Okay so this encouraged me to write another big article which is kinda off topic, but you can save this in Notepad IF you find it informative. Which I highly doubt lol
So what is Threat Intelligence and why are people going crazy about it?
Threat Intelligence is another buzzword created by vendors, like they did with APTs.
What are APTs then?
APTs are a bunch of people hired to hack your organization constantly, 24 hours a day, until they succeed.
Okay, now what is Threat Intelligence then?
Well, it's all about knowing your adversaries. Consider this scenario:
If you eat a fish and you die or get sick, and the next day you eat another fish and you don't get sick, you go out and tell other people not to eat fish of that colour/kind because they might get sick. So the people around you listen to this and tell their families that this fish is to be avoided.
That's exactly what Threat Intelligence is.
So in short, you lurk around the dark web, Facebook and articles like Krebs on Security, create IOCs and inject them into your SIEM.
And that's what they teach you in SANS 578: how to create IOCs.
So we don't have the SANS 578 course.
How to learn Threat Intelligence then? Or how to be an expert at Threat Intelligence?
Actually, YOU CANNOT.
You are doing a job which your antivirus vendor is already doing; can you do a better job than them? Think about it this way: you go in and watch an APT and create some IOCs. To create an IOC you will read an APT report (which I will come to a little bit later). So you read an APT report and extract IOCs from it; at this rate you create 10+ IOCs in one day.
And at your antivirus vendor's company at least 200+ people are working on writing signatures.
CAN YOU BEAT THEM? Hell no. That's why I don't consider individual Threat Intelligence skills that much worthy. They are worthy, but not as much as people think, as if an analyst or expert analyst can save them from being hacked.
That's the theory part; let's come to the bread and butter of the practical world.
If you look at the blueprint of SANS 578, they teach you:
1- How to create IOCs from scratch
2- How to create IOCs from APT reports
3- Using VirusTotal Threat Intelligence to create IOCs
The first one can be found in the SANS 508 course.
Another one can be found in the APT reports themselves: read the paper and create your signature using the information you assess yourself (this comes with time).
The third one can be found in the Pluralsight Threat Intelligence course.
Courses to study (MUST)
Pluralsight Threat Intelligence (Must READ)
SANS 508 course (I highly recommend using the printed books)
SANS 599 (print those books at some cheap printer shop)
In SANS 599 you will learn about APT terms, YARA, and the Cuckoo sandbox to create IOCs.
Using Redline or Volatility you can match IOCs, or with Cisco Firepower they have an option to inject feeds.
And here are some very informative videos to watch
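As an added example (not code from the original post) of the "create IOCs from APT reports" part and the YARA bit above: a small Python script that pulls hashes, IPs and domains out of APT-report-style text, refangs and de-duplicates them, and wraps the network indicators in a YARA rule you could feed to a scanner or SIEM. The report text and every indicator in it are constructed placeholders, and the `refang`, `extract_iocs` and `to_yara` names are my own.

```python
"""Pull IOCs out of APT-report-style text and turn them into a YARA rule.
Added example, not from the original post: the report and every indicator in
it are constructed placeholders (documentation IP/domain), not real IOCs."""
import re
from collections import defaultdict

REPORT = """
The dropper reached hxxp://update-check[.]example[.]com/login and then
203[.]0[.]113[.]45 over TCP 443.  Payload dropper.exe:
  MD5    0123456789abcdef0123456789abcdef
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
The same C2 showed up as UPDATE-CHECK.EXAMPLE.COM in a second sample.
"""

# Reports "defang" indicators so readers do not click them; undo that first.
_DEFANG = [(r"hxxp", "http"), (r"\[\.\]", "."), (r"\(\.\)", "."), (r"\[dot\]", ".")]
_PATTERNS = {
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}
# Crude filter so file names like dropper.exe are not taken for domains
# (a production extractor would check the last label against a TLD list).
_FILE_EXTS = {"exe", "dll", "php", "doc", "docx", "pdf", "zip", "js"}

def refang(text: str) -> str:
    for pattern, repl in _DEFANG:
        text = re.sub(pattern, repl, text, flags=re.I)
    return text

def extract_iocs(report: str) -> dict:
    """Return {kind: sorted unique indicators}, normalised to lowercase."""
    text, found = refang(report), defaultdict(set)
    for kind, pattern in _PATTERNS.items():
        for value in pattern.findall(text):
            value = value.lower()
            if kind == "domain" and value.rsplit(".", 1)[-1] in _FILE_EXTS:
                continue
            found[kind].add(value)
    return {kind: sorted(values) for kind, values in found.items()}

def to_yara(name: str, iocs: dict) -> str:
    """Emit a YARA rule that fires on any extracted domain or IP string."""
    lines = [f'        ${kind}{i} = "{v}" ascii wide nocase'
             for kind in ("domain", "ipv4") for i, v in enumerate(iocs.get(kind, []))]
    if not lines:
        raise ValueError("no network indicators to build a rule from")
    return (f"rule {name}\n{{\n    strings:\n" + "\n".join(lines)
            + "\n    condition:\n        any of them\n}")
```

Running `extract_iocs(REPORT)` gives one domain, one IP and the two hashes (the upper-case repeat of the C2 collapses into the same entry), and `to_yara("constructed_apt_sample", extract_iocs(REPORT))` prints the rule; hashes are left out of the rule strings because YARA matches those via its hash module, not as text.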