This year at Black Hat, I’ll be teaching a new class as a follow-on to my popular Cyber Defense Bootcamp class. During the Cyber Defense Bootcamp class (2010 – 2012), the focus was to provide new enterprise defenders with the hands-on training they would need to start investigating incidents. The class covered everything from open source analysis and network forensics to device forensics and malware analysis. The premise was that, much like in the military, new recruits don’t start with a tank; they need to learn all kinds of basics to do their job. Throughout the various classes, the students learned quite a bit about what it takes to identify and analyze an incident in the context of a security operations center.
Since joining CrowdStrike, I’ve been spending a lot of time focused on intelligence-driven security as a component of active defense. As a result of this focus and the intent of keeping fresh material at Black Hat, I have designed a new class called Cyber Intelligence F3EAD. I’m extremely passionate about the need for intelligence-driven security and the over-arching concept of active defense, which CrowdStrike has been intently focused on, and I look forward to working with students at Black Hat USA. The course description follows for those who are looking for a new, innovative class for this year’s training.
The U.S. Special Operations Forces pioneered a methodology called F3EAD, which enabled, among other things, the ability to take out insurgent and terrorist networks. This methodology focuses on “Finding” the adversary, “Fixing” their location, “Finishing” their operational utility, and collecting the materials associated with the target. This material is then “Exploited,” or used to extract operational details of the network they are associated with, “Analyzed” for intelligence that is useful to find other targets, and “Disseminated” for other friendly forces to conduct operations.
This class focuses on adapting the F3EAD method to the cyber battlefield: viewing that battlefield from the 50,000-foot level and piecing together all aspects of the cyber adversary’s operations.
From what altitude are you viewing the cyber battlefield?