Aaron Shaha has over 15 years of experience in physical and network security within the Department of Defense. Most recently he has served as a technical director in the NSA/CSS Threat Operations Center (NTOC), leading a team of advanced cyber analysts charged with finding the most advanced cyber actors and malicious tools in network traffic. He holds a Master's in Security Engineering from SMU and was previously certified Adjunct Faculty teaching Network Based Intrusion Detection for the NTOC. Previous positions include supporting real-time cyber military integration operations and architecting a near real-time Distributed Denial of Service (DDoS) system. He has also been awarded the National Intelligence Award - Exceptional Achievement Medal (EAM) for Computer Network Exploitation (CNE) expertise and problem solving in support of a major operation for the Counterterrorism Production Center. The EAM “Recognizes a single exceptional contribution to the IC and the US; awarded on a very selective and limited basis.”
Cyber Threat Intelligence Analysis
This five (5)-day Instructor-Led Training (ILT) course teaches network defenders to collect, analyze and apply targeted cyber intelligence to defensive operations in order to proactively act on and adapt to sophisticated and dedicated attacks by cyber adversaries. As malicious software incorporates more advanced counter-detection techniques, the limited signature and heuristic analysis capabilities of anti-virus software and Intrusion Detection and Prevention Systems (IDS/IPS) become less and less effective. White-listing and sandboxing technologies have proven to mitigate many host-based attacks, but additional methodologies of analysis and attribution of known and unknown APT actors are needed to positively identify and prioritize the most formidable threats to the network. This course applies the Intelligence Cycle to the full-spectrum exercise of proactive network defense. It is intended as the core competency of Threat Intelligence operations and as the precursor to additional technical intelligence collection courses. It further serves to provide students with the all-source methodology of employing cyber collection sources and disciplines in a cumulative effort to apply to network defensive postures. When properly employed, this process fosters a cyber environment of preemptive action and provides network defenders and operators with an understanding of the tools, techniques and procedures (TTPs) needed to generate the timely and relevant intelligence that is required to preemptively apply network fortifications before compromise and to respond to cyber events in an expeditious manner.
Students will learn how to apply all-source cyber intelligence-informed operational methodologies, including proactive cyber analysis, to accurately identify risks from specific threats. This is delivered through method-driven instruction of Intelligence Analysis techniques taught by experienced Intelligence Community (IC) professionals. The instructors will teach the intelligence-driven operations cycle – data collection, exploitation, analysis, reporting and dissemination – to develop the student’s methods of identifying threats and assessing and prioritizing risk. Students will be introduced to cyber intelligence sourcing, risk management and assessment, indicators of compromise, application and assessment of adversarial profiles and TTPs to proactively defend networks.
The principal objective of this course is to equip network defenders, intelligence analysts, and other security operations personnel with a modern methodology for characterizing, investigating, attributing, and responding to advanced cyber threats in a collaborative, real-time environment. Students should expect to leave this course with proficiency in intelligence-driven network defense operations.
MODULES IN THIS COURSE:
Module 1 – The Art of Intelligence
Module 2 – Understanding Cyber Threat Intelligence
Module 3 – Cyber Threat Intelligence Planning & Requirements
Module 4 – Cyber Threat Intelligence Collection & Operations
Module 5 – Cyber Threat Intelligence Exploitation & Analysis
Module 6 – Cyber Threat Intelligence Reporting & Dissemination
Module 7 – Cyber Threat Intelligence Culmination Exercise
Individuals who are tasked with network defense, internal risk assessment or the analysis of cyber threats to their respective organization's network.
There are no required prerequisites for course attendance, but students will benefit from a working knowledge of network defenses and networking.
40 hours of course work, ideally delivered over 5 consecutive business days.
Course includes a certificate of attendance.
COURSE STRUCTURE/CONTENT OUTLINE
Module 1: The Art of Intelligence
- Lesson 1-1: What is Intelligence?
- Intelligence vs. Information
- The Intelligence Cycle: Refining Intelligence from Information
- Reducing Uncertainty
- Lesson 1-2: Bias and Cognition
- Cognitive Bias
- Logical Fallacies
- Cognition: Thinking About Thinking
Module 2: Understanding Cyber Threat Intelligence
- Lesson 2-1: Threat Intel, the adversaries and their TTPs
- Why Cyber Threat Intelligence?
- Contextual Cyber Threat Intelligence
- Know Thy Enemy: The Actors
- Hacking Methodology, Attack Vectors & Attack Cycle
- Lesson 2-2: Implementing TI for Proactive Network Defense
- The Reticle
- Threat Intelligence Informed Risk Management
- Reducing Risk and Outsmarting the Adversary with OODA
- Infinite Proactive Defense Loop
- Acting Upon Intelligence
Module 3: Cyber Threat Intelligence Planning and Requirements
- Lesson 3-1: Planning and Generating Requirements for Intelligence Operations
- Strategic and Operational Planning
- Tactical and Technical Planning
- Requirement Management
Module 4: Cyber Threat Intelligence Collection & Operations
- Lesson 4-1: Cyber Intelligence Collection Disciplines
- Developing a Collection Plan
- Open Source Intelligence (OSINT)
- Surface Web Searching
- Deep and Dark Web Searching
- Additional Intelligence Sources: Data and Malware
Module 5: Cyber Threat Intelligence Exploitation & Analysis
- Lesson 5-1: Exploitation and Processing
- Exploitative TTPs
- Indicators of Compromise
- Knowledge Bases and Data Feeds
- Lesson 5-2: The Fusing of Disciplines: Analyzing the Threat
- All-Source Aggregation
- Validation and Triage
- Structured Analytic Techniques
- Threat Profiles: Preparing to Report
Module 6: Reporting & Dissemination
- Lesson 6-1: Anatomy of a Report
- The Nature of Intelligence Reporting
- Reporting for Appropriate Dissemination
- Types of Cyber Threat Intelligence Reports
- Reporting Exercise
Module 7: Culmination Exercise
- Lesson 7-1: Completing the Cycle
- Post-Compromise Incident Response Guidance Report Exercise
Contact for Government rate
root9B reserves the right to cancel or change a class at any time for reasons including, but not limited to, lack of participation or classroom, equipment or trainer availability. All courses require a minimum of 6 attendees. Notification will be provided within 14 days of the class, whenever possible. Registrants will be issued a course voucher for the next available course in the event of a course cancellation. root9B is not liable for any direct, indirect, consequential or special damages that may be incurred due to a cancellation of a scheduled class, including, but not limited to, cancellation penalties for transportation or accommodations. The customer or student's sole remedy shall be a voucher for future training.
James McCarter is a Marine Corps Intelligence veteran and Senior Threat Intelligence Analyst at root9B. He is a recognized subject matter expert within the intelligence and law enforcement communities with extensive Intelligence Analysis, Signals Intelligence (SIGINT), digital and mobile device forensics, Site Exploitation, Digital Data Triage and curriculum development experience. For over 12 years, he has personally conducted live operations and instruction in the aforementioned disciplines and has developed dozens of industry standard certification course modules on various classified and non-classified forensics, intelligence collection and analysis systems for commercial, DoD and Law Enforcement personnel. Mr. McCarter has provided instruction internationally to hundreds of individuals in over 100 courses and has provided support to numerous national level intelligence and law enforcement entities as a Forensics Expert, SIGINT Support Team Leader and Intelligence Analyst. He has planned, developed and executed live exercises with comprehensive course curriculum in SIGINT Operations/Signals Theory, Digital Forensics and Cyber Intelligence Analysis to multiple commercial and operational DoD entities in both tactical and non-tactical settings. He holds Professional Certifications in Computer Forensics and Digital Investigations, Cybersecurity and Security Fundamentals from Champlain College, is a graduate in Korean studies from the Defense Language Institute (USMC), received his Bachelor’s degree from Excelsior College and is a member of numerous industry Cybersecurity and Intelligence associations.
I consider myself extremely fortunate to have been to this training.