FOR589: Cybercrime Intelligence™

  • In Person (5 days)
  • Online
30 CPEs

The cybercrime landscape is perpetually evolving, driven by technological advancements, increased investments by nation-states in offensive cyber operations, and a dynamic cybercrime ecosystem that continuously lowers the barriers for novice criminals to collaborate with more sophisticated actors. FOR589 offers a comprehensive exploration of the cybercrime underground, detailing a broad spectrum of tactics and techniques used by cybercriminals to target organizations. This course includes over twenty hands-on labs and a final capstone exercise, equipping analysts with the skills necessary to enhance their organization's defenses, proactively gather critical intelligence, trace cryptocurrency proceeds of crime, and generate actionable insights to protect their organization preemptively.

What You Will Learn

What Is Cybercrime Intelligence?

Cybercrime Intelligence is a subset of Criminal Intelligence that helps organizations anticipate, prevent, and mitigate future cyber threats while aiding law enforcement and intelligence entities in investigating and prosecuting cybercriminals.

Cybercrime intelligence is crucial for organizations to anticipate, prevent, and mitigate potential cyber threats, as well as for aiding law enforcement and governments in combating and prosecuting cybercriminals. FOR589: Cybercrime Intelligence offers an in-depth understanding of the cybercrime underground, covering a wide array of tactics and techniques used by cybercriminals to exploit organizations. By focusing on both traditional intelligence and contemporary cybersecurity methodologies, this course helps augment existing intelligence operations, proactively address risks, and enhance overall cybersecurity posture. It is ideal for security professionals, law enforcement officers, and anyone interested in learning more about the cybercrime underground, tracing the criminal use of cryptocurrency, intelligence, and cybercrime countermeasures.

Through practical exercises and real-life case studies, FOR589: Cybercrime Intelligence will help you map infrastructure, analyze capabilities, and uncover the victims of cybercrime, as well as attribute operations to the cybercriminal behind the keyboard. Students learn all about the dark web economy, tracing cryptocurrency, and money laundering schemes. This course also teaches students how to research cybercrime safely, including how to create sock puppet accounts, interact with threat actors, and infiltrate underground communities. Participants will gain hands-on experience with various cybersecurity tools and work on real-life case studies to detect, analyze, and mitigate cyber threats, and to understand the scope, scale, and potential impact that organized cybercrime could have on their organizations, while mapping their work to requirements within intelligence collection plans.

FOR589 Cybercrime Intelligence Course Topics:

  • All-source overview of intelligence concepts relevant to countering cybercrime.
  • Navigating the underground landscape safely and the economy within it.
  • Infiltrating the underground to gain tactical placement and access for future operations.
  • Advanced use of threat investigation platforms to search, pivot, and monitor.
  • Gathering intelligence on requirements that map to organizational intelligence collection plans.
  • Acquiring threat data during collections in alignment with the intelligence lifecycle.
  • Managing operations to meet strategic, tactical, and operational needs for your organization.
  • Attributing people, money, and systems, using proven and emerging investigative tradecraft.
  • Mapping and analysis using the Cyber Kill Chain, Diamond Model, and MITRE ATT&CK.
  • Supporting incident response using external datasets that reach beyond the network perimeter.
  • Identifying breaches that have already occurred by discovering incident indicators in the wild.
  • Mapping relationships between adversaries and their preferred targets.
  • Deceiving actors with data poisoning by planting disinformation and misinformation.
  • Detecting actors' own use of data poisoning and false flag operations.
  • Defining pseudonymity and anonymity, and their relevance to operational security.
  • Social engineering of cybercriminals with human interactions to elicit valuable intelligence.
  • Cryptocurrency tracing to aid in understanding adversarial scope and attribution.
  • Blockchain forensics to attribute cryptocurrency payments to people and services.
  • Tracing criminal proceeds through crypto laundering methods such as layering and mixing.
  • Using the course of action matrix to discover, detect, deny, disrupt, degrade, and destroy.

Business Takeaways

  • Close knowledge gaps within cybercrime and crypto crime.
  • Enhance Cyber Threat Intelligence (CTI) operations with cybercrime expertise.
  • Proactively discover and mitigate emerging cybercrime threats looming over the horizon.
  • Establish early warning systems to detect risks, threats, and fraud.
  • Identify access vectors, secure them, and collect against cybercriminals targeting them.
  • Focus investigative priorities with advice informed by cyber underground emerging trends.
  • Profile cybercrime events using proven intelligence frameworks and cyber kill chains.
  • Develop abilities to attribute threat actors behind cyberattacks and cyber fraud, when needed.
  • Conduct blockchain forensics for additional adversary attribution and potential fund recovery.
  • Create tailored and relevant intelligence products to supplement vendor offerings.
  • Support incident response teams with timely and relevant intelligence.

Skills Learned

FOR589 Cybercrime Intelligence Training Will Prepare Your Team To:

  • Understand how traditional intelligence collection disciplines have adapted to today's modern cyber-centric landscape and differentiate what is actionable intelligence and what is noise.
  • Discover risks to your organization mapped to threat actors and threat vectors as priority intelligence requirements.
  • Translate your organization's risk-guided intelligence requirements into threat-informed collection plans and operational tasks.
  • Address cybercrime risks with threat-informed decisions, enabling you to determine courses of action that are both defensive and responsive to protect your organization and impose costs on criminal organizations.
  • Demystify the dark web and underground threat landscape, enabling you to traverse and listen in on criminal communities, marketplaces, ransom sites, and more.
  • Create online personas and sock puppet accounts safely to gain the placement and access needed for intelligence collection, whether to passively browse forums or actively elicit brokers.
  • Build credibility within underground networks to enable your sock puppet to infiltrate invite-only communities and adversarial infrastructure.
  • Vet intelligence sources by measuring their level of competence, access, and credibility.
  • Generate actionable cybercrime intelligence by delivering realistic solutions built upon tried-and-true intelligence requirements, collection plans, and operating procedures.
  • Speed up root cause analysis of cyberattacks with breach indicators and identifiers, reducing patient zero identification time from weeks/days to hours/minutes.
  • Tune threat intelligence platforms as early warning systems to detect risk exposures within the Internet ecosystem, especially the deep and dark web.
  • Trace cryptocurrency payments using commercial and open-source tools to identify senders and receivers, and work to attribute them by using cluster analysis.

Hands-On Cybercrime Intelligence Training

SANS labs provide hands-on experience to reinforce course concepts and learning objectives. This course includes a step-by-step electronic workbook directly tied to the material.

Labs Include:

  • Lab 1.1: CROM VM Setup and Intro to Authentic8 Silo
  • Lab 1.2: Password Pivots and Password Managers
  • Lab 1.3: Persona Preparation and Sock Puppet Account Creation
  • Lab 1.4: Identifiers, Dossiers, and Profiling
  • Lab 1.5: Link Analysis with Maltego
  • Lab 2.1: Cybercrime Site Identification and Enumeration
  • Lab 2.2: Cybercrime Infrastructure Analysis
  • Lab 2.3: Adversary Profiling
  • Lab 2.4: Capability Assessment and Monitoring
  • Lab 2.5: Cybercrime Intelligence Platforms
  • Lab 3.1: The Genesis Block
  • Lab 3.2: Twitter Hack and Scam
  • Lab 3.3: Profiling a Bulletproof Hosting Provider
  • Lab 3.4: Bitfinex Hack and Money Laundering
  • Lab 3.5: DarkSide Ransomware & Colonial Pipeline
  • Lab 4.1: Gaining Initial Access
  • Lab 4.2: Assess the Environment
  • Lab 4.3: Automated Collection and Analysis
  • Lab 4.4: Spotting and Assessing
  • Lab 4.5: Adversary Engagement
  • Lab 5: FOR589 Capstone Exercise

What You Will Receive

  • Virtual Machine Workstation
    • Students will receive virtual machine(s) to enable investigations with a pre-configured installable experience. Everything students need for the course will be pre-installed and ready to launch.
  • Authentic8 Silo for Research
    • Students will receive a demo license to access the Authentic8 Silo managed attribution platform to safely investigate darkweb sites and sources such as forums, markets, chat rooms, ransom sites, paste sites, and more.
  • Chainalysis Reactor platform
    • Students will receive a demo license to access the Chainalysis Reactor platform to investigate cryptocurrency transactions.
  • Maltego
    • Students will receive a demo license to access Maltego to conduct investigations utilizing data link analysis and graph visualizations.

Syllabus (30 CPEs)

  • Overview

    There are ways to stay ahead of cybercrime and extend your perimeter - it starts with knowing the vast landscape you are up against and applying sound methodologies to make sense of it all.

    Security professionals and law enforcement must stay aware of the latest criminal trends. In scenarios where risk is high and room for error is low, peers and victims need our help. To provide that help, our methodology and processes must be defensible. By applying these standards for curating and handling cybercrime intelligence, FOR589 students will be able to ensure that their selected courses of action are properly guided, decided, and applied.

    Section 1 introduces standards for intelligence requirements, collection plans, operating procedures, and frameworks that students will use to make informed decisions while also being mindful of operational security considerations. If we understand our assets at risk, we can map them to our attack vectors and interested threat actors. This approach allows us to anticipate emerging threats and stay ahead of cybercriminals.

    Exercises
    • Workstation and vendor orientation
    • Building a cybercriminal profile and dossier
    • Conducting link analysis with a data visualization tool
    • Profiling a cybercrime campaign with industry-standard models
    • Creating online persona sock puppet accounts safely
    • Maintaining and organizing sock puppet accounts
    Topics
    • Intelligence Fundamentals
      • Information vs Intelligence
      • Intelligence-gathering disciplines
      • Analysis of all-source collections
      • Structured analytic techniques
      • Legal considerations
    • Intelligence Operations
      • Governing an intelligence program
      • Creating threat hunt capabilities
      • Staffing programs to deliver capabilities
      • Legal considerations
    • Planning Collections
      • Priority intelligence requirements
      • Targeted collection plans
      • Collection management frameworks
    • Cyberattack Profiling
      • Profiling intrusions with standardized methodology
      • Using the MITRE ATT&CK® framework
      • Using the Lockheed Martin Cyber Kill Chain®
      • Campaign grouping with unique attributable clusters
      • Translating breach precursors to threat-informed forecasts
      • Forecasting ransom events with breach precursor intelligence
    • Operational Security 101
      • Defense-in-depth for underground operational security (OPSEC) modeling
      • Compartmentalizing identity footprints and account signups
      • Compartmentalizing Internet access and network routes
      • Compartmentalizing web browsers and web sessions
      • Compartmentalizing host systems and virtual machines
      • Creating personas with backstories for account context
      • Establishing accounts for infiltration and reconnaissance
      • Balancing plausible deniability and logging compliance
      • Analyzing OPSEC failures through case study compilation
    • Undercover Preparation: Personas and Accounts
      • Differentiation of pseudonymity and anonymity
      • Sock puppet red herrings and data poisoning
      • Sock puppet creation and backstory
      • Sock puppet management and handling
      • How OPSEC failures are often a result of bad sock puppets
      • How OPSEC failures are prone to burning covers and operations
      • Safeguarding sock puppets: OPSEC, PERSEC, NETSEC
  • Overview

    Within the cybercriminal ecosystem, there are adversaries/criminals, victims/targets, methods/services, and infrastructure/finances. Clarifying that ecosystem has never been so important.

    As a cyber professional, understanding the cybercrime underground is vital to knowing the landscape and economy that you are up against. We must learn to access and navigate it all. With a solid mapping of the cybercrime underground, we meet the adversaries on their own playgrounds to gather underground intelligence at its source.

    This section will provide students with the resources necessary to find the "known" and explore the "unknown." By demystifying the cybercriminal underground, we can find both, which is fundamental to take on emerging risks and threats. This is also needed to prepare a counter-offensive response. By the end of this section, you will be able to see eye-to-eye with cybercriminals on their own playing field, opening possibilities for a strong defense or a knock-out offense.

    Exercises
    • Enumerating a forum
    • Hunting criminal activity by querying threat intelligence platforms
    • Tracking criminal activity by translating queries to alerting rules
    • Attributing an initial access broker victim listed on a cybercrime forum
    • Dissecting a malware infection victim log listed on a cybercrime marketplace
    • Correlating criminal-victim relationships listed on a ransom extortion site
    • Breached data access, analysis, and pivoting for cybercriminal attribution
    Topics
    • Tracking Cybercriminal Ecosystems with Underground Intelligence
      • Landscaping the cybercriminal underground
      • Mapping the cybercriminal economy
      • Cybercrime intelligence use cases
      • Cybercrime terminology
      • Dark web basics and evolution
      • Types of underground communities
      • Cybercrime-as-a-Service
    • Cybercrime Discovery: Services and Infrastructure
      • Profiling areas of operation with typologies
      • Hidden services vs. common Internet services
      • Mapping and pivoting on cybercrime infrastructure
      • Identifying attack infrastructure used in campaigns
      • Infrastructure-as-a-Service for cybercrime
      • Navigating communities: forums, markets, and chats
      • Navigating campaign infrastructure: ransom extortion sites, C2 panels
      • Navigating services: search tools, hosting services
    • Cybercrime Discovery: Actors and Adversaries
      • Profiling cybercriminals with typologies
      • Tracking cybercriminals on forums, markets, and chats
      • Cybercriminal threat actors/groups
      • Deep dive into threat actor types: malware, botnets, phishing, data brokers, access brokers, ransomware, money launderers, nation states and advanced persistent threats (APTs)
      • Adversary assessments
    • Cybercrime Discovery: Methods and Capabilities
      • Cybercriminal toolkits
      • Cybercriminal templated attacks
      • Cybercriminal service rentals
      • Vulnerabilities and exploits
      • Malware tools
      • Phishing attacks
      • Social engineering
      • Account takeovers
      • Financial fraud
      • Analysis of a criminal's dox publication
      • Mapping MITRE ATT&CK to Diamond Events
      • Mapping Diamond Events to the Lockheed Martin Cyber Kill Chain
    • Cybercrime Discovery: Targets and Victims
      • Victimology analytics for cyberattack & fraud incidents
      • Gathering incident precursor indicators
      • Gathering security incident identifiers
      • Discovering victims in public ransom extortion blogs
      • Discovering victims of initial access brokers
      • Discovering victims in data breaches and malware infections
      • Discovering targeted emails with malspam lists
      • Discovering targeted systems with Internet scans
      • Discovering C2 victims with network traffic analysis
    • Tools of the Tradecraft: Threat Intelligence Platforms (TIPs)
      • Discovering threat investigation tool options
      • Maneuvering threat intelligence platforms like Flashpoint and Intel471
      • Architecting early warning systems for digital risk monitoring
      • Architecting alerts based on intelligence requirements
      • Hunting for risks and threats with TIP queries
      • Translating TIP queries to actionable detections
      • Investigating threat actor activities with TIPs
      • Investigating forums and markets with TIPs
      • Discovering OSINT tools and frameworks
  • Overview

    Cryptocurrencies are often thought to be anonymous, but they are pseudonymous at best.

    Since criminals deal heavily in these virtual assets, we can exploit this to unmask them!

    The prevalence of cryptocurrency in the criminal economy cannot be overstated or overlooked. In this section, students will learn to trace cryptocurrency transactions, understand underlying blockchain technologies, and learn about the money laundering schemes layered in this space. In addition, we translate these concepts to practical intelligence applications, such as criminal attribution.

    While these virtual assets have certainly played a prolific role in the funding of services within the cybercriminal underground, they are not bulletproof! Mistakes are made during transactions, creating opportunities to map out criminal counterparties and their real-life identities. This section teaches cluster-analysis skills that are useful to differentiate senders from receivers, separate services from people, and demystify money-laundering schemes. Finally, we explore the practical use of Know Your Customer (KYC) records requests for unmasking criminals.

    Exercises
    • Transaction analysis with basic clustering using open source tools
    • Transaction analysis with advanced clustering using Chainalysis Reactor
    • Identifying and tracing through obfuscation methods
    • Submitting a KYC request
    • Exploring the laundering techniques used in cryptocurrency crimes
    • Mapping the financial network of a real-world cybercrime organization
    Topics
    • Tracking Financial Crimes with Financial Intelligence (FININT)
      • Financial crimes history and evolution
      • Money laundering and occurrences
      • Laws and regulations for anti-money laundering (AML)
      • The Financial Intelligence Unit role in AML investigations
      • Suspicious activity report (SAR) submissions
      • Virtual assets and virtual asset service providers
      • Cryptocurrency and criminal use cases
    • Tracing Cryptocurrency Crimes with Blockchain Intelligence
      • Cryptocurrency and criminal intelligence use cases
      • Purpose and basics of cryptocurrency
      • Blockchain technology functionality
      • Cryptocurrency types and terminologies
      • Custodial vs. non-custodial wallets
      • Cluster analysis for contextualizing transactions
      • Differentiating illicit services from legitimate services
    • Cryptocurrency Tracing: Basic Clustering
      • Tracing cryptocurrency with blockchain explorer tools
      • Bitcoin counterparty mapping to discover senders and receivers
      • Bitcoin spend and co-spend analysis for mapping inputs and outputs
      • Bitcoin change analysis with the unspent transaction output (UTXO) model
      • Enriching on-chain analysis with off-chain intelligence
      • Monitoring for new Bitcoin transactions
    • Cryptocurrency Tracing: Advanced Clustering
      • Introduction to blockchain analytics platforms like Chainalysis Reactor
      • Identifying and tracking sophisticated cryptocurrency transactions
      • Behavioral patterns for cryptocurrency wallet identification
      • Detecting and tracing privacy-enhanced wallets
      • Detecting and tracing advanced obfuscation techniques like mixers and chain-hopping
      • Detecting and tracing "doxxic change"
      • Tracing and attributing subject targets with dusting attacks
    • Cybercriminal Profiling with Cryptocurrency Attribution
      • Application of the Diamond Model of Blockchain Analysis
      • Introduction to KYC requests
      • Attributing persons of interest using KYC requests
      • Operational security (OPSEC) risks of converting cryptocurrency to fiat
      • Exchanges sanctioned by the Office of Foreign Assets Control (OFAC)
      • Centralized and decentralized P2P exchanges for cashing out
      • Money laundering schemes for cash-out strategies
      • Identification of OPSEC mistakes that can lead to attribution
  • Overview

    We've assessed the cybercriminal ecosystem; now let's infiltrate deeper to facilitate the use of countermeasures. Criminals can be disrupted via social interactions, campaign mapping, and planned takedowns.

    People, systems, and money possess exploitable characteristics that can be recognized by investigators with the correct access and skills. These characteristics can be collected to inform countermeasures. This section teaches you how to spot these characteristics, collect them both manually and automatically, and leverage them for criminal investigations and disruptions.

    This section will teach students how to use a combination of rapport and elicitation techniques that exploit core characteristics of an online human intelligence (HUMINT) source. Through this process, the intelligence collector will maintain covertly structured control of the conversation to ensure that each cybercriminal source reveals topics that are relevant to the collector's intelligence requirements. Once cybercriminals and their infrastructure are attributed, a new realm of possibility to enforce countermeasures presents itself, with opportunities ranging from seizures to coordinated takedowns.

    Exercises
    • Using a sock puppet that can blend in for vHUMINT engagement collections
    • Browsing a hidden service site via the Tor network with a web browser
    • Scraping a hidden service file directory
    • Attributing a cybercriminal with a persona-focused deep dive
    • Mapping prior attribution findings to a course of action matrix (cybercrime countermeasures)
    Topics
    • Undercover Preparation: Case Management
      • Collection taskings, objectives, and target selection
      • Preparing the operation, infrastructure, and mindset
      • Recognizing the wide skillsets of an undercover operator
      • Identifying placement and access (P&A) requirements
      • Implementing operational security (OPSEC) measures
      • Legal and ethical considerations for undercover collections
      • Authorized data access requests for extending beyond collection limits
    • Undercover Engagements: Infiltration and Deception
      • Social engineering in virtual HUMINT (vHUMINT)
      • Source engagement approaches: overt, covert, clandestine
      • Infiltration of gated vs. ungated sources
      • Infiltration of gated sources: paid entry vs. vetted entry
      • Blending in and spotting scams with awareness of norms and standards
      • Source recruiting, handling, profiling, and burn notices
      • Interrogation tactics to engage and elicit human sources for collections
      • Attribution analysis with data broker and access broker advertisements
      • Controlled buys for victim data recovery and attribution analysis and legal concerns
      • Translating HUMINT source collections to actionable outcomes
    • Undercover Engagements: Automating Data Collections
      • Exploring methods to architect, from scratch, a web scraping operation
      • Assessing the requirements of web forum scraping over the Tor network
      • Building a dark web forum scraper to collect and store data
      • Building a dark web forum database to query, parse and ingest data
    • Undercover Countermeasures: Responsive Disruption
      • Legal and ethical considerations for cybercrime disruptions and takedowns
      • Consulting with law enforcement and industry peers
      • Consulting with legal teams for lawful review of plans, intents, and actions
      • Mapping and attributing cybercriminal infrastructure and threat actors
      • Disrupting cybercrime through collaboration with law enforcement
      • Disrupting cybercrime through the takedown of suspect infrastructure
      • Recovering ransomed systems without payment using decryption intelligence
      • Collecting cryptocurrency artifacts such as addresses, keys, wallets
      • Course of action matrix for cybercrime takedown use cases
  • Overview

    Put everything you learned to the test by investigating the cybercriminal underground and unraveling who is behind a new kind of cyber extortion campaign.

    The final day of FOR589 is a capstone challenge that focuses on launching an investigation. Students engage in a fun and meaningful exercise that brings together various components of the entire course. The capstone will reinforce the principles taught via a simulated scenario that enables students to practice implementing their newly learned skills.

    Students will be presented with a fictional scenario and then given a list of items to investigate and analyze. These will include posts, threads, and profiles from cybercriminal underground forums, markets, and leak sites, as well as leaked private chat logs, databases, and threat actor infrastructure. There will also be a fictional blockchain ledger that students will use to trace transactions and track threat actors and various types of activities. Students will have to think about how to fulfill intelligence requirements from a law enforcement perspective, using the provided data sets that emulate real-world scenarios investigated by intelligence analysts.

    Students will be placed on teams and at day's end make presentations to instructors and the class to showcase what they found in their investigations, including the steps taken during the intelligence life cycle showing what they collected, processed, analyzed, and exploited.

    Topics
    • What You Will Learn
      • How to practice the skills taught throughout the course
      • How to safely investigate a simulated cybercrime operation
      • How to present evidence to justify or warrant the deployment of a subpoena
      • How to create a presentation to showcase findings to stakeholders
    • What You Will Need
      • Teams - Students will be assigned teams to collaborate while investigating
      • Computers - Systems will access and analyze simulated datasets
      • Investigative Mindset - Students will take the initiative to solve puzzling scenarios
    • What You Will Do
      • Comprehend the scope of work and plan accordingly to fulfill requirements
      • Assign roles within the team to complete tasks that suit team members' skills
      • Process and analyze the data, as the initial collection stage will already have been done
      • Create adversary dossiers using identified activity and social networks
      • Map the cybercriminal underground to highlight key services and adversaries
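As an added illustration of the basic clustering topics listed in the cryptocurrency tracing section above (co-spend analysis, change analysis under the UTXO model, and counterparty mapping), here is a small Python example; it is not course material, and the ledger, addresses and amounts in it are constructed for the example.

```python
"""Co-spend clustering and round-number change detection over a UTXO ledger.

Added example, not part of FOR589 courseware.  Every transaction, address
and amount below is constructed; the heuristics are the textbook ones that
blockchain-analytics tooling builds on, shown here in their simplest form.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

SATS_PER_BTC = 100_000_000
ROUND_UNIT = 1_000_000  # 0.01 BTC: amounts that are multiples count as "round"


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[str, ...]               # addresses whose UTXOs are spent together
    outputs: Tuple[Tuple[str, int], ...]  # (address, amount in satoshis)


# Constructed ledger.  Letters hint at the fictional owner an address is
# meant to belong to, so the clustering result can be checked by eye.
LEDGER: List[Tx] = [
    Tx("tx1", ("A1", "A2"), (("B1", 1 * SATS_PER_BTC), ("A3", 28_730_000))),
    Tx("tx2", ("A3",), (("C1", 10_000_000), ("A4", 18_490_000))),
    Tx("tx3", ("A2", "A5"), (("D1", 50_000_000),)),
    Tx("tx4", ("B1",), (("E1", 90_000_000),)),
]


class UnionFind:
    """Disjoint-set structure: addresses that share a spender end up with one root."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, a: str) -> str:
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def likely_change(tx: Tx) -> Optional[str]:
    """Round-number change heuristic.

    In a two-output payment the payee tends to receive a round amount while
    the leftover (change) returns to the spender as an odd amount.  Fire only
    when exactly one output is odd; anything else is ambiguous.  This is a
    heuristic, not proof: batching, self-transfers and deliberately odd
    payments all defeat it, which is why analysts corroborate off-chain.
    """
    if len(tx.outputs) != 2:
        return None
    odd = [addr for addr, amt in tx.outputs if amt % ROUND_UNIT != 0]
    return odd[0] if len(odd) == 1 else None


def cluster_addresses(txs: List[Tx], use_change_heuristic: bool = True) -> List[FrozenSet[str]]:
    """Group addresses into likely-same-owner clusters, smallest address first."""
    uf = UnionFind()
    for tx in txs:
        for addr in tx.inputs:
            uf.find(addr)
        for addr, _ in tx.outputs:
            uf.find(addr)
        # Common-input-ownership (co-spend): all inputs of one transaction are
        # signed together, so one party controls them (CoinJoin breaks this).
        for addr in tx.inputs[1:]:
            uf.union(tx.inputs[0], addr)
        if use_change_heuristic:
            change = likely_change(tx)
            if change is not None:
                uf.union(tx.inputs[0], change)
    groups: Dict[str, set] = {}
    for addr in list(uf.parent):
        groups.setdefault(uf.find(addr), set()).add(addr)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: sorted(g))


def counterparties(txs: List[Tx], clusters: List[FrozenSet[str]]) -> Dict[str, Dict[str, object]]:
    """Map each tx to its sending cluster and receiving clusters (by index),
    dropping the probable change output so only true counterparties remain."""
    owner = {addr: i for i, group in enumerate(clusters) for addr in group}
    result: Dict[str, Dict[str, object]] = {}
    for tx in txs:
        change = likely_change(tx)
        receivers = sorted({owner[a] for a, _ in tx.outputs if a != change})
        result[tx.txid] = {"sender": owner[tx.inputs[0]], "receivers": receivers}
    return result


if __name__ == "__main__":
    clusters = cluster_addresses(LEDGER)
    for i, group in enumerate(clusters):
        print(f"cluster {i}: {sorted(group)}")
    for txid, cp in counterparties(LEDGER, clusters).items():
        print(f"{txid}: cluster {cp['sender']} -> clusters {cp['receivers']}")
```

Running the script shows that co-spend alone links A1, A2 and A5, and that the change heuristic folds the A3 and A4 change outputs into the same cluster, which is what lets an analyst follow the spender across hops rather than losing them at every fresh change address.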

Prerequisites

FOR589: Cybercrime Intelligence is a course focused on navigating, discovering, detecting, and disrupting threats from the cybercrime economy. While introductory content is provided, familiarity with intelligence, dark web access, web data collection, cryptocurrency tracing, or digital forensics and incident response is beneficial. First-time SANS students will be successful in this course, as its technical demands are on par with other beginner SANS courses.

Students may benefit from having taken one of the SANS courses listed below, or equivalent training. However, while these courses are helpful, they are not required.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY FOR589 SYSTEM HARDWARE REQUIREMENTS
  • CPU: a 64-bit Intel i5/i7 (4th generation+) processor, an x64 2.0+ GHz processor, or a more recent processor is mandatory for this class. (Important - Please Read: a 64-bit system processor is mandatory.)
  • CRITICAL NOTE: Apple Silicon devices (starting with M1 processors) cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
  • It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VT."
  • Be certain that you can access your BIOS if it is password-protected in case changes are necessary. Test it!
  • 16 gigabytes (GB) of RAM or higher is mandatory for this class. (Important - Please Read: 16 GB of RAM is the mandatory minimum.)
  • USB 3.0 Type-A port is required. At least one open and working USB 3.0 Type-A port is required. (A Type-C to Type-A adapter may be necessary for newer laptops.) (Note: Some endpoint protection software prevents the use of USB devices, so test your system with a commercial USB drive before class to ensure that you can load the course data.)
  • 150 GB of free space on your system hard drive is critical to host the VMs we distribute.
  • Local administrator access is absolutely required. Do not let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • Wireless 802.11 capability
MANDATORY FOR589 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs. Please note: It is necessary to fully update your host operating system prior to the class to ensure that you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
  • Those who use a Linux host must also be able to access ExFAT partitions using the appropriate kernel or FUSE modules.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from completing the labs.
  • Any filtering of egress traffic may prevent you from completing the labs in your course. Firewalls should be disabled, or you must have the administrative privileges to disable them.
PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:
  1. Download and install VMware Workstation Pro 17+ (for Windows hosts) or VMware Fusion Pro 13+ (for macOS hosts) prior to class beginning. Workstation Pro and Fusion Pro are now available free for personal use from the VMware website. Licensed commercial subscriptions to these products can also be used.
  2. On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  3. Microsoft Office (any version) or OpenOffice installed on your host. Note that you can download Office Trial Software online (free for 30 days).
  4. Download and install 7-Zip (for Windows hosts) or Keka (for macOS hosts). These may be included in your SANS courseware .ISO files.

Your course media is delivered via download from the SANS "Course Material Downloads" page in your SANS account. The media files for the class can be large, some in the 40 to 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speeds vary greatly and depend on many different factors, so it is not possible to give an estimate of how long it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to PDFs. The number of classes using eWorkbooks will grow quickly. Considering this, we have found that a second monitor and/or a tablet device can be useful to keep the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact customer service.

Author Statement

"A security breach is inevitable. It isn't a matter of if, but a matter of when. And for the last decade there have been more financially motivated data breaches than all other types of breaches combined. In FOR589: Cybercrime Intelligence, we teach security professionals to proactively gather intelligence on the biggest threat to organizations at a time when we are witnessing an industrial revolution of the cybercriminal economy that has once again lowered the barrier to entry for criminals."

- Sean O'Connor

"Cybercrime is the number one threat to any organization's operations, and organized cybercrime continues to evolve down an even more insidious and destructive path. The enormous illicit fortunes amassed by organized cybercriminals have led to the manifestation of an entire underground economy. Ransomware attacks persist as one of the most profitable and destructive methods of monetizing access to any type of network. The Colonial Pipeline ransomware incident in 2021 was the most disruptive cyberattack on U.S. critical infrastructure to date. It showcased that unabated cybercrime directly leads to real-world catastrophes. It is thus more important than ever to understand the threat of cybercrime. FOR589: Cybercrime Intelligence is here to help. The course will arm students with knowledge of the cybercriminal underground and how to extract cybercrime intelligence, perform undercover operations, and, ultimately, disrupt the adversaries."

- Will Thomas

"Cybercriminals frequently penetrate networks with the primary goal of financial gain. Unfortunately, many organizations leave their sensitive data and intellectual property vulnerable to theft and exploitation, which leaves them with few options when they fall victim to a ransomware attack. They will often pay these ransoms, fueling the financial capabilities of these adversaries and escalating the threat of subsequent breaches. In FOR589, we equip students with the skills to delve into the depths of the cybercrime underworld. This exploration is key to comprehending the motives and proficiencies of cyber adversaries, which is essential for bolstering an organization's defenses and mitigating the likelihood of future security incidents, hopefully breaking this vicious cycle. In FOR589 we will teach students how to safely explore this criminal ecosystem and also provide practical training for tracing cryptocurrency transactions, offering even more intelligence by monitoring financial flows across blockchains."

- Conan Beach
