betrayal: The Threat to Corporate Infrastructures by Information Technology Insiders, Analysis and Observations

    • READ: How a Secret Dutch Mole Aided the U.S.-Israeli Stuxnet Cyberattack on Iran

    • Diamond Model of Intrusion Analysis Overview

    • Diamond Model Details

    • READ: The Diamond Model of Intrusion Analysis (paper)

    • Cyber Kill Chain

    • READ: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains

    • WATCH: Using an Expanded Cyber Kill Chain Model to Increase Attack Resiliency

    • MITRE ATT&CK

    • READ: MITRE ATT&CK: Design and Philosophy

    • WATCH: Putting MITRE ATT&CK™ into Action with What You Have, Where You Are, presented by Katie Nickels

    • Preparation

    • READ: Reconnaissance: A Walkthrough of the "APT" Intelligence Gathering Process by Rotem Kerner

    • Initial Phases Part 1

    • Initial Phases Part 2

    • READ: Cyber Espionage & Strategic Web Compromises – Trusted Websites Serving Dangerous Results by Ned Moran and Steven Adair 2018

    • READ: Breaking Trust: Shades of Crisis Across an Insecure Software Supply Chain

    • READ: Reflections on Trusting Trust by Ken Thompson

    • READ: Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record

    • Operational Phases

    • WATCH: Attack Tutorial Pass-the-Hash Attack Using Mimikatz

    • READ: Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic

    • WATCH: TEMPEST: BBC Report on Van Eck Phreaking

    • Action Phases

    • WATCH: Ransomware

    • Exercise: Analyzing an Enterprise Cyber Incident

    • Industrial Control System (ICS) Attacks

    • Industrial Control System (ICS) Attacks Part 2

    • WATCH: The Stuxnet Story: What Really Happened at Natanz

    • WATCH: Mike Assante - Analysis of the Attack on the Ukrainian Power Grid

    • WATCH: Hackers Manipulate Controls at Electric Distribution Substation in Ukraine 2015

    • CTI Chapter 3 Quiz

  • 4

    Intelligence Customers, Requirements, and Direction

    • Threat Intelligence Customers

    • Mission and Risk Analysis for Intelligence Analysts

    • READ: ISO 31000:2018 Risk Management

    • READ: ISO 31010:2019 Risk Assessment Techniques

    • Requirements Gathering

    • READ: A Fresh Look at Intelligence Requirements by Clyde R. Heffter (1995)

    • Turning Requirements into Hypotheses

    • Exercise: Turning Requirements into Hypotheses

    • Customer Cohesion

    • READ: "Getting to Know the President: Intelligence Briefings of Presidential Candidates, 1952-2012" (3rd ed.), about the PDB process

    • CTI Customers, Requirements, and Direction Quiz

    • Live! Chapter 4 Special Topics and Q&A Session

  • 5

    Intelligence Collection and Processing

    • Threat Intelligence Data

    • Fourth Party Collection Resources

    • OSINT

    • WATCH: Cognitive Bias and Critical Thinking in Open Source Intelligence (OSINT)

    • How to Use Shodan

    • Honeypots and Deception

    • Exercise: Find Badness Online

    • Integrating Threat Intelligence in a Security Operations Center

    • Internal Collection

    • WATCH: Guide to key Windows 10 event logs you need to monitor

    • Threat Hunting with Windows Event IDs

    • Additional Windows Host Security Resources

    • Anti-Forensics for Fun and Privacy by Alissa Gilbert

    • Metadata for Improved Forensics

    • Exercise: Network Anomaly Detection

    • Malicious Capability (Malware) Collection

    • Dynamic Malware Analysis

    • Basic Static Malware Analysis

    • Recommended Malware Analysis Resources

    • Internet Infrastructure Collection

    • Exercise: Passive DNS Hunting

    • Integrating External Threat Intelligence

    • Building a Collection Strategy

    • Data Storage and Processing

    • Exercise: Data Splunking

    • Test your learning

    • Live Special Topics Lecture: Chapter 5

  • 6

    Threat Intelligence Analysis

    • Logic for Analysts

    • Bias

    • Exercise: Find the Fallacy!

    • Threat Intelligence Quality

    • Threat Intelligence Confidence

    • Hypothesis-Driven Analysis

    • Diamond Model of Intrusion Analysis

    • Exercise: Map an Attack

    • Structured Analysis Models

    • Exercise: Alternative Competing Hypotheses

    • Attribution

    • Exercise: Exploring Attribution

    • Documenting and Managing Analysis

    • Exercise: Documenting Analysis Using MISP

    • Ethics for Analysts

    • Writing for Analysts

    • Presentation for Analysts

    • Evaluating Threat Intelligence

    • Exercise: Evaluate Threat Intelligence

    • Test your learning

    • Live Special Topics Lecture: Chapter 6

  • 7

    Intelligence Dissemination, Usage, and Feedback

    • Classification, Protection, and TLP

    • Dissemination

    • Intelligence for Architecture and Visibility

    • Intelligence for Policy and Compliance

    • Intelligence for Risk Analysis

    • Intelligence for Threat Modeling

    • Intelligence for Security Operations

    • Intelligence for Detection

    • WATCH: Threat Indications and Warning in Principle & Practice

    • Intelligence for Threat Hunting

    • Exercise: Build a Visibility and Detection Strategy

    • Intelligence for Incident Response

    • Disrupting Cyber Threats

    • Exercise: Build Disruption Plan

    • Intelligence for Executives

    • READ: The President's Daily Brief: Delivering Intelligence to Nixon and Ford

    • Working with Press and Journalists

    • Measuring Success

    • Gathering and Using Customer Feedback

    • Test your learning

    • Live Special Topics Lecture: Chapter 7

  • 8

    Building and Growing an Intelligence Function

    • Intelligence Maturity Scale

    • Collaboration and Sharing

    • Building an Intelligence Function and Team

    • Legal Considerations in Threat Intelligence

    • Selecting an Intelligence Vendor

    • Exercise: Evaluate and Select an Intelligence Vendor

    • CTI Building and Growing Intel Function Quiz

    • Live Special Topics Lecture: Chapter 8

  • 9

    Before you go

    • Congrats! Here's what's next...

    • More resources for you

    • Before you go...

Materials

This course requires some external resources that the student should obtain before starting.

Required

These resources are required to complete the course.

Intelligence-Driven Incident Response by Scott Roberts and Rebekah Brown 

Threat Intelligence and Me by Robert M. Lee 

Threat Intelligence Handbook, 2nd ed. by Recorded Future (Free download)

Recommended

These resources are highly recommended by the instructor but are not required.

Tinker, Tailor, Soldier, Spy by John le Carré 

Red Team: How to Succeed by Thinking Like the Enemy by Micah Zenko