The GIAC Cyber Threat Intelligence (GCTI) certification is designed to validate the knowledge and skills of practitioners in the field of cyber threat intelligence. The certification covers strategic, operational, and tactical aspects of cyber threat intelligence, including open-source intelligence, intrusion analysis, attribution, and data collection. The GCTI certification is targeted towards incident response team members, threat hunters, security operations center personnel, information security practitioners, experienced digital forensic analysts, federal agents, and law enforcement officials.
The exam format includes a proctored exam with 75-82 questions to be completed in 2-3 hours and a minimum passing score of 71%. The exam assesses candidates on various objectives, such as analysis of intelligence, campaigns, and attribution, collecting and storing data sets, intelligence application, intelligence fundamentals, kill chain, diamond model, courses of action matrix, malware as a collection source, pivoting, and sharing intelligence.
GIAC has introduced CyberLive testing, a hands-on, real-world practical testing environment where candidates demonstrate their knowledge using actual programs, code, and virtual machines. This approach aims to provide practical testing that validates both knowledge and hands-on skills.
The certification exam is web-based and proctored, with remote proctoring through ProctorU and onsite proctoring through PearsonVUE. Certification attempts are activated after approval, and candidates have 120 days to complete the exam from the date of activation.
In addition to the course offered through SANS, GIAC recommends other resources for preparation, including live training, OnDemand courses, practical work experience, college-level courses, self-paced study, and practice tests. The practice tests are simulations of the real exam to familiarize candidates with the test engine and question style. GIAC emphasizes the importance of leveraging multiple study methods for effective test preparation.
Difficulty: 3 out of 5.
Attended the SANS FOR578 course offering in 2022.
The course provides a solid overview of what type of work to expect and best practices for CTI Analysts.
I will not provide an overview of the taught material as it is publicly available on the SANS site.
I find myself often reaching for my course materials to either improv my analytical processes or confirm I am on target with best practices.
The course will not, and should not be expected to, match how your organization handles CTI. Instead it should be looked at as a great overview of the various techniques and methods to be used as tools in the CTI toolbox alongside practical examples.
There are some tools covered but they are only the tip of the iceberg.
The hands-on experience via labs and teamwork are great and should serve to provide an excellent foundation for your analytical process.
Difficulty: 1 out of 5.
GIAC Cyber Threat Intelligence (CTI) is a course that's great in theory, but fails in practice. Geared as THE course to take for future CTI analysts, really this class is to make others aware of what intelligence analysts in cyber already doing for you. If you come from an intelligence background, the last 60% of this course will be great if you're not technical. If you come from a technical background, the first 40% is going to be great. But if you already have both backgrounds, then almost none of the course is going to be helpful to you.
However if your CTI analysts are just giving you some observables without any context or they're struggling to find relevance within your organization, then they need to go through this course.
As a free alternative, check out Kaite Nickel's blog on how to get started with CTI:
- https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-1-968b5a8daf9a
- https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-2-d04b7a529d36
Pros
- You don't actually need the prerequisites that they list. This is more of a 3XX or 4XX level class.
- Some really good techniques taught to use within a cybersecurity team, e.g. Indicator of Compromise lifecycle
- Great for non-intelligence personnel
- Provide tips on how to identify high-quality intel and low-quality intel
Cons
- Cost
- The capstone isn't worth the time and effort if you're not doing the In-Person or Live Online options
- An idea stretched thin
- Needs more material spent on putting products together in different ways.
- Unlikely that this course/certification is going to get you hired
Difficulty: 2 out of 5.
Masquerading as a non-technical, theory-heavy course in an otherwise technical institution, GIAC Cyber Threat Intelligence (GCTI) and its corresponding FOR578 course are the hidden gems of SANS Institute. Out of the 12 different SANS courses I have sat for, this is one of two that I would recommend wholeheartedly for professionals across nearly all information security domains, and especially for those who work roles that produce or leverage Cyber Threat Intelligence (CTI). That means incident responders, threat hunters, malware analysts, red teamers, and, most importantly, threat intelligence analysts themselves.
Why? Because FOR578/GCTI is an intelligence analysis course, written to address the challenges of producing, leveraging, and analyzing intelligence in information security. That means changing the way students think about cyber attacks, how to precisely differentiate them from one another, and how to respond to them. Perhaps most importantly, the course seeks to demystify overarching concepts like Advanced Persistent Threats (APTs), and to see them as sequences of intrusions, clusters of activity, and patterns of campaigns. The class is explicitly concerned with winning "the long game", and teaching students how to thwart the objectives of offensive cyber operations by correlating details that are very, very difficult to conceal or obfuscate
Additionally, the delivery of the material is top-notch - Robert M. Lee is an engaging and very funny personality. The exam is not designed to break you, but to ensure you think about CTI the way that the class material reinforces you to.
All of this in mind, it does come with several caveats.
1. As of 2023, the price of FOR578/GCTI is somewhere in the range of $9K. No information security training - not a single one of them - is worth this kind of expense out of pocket. I still recommend it to organizations with substantial training budgets. More on that below.
2. Who is the class actually for? FOR578/GCTI is a non-technical course made for technical professionals. If you are involved in a technical roles across incident response, threat hunting malware analysis, and yes, even red teams, then FOR578/GCTI is for you. If you are a CTI analyst - even a junior one or a non-technical one - then you should absolutely seek to take the course at the expense of your employer, or, if at all possible, at the discounted rate SANS Institute provides to its assistants. If you are a non-technical intelligence professional interested in cross-applying your skillset to the world of cyber threat intelligence, this is class to take.
3. This is a course that expects you to go into it with an open mind. It calls out common misconceptions, points at poor threat intelligence practices, and it comes with opinions of its own. Make an active effort to leave it with a significantly different perspective than when you entered. Really attempt to understand the terminologies in the early hours of the course - they will force you to think about information security challenges much differently, and you will be a better information security professional because of it.
