I had a great week attending the OSINT SEC487 training conducted by SANS here in Singapore. Initially i wanted to take the SANS Cyber Threat Intelligence FOR578 training as my current field of work is exactly that however, due to schedule and commitment, i couldn't sign up for it. But as I was going through the list of available training that could benefit and enhance my daily job, i stumbled into this OSINT course and thought this could definitely help for my everyday investigation. You see, part of my job is to analyse threat actors, their IOCs, researching about their TTPs and all those CTI stuffs using open source and tools to deliver the work. So when i saw the modules of this training, I knew this would be something that would definitely benefit my current scope of work.
Micah Hoffman (@webbreacher) the OSINT trainer
The wallpaper of the VM provided for the training
I thoroughly enjoyed the training and Micah was a great trainer, well spoken and easily understood. In spite of me doing OSINT and applying it during my work and personal research since 2013, I learned a handful of new things, new techniques and new features of every day things we rely on during the course of training. I would definitely recommend anyone who wants to have an understanding of OSINT especially if you are in the field where you have to rely on open source resources, fundamentals of the deep and dark net and a feel of finding information legally without hacking. One should consider having this training. I do hope SANS would consider exploring an advance version of this expanding its 'sock puppet' technique into a full cyber HUMINT for intelligence collection, gathering, analysis and reporting as a module.
While the training is all fun and good, I was greatly looking forward for the sixth day Capture the Flag event! That's when you get to apply the techniques you learned and apply them AND if you do well, the winning team will get the rare SANS coin.
The SANS SEC487 CTF winner coin
The CTF on the sixth day was a tough one. It wasn't straight forward. You don't know if the answer you found was the right answer and the good thing was you can use whatever technique you learned to find them. The more you think out of the box, the more ways you are able to expand your findings. To win this CTF was not just by doing well but you need to present your findings to everyone and eventually be voted by everyone. In that manner, it was indeed a tough process to win. Imagine thinking you have done well but eventually not voted as the winner. So yeah, tough one!
So after a full five hours of 'find, research, analyse, recommend and report' I was happy that our team - all very passionate in their tasks were able to be voted the winner!
The winning team posing with the trainer
This is my third SANs training and the third time winning their sixth day CTF challenge! The last time was way back in 2013!
SANs 560 (GPEN), 542 (GWAPT) and 487 (OSINT) CTF coins.
Blogposts on past SANs CTF experiences:
http://securityg33k.blogspot.com/2013/09/sans542-gwapt-ctf-won.html
http://securityg33k.blogspot.com/2013/11/sans-560-gpen-training-and-ctf-event.html
http://securityg33k.blogspot.com/2014/01/sans-holiday-hack-challenge-2013.html