THREAT ANALYST COURSE
This course takes a deep dive into threat analysis, threat intelligence, and attribution, with a focus on key ideas and best practices in cyber threat intelligence. It is intended to shed light on attribution methods and show how threat intelligence data should be handled. The course looks at the key elements of a threat group and demonstrates how Corsaire consultants use raw tactical intelligence, considering links and interconnections, to build a set of connected operations that corresponds to a threat actor group. Students will use structured analytical tools to understand the characteristics of contemporary cyber threats. They will observe real-world examples of research and pivoting and become familiar with a number of criteria to take into account when attributing related activities. The course also covers operational and strategic intelligence, which help ascertain the "who" and the "why" of an attack. The training defines key security jargon so that students can distinguish useful information from marketing fluff. Finally, students apply all the tools they have learned to decide, based on the available data and information, whether to graduate a group or cluster it with other group activity, grading and appropriately attributing groups as required to receive CTAP certification or renewal.
Organizations frequently make the error of assuming that the default configurations of detection and response products will offer reliable defense against even the most sophisticated threats. Although there are numerous effective solutions available, all of them have flaws that a knowledgeable adversary might exploit, as experienced detection engineers and red team operators are well aware. To have an effective response capability, a mature security program must regularly test and improve its product detection setups. Unfortunately, organizations frequently run into a number of drawbacks because they do not understand the following: the attack tactic itself, the telemetry employed in each detection, and the efficacy of the detection.
The result is often blind spots within the detection and response capabilities, an ineffective detection strategy, and a false sense of security in the organization's ability to respond to advanced threat actors. When simulating sophisticated attacks, red team operators need to truly understand how a given technique works, the telemetry and artifacts it generates, and the strategies and biases a defender might use to detect it. Understanding how organizations may respond to attackers is crucial in red team attack planning, technique selection, and evasion.
In the Threat Analyst Course, one section will present and apply a general tradecraft analysis methodology for offensive TTPs, focused on Windows components. We will discuss Windows attack techniques and learn to deconstruct how they work underneath the hood. For various techniques, we will identify the layers of telemetry sources and learn to understand potential detection choke points. Finally, the course will culminate with students creating their own technique evasion and detection strategy. You will be able to use the knowledge gained to both use your telemetry to create robust detection coverage across your organization, and truly assess the efficacy of that coverage.
Whether you are a red team operator or a detection engineer, you will leave with a comprehensive understanding of several attack chains. Red team operators will learn an approach to analyzing their own tools, gain a better understanding of which techniques to select to evade detection, and be able to better explain to defenders why an evasion was successful. Detection engineers will understand how to craft a strategy for creating robust detections and better detecting families of attacks.
Learning objectives
After completing this course, learners should be able to:
- State what cyber intelligence is and why it matters
- Describe how attackers plan, prepare, and execute campaigns against victims
- Identify key analytic tools that add value to your security environment
- Tailor communication to the needs of key stakeholders to drive decision advantage
- Understand various definitions of threat intelligence and attribution
- Distinguish between tactical, operational and strategic threat intelligence
- Use tactical intelligence in the early stages of a cyber attack to evaluate data and correctly identify indicators that can be grouped into a set of related activity and attributed to a threat group
- Gain insight into common errors that can occur when analyzing common forensic artifacts and interpreting information presented from various sources
- Examine operational and strategic intelligence to determine the attribution and sponsorship of an attack operation
- Understand how attribution analysis can provide crucial context to threat activity that enables more informed decisions and improved resource allocation
- Understand why attributing cyber operations to a threat group can have significant implications — and even affect geopolitical dynamics
Who should attend
Cyber intelligence analysts, cyber threat analysts, security analysts, penetration testers, and anyone looking for a short introduction to cyber intelligence analysis.
Prerequisites
A practical knowledge of information security fundamentals.
A general awareness of threat intelligence and indicators of compromise (IoCs).
It would be advantageous but not necessary to have prior experience performing forensic analysis, network traffic analysis, log analysis, security assessments and penetration testing, security architecture, and system administration tasks.
Delivery method
In-classroom instructor-led training
Duration
5-6 days (in-person delivery)