Exploring Information Security


SANS SEC487 Open-Source Intelligence Gathering and Analysis

Snow in McLean, VA

Last week I had the pleasure of attending the brand new SANS course for OSINT in McLean, VA. The creator of the course, Micah Hoffman, has been on the podcast a few times and is someone I consider a friend. He'll make his fourth appearance in a future episode on the topic of the SEC487 course. I wanted to take this opportunity to give some impressions of the course, while it's still relatively fresh.

Micah created videos for help with the labs as part of the course. This was one candid moment from those videos.

Simply put, the course is fantastic. I recommend it for those with OSINT experience and those without. I have some OSINT experience. As part of my job, I've investigated internal and external people. Working in a Security Operations Center (SOC) for the State of South Carolina, I did a lot of OSINT looking up IP addresses, URLs, and various other things. I've used it to figure out if a marketing or technical recruiter email is legitimate. I've used it in job hunting.

I still took quite a bit away from the course. I took 18 pages of notes. Another project idea came out of the course, OSINT for the Blue Team. I couldn't wait to get back to work to start building out some OSINT standard operating procedures (SOPs). I've already taken my notes and built out a resource page for others to use.

I got to build my first sock puppet. Work on better documentation (I love mindmaps for documentation!). I used Tor for the first time and visited the "dark web." Got a ton of new tools and resources to check out. I'm excited to start using Hunchly and Spiderfoot as part of my processes. The capture the flag (CTF) on day six was fun and engaging.

We laughed a lot. If you're in the area, I recommend Super Chicken and the food trucks on Pinnacle Drive. Center of the Universe brewing has got some really good beer. Which reminds me, Untappd is a gold mine for OSINT. I got to see snow (see above)! Best of all, I got to see Micah teach a five-day course on one leg. He got really good at the three-point turns towards the end of the week.


The course was a beta, so it had its rough moments. Those were rare. Most of the feedback I had was for improving the course. Moving content to earlier in the week rather than later. Maybe doing a little less on this topic here or more of that topic there. The course is solid and it's only going to get better.

Future dates include:

  • Denver, CO - May/June 2018 (not listed yet)

  • Baltimore, MD - September 10-15, 2018

  • Las Vegas, NV - September 23-28, 2018

  • Singapore, Singapore - October 22-27, 2018


This blog post first appeared on Exploring Information Security.