About the course

Modern cybersecurity would not be where it is today without threat intelligence (TI). TI lies at the heart of any effective IS solution, enriching it with data and information from previously hidden areas of the Internet. By monitoring dark corners such as hacker forums and the dark web, TI analysts are able to see the bigger picture and attribute criminal behaviour more accurately.

Group-IB’s Threat Intelligence Analyst course teaches how to collect actionable intel from all types of sources, both public and closed, and how to interpret that data and spot signs that an attack is being prepared. As with all Group-IB courses, lessons include practical exercises based on real cases handled by the company’s TI team. This approach was chosen to ensure that participants can immediately apply what they learn in their day-to-day activities.

Key topics covered:

  • Overview of the threat intelligence field
  • TI cycle and the three data levels
  • TI use cases for security operations
  • Threat modeling: PASTA, DEAD, VERIS, etc.
  • Attack modeling: cyber kill chain, MITRE ATT&CK models and ATT&CK Navigator
  • Processing of IoCs
  • CTI tools, standards and TIPs
  • Data sources and collection techniques
  • Group-IB TI practice

Skills acquired:

  • Understanding threat intelligence
  • Collecting relevant data
  • Improved detection and threat modeling using TI

Target participants:

  • Technical specialists with experience in IS
  • Information security specialists
  • SOC/CERT employees

Requirements:

  • A basic understanding of threat intelligence
  • Some experience in the field of cybersecurity and CTI

Course program

Day 1

Format: theory, demonstration, practice

To understand and interpret threat intelligence data accurately, TI analysts must thoroughly understand the threat landscape. That is why the first part of the day is dedicated to a discussion about current cybercrime trends, recent attacks, popular schemes, and the TTPs threat actors use. Participants then learn how to identify the specific trends that are targeting (or could target) their company.

Attendees are then introduced to the fundamentals of CTI: the CTI cycle, the three levels of data, and the key role of threat intelligence in defense operations and OPSEC.

The next part of the training is built around the three-data-layer model.

Threat modeling approaches (including a review of the PASTA, DEAD, and VERIS standards) and attacker profiling are discussed as the strategic data layer.

Afterwards, we discuss the next level of CTI data, namely operational data. During this part, participants are introduced to two attack modeling approaches: MITRE ATT&CK and the cyber kill chain. These frameworks help specialists structure information about attacks and respond promptly to ongoing incidents.

Day 2

Format: theory, demonstration, practice

Day two starts with an overview of the tactical level of CTI data and IoC processing.

A significant part of intelligence gathering entails analyzing public sources. Instructors share tips and best practices for collecting, processing, and verifying IoCs, as well as information on relevant threats from open-source resources, documents, and more.

The last (and arguably most exciting) part of the day is the hands-on practice. Participants are given a first-hand look at the Group-IB Threat Intelligence system and have the opportunity to use it. Attendees complete exercises and work with reports and other resources to detect IoCs that are relevant to their company.

Afterwards, participants are introduced to the practical application of TI, specifically how to use the system to hunt for threats and protect network security. They are also shown how to detect leaks and other compromised data early, how to counteract, block, and investigate phishing attacks, and how to monitor for and block instances of brand abuse.