This training course is intended for incident response specialists and managers who are working in SOC or CISRT. 

The training courses are open for applications from all interested professionals, irrespective of their race, ethnicity, age, gender, religion, economic status and other diverse backgrounds. We strongly encourage registrations from female applicants, and applicants from developing countries (including least developed countries, small island developing states, and landlocked developing countries).

Members of the above-mentioned target population are invited to apply for the training if they meet the following criteria:

• Have basic knowledge on cyber threat Intelligence or an analyst job role.
• Possess a fluent level of English.
• Complete the application questionnaire and attach an up-to-date CV

Government officials and policymakers from developing countries, particularly women, are encouraged to apply. Selection will be conducted by the course organizers, who will consider the above entry requirements along with an analysis of the applications.

The number of available places is limited to 30 in this course.

Upon completion of this course, participants will be able to: 

• Argue about activities cyber threat analyst is doing.
• Quantify own practical value of CTI in daily operations.
• Formulate questions to research in CTI datasets.
• Plan justification and creation/collection of own CTI datasets.
• Use MISP for situational awareness, most common cyber threat intelligence tasks. 
• Encode typical cyberthreat artifacts into MISP (for ex. scams, phishing, impersonation, technical attacks).

The course includes 8 modules, delivered over 4 online sessions—one session each week. Each session will last for 3 hours with a 30-minute break.

The first three sessions will conclude with a practical task, which students are to complete at their own pace before the following session, within one week.

Participants will receive access to the MISP CTI platform, enabling them to complete assignments and practice alongside the coursework to deepen their understanding of the platform's functionality and benefits. All course materials and any additional resources will be provided via the ITU Academy platform.

To maximize engagement and retention, all sessions will follow the 4MAT teaching methodology. This approach includes interactive discussions, practical exercises, learning-point identification, and individual reflections on habits for future improvement. Each session will conclude with a review to reinforce the key takeaways.

The dates and times of the online sessions are as follows:

• Session 1: 20 January 2025, 12:00 PM CET
• Session 2: 27 January 2025, 12:00 PM CET
• Session 3: 3 February 2025, 12:00 PM CET
• Session 4: 10 February 2025, 12:00 PM CET

Participants will be evaluated based on their completion of course assignments and active participation in lectures. The grading structure is as follows:

• Assignment 1: 20%
• Assignment 2: 20%
• Assignment 3: 20%
• Attendance in Session 1: 10%
• Attendance in Session 2: 10%
• Attendance in Session 3: 10%
• Attendance in Session 4: 10%

A total score of more than 70% is required to receive the ITU certificate.

• Module 1: Introduction to Cyber Threat Intelligence (CTI)
  • Sessions/Topics Covered: Overview of CTI and its role within the CSIRT services framework.
  • Key Learning Points:
    • Understanding Cyber Threat Intelligence, its definition, and purpose.
    • Introduction to the Intelligence Lifecycle, covering direction, collection, processing, analysis, dissemination, and evaluation.
• Module 2: Situational Awareness Service Design and Stakeholder Mapping
  • Sessions/Topics Covered: Service models, stakeholder mapping, and the MISP tool.
  • Key Learning Points:
    • Understanding CTI's position in various service models (FIRST.org CSIRT services, SOC-CMM).
    • Expectations from CTI and its role in supporting CSIRT operations.
    • Introduction to the MISP tool interface and practicing searches within it.
• Module 3: Value of CTI Technology
  • Sessions/Topics Covered: CTI outputs and deliverables, examples from MISP.
  • Key Learning Points:
    • Recognizing valuable CTI outputs and deliverables.
    • Reviewing CTI samples to understand practical applications.
• Module 4: CTI Data Modelling
  • Sessions/Topics Covered: CTI data structures and encoding.
  • Key Learning Points:
    • Data structures used in CTI, including STIX, MISP Objects, Galaxies, and Tags.
    • Encoding a basic threat intelligence instance.
    • Utilizing internal and external threat intelligence feeds within MISP.
• Module 5: Processes and Workflows of Situational Awareness
  • Sessions/Topics Covered: CTI analyst activities and workflows.
  • Key Learning Points:
    • Typical activities and workflows of a CTI analyst.
    • Identifying challenges faced by CTI analysts.
• Module 6: Cyber Events Encoding into CTI Platform
  • Sessions/Topics Covered: Techniques for encoding cyber threat events.
  • Key Learning Points:
    • Methods for decomposing cyber threat events (e.g., scams, phishing) into data structures.
    • Encoding scams and phishing incidents within MISP.
• Module 7: Different MISP Usages
  • Sessions/Topics Covered: MISP usage across various organizations.
  • Key Learning Points:
    • Learning how different organizations use MISP and other CTI platforms.
• Module 8: Sharing of CTI
  • Sessions/Topics Covered: Sharing Indicators of Compromise (IoCs) within trusted communities.
  • Key Learning Points:
    • Understanding different sharing models in MISP (private, community, public).
    • Configuring secure sharing of CTI data with trusted partners.