Upskilling Training

Threat Hunting

Cyber threat hunting is an active cyber defence activity. Threat hunting uses known adversary behaviours to proactively examine the network and endpoints in order to identify new data breaches.

This in-depth threat hunting course provides SOC analyst, Incident Response Team Members and Threat Hunting Teams with advanced skills to hunt down, identify, counter, and recover from a wide range of threats within enterprise networks, including APT nation-state adversaries, organized crime syndicates, and hacktivists. The course uses a hands-on lab to lead you to challenges and solutions via extensive use of the best of breed investigative tools.

English

Duration 4 Days

Who Should Attend?

All employees who want to know how to detect, investigate, fix and recover systems that have been compromised at the endpoints of the organization. Especially for:

  • Information Security Professionals
  • SOC Analysts
  • Incident Response Team Members
  • Red Team Members
  • Penetration Testers
  • Exploit Developer

Course Syllabus

    Introduction to Threat Hunting

  • What is threat hunting?
    • Incident Response

    • Incident Response & Hunting¬†

      Risk Assessment

    • What are risk assessments?
    • Risk Assessments & Hunting

      What is threat intelligence?

    • Using threat intelligence to Hunt

      What is digital forensics?

    • Using digital forensics to hunt

Threat Hunting/Intelligence Simulation

    Threat Hunting Terminology

  • APT (Advanced Persistent Threat)
  • TTP (Tools, Tactics, and Procedures)
  • Pyramid of Pain
  • The Cyber Kill Chain Model
  • The Diamond Model

ATT&CK - MITRE's Adversarial Tactics, Techniques, and Common Knowledge

    Threat Intelligence

  • MISP - Open Source Threat Intelligence Platform
    • Open Standards for Threat Information Sharing

    • CRITs (Collaborative Research into Threats)
    • IOCs (Indicators of Compromise)
    • IOC Editor
    • OpenIOC
    • STIX (Structured Threat Information Expression)
    • CyBOX (Cyber Observable Expression)
    • TAXII (Trusted Automated Exchange of Indicator)
  • Threat Reports & Research
    • Threat Sharing & Exchanges

    • Government-sponsored threat sharing
    • DHS/CISCP (Department of Homeland Security / Cyber Information Sharing and Collaboration Program)
    • US-CERT (US Computer Emergency Readiness Team)
      • Vendors

      • Alien Vault OTX (Open Threat Exchange)
      • Threat Connect
      • IBM X-Force Exchange
      • Anomali ThreatStream
      • Palo Alto Networks AutoFocus
      • RSA NetWitness Suite

    Introduction to Endpoint Hunting

  • Endpoint Analysis
  • Introduction to Endpoint Hunting
  • Introduction
  • Windows Processes
  • Endpoint Baselines

Identification of Compromised Systems

    Hunting with PowerShell

  • Kansa
  • Invoke-IR
  • Microsoft ATP & ATA

    Malware Overview

  • Introduction
  • Malware Classifications
  • Malware Delivery
  • Malware Evasion Techniques
  • Malware Persistence

    Hunting Malware

  • Introduction
  • Detection Tools
  • Memory Analysis
    • Malware Persistence Identification

    • AutoStart Locations, RunKeys
    • Service Creation
    • Service Failure Recovery
    • Scheduled Tasks

    Event IDs, Logging, and SIEMs

  • Event IDs, Logging and SIEMs
  • Event IDs, Logging and SIEMs
  • Windows Event Logs
  • PowerShell Logging
  • Windows Event IDs
  • Suspicious Account Usage & Creation
  • Passwords
  • Hashes (PTH)
  • Forged Kerberos Tickets
  • RDP
  • PsExec & WMIX
  • Scheduled Tasks
  • Service Creation
  • Admin Shares
  • Lateral Movement
  • Windows Event Forwarding
  • Log Rotation & Log Clearing
  • Tools
  • Sysmon

    Introduction to Network Hunting

  • Network Analysis
  • Introduction
  • TCP/IP & Networking Primer
  • Tools

    Suspicious Traffic Hunting

  • Suspicious Traffic Hunting
  • ARP
  • ICMP
  • TCP
  • DHCP
  • DNS
  • HTTP/HTTPS
  • Tools

SIEMs (ELK & Splunk)

The Hunting ELK

Pre-requisites

This is an advanced course. A solid knowledge of attack techniques, networking, malware investigations, including network and forensic investigations are also prerequisites for attending this course.

  • Fundamental understanding of computer networks, OSI (TCP/IP), DNS, HTTPS, SMTP, etc. knowledge
  • Understanding of fundamental information security concepts
  • Knowledge of networking devices and security solutions: firewalls, antivirus, and endpoint security applications, Switches, Routers
  • Basic knowledge of Linux and Windows command line
Expert