FOR589: Cybercrime Intelligence — SANS DFIR Course coming in 2024

FOR589: Cybercrime Intelligence — SANS DFIR Course coming in 2024

Learn to traverse the cyber underground, social engineer cybercriminals and investigate illicit cryptocurrency activity. Learn the skills needed to collect, analyze and take action on cybercrime intelligence.

The cybercrime threat landscape continues to rapidly evolve due to technological advancements, increased investments in offensive cyber operations from nation-states, and a cybercriminal ecosystem that breeds new threat actors every day. “The cybercriminal underground plays a big part in the overall threat landscape as it has lowered the barriers to entry for less-sophisticated criminals to collaborate with advanced ones” says SANS FOR589 author and course lead Sean O’Connor. This is especially true in the case of ransomware, which in recent years has seen an explosion in adoption due to Ransomware-as-a-Service (RaaS) operations and the massive increase in cryptocurrency ransom payments by victims.” Although there are many legitimate use cases for the dark web, cryptocurrencies, and the blockchain, this course will focus exclusively on criminal use cases and how to generate cybercrime intelligence from them.

This course will cover how to map infrastructure, analyze capabilities, and uncover the victims of cybercrime, as well as attribute operations to the cybercriminal adversaries behind the keyboard. Students will learn all about the dark web economy, trace, and attribute cryptocurrency transactions, and understand money laundering schemes. This course also teaches students how to perform undercover operations, including how to create sock puppet accounts, interact with threat actors, and how to infiltrate underground communities. Participants will gain hands-on experience with various cybersecurity tools and work on real-life case studies to detect, analyze, and mitigate cyber threats as well as understand the scope, scale, and impact of organized cybercrime. This course is ideal for security professionals, law enforcement officers, and anyone interested in the intricacies of cybercrime intelligence and countermeasures.

Authored by Sean O’Connor, Will Thomas & Conan Beach, the new FOR589: Cybercrime Intelligence course will teach you how to effectively anticipate, prevent, and mitigate potential cybercrime threats, while also helping law enforcement agencies and governments to combat cybercrime and prosecute cybercriminals. FOR589 offers an in-depth understanding of the cybercrime underground and covers the wide variety of tactics and techniques used by cybercriminals to exploit organizations. By focusing on both conventional intelligence and contemporary cybersecurity methodologies, this course will aid in augmenting any existing intelligence operations, proactively addressing risks, and enhancing an overall cybersecurity posture.


Course Days At-A-Glance


There are ways to stay ahead of the cybercrime economy — it starts with knowing the vast landscape you are up against and applying methodology to make sense of it all. Security professionals and law enforcement should be aware of the latest criminal trends. In scenarios where risk is high and room for error is low, peers and victims rely on us for help. To provide that help, our processes and methodology must be defensible. Using these standards for curating and handling cybercrime intelligence, FOR589 will be able to ensure that their selected courses of action are properly guided, decided, and applied. Section 1 introduces standards for intelligence requirements, collection plans, operating procedures, intelligence lifecycles, and knowledge frameworks that students will use to make intelligent decisions while also being mindful of operational security considerations. If we understand our elements and assets at risk, we can map them to our opposing threat actors and attack vectors. This approach allows us to repeatably anticipate emerging threats, stay ahead of cybercriminals, and mitigate risks to defend against threats.



As an intelligence professional, understanding the cybercrime underground is vital to knowing the landscape and economy that you are up against. From attackers to targets, people to communities, currencies to technologies, and capabilities to infrastructure, we must have the know-how to access and traverse it all. With a solid mapping of the cybercrime underground, we meet the adversaries on their own playgrounds to gather underground intelligence at its source. This section will provide students with the resources necessary to find the “known” and explore the “unknown.” By shining a light on the cybercriminal underground, we can find both, which is fundamental to take on emerging risks and threats with identification, protection, detection, response, and recovery. This is also needed to prepare a counterintelligence response. By the end of this section, you will be able to see eye-to-eye with cybercriminals on their own playing field, opening possibilities for a strong defense or a knock-out offense.



Cryptocurrencies are often thought to be anonymous, but they are pseudonymous at best. Since criminals deal heavily in these virtual assets, we should learn to exploit this to unmask them! The prevalence of cryptocurrency in the criminal economy can neither be overstated nor overlooked. In this section, students will learn to trace through cryptocurrency, understand its underlying blockchain technology, and unravel the money laundering schemes layered atop. In addition, we translate these concepts to practical intelligence applications, such as criminal attribution. While these virtual assets have certainly played a prolific role in the funding of services within the cybercriminal underground, they are not bulletproof! Mistakes are made during transactions, creating opportunities to map out criminal counterparties and their affiliated real-life identities. This section teaches empowering cluster-analysis skills that are useful to differentiate senders from receivers, separate services from people, and understand money-laundering schemes. Finally, we explore the practical use of “know-your-customer” (KYC) requests for unmasking criminals.



We’ve assessed the cybercriminal ecosystem. Now let’s infiltrate deeper to facilitate the use of countermeasures. Criminals can be disrupted using social deceit, campaign mapping, and planned takedowns. People, systems, and money possess exploitable characteristics that can be recognized by investigators with the correct access and skills. These characteristics can be collected to inform a variety of countermeasures. This section teaches you how to spot these characteristics, collect them both manually and automatically, and leverage them for criminal investigation and disruption. This section will teach students how to use a combination of rapport and elicitation techniques that exploit core characteristics of a human intelligence (HUMINT) source. Through this process, the intelligence collector will maintain covertly structured control of the conversation to ensure that each cybercriminal source reveals topics that are relevant to the collector’s intelligence requirements. Once cybercriminals and their infrastructure are attributed, a new realm of possibility to enforce countermeasures presents itself, with opportunities ranging from forensic seizures to coordinated takedowns.



Put everything you learned to the test by investigating the cybercriminal underground and unraveling who is behind a new kind of cyber extortion campaign. The final day of FOR589 is a capstone challenge that focuses on responding to criminal activity and launching an investigation. Students engage in a fun and meaningful exercise that brings together various components of the entire course. The capstone will reinforce the principles taught via a simulated scenario that enables students to practice implementing their newly learned skills. Students will be presented with a fictional campaign and then be given a list of items to investigate and analyze. These will include posts, threads, and profiles from cybercriminal underground forums, markets, and leak sites, as well as leaked private chat logs, databases, and adversary infrastructure. There will also be blockchain transactions where students will trace and track threat actors and various types of activities. Students will have to think about how to fulfil intelligence requirements from both a private sector and a law enforcement perspective, using the data sets provided that emulate real-world scenarios investigated by intelligence analysts. Students will be placed on teams and asked to investigate the scenario and share their findings though a presentation for instructors and the class to showcase what they found and how they did it.


FOR589: Cybercrime Intelligence will help you understand:

  • Understand how traditional intelligence collection disciplines have adapted to today’s modern cyber-centric landscape and differentiate what is actionable and what is noise.
  • Discover risks to your organization’s assets and elements, mapped to cybercrime threat actors and threat vectors as priority intelligence requirements.
  • Translate your organization’s risk-guided intelligence requirements into threat-informed collection plans and operational tasks.
  • Address cybercrime risks with threat-informed decisions, enabling you to determine courses of action that are both defensive and responsive, whether to protect your organization or impose costs on criminals with counter-offensive measures.
  • Demystify the underground threat landscape, enabling you to traverse and surveil communities, marketplaces, ransom sites, data breaches, malware logs, and more.
  • Understand how the underground threat landscape has expanded and evolved, lowering the barrier to entry, allowing emerging actors to conduct perceivably advanced operations.
  • Create sock puppets to gain the placement and access needed for intelligence collection use cases, whether to passively browse forums or actively elicit brokers.
  • Build credibility within underground networks to enable your sock puppet to infiltrate invite-only communities and adversarial infrastructure.
  • Vet sources by measuring their level of competence, access, and credibility.
  • Generate actionable cybercrime intelligence by delivering realistic solutions built upon tried-and-true intelligence requirements, collection plans, and operating procedures.
  • Apply practical victimology to map the adversary-target relationship observed in cyberattacks and cyber fraud incidents, useful for research and response purposes alike.
  • Speed up root cause analysis of cyberattacks with breach indicators and identifiers, reducing patient zero identification time from weeks/days to hours/minutes.
  • Develop threat intelligence platforms as early warning systems to detect all-source digital risk exposures within the Internet ecosystem, especially the deep and dark web.
  • Trace cryptocurrency payments using commercial and open-source tools to identify senders and receivers, and attribute them by using cluster analysis.


For those interested in learning more about the course, you can go to the “New SANS Courses” page and scroll down towards the bottom to the “Get More Information” sign-up form (see Figure 1). Once you get to the form, fill in your contact information and select “FOR589: Cybercrime Intelligence” and click Submit.

Figure 1: Sign-up for more information form



With an extensive background spanning 15 years in defense DFIR, private CTI, and security leadership, Sean O’Connor stands as a distinguished expert. As both an accomplished author and dedicated educator, he imparts his knowledge with passion. Sean’s influential speaking engagements resonate widely, and his perspectives often find a place in media narratives, further solidifying his reputation in the field.

Quick Links


Get In Touch

2023 Humint All Rights Reserved