Upskilling Training

Threat Hunting

Cyber threat hunting is an active cyber defence activity. Threat hunting uses known adversary behaviours to proactively examine the network and endpoints in order to identify new data breaches.

This in-depth threat hunting course provides SOC analyst, Incident Response Team Members and Threat Hunting Teams with advanced skills to hunt down, identify, counter, and recover from a wide range of threats within enterprise networks, including APT nation-state adversaries, organized crime syndicates, and hacktivists. The course uses a hands-on lab to lead you to challenges and solutions via extensive use of the best of breed investigative tools.

English

Duration 4 Days

Who Should Attend?

All employees who want to know how to detect, investigate, fix and recover systems that have been compromised at the endpoints of the organization. Especially for:

Information Security Professionals
SOC Analysts
Incident Response Team Members
Red Team Members
Penetration Testers
Exploit Developer

Course Syllabus

Introduction to Threat Hunting

What is threat hunting?

Incident Response

Incident Response & Hunting

Risk Assessment

What are risk assessments?
Risk Assessments & Hunting

What is threat intelligence?

Using threat intelligence to Hunt

What is digital forensics?

Using digital forensics to hunt

Threat Hunting/Intelligence Simulation

Threat Hunting Terminology

APT (Advanced Persistent Threat)
TTP (Tools, Tactics, and Procedures)
Pyramid of Pain
The Cyber Kill Chain Model
The Diamond Model

ATT&CK - MITRE's Adversarial Tactics, Techniques, and Common Knowledge

Threat Intelligence

MISP - Open Source Threat Intelligence Platform

Open Standards for Threat Information Sharing

CRITs (Collaborative Research into Threats)
IOCs (Indicators of Compromise)
IOC Editor
OpenIOC
STIX (Structured Threat Information Expression)
CyBOX (Cyber Observable Expression)
TAXII (Trusted Automated Exchange of Indicator)

Threat Reports & Research

Threat Sharing & Exchanges

Government-sponsored threat sharing
DHS/CISCP (Department of Homeland Security / Cyber Information Sharing and Collaboration Program)
US-CERT (US Computer Emergency Readiness Team)

Vendors

Alien Vault OTX (Open Threat Exchange)
Threat Connect
IBM X-Force Exchange
Anomali ThreatStream
Palo Alto Networks AutoFocus
RSA NetWitness Suite

Introduction to Endpoint Hunting

Endpoint Analysis
Introduction to Endpoint Hunting
Introduction
Windows Processes
Endpoint Baselines

Identification of Compromised Systems

Hunting with PowerShell

Kansa
Invoke-IR
Microsoft ATP & ATA

Malware Overview

Introduction
Malware Classifications
Malware Delivery
Malware Evasion Techniques
Malware Persistence

Hunting Malware

Introduction
Detection Tools
Memory Analysis

Malware Persistence Identification

AutoStart Locations, RunKeys
Service Creation
Service Failure Recovery
Scheduled Tasks

Event IDs, Logging, and SIEMs

Event IDs, Logging and SIEMs
Event IDs, Logging and SIEMs
Windows Event Logs
PowerShell Logging
Windows Event IDs
Suspicious Account Usage & Creation
Passwords
Hashes (PTH)
Forged Kerberos Tickets
RDP
PsExec & WMIX
Scheduled Tasks
Service Creation
Admin Shares
Lateral Movement
Windows Event Forwarding
Log Rotation & Log Clearing
Tools
Sysmon

Introduction to Network Hunting

Network Analysis
Introduction
TCP/IP & Networking Primer
Tools

Suspicious Traffic Hunting

Suspicious Traffic Hunting
ARP
ICMP
TCP
DHCP
DNS
HTTP/HTTPS
Tools

SIEMs (ELK & Splunk)

The Hunting ELK

Pre-requisites

This is an advanced course. A solid knowledge of attack techniques, networking, malware investigations, including network and forensic investigations are also prerequisites for attending this course.

Fundamental understanding of computer networks, OSI (TCP/IP), DNS, HTTPS, SMTP, etc. knowledge
Understanding of fundamental information security concepts
Knowledge of networking devices and security solutions: firewalls, antivirus, and endpoint security applications, Switches, Routers
Basic knowledge of Linux and Windows command line

Expert