SEC487

Thanks for visiting this page! It’ll serve as a central point for information relating to the SANS Institute Open Source Intelligence (OSINT) Gathering and Analysis class (SEC487).

“Do I Need a Class on OSINT?” Test

Here is a quick test to see if you could benefit from this class.

  1. Do you frequently try to find information about people on the internet?
  2. Do you look up information about IP addresses, subnets, and/or domains on the internet?
  3. Do you use the dark web (or want to start)?
  4. Do you currently only use the simple search fields in social media sites to perform your searches?
  5. Do you use the same web sites and tools for your searches and are sometimes frustrated when they don’t give you positive results?
  6. Have you ever wanted to try to use some “hacker tools” for OSINT but never invested the time?
  7. Do you use your own, personal accounts when performing your queries on social media sites?

If you answered “yes” to any of these questions, then SEC487 is for you.

About the Class FAQ

Q: How long is the class and what do we do in it?

A: This is a 6 day class (if you do it in-person).

  • The first 4.5 days are classic lecture and lab.
  • There are over 23 labs in the class. That means a LOT of hands-on work for you!
  • The last part of day 5, we have a solo CTF (Capture the Flag) where you work an OSINT investigation by yourself; leveraging the labs and knowledge gained in the course. This gives students time to work an assessment, time to try out new tools and techniques, and allows for students to work at their own speeds.
  • Day 6 is the group CTF where, in teams of 2-4 students, you will work on a large challenge and then present your findings to the class.

Q: What professions/people should take this class?

A: While far from complete, we have topics in the class that would be helpful to people that are:

  • Cyber Incident Responders
  • Cyber Threat Intelligence Analysts
  • Digital Forensics (DFIR)
  • Penetration Testers
  • Law Enforcement
  • Intelligence Analysts
  • Recruiters/Sources
  • Private Investigators
  • Insurance Investigators
  • Human Resources Personnel
  • Researchers
  • Students
  • Parents
  • Parents of Parents
  • Parents of Students
  • (You get the idea.)

Q: I’ve never done OSINT and don’t do “cyber things” at work. Will I get anything out of the class?

A: YES! I’ve been pleasantly surprised to find out how many different, non-cyber jobs use OSINT techniques but they don’t call it “OSINT”. A good example is in recruiting, they may refer to the “boolean searches” they use to find candidates. We may call those “Google Dorks” or advanced search engine queries (and there is a site that has thousands of them at https://www.exploit-db.com/google-hacking-database/). If you look information up on the internet, you are most likely using OSINT and we can teach you to do it even better!


Q: I’ve been doing work in the [law enforcement/intel/private investigator/insurance investigator/recruiter/cyber] field for a while. Will the course be valuable to me or is it going to be too basic?

A: Alumni of the class remarked that they learned some new tricks, new tools, or new web sites that they can immediately use back at work. If you have been doing this for a while, chances are good that you may know of many of the techniques and tools that we use but maybe haven’t made the time to try them. In class, we give you that time. Additionally, if you’ve been OSINTing/recruiting/investigating for a while, you will know that everyone goes about the process a little differently. Learning others’ techniques and site preferences can broaden your OSINT reach and help you achieve your goals. There is a detailed account of what we learn each day at https://www.sans.org/course/open-source-intelligence-gathering.


Q: I’m concerned that I don’t know enough about computers to take the class.

A: When creating this class, I made sure to start at the beginning with each topic and move forward. We define terms and acronyms and, while we do go into depth about many topics, we do it at a pace so that everyone can learn.


Q: I’m concerned that I don’t know enough about OSINT to take the class.

A: This course is a survey course where we have a huge number of topics that we touch upon during the week of class. We start at the basics of each and move deeper, providing you with many URLs and online resources along the way. We give you the pieces of the tech that you need to know to be successful.


Q: Do I need to know how to write computer programs?

A: No. But you will learn how to run python programs that others have made to accomplish your OSINT goals.


Q: Is this course focused on only the United States and people/data there or is it more globally scoped?

A: While I call the United States home, I understand that there are MANY of you that do not. And as such your targets, be they computers or people, may not reside in the United States. Our examples, courseware, and labs have international components to them. Yes, there is a large amount of the courseware that covers data in the United States and how to find it but we also move around the world collecting and analyzing data.


Media Mentioning SEC487

Exploring Information Security Podcast

  • http://www.timothydeblock.com/eis/134 – Timothy De Block and Micah Hoffman talk about:
    • What is SANS SEC487?
    • Who should attend the course?
    • What was the origin of the course?
  • http://www.timothydeblock.com/eis/136 – Timothy De Block and Micah Hoffman talk about:
    • What’s the most exciting aspect of the course?
    • Why operational security is important
    • Why disinformation is useful

Timothy De Block Blog


Public Resources

SEC487 Public Wiki

Students get an enhanced version of the basic wiki at https://github.com/sans-blue-team/sec487-wiki in their course materials. The one that is public contents links and tools tips and other information that may be useful.

SEC487 Start.me Page

Check out the links on the SEC487 Start.me page at https://start.me/p/DP2aj8/osint-sec487 (or https://the.osint.ninja/487).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

A WordPress.com Website.

Up ↑

%d bloggers like this: