Time: 3 hours 1 minute
Difficulty: Advanced
CEU/CPE: 3

Video Description

A Breakdown of the Course

This course takes up where the Introduction to Cyber Threat Intelligence course (January 2017) left off. Participants are advised to view that introductory course before starting this advanced one. In this introductory lesson, the instructor gives a breakdown of the course as follows:

  • Module 1: The Threat Intelligence Model
  • Module 2: Campaigns and Open-Source Threat Intelligence
  • Module 3: Sharing Operational Threat Intelligence

Video Transcription

00:04
Hello, Cybrarians.
00:05
My name is Dean Pompilio,
00:07
otherwise known as polymath.
00:10
I'd like to welcome you to the Advanced Cyber Threat Intelligence Course.
00:15
Some of you may recall that I produced an Introduction to Cyber Threat Intelligence course back in early 2017.
00:23
Now, if you haven't watched the introductory course, I urge you to stop watching this course and go watch the introductory course.
00:32
That's important because there are several concepts and principles that were described and detailed in that course that help build the information and knowledge that you need in order to tackle the advanced course. We're going to delve in more detail into some of these topics
00:47
and look at some different tools and such. And it's better to have that background foundation already in place.
00:54
That being said,
00:56
I hope you'll enjoy this Advanced Cyber Threat Intelligence course, or CTI.
01:00
We're going to cover quite a, uh,
01:03
few different topics, and we'll look at some different online resources, tools, websites,
01:08
and give the practitioner a better understanding of how to integrate this capability within their organization or, if it's already there, how to improve upon
01:19
the existing infrastructure.
01:23
So the first model that we'll get into is the Cyber Threat
01:26
Intelligence Maturity Model.
01:30
You can see this has five levels, starting at zero, where you don't know what you're doing yet, moving up to level one, where you've got some experience and you've got a little bit of information to work with.
01:42
Then getting to level two, where the capacity for cyber threat intelligence will be expected to expand.
01:49
And this is something that should be anticipated and managed by the analyst.
01:57
Because as the organization begins to
02:00
reap the benefit of increased monitoring and improved incident response,
02:06
getting better threat feeds and so on,
02:08
inevitably there will be areas of the organization that would, uh,
02:13
that would require this kind of interaction that may not already be getting that benefit.
02:20
Once the program exists at level three,
02:23
then the organization has probably staffed all of the appropriate roles
02:28
and the responsibilities have been well defined, so that the analysts can
02:32
understand their job functions very well.
02:36
And, uh,
02:37
perhaps the reporting structure is already well established,
02:42
and other pieces of infrastructure have been integrated well enough with CTI so that you could move to the last step, which is when the program becomes stable.
02:51
When it's stable, then that means everybody's doing their jobs and you're getting repeatable results
02:57
with actionable intelligence that the organization can then consume and make the appropriate actions. The next module deals with campaigns as they relate to open source threat intelligence.
03:09
So we'll spend some time describing what it means to do pivoting. In a general concept, it can be done in lots of different ways: pivoting off a domain name, pivoting off a piece of malware,
03:22
pivoting off a compromised system. These are all different,
03:27
uh, characteristics of the pivoting concept.
03:30
We'll also look a little bit at what your adversary infrastructure might look like
03:36
and how you can learn appropriate details
03:39
in order to better defend against
03:42
various forms of attack.
03:45
We'll look a little bit at VirusTotal
03:49
and other aspects of malware as it relates to
03:52
open source intelligence.
03:54
There are a lot of great resources available, many of them are free,
03:58
and this could certainly help the analyst
04:00
be able to better understand how they're being affected by malware that's in the wild, so to speak.
04:08
We'll spend a little bit of time also
04:10
on the visualization of the data that's being gathered.
04:14
Anything from using something simple, like a spreadsheet,
04:17
or more advanced tools, which we covered in the introductory course, such as Maltego.
04:24
So we will revisit Maltego and see some of its capabilities as it relates to visualization.
04:31
We'll dive into the concept of campaigns.
04:35
How do you describe the campaign? What characteristics does it have?
04:40
The tactics, techniques and procedures of your adversary should be understood. We'll get into why that's important as well. Even the naming of a campaign and proper documentation.
04:51
We'll see how that's important, because that information may need to be searchable at a later date, and you want to be able to
04:58
use descriptive terminology that is consistent within your organization.
05:04
Like any, uh,
05:06
large scale effort, there will inevitably be some sort of metrics involved.
05:13
The metrics can provide great information to people higher up on the chain, the decision makers
05:18
trying to give them an understanding of whether or not the effort is being effective. If the money
05:25
the funds have been expended for the CTI program, are they
05:29
well spent? Are they getting, you know, some expected benefit from that
05:32
and we'll talk a little bit about the heat maps as another tool to
05:38
convey this information in an easily understood manner.
05:44
The last module deals with sharing the threat intelligence information
05:48
in the context of operations.
05:53
This deals also with where the information is stored.
05:57
Several different vendors
05:59
have their online product suites,
06:01
and the information may be stored with them or be stored with the customer. There could be a balance of those two capabilities as well.
06:10
So how do you manage those storage requirements?
06:13
Not only in terms of capacity, but in terms of access controls and
06:18
other things like
06:20
protecting confidentiality with encryption and so on.
06:25
Then we'll move on to tactical sharing,
06:29
which, in a nutshell, is describing who needs the information and what is their need to know, what is their right to know.
06:35
So trying
06:38
to understand the balance between producers of intel and the consumers of intel.
06:43
We'll get into AA Jara a little bit
06:45
as well as some other technologies and methodologies. A little bit later,
06:49
Uh, within the sharing of information within your operations,
06:55
we can also think about who the organization is partnered with, who they are collaborating with.
07:00
Is the government potentially involved?
07:04
Or maybe you're already working for the government and you're trying to better understand
07:10
the protocols or methodologies that are expected to be in use.
07:14
We'll get a little bit into CybOX, STIX and TAXII. I'll talk more about what that is later,
07:18
and that gives a better overall feel for
07:24
some of the sharing concepts.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor