A Uniquely Trained Security Force

Cyber Threat Intelligence Analysis

Course Description

This five (5)-day Instructor-Led Training (ILT) course teaches network defenders to collect, analyze and apply targeted cyber intelligence to defensive operations in order to proactively act on and adapt to sophisticated and dedicated attacks by cyber adversaries. As malicious software incorporates more advanced counter-detection techniques, the limited signature and heuristic analysis capabilities of anti-virus software and Intrusion Detection and Prevention Systems (IDS/IPS) become less and less effective. White-listing and sandboxing technologies have proven to mitigate many host-based attacks, but additional methodologies of analysis and attribution of known and unknown APT actors are needed to positively identify and prioritize the most formidable threats to the network. This course applies the Intelligence Cycle to the full-spectrum exercise of proactive network defense. It is intended as the core competency of Threat Intelligence operations and as the precursor to additional technical intelligence collection courses. It further serves to provide students with the all-source methodology of employing cyber collection sources and disciplines in a cumulative effort to apply to network defensive postures. When properly employed, this process fosters a cyber environment of preemptive action and provides network defenders and operators with an understanding of the tools, techniques and procedures (TTPs) needed to generate the timely and relevant intelligence that is required to preemptively apply network fortifications before compromise and to respond to cyber events in an expeditious manner.


Students will learn how to apply all-source cyber intelligence-informed operational methodologies, including proactive cyber analysis, to accurately identify risks from specific threats. This is delivered through method-driven instruction of Intelligence Analysis techniques taught by experienced Intelligence Community (IC) professionals. The instructors will teach the intelligence-driven operations cycle – data collection, exploitation, analysis, reporting and dissemination – to develop the student’s methods of identifying threats and assessing and prioritizing risk. Students will be introduced to cyber intelligence sourcing, risk management and assessment, indicators of compromise, application and assessment of adversarial profiles and TTPs to proactively defend networks.

The principal objective of this course is to equip network defenders, intelligence analysts, and other security operations personnel with a modern methodology for characterizing, investigating, attributing, and responding to advanced cyber threats in a collaborative, real-time environment. Students should expect to leave this course with proficiency in intelligence-driven network defense operations.


Module 1 – The Art of Intelligence

Module 2 – Understanding Cyber Threat Intelligence

Module 3 – Cyber Threat Intelligence Planning & Requirements

Module 4 – Cyber Threat Intelligence Collection & Operations

Module 5 – Cyber Threat Intelligence Exploitation & Analysis

Module 6 – Cyber Threat Intelligence Reporting & Dissemination

Module 7 – Cyber Threat Intelligence Culmination Exercise


Individuals who are tasked with network defense, internal risk assessment or the analysis of cyber threats to their respective organization's network.


There are no required prerequisites for course attendance, but students will benefit from possessing a relative working knowledge of network defenses and networking.


40 hours of course work, ideally delivered over 5 consecutive business days of a week.


Course includes a certificate of attendance.


Module 1: The Art of Intelligence

  • Lesson 1-1: What is Intelligence?
    • Intelligence vs. Information
    • The Intelligence Cycle: Refining Intelligence from Information
    • Reducing Uncertainty
  • Lesson 1-2: Bias and Cognition
    • Cognitive Bias
    • Logical Fallacies
    • Cognition: Thinking About Thinking

Module 2: Understanding Cyber Threat Intelligence

  • Lesson 2-1: Threat Intel, the adversaries and their TTPs
    • Why Cyber Threat Intelligence?
    • Contextual Cyber Threat Intelligence
    • Know Thy Enemy: The Actors
    • Hacking Methodology, Attack Vectors & Attack Cycle
  • Lesson 2-2: Implementing TI for Proactive Network Defense
    • The Reticle
    • Threat Intelligence Informed Risk Management
    • Reducing Risk and Outsmarting the Adversary with OODA
    • Infinite Proactive Defense Loop
    • Acting Upon Intelligence

Module 3: Cyber Threat Intelligence Planning and Requirements

  • Lesson 3-1: Planning and Generating Requirements for Intelligence Operations
    • Strategic and Operational Planning
    • Tactical and Technical Planning
    • Requirement Management

Module 4: Cyber Threat Intelligence Collection & Operations

  • Lesson 4-1: Cyber Intelligence Collection Disciplines
    • Developing a Collection Plan
    • Open Source Intelligence (OSINT)
    • Surface Web Searching
    • Deep and Dark Web Searching
    • Additional Intelligence Sources: Data and Malware

Module 5: Cyber Threat Intelligence Exploitation & Analysis

  • Lesson 5-1: Exploitation and Processing
    • Exploitative TTPs
    • Indicators of Compromise
    • Knowledge bases and Data Feeds
  • Lesson 5-2: The Fusing of Disciplines: Analyzing the Threat
    • All-Source Aggregation
    • Validation and Triage
    • Structured Analytic Techniques
    • Threat Profiles: Preparing to Report

Module 6: Reporting & Dissemination

  • Lesson 6-1: Anatomy of a Report
    • The Nature of Intelligence Reporting
    • Reporting for Appropriate Dissemination
    • Types of Cyber Threat Intelligence Reports
    • Reporting Exercise

Module 7: Culmination Exercise

  • Lesson 7-1: Completing the Cycle
    • Post-Compromise Incident Response Guidance Report Exercise

PRICE: $4,600

Contact for Government rate

root9B reserves the right to cancel or change a class at any time, including but not limited to, lack of participation, classroom, equipment or trainer availability. All courses require a minimum of 6 attendees. Notification will be provided within 14 days of the class, whenever possible. Registrants will be issued a course voucher for the next available course in the event of a course cancellation. root9B is not liable for any direct, or indirect, consequential or special damages that may be incurred due to a cancellation of a scheduled class, including, but not limited to, cancellation penalties for transportation or accommodations. The customer or student's sole remedy shall be a voucher for future training.

Dates & Locations

January 8, 2018
Honolulu, HI
February 12, 2018
San Antonio, TX
May 21, 2018
Colorado Springs, CO
July 9, 2018
Honolulu, HI
July 16, 2018
San Antonio, TX
August 13, 2018
Annapolis Junction, MD
October 1, 2018
San Antonio, TX
November 5, 2018
Annapolis Junction, MD
November 26, 2018
Honolulu, HI
December 17, 2018
Colorado Springs, CO

I consider myself extremely fortunate to have been to this training.