Threat hunting is fast becoming the biggest asset for any information security team. To reduce dwell time, threat hunters apply the scientific method, developing hypotheses about attacker behavior and testing them. Hunters do not rely on previously uncovered indicators of compromise (IoCs) but rather develop hypotheses based on their extensive knowledge of attackers’ tactics, techniques, and procedures (TTPs) as well as personal experience in handling incidents. This proactive approach helps security teams catch cybercriminals off guard and take them down.
Threat hunting adds to the offensive capabilities of information security teams, and such capabilities are gradually becoming commonplace worldwide.
Group-IB’s Threat Hunter course explores what makes a good threat hunter and the techniques they use to put forward successful hypotheses.
The Threat Hunter course is divided into four days, during which you’ll learn how to put forward successful hypotheses, get the most out of the MITRE ATT&CK® matrix, leverage digital forensics and malware analysis capabilities within the threat hunting process, and perform threat hunting on an enterprise scale.
The course is designed for newcomers to the field, but experienced professionals are likely to benefit from the structure it provides to existing skills and knowledge. You may also be surprised at how much you’ll learn.
Threat hunting is one of the biggest trends in cybersecurity. But what is it, really? What does the job entail and how do threat hunters fit into the information security ecosystem? These are some of the questions that will be answered at the start of Day 1.
Next, we will look into the general techniques and models used by threat hunters today, and how to apply the scientific method (i.e. hypothesis testing) to the threat hunting process. And, of course, you’ll learn how to get the most out of the MITRE ATT&CK® matrix. Understanding how to read and interpret the open-source database will help you create more accurate hypotheses and catch threat actors more often.
Malware analysis can be the key to unlocking a threat actor’s movements. On Day 2, you’ll learn what sandboxes are and how to use them for dynamic analysis. You’ll also get a firsthand look at how to detonate malware in a controlled environment and have the opportunity to practice the technique.
The day will end with a discussion about tools used for analyzing malicious documents and scripts. You’ll also be shown services and tools that will enrich your malware analysis process with additional information that will take you one step closer to finding the threat actor.
Digital forensics is the cornerstone of cybersecurity. Without a basic understanding of the best practices in the field, threat hunters cannot perform their tasks properly. Day 3 will start with a discussion about the digital forensics methods that are most useful for threat hunting. You’ll then learn how to identify useful events from Windows event logs and how to directly interact with remote hosts.
The lesson will then move to an overview of LOLBAS and Sysmon, and how to use the latter for logging during the threat hunting process. You’ll get a chance to practice analyzing event sequences with Sysmon.
Up until this point, you’ll have learned how to perform threat hunting on a single host. Real-world threat hunting, however, will require you to analyze dozens of hosts at the same time. As such, the last day of the Threat Hunter course will be spent on giving you a realistic view of the threat hunting process. You’ll receive tools for log collection and analysis at enterprise scale and have extensive practice with hypothesis generation and testing based on MITRE ATT&CK® data.
- Lecture videos and practical materials used during training
- Valuable insight into malware analysis and how it can fit into IS practices
- Valuable experience and information that you can put into practice and use professionally
Additional requirements will be sent by email before the start of the course.
All course materials will be shared through Google Drive. If you do not have a Gmail account, our instructor will help you set one up before the course begins.
Our training courses are based on 1200+ successful investigations worldwide.
All courses are led by GCFA-, EnCE- and MCFE-certified experts.
The course instructors are current Group-IB specialists, which translates to the most up-to-date and first-hand information for course participants.
Practical exercises based on real-life cases make up 70% of the course.
Course materials are regularly updated with new cases from Group-IB’s experience, which ensures that the course program always reflects the latest trends.
Group-IB’s training courses provide a wide range of competencies for creating an effective information security department in any company.