• +45-23 28 11 42
  • info@scc-eu.dk



This post is also available in: enEnglish


Duration : 50 Hours


The Threat Intelligence course will equip network defenders, threat hunting teams, and incident responders with the skills to better understand threat intelligence on a strategic and operational level. The program will prepare students for the collection, classification and exploitation of knowledge about adversaries, and the ways to monitor new and evolving threats. Cyber threat intelligence focuses on the flexible human threats with empowered and trained human factors.

The course will enable participants to make better security teams, threat hunting more accurate, incident response more effective, and organizations more aware of the evolving threat landscape.


  • Understand and develop skills in tactical, operational, and strategic level threat intelligence
  • Generate threat intelligence to detect, respond to, and threats
  • Validate information received from other organizations to minimize resource expenditures on bad intelligence
  • Leverage open-source intelligence to complement your security team.

Pre- requisites

Experience in incident response and information security techniques.

Course Outline

Understanding Intelligence

  • Intelligence Lexicon and Definitions
  • Traditional Intelligence Cycle
  • Sherman Kent and Intelligence Tradecraft

Understanding Cyber Threat Intelligence

  • Defining Threats
  • Understanding Risk
  • Cyber Threat Intelligence and Its Role
  • The Expectation of Organizations and Analysts
  • Indicators of Compromise

Tactical Threat Intelligence Introduction

  • The Role of a Tactical Threat Intelligence Analyst
  • Expected Skills and Tradecraft
  • The Kill Chain and Intrusion Analysis
  • The Indicator Lifecycle

Operational Threat Intelligence Introduction

  • The Role of an Operational Threat Intelligence Analyst
  • The Need for Information Sharing and Peers
  • Models and Methods for Managing Intelligence
  • The Diamond Model
  • Campaigns and Threat Actors

Strategic Threat Intelligence Introduction

  • The Role of a Strategic Threat Intelligence Analyst
  • Threat Modeling
  • Organizational Change and Security Posturing
  • Event Recording and Incident Sharing (VERIS)

Kill Chain Courses of Action

  • Passively Discovering Activity in Historical Data and Logs
  • Detecting Future Threat Actions and Capabilities
  • Denying Access to Threats
  • Delaying and Degrading Adversary Tactics and Malware

Tactical Threat Intelligence Requirements

  • Preparing Your Organization for Threat Intelligence
  • The Role of Logs, Packet Capture, and Other Data Sources
  • Keys to Success with Technology and Security Products

Kill Chain Deep Dive

  • Scenario Introduction
  • Notification of Malicious Activity
  • Pivoting Off of a Single Indicator to Discover Adversary Activity
  • Identifying and Categorizing Malicious Actions
  • Using Network and Host-Based Data
  • Interacting with Incident Response Teams
  • Interacting with Malware Reverse Engineers
  • Effectively Leveraging Requests for Information

Handling Multiple Kill Chains

  • Identifying Different Simultaneous Intrusions
  • Managing and Constructing Multiple Kill Chains
  • Linking Related Intrusions

Pivoting to Open-Source Intelligence

  • Data Pivoting
  • Most Pivotable Indicators
  • Maltego and Data Transforms
  • Enriching Internal Data

OSINT Pivoting, Link Analysis, and Domains

  • Utilizing Temporal Analysis to Validate OSINT
  • Adversary Infrastructure Identification

OSINT From Malware

  • VirusTotal Uses and Limitations
  • Malware Configuration Data Analysis

Intelligence Aggregation and Data Visualization

  • Common Cyber Threat Intelligence Analytical Mistakes
  • Maltego and Casefile Data Visualization

Defining Campaigns

  • Key Indicators and Campaign Identification
  • Behavioral Tactics, Techniques, and Procedures
  • Campaign Naming and Identification

Communicating About Campaigns

  • Incident One-Sliders and Metrics
  • Developing Campaign Heatmaps
  • Communicating to Executives about Cyber Threat Intelligence

Storing Threat Intelligence

  • Storing Platform Considerations
  • Best Practices for Managing Intelligence
  • Malware Information Sharing Platform
  • Professional Tools and ThreatConnect

Sharing: Tactical

  • Understanding the Audience and Consumer
  • Threat Data Feeds and Their Limitations
  • YARA
  • Advanced YARA Concepts and Examples

Sharing: Operational

  • Partners and Collaboration
  • Government Intelligence Sharing
  • Traffic Light Protocol Standard
  • Information Sharing and Analysis Centers
  • CybOX, STIX, and TAXII
  • STIX Elements and Projects
  • TAXII Implementations

Sharing: Strategic

  • Making the Business Case for Security
  • Expectations of Executives and Decision-makers
  • Threat Intelligence Reports
  • Estimative Language
  • Confidence Assessments
  • Tips on Effective Report Writing
  • Critical Evaluating Intelligence Reports

Logical Fallacies and Cognitive Biases

  • Identifying and Defeating Bias
  • Logical Fallacies and Examples
  • Common Cyber Threat Intelligence Informal Fallacies
  • Cognitive Biases and Examples

Analysis of Competing Hypotheses

  • Analysis of Competing Hypotheses Steps
  • Evoltin Threat Scenario Walkthrough

Human Elements of Attribution

  • Attribution Uses and Limitations
  • When to Seek or Avoid Attribution
  • Intrusion to Campaign Attribution

Nation-State Attribution

  • Geopolitical Motivations to Cyber Attacks
  • Espionage and Sabotage
  • Attributing Campaigns to National Actors