#1 Senior Member (Arizona (not a native); joined Aug 2016; 103 posts)
Certifications: CISSP, CASP, GCFA, C|EH v8, C|NDA, RDRP (Registered DoD RMF Practitioner), Sec+, MCSE-NT4, A+

GCTI / SANS FOR 578

    For anyone who has taken SANS FOR 578, Cyber Threat Intelligence...

    How tool centric is FOR 578? I just finished FOR 508 online, on-demand and it felt as if it were 75% tools, 25% or less concepts. There were 4 books (and a lab book --- book 5) for FOR 508. Tools seemed to make up almost all of 2 books, and 1/2 of the other 2 books.

    I'm also thinking about taking the Carnegie Mellon SEI online training in threat intelligence because it's cheaper and may be less tool centric.

    Are there any FOR 578 alumni who can provide a little feedback?

    Thank you.
#2 Junior Member (Singapore; joined Sep 2016; 23 posts)
Certifications: GNFA, GCED, GCIH, ITIL v3
I'm looking to take GCTI next. Would also love any feedback from whoever has taken it.

#3 Senior Member (Arizona (not a native); joined Aug 2016; 103 posts)
Certifications: CISSP, CASP, GCFA, C|EH v8, C|NDA, RDRP (Registered DoD RMF Practitioner), Sec+, MCSE-NT4, A+
    Have you taken SANS FOR 578? The SIFT Workstation is included with the On Demand materials, so I'm assuming the course (and exam) could be tool heavy.

    According to the SANS/GIAC US web site, the GCTI test won't be released until late December 2017. You'll be waiting a few weeks for feedback unless it comes out earlier in other parts of the world. [I'm trying to be less of an ugly American, but sometimes I forget.]

#4 Junior Member (Singapore; joined Sep 2016; 23 posts)
Certifications: GNFA, GCED, GCIH, ITIL v3
Not yet. I am looking to take FOR578 next, or FOR500/FOR508. Did you particularly enjoy 508 or find it useful? When you mentioned tool-centric, is it the SIFT workstation and the bundled tools inside?

    I have a voucher that I need to use before April 2018 and like yourself still waiting for the exams to be released.

#5 Senior Member (Arizona (not a native); joined Aug 2016; 103 posts)
Certifications: CISSP, CASP, GCFA, C|EH v8, C|NDA, RDRP (Registered DoD RMF Practitioner), Sec+, MCSE-NT4, A+
    I did not enjoy the tool-centric focus of FOR508. I don't do hands-on forensics work, so I am now vaguely acquainted with a whole bunch of Windows forensics tools. FOR508 covers SIFT workstation and some of its many, many tools. FOR508 also recaps some FOR408 content, so there's no need to take FOR408 first.

    I asked SANS about FOR578 and whether it was as tool-centric as FOR508. SANS said it's just a handful of tools in FOR578.

#6 Member (Dallas, TX; joined Sep 2015; 61 posts)
Certifications: GCTI, GNFA, GCFA, GCIH, Sec+
    I finished FOR578 recently and I honestly was very disappointed!

The course needs to mature more, I believe, as the topic itself is still a new trend. If you took 508 (or any other course that revolves around threat hunting, really) then there's a lot of overlap really..

It goes into teaching from the strategic level to the technical, tool-based level. (The strategy and context building part was the eye opener really; the rest is everyday business for you if you ever dealt with CTI) ..

I believe the course could be compressed into a two-day course and it would be great that way! And I'd take it again even!

I'd say if that happens (becomes 2 days or 3), or at least after waiting for another year for it to mature a bit, then go for it (especially if you're planning to integrate CTI as a serious part of your organization).


    Best of luck!
    Last edited by al88; 12-15-2017 at 07:45 PM.

#7 Senior Member (Tampa, FL; joined Feb 2015; 314 posts)
Certifications: GPEN/GCIH/OSWP
So do either of these courses (508/578) cover how to build and execute threat hunting?

#8 Junior Member (Singapore; joined Sep 2016; 23 posts)
Certifications: GNFA, GCED, GCIH, ITIL v3
I think it's because FOR578 is fairly new and they need time to mature. Feedback, I think, will help a lot.
Are you planning to sit for the exam?

#9 Member (Dallas, TX; joined Sep 2015; 61 posts)
Certifications: GCTI, GNFA, GCFA, GCIH, Sec+
Quote Originally Posted by SaSkiller:
> So do either of these courses (508/578) cover how to build and execute threat hunting?

They both do (508 has a chapter, and the whole course is about threat hunting "indirectly").. I guess it depends on what your definition of threat hunting is.

578 obviously covers it, but the whole scope of it.. reading APT reports, extracting info, building your own.. etc.

If you are taking it to the next level from both Offensive (GPEN) and Defensive (GCIH), I highly recommend you go 508; it will teach you how to catch movement/malicious activities OR avoid being caught.

508 is by far the best course I took!

#10 Member (Dallas, TX; joined Sep 2015; 61 posts)
Certifications: GCTI, GNFA, GCFA, GCIH, Sec+
Quote Originally Posted by yomista:
> I think it's because FOR578 is fairly new and they need time to mature. Feedback, I think, will help a lot.
> Are you planning to sit for the exam?

I sure hope so. I got an email that the material changed from the time I took it.. I don't know how that would affect my chances in the exam :/

#11 Junior Member (Singapore; joined Sep 2016; 23 posts)
Certifications: GNFA, GCED, GCIH, ITIL v3
Quote Originally Posted by al88:
> I sure hope so. I got an email that the material changed from the time I took it.. I don't know how that would affect my chances in the exam :/

Please let me know what you think of it. All the best!

#12 Member (joined Jan 2014; 39 posts)
Certifications: CISSP, eJPT, OSWP, GCIH, eNDP, GICSP, GPEN, GCTI, eCPPT, GCFA, eCTHP, GRID, GCFE, GCWN
Quote Originally Posted by al88:
> I sure hope so. I got an email that the material changed from the time I took it.. I don't know how that would affect my chances in the exam :/

I finished the exam this morning and passed.
With materials that were taught in Q3 '16.
I felt I was "missing" things with some of the questions ...

    Anyway,

I kind of disagree with you about the coverage of the course material (although that might be due to my third point and conclusion).
If you're looking for material that shows you how to deal with intelligence and how to start off creating your own products in this realm, I sincerely believe that this course does offer you what you need.
    If you look at it from the perspective of a semi-tech analyst that is not directly involved in the monitoring, incident handling or other CSOC related functions, but has to provide the context, the relationships with previous or other campaigns, providing the bigger picture in order to prioritize tasks, budget and even areas of interest, then again, I honestly believe this course provides what you need.

I'm currently taking the eLearnSecurity THP as well, and although there are overlaps (it would be weird if there weren't), the eLS is more practical-oriented and is thus more of interest for those involved in the tactical/operational side, but it lacks the background of an incident handler or network analyst. I haven't done the 508, but these two may resemble each other.

    cheerz