FOR589: Cybercrime Intelligence

What You Will Learn

Cybercrime intelligence can help organizations effectively anticipate, prevent, and mitigate potential cybercrime threats, while also helping law enforcement agencies and governments combat cybercrime and prosecute criminals. FOR589: Cybercrime Intelligence provides an in-depth understanding of the cybercrime underground and covers the wide variety of tactics and techniques used by cybercriminals to exploit organizations. By focusing on both conventional intelligence and contemporary cybersecurity methodologies, this course will help you augment any existing intelligence operations, proactively address risks, and enhance an overall cybersecurity posture. The course is ideal for security professionals, law enforcement officers, and anyone interested in the intricacies of the cybercrime underground, tracing cryptocurrency, intelligence and countermeasures.

The course covers how to map infrastructure, analyze capabilities, and uncover the victims of cybercrime, as well as attribute operations to the cybercriminal behind the keyboard. Students learn all about the dark web economy, tracing cryptocurrency, and money laundering schemes. This course also teaches students how to perform undercover operations safely, including how to create sock puppet accounts, interact with threat actors, and how to infiltrate underground communities. Participants will gain hands-on experience with various cybersecurity tools and work on real-life case studies to detect, analyze, and mitigate cyber threats as well as understand the scope, scale, and potential impact that organized cybercrime could have against their organizations.

Through practical exercises and real-life case studies, students in FOR589: Cybercrime Intelligence will gain hands-on experience and develop the skills to:

Map cybercriminal infrastructure, analyze cybercriminal capabilities, uncover the victims of cybercrime, and attribute operations to the cybercriminals behind the keyboard.
Navigate the dark web, trace cryptocurrency transactions, and understand money-laundering schemes.
Perform undercover operations, including how to traverse the dark web safely, create sock puppet accounts with sound operational security (OPSEC), interact with threat actors, and infiltrate underground communities.
Work with various cybersecurity tools to detect, analyze, and mitigate cyber threats, as well as understand the scope, scale, and impact of organized cybercrime.

FOR589: Cybercrime Intelligence will help you:

Traverse the underground landscape
Map requirements to intelligence collection plans
Operate threat investigation platforms
Profile actors with identifiers and indicators
Identify cyberattack targets and victims
Trace payments with blockchain forensics
Counter cybercrime by imposing costs

FOR589 Cybercrime Intelligence Course Topics

All-source overview of practical threat intelligence concepts to counter cybercrime.
Navigating the underground landscape and the economy within it.
Infiltrating illicit communities to gain strategic and tactical placement and access.
Intelligence tradecraft to analyze cybercrime, such as cyber fraud and cyberattacks.
Advanced use of threat investigation platforms to search, pivot, and monitor.
Gathering intelligence requirements to map to targeted collection plans.
Acquiring threat data collections in alignment with the intelligence lifecycle.
Operations management to meet strategic, tactical, and operational needs.
Attributing people, money, and systems, using key investigative tradecraft.
Kill chain mapping and analysis with the Cyber Kill Chain, Diamond Model, and MITRE ATT&CK.
Finding commonly targeted Internet-facing systems with exposed sensitive services.
Rapid incident response support using external datasets that reach beyond the network perimeter.
Preventing breaches from starting by discovering and detecting incident precursors.
Identifying breaches that have already occurred by discovering incident identifiers.
Mapping relationships between adversaries and their targets.
Deceiving actors with data poisoning by planting disinformation and misinformation.
Detecting actors' own use of data poisoning and false flag operations.
Defining pseudonymity and anonymity, and their relevance to operational security.
Social engineering of cybercriminals with human interactions to elicit intelligence value.
Cryptocurrency tracing to differentiate sender, receiver, and change addresses.
Blockchain forensics to attribute cryptocurrency payments to people and services.
Tracing cryptocurrency payments through money laundering methods such as layering and mixing.
Imposing cost with countermeasures, using the courses of actions matrix to discover, detect, deny, disrupt, degrade, deceive, and destroy the cybercrime ecosystem.

What Is Cybercrime Intelligence?

Cybercrime Intelligence is a subset of Criminal Intelligence that helps organizations effectively anticipate, prevent, and mitigate potential cybercrime threats, while also helping law enforcement agencies and governments investigate cybercrime and prosecute cybercriminals.

Business Takeaways

Close knowledge gaps between cybercrime and crypto crime.
Enhance Cyber Threat Intelligence (CTI) operations with cybercrime expertise.
Proactively discover and mitigate emerging cybercrime threats looming over the horizon.
Establish early warning systems to detect risks, threats, and fraud.
Identify access vectors and collect against cybercriminals exploring those vectors.
Focus investigative priorities with informed advice.
Profile cybercrime events using common intelligence frameworks and cyber kill chains.
Attribute threat actors behind cyberattacks and cyber fraud when needed
Conduct blockchain forensics for attribution and fund recovery.
Create tailored intel products to supplement vendor offerings.
Support incident response teams with timely and relevant intelligence.

Skills Learned

FOR589 Cybercrime Intelligence Training Will Prepare Your Team To:

Understand how traditional intelligence collection disciplines have adapted to today's modern cyber-centric landscape and differentiate what is actionable and what is noise.
Discover risks to your organization's assets and elements, mapped to threat actors and threat vectors as priority intelligence requirements.
Translate your organization's risk-guided intelligence requirements into threat-informed collection plans and operational tasks.
Address cybercrime risks with threat-informed decisions, enabling you to determine courses of action that are both defensive and responsive, whether to protect your organization or impose costs on criminals with counter-offensive measures.
Demystify the dark web and underground threat landscape, enabling you to traverse and surveil communities, marketplaces, ransom sites, data breaches, malware logs, and more.
Understand how the underground threat landscape has expanded and evolved, lowering the barrier to entry, allowing emerging actors to conduct perceivably advanced operations.
Create online personas and sock puppet safely to gain the placement and access needed for intelligence collection, whether to passively browse forums or actively elicit brokers.
Build credibility within underground networks to enable your sock puppet to infiltrate invite-only communities and adversarial infrastructure.
Vet sources by measuring their level of competence, access, and credibility.
Generate actionable cybercrime intelligence by delivering realistic solutions built upon tried-and-true intelligence requirements, collection plans, and operating procedures.
Apply practical victimology to map the adversary-target relationship observed in cyberattacks and cyber fraud incidents, useful for research and response purposes alike.
Speed up root cause analysis of cyberattacks with breach indicators and identifiers, reducing patient zero identification time from weeks/days to hours/minutes.
Develop threat intelligence platforms as early warning systems to detect all-source digital risk exposures within the Internet ecosystem, especially the deep and dark web.
Trace cryptocurrency payments using commercial and open-source tools to identify senders and receivers, and attribute them by using cluster analysis.

Hands-On Cybercrime Intelligence Training

SANS labs provide hands-on experience that reinforces course concepts and learning objectives. This course includes lab instructions with a step-by-step electronic workbook that's directly tied to the material to develop skills in a hands-on environment.

Lab 0: FOR589 Virtual Machine Setup
Lab 1.1: Password Pivots and OPSEC
Lab 1.2: Safe Sock Puppet Creation
Lab 1.3: Identifiers, Dossiers and Profiling
Lab 1.4: Link Analysis
Lab 2.1: Cybercrime Site Identification
Lab 2.2: Infrastructure Analysis and Mapping
Lab 2.3: Adversary Profiling and Tracking
Lab 2.4: Capability Assessment and Monitoring
Lab 2.5: Intelligence Platforms
Lab 3.1: Cryptocurrency OSINT
Lab 3.2: Transaction Analysis
Lab 3.3: Chainalysis Reactor
Lab 3.4: Bitfinex Hack & Obfuscation Methods
Lab 3.5: DarkSide Ransomware & Colonial Pipeline
Lab 4.1: Infiltration of a Gated Community
Lab 4.2: Automated Collection
Lab 4.3: Assessing the Environment
Lab 4.4: Adversary Engagement
Lab 4.5: Countermeasures
Day 5: FOR589 Capstone Challenge

What You Will Receive

Virtual Machine Workstation
- Students will receive virtual machine(s) to enable investigations with a pre-configured installable experience. Everything students need for the course will mostly be pre-installed and ready to launch.
Flashpoint Threat Intelligence Platform
- Students will receive a demo license to access the Flashpoint Threat Intelligence Platform in order to investigate underground cybercrime sources such as forums, markets, chat rooms, ransom sites, paste sites, and more.
Authentic8 Silo Toolbox
- Students will receive a demo license to access the Authentic8 Silo managed attribution platform in order to investigate underground cybercrime sources such as forums, markets, chat rooms, ransom sites, paste sites, and more.
Chainalysis Reactor Platform
- Students will receive a demo license to access the Chainalysis Reactor Platform in order to investigate cryptocurrency transactions.
Maltego
- Students will receive a demo license to access Maltego in order to conduct investigations with link analysis and graph visualizations.

Syllabus (30 CPEs)

Download PDF

FOR589.1: The Cybercriminal Intelligence Lifecycle
Overview
There are ways to stay ahead of the cybercrime economy - it starts with knowing the vast landscape you are up against and applying methodology to make sense of it all.
Security professionals and law enforcement should be aware of the latest criminal trends. In scenarios where risk is high and room for error is low, peers and victims rely on us for help. To provide that help, our processes and methodology must be defensible. Using these standards for curating and handling cybercrime intelligence, FOR589 will be able to ensure that their selected courses of action are properly guided, decided, and applied.
Section 1 introduces standards for intelligence requirements, collection plans, operating procedures, intelligence lifecycles, and knowledge frameworks that students will use to make intelligent decisions while also being mindful of operational security considerations. If we understand our elements and assets at risk, we can map them to our opposing threat actors and attack vectors. This approach allows us to repeatably anticipate emerging threats, stay ahead of cybercriminals, and mitigate risks to defend against threats.
Exercises
- Workstation and vendor orientation
- Building a cybercriminal profile and dossier
- Conducting link analysis with a data visualization tool
- Profiling a cybercrime campaign with industry-standard models
- Creating online persona sock puppet accounts safely
- Techniques for maintaining and organizing sock puppet
Topics
- Intelligence Fundamentals
  Defining intelligence
  Intelligence-gathering disciplines
  Analysis of all-source collections
  Structured analytic techniques
  Threat analysis methodologies
  Geopolitical considerations
  Legal considerations
- Intelligence Operations
  Modeling an intelligence program
  Governing an intelligence program
  Creating digital risk capabilities
  Creating threat hunt capabilities
  Staffing programs to deliver capabilities
- Planning Collections
  Threat modeling with crown jewel analysis
  Priority intelligence requirements
  Targeted collection plans
  Collection management frameworks
  Sourcing for the open web, deep web, and dark web
- Curating Collections
  Threat intelligence platform design
  Collection plan tasking execution
  Collection scraping and parsing process
  The collection exploitation and enriching process
  Active vs. passive data collection concepts
  Exploiting sources, entities, and events
  Source credibility assessments
- Cyberattack Forecasting
  Outside-in scoping for adversarial targeting
  Mapping intrusion preparation with MITRE PRE-ATT&CK
  Pre-access security breach precursors
  Post-access security breach behaviors
  Initial access vectors abused by threat actors
  Commonly abused sensitive service exposures
  Commonly abused third-party data exposures
  Commonly abused malware infection exposures
- Cyberattack Profiling
  Profiling intrusions with standardized methodology
  Mapping MITRE ATT&CK to Diamond Events
  Mapping Diamond Events to the Lockheed Martin Cyber Kill Chain
  Campaign grouping with unique attributable clusters
  Translating breach precursors to threat-informed forecasts
  Forecasting ransom events with breach precursor intelligence
  Building a course of action matrix for countermeasures
- Operational Security 101
  Defense-in-depth for underground operational security (OPSEC) modeling
  Compartmentalizing identity footprints and account signups
  Compartmentalizing Internet access and network routes
  Compartmentalizing web browsers and web sessions
  Compartmentalizing host systems and virtual machines
  Creating personas with backstories for account context
  Establishing accounts for infiltration and reconnaissance
  Balancing plausible deniability and logging compliance
  Analyzing OPSEC failures through case study compilation
FOR589.2: The Cybercriminal Underground
Overview
Within the cybercriminal ecosystem, there are adversaries/criminals, victims/targets, methods/services, and infrastructure/finances, so demystifying that ecosystem has never been so clear.
As an intelligence professional, understanding the cybercrime underground is vital to knowing the landscape and economy that you are up against. From attackers to targets, people to communities, currencies to technologies, and capabilities to infrastructure, we must have the know-how to access and traverse it all. With a solid mapping of the cybercrime underground, we meet the adversaries on their own playgrounds to gather underground intelligence at its source.
This section will provide students with the resources necessary to find the "known" and explore the "unknown." By demystifying the cybercriminal underground, we can find both, which is fundamental to take on emerging risks and threats with identification, protection, detection, response, and recovery. This is also needed to prepare a counter-offensive response. By the end of this section you will be able to see eye-to-eye with cybercriminals on their own playing field, opening possibilities for a strong defense or a knock-out offense.
Exercises
- Enumerating a forum with a web isolation platform
- Hunting criminal activity by querying threat intelligence platforms
- Tracking criminal activity by translating queries to alerting rules
- Attributing an initial access broker victim listed on a cybercrime forum
- Dissecting a malware infection victim log listed on a cybercrime marketplace
- Correlating criminal-victim relationships listed on a ransom extortion site
- Breached data access, analysis, and pivoting for cybercriminal attribution
Topics
- Tracking Cybercriminal Ecosystems with Underground Intelligence
  Landscaping the cybercriminal underground
  Mapping the cybercriminal economy
  Cybercrime intelligence use cases
  Cybercrime terminology
  Dark web basics and history
  Types of underground communities
  Cybercrime-as-a-Service
- Cybercrime Discovery: Services and Infrastructure
  Profiling areas of operation with typologies
  Hidden services vs. common Internet services
  Mapping and pivoting on cybercrime infrastructure
  Identifying attack infrastructure used in campaigns
  Infrastructure-as-a-Service for cybercrime
  Navigating community: forums, markets, and chats
  Navigating campaign infrastructure: ransom extortion sites, C2 panels
  Navigating services: search tools, hosting services
- Cybercrime Discovery: Actors and Adversaries
  Profiling cybercriminals with typologies
  Tracking cybercriminals on forums, markets, and chats
  Cybercriminal threat actors
  Cybercriminal threat groups
  Deep dive into threat actors types: malware, botnets, phishing, data brokers, access brokers, ransomware, money launderers, nation states
  Adversary assessments
- Cybercrime Discovery: Methods and Capabilities
  Cybercriminal toolkits
  Cybercriminal templated attacks
  Cybercriminal service rentals
  Vulnerabilities and exploits
  Malware tools
  Phishing attacks
  Social engineering
  Account takeovers
  Financial fraud
  Analysis of a criminal's dox publication
  Using the MITRE ATT&CK®️ framework
  Using the LockHeed Martin Cyber Kill Chain®️
- Cybercrime Discovery: Targets and Victims
  Victimology analytics for cyberattack incidents
  Victimology analytics for cyber fraud incidents
  Gathering incident precursor indicators
  Gathering security incident identifiers
  Discovering victims in public ransom extortion blogs
  Discovering victims of initial access brokers
  Discovering victims in data breaches and malware infections
  Discovering targeted emails with malspam lists
  Discovering targeted systems with Internet scans
  Discovering C2 victims with network traffic analysis
- Tools of the Tradecraft: Threat Intelligence Platforms
  Discovering threat investigation tool options
  Maneuvering threat intelligence platforms like Flashpoint and Intel471
  Architecting early warning systems for digital risk monitoring
  Architecting alerts based on intelligence requirements
  Hunting for risks and threats with TIP queries
  Translating TIP queries to actionable detections
  Investigating threat actor activities with TIPs
  Investigating forums and markets with TIPs
  Discovering OSINT tools and frameworks
FOR589.3: Cryptocurrency Investigations
Overview
Cryptocurrencies are often thought to be anonymous, but they are pseudonymous at best.
Since criminals deal heavily in these virtual assets, we can exploit this to unmask them!
The prevalence of cryptocurrency in the criminal economy can neither be overstated nor overlooked. In this section, students will learn to trace through cryptocurrency, understand its underlying blockchain technology, and demystify the money laundering schemes layered atop. In addition, we translate these concepts to practical intelligence applications, such as criminal attribution.
While these virtual assets have certainly played a prolific role in the funding of services within the cybercriminal underground, they are not bulletproof! Mistakes are made during transactions, creating opportunities to map out criminal counterparties and their affiliated real-life identities. This section teaches empowering cluster-analysis skills that are useful to differentiate senders from receivers, separate services from people, and demystify money-laundering schemes. Finally, we explore the practical use of "Know-Your-Customer" requests for unmasking criminals.
Exercises
- Transaction analysis with basic clustering using open-source tools
- Transaction analysis with advanced clustering using Chainalysis Reactor
- Identifying and tracing through peelchain obfuscation
- Identifying and tracing through advanced obfuscation methods
- Submitting a KYC request
- Exploring the laundering techniques used in cryptocurrency crimes
- Mapping the financial network of an organized cybercrime gang
Topics
- Tracking Financial Crimes with Financial Intelligence
  Financial crimes history and evolution
  Money laundering and occurrences
  Laws and regulations (5AMLD) for anti-money laundering (AML)
  The Financial Intelligence Unit role in AML investigations
  Suspicious activity report submissions
  Suspicious transaction report submissions
  Financial Action Task Force (FATF)
  Virtual assets and virtual asset service providers
  Cryptocurrency and criminal use cases
- Tracing Cryptocurrency Crimes with Blockchain Intelligence
  Cryptocurrency and criminal intelligence use cases
  Purpose and basics of cryptocurrency
  Blockchain technology functionality
  Cryptocurrency types and terminologies
  Cryptocurrency storage and wallets
  Custodial vs. non-custodial wallets
  Simple wallets vs. wallets with obfuscation methods
  Cluster analysis for contextualizing transactions
  Differentiating illicit services from legitimate services
- Cryptocurrency Tracing: Basic Clustering
  Tracing cryptocurrency with blockchain explorer tools
  Bitcoin counterparty mapping to discover senders and receivers
  Bitcoin transaction address identification (P2PKH, P2PSH, Bech32, Taproot)
  Bitcoin spend and co-spend analysis for mapping inputs and outputs
  Bitcoin change analysis with the unspent transaction (UTXO) model
  Enriching on-chain analysis with off-chain intelligence
  Monitoring for new Bitcoin transactions
- Cryptocurrency Tracing: Advanced Clustering
  Introduction to blockchain analytics platforms like Chainalysis Reactor
  Identifying and tracking sophisticated cryptocurrency transactions
  Behavioral patterns for cryptocurrency wallet identification
  Detecting and tracing privacy-enhanced wallets
  Detecting and tracing common obfuscation like peel chains and mixing networks
  Detecting and tracing advanced obfuscation techniques like chain hops and CoinJoin
  Detecting and tracing "doxxic change"
  Tracing and attributing subject targets with dusting attacks
- Cybercriminal Profiling with Cryptocurrency Attribution
  Application of the Diamond Model of Blockchain Analysis
  Introduction to Know-Your-Customer (KYC) requests
  Attributing persons of interest using KYC requests
  Operational security (OPSEC) risks of converting cryptocurrency to fiat
  Low-risk exchange (LRE) vs. high-risk exchange (HRE)
  Exchanges sanctioned by the Office of Foreign Assets Control (OFAC)
  Centralized and decentralized P2P exchanges for cashing out
  Money laundering schemes for cash-out strategies
  Identification of OPSEC mistakes that can lead to attribution
FOR589.4: Undercover Operations & Countermeasures
Overview
We've assessed the cybercriminal ecosystem. Now let's infiltrate deeper to facilitate the use of countermeasures. Criminals can be disrupted using social deceit, campaign mapping, and planned takedowns.
People, systems, and money possess exploitable characteristics that can be recognized by investigators with the correct access and skills. These characteristics can be collected to inform a variety of countermeasures. This section teaches you how to spot these characteristics, collect them both manually and automatically, and leverage them for criminal investigation and disruption.
This section will teach students how to use a combination of rapport and elicitation techniques that exploit core characteristics of a human intelligence (HUMINT) source. Through this process, the intelligence collector will maintain covertly structured control of the conversation to ensure that each cybercriminal source reveals topics that are relevant to the collector's intelligence requirements. Once cybercriminals and their infrastructure are attributed, a new realm of possibility to enforce countermeasures presents itself, with opportunities ranging from forensic seizures to coordinated takedowns.
Exercises
- Creating an advanced sock puppet that can blend in for vHUMINT engagement collections
- Browsing a hidden service site via the Tor network with a web browser
- Scraping a hidden service file directory via the Tor network with command-line tools
- Attributing a cybercriminal with a persona-focused deep dive
- Mapping prior attribution findings to a course of action matrix (cybercrime countermeasures)
Topics
- Undercover Preparation: Case Management
  Collection taskings, objectives, and target selection
  Preparing the operation, infrastructure, and mindset
  Recognizing the wide skillsets of an undercover operator
  Identifying placement and access requirements
  Implementing operational security (OPSEC) measures
  Legal and ethical considerations for undercover collections
  Authorized data access requests for extending beyond collection limits
  Unauthorized data access exploits for extending beyond collection limits
- Undercover Preparation: Personas and Accounts
  The power to selectively reveal oneself like a cypherpunk
  Differentiation of pseudonymity and anonymity
  Sock puppet creation and backstory
  Sock puppet red herrings and data poisoning
  Sock puppet management and handling
  How OPSEC failures are often a result of bad sock puppets
  How OPSEC failures are prone to burning covers and operations
  Safeguarding sock puppets: OPSEC, PERSEC, NETSEC
- Undercover Engagements: Infiltration and Deception
  Social engineering in virtual HUMINT (vHUMINT)
  Source engagement approaches: overt, covert, clandestine
  Infiltration of gated vs. ungated sources
  Infiltration of gated sources: paid entry vs. vetted entry
  Blending in and spotting scams with awareness of norms and standards
  Source recruiting, handling, profiling, and burn notices
  Interrogation tactics to engage and elicit human sources for collections
  Attribution analysis with data broker and access broker advertisements
  Attribution analysis with data broker and access broker interrogations
  Controlled buys for victim data recovery and attribution analysis
  Translating HUMINT source collections to actionable outcomes
- Undercover Engagements: Automating Data Collections
  Exploring methods to architect, from scratch, a web scraping operation
  Assessing the requirements of web forum scraping over the Tor network
  Building a self-made dark web forum scraper to collect and store data
  Building a self-made dark web forum database to parse and ingest data
  Querying a self-made dark web forum database to search and explore data
  Assessing the requirements of chat room scraping for Discord and Telegram
- Undercover Countermeasures: Responsive Disruption
  Legal and ethical considerations for cybercrime disruptions and takedowns
  Consulting with law enforcement and industry peers to avert the interruption of investigations
  Consulting with legal teams for lawful review of all responsive plans, intents, or actions
  Mapping and attributing cybercriminal infrastructure
  Mapping and attributing cybercriminal actors
  Disrupting cybercrime through the takedown of suspect infrastructure
  Disrupting cybercrime through the seizure and analysis of confirmed devices
  Disrupting cybercrime though the arrest and questioning of confirmed actors
  Recovering ransomed systems without payment using decryption intelligence
  Collecting cryptocurrency artifacts at a crime scene such as addresses, keys, wallets
  Course of action matrix for cybercrime takedown use cases
FOR589.5: Capstone
Overview
Put everything you learned to the test by investigating the cybercriminal underground and unraveling who is behind a new kind of cyber extortion campaign.
The final day of FOR589 is a capstone challenge that focuses on launching an investigation. Students engage in a fun and meaningful exercise that brings together various components of the entire course. The capstone will reinforce the principles taught via a simulated scenario that enables students to practice implementing their newly learned skills.
Students will be presented with a fictional scenario and then given a list of items to investigate and analyze. These will include posts, threads, and profiles from cybercriminal underground forums, markets, and leak sites, as well as leaked private chat logs, databases, and threat actor infrastructure. There will also be a fictional blockchain ledger that students will use to trace transactions and track threat actors and various types of activities. Students will have to think about how to fulfil intelligence requirements from a law enforcement perspective, using the data sets provided that emulate real-world scenarios investigated by intelligence analysts.
Students will be placed on teams and at day’s end make presentations to instructors and the class to showcase what they found in their investigations, including the steps taken during the intelligence life cycle showing what they collected, processed, analyzed, and exploited.
Topics
- What You Will Learn
  How to practice the skills taught throughout the course
  How to safely investigate a simulated cybercrime operation
  How to present evidence to justify or warrant the deployment of a subpoena
  How to create a presentation to showcase findings to stakeholders
- What You Will Need
  Teams - Students will be assigned teams to collaborate while investigating
  Computers - Systems will access and analyze simulated datasets
  Investigative Mindset - Students will take the initiative to solve puzzling scenarios
- What You Will Do
  Comprehend the scope of work and plan accordingly to fulfill requirements
  Assign roles within the team to complete tasks that suit team members' skills
  Process and analyze the data, as the initial collection stage will already have been done
  Create adversary dossiers using identified activity and social networks
  Map the cybercriminal underground to highlight key services and adversaries

Prerequisites

FOR589 is an intermediate level course that focuses on discovering, detecting, and disrupting the threats emerging from the cybercriminal economy. While we do provide an introduction for most of the topics taught, some topics may be challenging to a student without familiarity in areas such as intelligence, dark web access, web data collection, cryptocurrency tracing, or digital forensics and incident response.

Students may benefit from having taken one of the SANS courses listed below, or equivalent training. However, while these courses are helpful, they are not required.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY FOR589 SYSTEM HARDWARE REQUIREMENTS

CPU: 64-bit Intel i5/i7 (4th generation+) processor, x64 bit 2.0+ GHz processor, or more recent processor is mandatory for this class. (Important - Please Read: a 64-bit system processor is mandatory.)
CRITICAL NOTE: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop.
BIOS settings must be set to enable virtualization technology, such as "Intel-VT."
Be certain that you can access your BIOS if it is password-protected in case changes are necessary. Test it!
16 gigabytes (GB) of RAM or higher is mandatory for this class. (Important - Please Read: 16 GB of RAM or higher of RAM is mandatory and minimum.)
USB 3.0 Type-A port is required. At least one open and working USB 3.0 Type-A port is required. (A Type-C to Type-A adapter may be necessary for newer laptops.) (Note: Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class to ensure that you can load the course data.)
150 GB of free space on your system hard drive is critical to host the VMs we distribute.
Local administrator access is absolutely required. Don't let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
Wireless 802.11 capability

MANDATORY FOR589 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS

Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs. Please note: It is necessary to fully update your host operating system prior to the class to ensure that you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
Those who use a Linux host must also be able to access ExFAT partitions using the appropriate kernel or FUSE modules.
You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled, or you must have the administrative privileges to disable it.

PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:

Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
Microsoft Office (any version) or OpenOffice installed on your host. Note that you can download Office Trial Software online (free for 30 days).
Download and install VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+, or Fusion 11.5+ on your system prior to the start of the class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.
Download and install 7Zip (for Windows Hosts) or Keka (macOS).

Your course media is delivered via download from the SANS "Course Material Downloads" page. The media files for the class can be large, some in the 40 to 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful to keep the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact support..

Author Statement

"A security breach is inevitable. It isn't a matter of if, but a matter of when. And for the last decade there have been more financially motivated data breaches than all other types of breaches combined. In FOR589: Cybercrime intelligence, we teach security professionals to proactively gather intelligence on the biggest threat to organizations at a time when we are witnessing an industrial revolution of the cybercriminal economy that has once again lowered the barrier to entry for criminals."

- Sean O'Connor

"Cybercrime is the number one threat to any organization's operations, and organized cybercrime continues to evolve down an even more insidious and destructive path. The enormous illicit fortunes amassed by organized cybercriminals have led to the manifestation of an entire underground economy. Ransomware attacks persist as one of the most profitable and destructive methods of monetizing access to any type of network. The Colonial Pipeline ransomware incident in 2021 was the most disruptive cyberattack on U.S. critical infrastructure to date. It showcased that unabated cybercrime directly leads to real-world catastrophes. It is thus more important than ever to understand the threat of cybercrime. FOR589: Cybercrime Intelligence is here to help. The course will arm students with knowledge of the cybercriminal underground and how to extract cybercrime intelligence, perform undercover operations, and, ultimately, disrupt the adversaries."

- Will Thomas

"Cybercriminals frequently penetrate networks with the primary goal of financial gain. Unfortunately, many organizations leave their sensitive data and intellectual property vulnerable to theft and exploitation, which leaves them with few options when they fall victim to a ransomware attack. They will often pay these ransoms, fueling the financial capabilities of these adversaries and escalating the threat of subsequent breaches. In FOR589, we equip students with the skills to delve into the depths of the cybercrime underworld. This exploration is key to comprehending the motives and proficiencies of cyber adversaries, which is essential for bolstering an organization's defenses and mitigating the likelihood of future security incidents, hopefully breaking this vicious cycle. In FOR589 we will teach students how to safely explore this criminal ecosystem and also provide practical training for tracing cryptocurrency transactions, offering even more intelligence by monitoring financial flows across blockchains."

- Conan Beach

Ways to Learn

Live Online

The full SANS experience live at home! Get the ultimate in virtual, interactive SANS courses with leading SANS instructors via live stream. Following class, plan to kick back and enjoy a keynote from the couch.

In Person (5 days)

Did someone say ALL-ACCESS? On-site immersion via in-classroom course sessions led by world-class SANS instructors fill your day, while bonus receptions and workshops fill your evenings.

Who Should Attend FOR589?

Cyber Threat Intelligence Analysts who want to refine their grasp of the threat intelligence lifecycle's relevance to practical cybercrime activities. The course is particularly useful for analysts tasked with researching and monitoring threat leads.
Cyber Intelligence Professionals who aim to enhance their comprehension of the cybercrime landscape, broaden their familiarity with criminal tactics, evaluate and monitor underground sources, and develop their ability to infiltrate and collect information from such sources.
Criminal Actor Investigators who want to hone their skills in collecting, analyzing, and leveraging cybercrime intelligence, and increase their effectiveness in solving cybercrime cases and holding cybercriminals accountable for their actions.
Financial Crime Investigators who aim to bridge the knowledge gap between cryptocurrency crimes and the underground cybercriminal ecosystem upon which financial crimes are built in order to ensure that more investigative sources are accounted for.
Threat Hunters who seek to improve their proactive threat-hunting capabilities, learn how to identify and track cybercriminals, and understand how to apply cybercrime intelligence to generate and prioritize threat leads and hunt hypotheses.
Incident Responders who want to enhance their ability to respond to and manage cybercrime incidents, learn best practices in evidence preservation, and streamline collaboration with other stakeholders during investigations.
Forensic Analysts who want to deepen their knowledge of digital forensics in the context of cybercrime, learn how to extract and analyze relevant data from underground sources, and adapt their methodologies to address emerging threats.
Information Security Professionals who aim to broaden their understanding of the cybercrime landscape, stay informed about threats emerging from the underground, and develop plans to counter criminal methods used in cyberattacks and cyber fraud.
Federal Agents and Law Enforcement Professionals who need to stay current with the latest trends in cybercrime, improve their investigative skills, and better understand and collaborate with partners in the public and private sectors to combat cybercrime.
SANS Alumni looking to take their skills to the next level.

NICE Framework Work Roles:

All Source-Collection Manager (OPM 311)
All Source-Collection Requirements Manager (OPM 312)
All-Source Analyst (OPM 111)
Cyber Crime Investigator (OPM 221)
Cyber Defense Analyst (OPM 511)
Cyber Defense Forensics Analyst (OPM 212)
Cyber Defense Incident Responder (OPM 531)
Cyber Intel Planner (OPM 331)
Cyber Operator (OPM 331)
Cyber Ops Planner (OPM 332)
Cyber Policy and Strategy Planner (OPM 752)
Data Analyst (OPM 422)
Exploitation Analyst (OPM 121)
Law Enforcement/Counterintelligence Forensics Analyst (OPM 211)
Mission Assessment Specialist (OPM 112)
Partner Integration Planner (OPM 333)
Research & Development Specialist (OPM 661)
Target Developer (OPM 131)
Target Network Analyst (OPM 132)
Threat/Warning Analyst (OPM 141)

See prerequisites

Need to justify a training request to your manager?

Use this justification letter template to share the key details of this training and certification opportunity with your boss.

Download the Letter

Display times in

Africa/Abidjan

Africa/Accra

Africa/Addis Ababa

Africa/Algiers

Africa/Asmara

Africa/Asmera

Africa/Bamako

Africa/Bangui

Africa/Banjul

Africa/Bissau

Africa/Blantyre

Africa/Brazzaville

Africa/Bujumbura

Africa/Cairo

Africa/Casablanca

Africa/Ceuta

Africa/Conakry

Africa/Dakar

Africa/Dar es Salaam

Africa/Djibouti

Africa/Douala

Africa/El Aaiun

Africa/Freetown

Africa/Gaborone

Africa/Harare

Africa/Johannesburg

Africa/Juba

Africa/Kampala

Africa/Khartoum

Africa/Kigali

Africa/Kinshasa

Africa/Lagos

Africa/Libreville

Africa/Lome

Africa/Luanda

Africa/Lubumbashi

Africa/Lusaka

Africa/Malabo

Africa/Maputo

Africa/Maseru

Africa/Mbabane

Africa/Mogadishu

Africa/Monrovia

Africa/Nairobi

Africa/Ndjamena

Africa/Niamey

Africa/Nouakchott

Africa/Ouagadougou

Africa/Porto-Novo

Africa/Sao Tome

Africa/Timbuktu

Africa/Tripoli

Africa/Tunis

Africa/Windhoek

America/Adak

America/Anchorage

America/Anguilla

America/Antigua

America/Araguaina

America/Argentina/Buenos Aires

America/Argentina/Catamarca

America/Argentina/ComodRivadavia

America/Argentina/Cordoba

America/Argentina/Jujuy

America/Argentina/La Rioja

America/Argentina/Mendoza

America/Argentina/Rio Gallegos

America/Argentina/Salta

America/Argentina/San Juan

America/Argentina/San Luis

America/Argentina/Tucuman

America/Argentina/Ushuaia

America/Aruba

America/Asuncion

America/Atikokan

America/Atka

America/Bahia

America/Bahia Banderas

America/Barbados

America/Belem

America/Belize

America/Blanc-Sablon

America/Boa Vista

America/Bogota

America/Boise

America/Buenos Aires

America/Cambridge Bay

America/Campo Grande

America/Cancun

America/Caracas

America/Catamarca

America/Cayenne

America/Cayman

America/Chicago

America/Chihuahua

America/Ciudad Juarez

America/Coral Harbour

America/Cordoba

America/Costa Rica

America/Creston

America/Cuiaba

America/Curacao

America/Danmarkshavn

America/Dawson

America/Dawson Creek

America/Denver

America/Detroit

America/Dominica

America/Edmonton

America/Eirunepe

America/El Salvador

America/Ensenada

America/Fort Nelson

America/Fort Wayne

America/Fortaleza

America/Glace Bay

America/Godthab

America/Goose Bay

America/Grand Turk

America/Grenada

America/Guadeloupe

America/Guatemala

America/Guayaquil

America/Guyana

America/Halifax

America/Havana

America/Hermosillo

America/Indiana/Indianapolis

America/Indiana/Knox

America/Indiana/Marengo

America/Indiana/Petersburg

America/Indiana/Tell City

America/Indiana/Vevay

America/Indiana/Vincennes

America/Indiana/Winamac

America/Indianapolis

America/Inuvik

America/Iqaluit

America/Jamaica

America/Jujuy

America/Juneau

America/Kentucky/Louisville

America/Kentucky/Monticello

America/Knox IN

America/Kralendijk

America/La Paz

America/Lima

America/Los Angeles

America/Louisville

America/Lower Princes

America/Maceio

America/Managua

America/Manaus

America/Marigot

America/Martinique

America/Matamoros

America/Mazatlan

America/Mendoza

America/Menominee

America/Merida

America/Metlakatla

America/Mexico City

America/Miquelon

America/Moncton

America/Monterrey

America/Montevideo

America/Montreal

America/Montserrat

America/Nassau

America/New York

America/Nipigon

America/Nome

America/Noronha

America/North Dakota/Beulah

America/North Dakota/Center

America/North Dakota/New Salem

America/Nuuk

America/Ojinaga

America/Panama

America/Pangnirtung

America/Paramaribo

America/Phoenix

America/Port-au-Prince

America/Port of Spain

America/Porto Acre

America/Porto Velho

America/Puerto Rico

America/Punta Arenas

America/Rainy River

America/Rankin Inlet

America/Recife

America/Regina

America/Resolute

America/Rio Branco

America/Rosario

America/Santa Isabel

America/Santarem

America/Santiago

America/Santo Domingo

America/Sao Paulo

America/Scoresbysund

America/Shiprock

America/Sitka

America/St Barthelemy

America/St Johns

America/St Kitts

America/St Lucia

America/St Thomas

America/St Vincent

America/Swift Current

America/Tegucigalpa

America/Thule

America/Thunder Bay

America/Tijuana

America/Toronto

America/Tortola

America/Vancouver

America/Virgin

America/Whitehorse

America/Winnipeg

America/Yakutat

America/Yellowknife

Antarctica/Casey

Antarctica/Davis

Antarctica/DumontDUrville

Antarctica/Macquarie

Antarctica/Mawson

Antarctica/McMurdo

Antarctica/Palmer

Antarctica/Rothera

Antarctica/South Pole

Antarctica/Syowa

Antarctica/Troll

Antarctica/Vostok

Arctic/Longyearbyen

Asia/Aden

Asia/Almaty

Asia/Amman

Asia/Anadyr

Asia/Aqtau

Asia/Aqtobe

Asia/Ashgabat

Asia/Ashkhabad

Asia/Atyrau

Asia/Baghdad

Asia/Bahrain

Asia/Baku

Asia/Bangkok

Asia/Barnaul

Asia/Beirut

Asia/Bishkek

Asia/Brunei

Asia/Calcutta

Asia/Chita

Asia/Choibalsan

Asia/Chongqing

Asia/Chungking

Asia/Colombo

Asia/Dacca

Asia/Damascus

Asia/Dhaka

Asia/Dili

Asia/Dubai

Asia/Dushanbe

Asia/Famagusta

Asia/Gaza

Asia/Harbin

Asia/Hebron

Asia/Ho Chi Minh

Asia/Hong Kong

Asia/Hovd

Asia/Irkutsk

Asia/Istanbul

Asia/Jakarta

Asia/Jayapura

Asia/Jerusalem

Asia/Kabul

Asia/Kamchatka

Asia/Karachi

Asia/Kashgar

Asia/Kathmandu

Asia/Katmandu

Asia/Khandyga

Asia/Kolkata

Asia/Krasnoyarsk

Asia/Kuala Lumpur

Asia/Kuching

Asia/Kuwait

Asia/Macao

Asia/Macau

Asia/Magadan

Asia/Makassar

Asia/Manila

Asia/Muscat

Asia/Nicosia

Asia/Novokuznetsk

Asia/Novosibirsk

Asia/Omsk

Asia/Oral

Asia/Phnom Penh

Asia/Pontianak

Asia/Pyongyang

Asia/Qatar

Asia/Qostanay

Asia/Qyzylorda

Asia/Rangoon

Asia/Riyadh

Asia/Saigon

Asia/Sakhalin

Asia/Samarkand

Asia/Seoul

Asia/Shanghai

Asia/Singapore

Asia/Srednekolymsk

Asia/Taipei

Asia/Tashkent

Asia/Tbilisi

Asia/Tehran

Asia/Tel Aviv

Asia/Thimbu

Asia/Thimphu

Asia/Tokyo

Asia/Tomsk

Asia/Ujung Pandang

Asia/Ulaanbaatar

Asia/Ulan Bator

Asia/Urumqi

Asia/Ust-Nera

Asia/Vientiane

Asia/Vladivostok

Asia/Yakutsk

Asia/Yangon

Asia/Yekaterinburg

Asia/Yerevan

Atlantic/Azores

Atlantic/Bermuda

Atlantic/Canary

Atlantic/Cape Verde

Atlantic/Faeroe

Atlantic/Faroe

Atlantic/Jan Mayen

Atlantic/Madeira

Atlantic/Reykjavik

Atlantic/South Georgia

Atlantic/St Helena

Atlantic/Stanley

Australia/ACT

Australia/Adelaide

Australia/Brisbane

Australia/Broken Hill

Australia/Canberra

Australia/Currie

Australia/Darwin

Australia/Eucla

Australia/Hobart

Australia/LHI

Australia/Lindeman

Australia/Lord Howe

Australia/Melbourne

Australia/NSW

Australia/North

Australia/Perth

Australia/Queensland

Australia/South

Australia/Sydney

Australia/Tasmania

Australia/Victoria

Australia/West

Australia/Yancowinna

Brazil/Acre

Brazil/DeNoronha

Brazil/East

Brazil/West

CET

CST6CDT

Canada/Atlantic

Canada/Central

Canada/Eastern

Canada/Mountain

Canada/Newfoundland

Canada/Pacific

Canada/Saskatchewan

Canada/Yukon

Chile/Continental

Chile/EasterIsland

Cuba

EET

EST

EST5EDT

Egypt

Eire

Etc/GMT

Etc/GMT+0

Etc/GMT+1

Etc/GMT+10

Etc/GMT+11

Etc/GMT+12

Etc/GMT+2

Etc/GMT+3

Etc/GMT+4

Etc/GMT+5

Etc/GMT+6

Etc/GMT+7

Etc/GMT+8

Etc/GMT+9

Etc/GMT-0

Etc/GMT-1

Etc/GMT-10

Etc/GMT-11

Etc/GMT-12

Etc/GMT-13

Etc/GMT-14

Etc/GMT-2

Etc/GMT-3

Etc/GMT-4

Etc/GMT-5

Etc/GMT-6

Etc/GMT-7

Etc/GMT-8

Etc/GMT-9

Etc/GMT0

Etc/Greenwich

Etc/UCT

Etc/UTC

Etc/Universal

Etc/Zulu

Europe/Amsterdam

Europe/Andorra

Europe/Astrakhan

Europe/Athens

Europe/Belfast

Europe/Belgrade

Europe/Berlin

Europe/Bratislava

Europe/Brussels

Europe/Bucharest

Europe/Budapest

Europe/Busingen

Europe/Chisinau

Europe/Copenhagen

Europe/Dublin

Europe/Gibraltar

Europe/Guernsey

Europe/Helsinki

Europe/Isle of Man

Europe/Istanbul

Europe/Jersey

Europe/Kaliningrad

Europe/Kiev

Europe/Kirov

Europe/Kyiv

Europe/Lisbon

Europe/Ljubljana

Europe/London

Europe/Luxembourg

Europe/Madrid

Europe/Malta

Europe/Mariehamn

Europe/Minsk

Europe/Monaco

Europe/Moscow

Europe/Nicosia

Europe/Oslo

Europe/Paris

Europe/Podgorica

Europe/Prague

Europe/Riga

Europe/Rome

Europe/Samara

Europe/San Marino

Europe/Sarajevo

Europe/Saratov

Europe/Simferopol

Europe/Skopje

Europe/Sofia

Europe/Stockholm

Europe/Tallinn

Europe/Tirane

Europe/Tiraspol

Europe/Ulyanovsk

Europe/Uzhgorod

Europe/Vaduz

Europe/Vatican

Europe/Vienna

Europe/Vilnius

Europe/Volgograd

Europe/Warsaw

Europe/Zagreb

Europe/Zaporozhye

Europe/Zurich

GB-Eire

GMT

GMT+0

GMT-0

GMT0

Greenwich

HST

Hongkong

Iceland

Indian/Antananarivo

Indian/Chagos

Indian/Christmas

Indian/Cocos

Indian/Comoro

Indian/Kerguelen

Indian/Mahe

Indian/Maldives

Indian/Mauritius

Indian/Mayotte

Indian/Reunion

Iran

Israel

Jamaica

Japan

Kwajalein

Libya

MET

MST

MST7MDT

Mexico/BajaNorte

Mexico/BajaSur

Mexico/General

NZ-CHAT

Navajo

PRC

PST8PDT

Pacific/Apia

Pacific/Auckland

Pacific/Bougainville

Pacific/Chatham

Pacific/Chuuk

Pacific/Easter

Pacific/Efate

Pacific/Enderbury

Pacific/Fakaofo

Pacific/Fiji

Pacific/Funafuti

Pacific/Galapagos

Pacific/Gambier

Pacific/Guadalcanal

Pacific/Guam

Pacific/Honolulu

Pacific/Johnston

Pacific/Kanton

Pacific/Kiritimati

Pacific/Kosrae

Pacific/Kwajalein

Pacific/Majuro

Pacific/Marquesas

Pacific/Midway

Pacific/Nauru

Pacific/Niue

Pacific/Norfolk

Pacific/Noumea

Pacific/Pago Pago

Pacific/Palau

Pacific/Pitcairn

Pacific/Pohnpei

Pacific/Ponape

Pacific/Port Moresby

Pacific/Rarotonga

Pacific/Saipan

Pacific/Samoa

Pacific/Tahiti

Pacific/Tarawa

Pacific/Tongatapu

Pacific/Truk

Pacific/Wake

Pacific/Wallis

Pacific/Yap

Poland

Portugal

ROC

ROK

Singapore

Turkey

UCT

US/Alaska

US/Aleutian

US/Arizona

US/Central

US/East-Indiana

US/Eastern

US/Hawaii

US/Indiana-Starke

US/Michigan

US/Mountain

US/Pacific

US/Samoa

UTC

Universal

W-SU

WET

Zulu

Filters:

Register for FOR589

Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.

FOR589: Cybercrime Intelligence

Course Authors:

Sean O'Connor

Will Thomas

Conan Beach

What You Will Learn

FOR589: Cybercrime Intelligence will help you:

FOR589 Cybercrime Intelligence Course Topics

What Is Cybercrime Intelligence?

Business Takeaways

Skills Learned

Hands-On Cybercrime Intelligence Training

What You Will Receive

Syllabus (30 CPEs)

FOR589.1: The Cybercriminal Intelligence Lifecycle

Overview

Exercises

Topics

FOR589.2: The Cybercriminal Underground

Overview

Exercises

Topics

FOR589.3: Cryptocurrency Investigations

Overview

Exercises

Topics

FOR589.4: Undercover Operations & Countermeasures

Overview

Exercises

Topics

FOR589.5: Capstone

Overview

Topics

Prerequisites

Laptop Requirements

Important! Bring your own system configured according to these instructions.

MANDATORY FOR589 SYSTEM HARDWARE REQUIREMENTS

MANDATORY FOR589 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS

PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:

Author Statement

Ways to Learn

Who Should Attend FOR589?

Need to justify a training request to your manager?

Filters:

Register for FOR589

Loading...