Location
World or Multi-Regional
Training topics
  • Cybersecurity
Training type
Online instructor led
Languages
  • English
Event organizer
NRD Cyber Security
Event mail contact
rj@nrdcs.lt
Partners
  • Supported by Global Gateway
Tutors
  • Vilius Benetis
Coordinators
  • Angel Draev
  • Rūta Jašinskiene
Price
$0.00
Course level

Intermediate


Description

This comprehensive training program is tailored to provide attendees with practical analyst skills in Cyber Threat Intelligence (CTI) using MISP, one of the most widely used Threat Intelligence Platforms (TIPs) in the field. MISP is a powerful open-source threat intelligence platform that organizations can use to store, share and receive information about malware, threats, and vulnerabilities in a structured way. Participants will examine the logic of the different tasks analysts do and immerse themselves in real-world scenarios to understand how responder teams effectively leverage CTI through MISP. They will learn how to extract valuable insights from intelligence feeds and master the formulation of strategic questions to maximize organizational benefits. Additionally, the added value of contributing to the TIP will be covered, teaching participants how to create queries and share intelligence effectively. With a dedicated emphasis on intelligence sharing, students will gain crucial insights into what, how, and to whom information can be shared for various purposes. Access to the MISP platform will be provided, allowing participants to practice and complete homework assignments designed to reinforce their learning.

This training course is intended for incident response specialists and managers who are working in a SOC or CSIRT.

The training courses are open for applications from all interested professionals, irrespective of their race, ethnicity, age, gender, religion, economic status and other diverse backgrounds. We strongly encourage registrations from female applicants, and applicants from developing countries (includes least developed countries, small island developing states, landlocked developing countries). 

At least basic knowledge of cybersecurity and of the threat analyst job role.

Upon completion of this course, participants will be able to:  

  • Argue about the activities a cyber threat analyst performs.

  • Quantify the practical value of CTI in their own daily operations.

  • Formulate questions to research in CTI datasets.

  • Plan the justification and creation/collection of their own CTI datasets.

  • Use MISP for situational awareness and the most common cyber threat intelligence tasks.

  • Encode typical cyberthreat artifacts into MISP (e.g. scams, phishing, impersonation, technical attacks).

The course consists of 8 modules and is divided into 4 online sessions, one session per week.  An online session lasts 3 hours with a 15-minute break.  

The first three sessions end with a practical task to be completed at the student's convenience before the next session, i.e. within one week.

Participants will be given access to the MISP CTI platform, where they will be able to not only complete the assignments, but also practice alongside the assignments to gain a better understanding of how it works and its benefits. 

All necessary course materials and additional resources (if any) will be provided through the ITU Academy platform. 

To ensure maximum engagement and retention, the 4MAT teaching methodology will be utilized in all sessions. This involves interactive discussions on a topic, practical exercises, discussions to identify learning points, and individual notetaking to reflect on relevant habits that can be changed moving forward. At the end of each day, a review will be conducted to reinforce the key takeaways.

Students will be graded on whether or not they have completed the assignments (60% of the total, 20% per assignment) and on their active participation in the lectures (max. 40% for lecture attendance, 10% per lecture). 

A total score higher than 70% is required to obtain the ITU certificate. 

Module 1 Introduction to CTI – where it fits according to the CSIRT services framework

Key learning points

  • Introduction to and discussion about Cyber Threat Intelligence, its definition and purpose.
  • Intelligence Lifecycle (direction, collection, processing, analysis, dissemination, evaluation).  

Training activities details

Lecturing, discussions 

 

Module 2 Situational Awareness service design and stakeholder mapping  

Key learning points

  • CTI “location” in different service models – FIRST.org CSIRT services, SOC-CMM. What to expect from CTI and how it facilitates CSIRT operations.
  • Introduction to the MISP tool and interface 
  • Practicing searching in MISP 

Training activities details

  • Lecturing, discussions 
  • Practical assignment (homework) 

Module 3 Value of CTI technology  

Key learning points

  • CTI Outputs and deliverables, MISP examples 
  • Typical CTI samples to understand their practical applications. 

Training activities details

Lecturing, discussions 

 

Module 4 CTI data modelling  

Key learning points

  • Data structures of CTI – STIX, MISP Objects, Galaxies, Tags 
  • Encoding a simple threat intelligence instance
  • Utilize internal and external threat intelligence feeds within MISP. 

Training activities details

  • Lecturing, discussions 
  • Practical assignment (homework) 

 

Module 5 Processes and workflows of Situational Awareness 

Key learning points

  • Typical activities and workflows of a CTI analyst
  • Challenges of a CTI analyst

Training activities details

Lecturing, discussions 

 

Module 6 Cyber events encoding into CTI platform 

Key learning points

  • Methods to decompose different cyberthreat events (scam, phishing etc.) into data structures 
  • Encoding scams and phishing into MISP

Training activities details

  • Lecturing, discussions 
  • Practical assignment (homework) 

 

Module 7 Different MISP usages 

Key learning points

  • Learning how different organizations are using MISP and other CTI platforms 
  • Lecturing, discussions 

Module 8 Sharing of CT 

  • Facilitating the exchange of Indicators of Compromise among trusted communities.  
  • Understand different sharing models in MISP (private, community, public). 
  • Configure secure sharing of CTI data with trusted partners. 

Training activities details

Lecturing, discussions 

 
