SANS Recommendations for Defensive Cyber Analysts

I keep fielding this question in private, so I finally decided to answer it in public: “What SANS courses should I take?” Although I have a much longer answer to give about training in general, this article answers that specific question based on my own personal experience, having taken several SANS courses over the years.

In Cybersecurity Tools & Resources, I share some helpful guides for career planning. Every time someone asks about taking any course, I first refer them to those resources:

“For general cybersecurity career planning, I recommend reviewing the How to Start a Cybersecurity Career graphic, the related Cybersecurity Role Map, and Lesley Carhart’s Starting an InfoSec Career – The Megamix – Chapters 4-5 for some help here. Mike Sass’s Infosec Skill Sets breaks down this nebulous field into domains in a similar form as Henry Jiang’s famous Cybersecurity Domain Map, Getting Into Information Security describes how to get into this field, and his article A 5 Year Infosec Education Retrospective contains good guidance on training, education, and certification. You may also find Paul Jerimy’s Security Certification Roadmap helpful as well. I also frequently refer people to SANS’s helpful Cyber Security Roadmap as well as CompTIA’s more general IT Certification Roadmap. Together these should give you an idea of the career paths available in this field and what it would take to go down them; from there we can make a plan for your future.”

In particular, given the focus of this article, I recommend checking out SANS’s Cyber Security Roadmap, which bins the company’s courses into tracks that you can follow based on your interests.

Based on my own experience, as a strictly defensive cyber analyst, I recommend starting with FOR578: Cyber Threat Intelligence, then taking FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response followed by FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics and SEC555: SIEM with Tactical Analytics. 578 will help you understand threat actors, which is a great starting point for an effective defense. 572 delves into network analysis, the most common data source for defensive cyber analysts. 508 then covers host analysis, the important second half of a cyber analyst’s job. Finally, 555 touches both host and network analysis as well as data collection, transport, and presentation in a SIEM. In terms of SANS courses for defensive cyber analysts, this pipeline will cover most of your bases.

I have also taken SEC497: Practical Open-Source Intelligence (OSINT), SEC505: Securing Windows and PowerShell Automation, and SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses. I typically do not recommend those courses. 497 covers OSINT as a discipline well, but for defensive cyber analysts, much of that material falls outside the scope of their duties. 505 would benefit those deploying, operating, and maintaining IT infrastructure more so than defensive cyber analysts. Finally, although I liked 599, I do not think it is necessary in addition to 578, 572, 508, and 555, each of which touches on the idea of combating advanced adversaries.

In the future, I look forward to taking SEC504: Hacker Tools, Techniques, and Incident Handling, SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals, and FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques. I expect these to round out my “full stack” defensive cyber analyst education, covering everything from the threat intel that drives a cyber program and the ability to hunt at scale to incident handling and low-level host, network, and malware analysis. For now, though, when someone asks, “What SANS courses should I take?”, my answer is “578, 572, 508, and 555.”