About the course
Threat hunting is fast becoming the biggest asset for any information security team. To reduce dwell time, threat hunters apply the scientific method: develop hypotheses about attacker behaviour and test them. Hunters do not rely on previously uncovered indicators of compromise (IoCs) but rather develop hypotheses based on their extensive knowledge of attackers’ tactics, techniques, and procedures (TTPs) as well as personal experience in handling incidents. This proactive approach helps security teams catch cybercriminals off guard and take them down.
Threat hunting adds to the offensive capabilities of information security teams, capabilities that are gradually becoming commonplace worldwide.
Group-IB’s Threat Hunter course explores what makes a good threat hunter and the techniques they use to put forward successful hypotheses.
Key topics covered:
- Introduction to the threat hunting process
- Cyber kill-chain and MITRE ATT&CK models for threat hunting
- Scientific method of hypothesis generation
- Endpoint log sources and the opportunities they offer
- Digital forensics for threat hunting needs
- Hunting for malware, tools, and specific techniques
- Sysmon and ELK: events, configs, indexing, filtering and querying
- Baselining activity based on the events flow
- Deep analysis of hunting results
Skills acquired:
- Detecting anomalies in network infrastructure
- Understanding the TTPs most often used by threat actors
- Understanding the basics of digital forensics and malware analysis
- Testing hypotheses and obtaining new IoCs for hidden threats
- Contributing to the detection of hidden threats in the network
Target participants:
- Technical specialists with experience in IS
- IS experts
- Threat hunters
Requirements:
- Understanding of networks and network technologies
- Experience and skills in infrastructure administration
- Knowledge of how file systems are structured
- Understanding of how cyberattacks are carried out
- Basic knowledge of how malware operates
- Experience in Cyber Threat Intelligence
- Knowledge of modern EDR technologies
- Hands-on experience with EDR (nice to have)
Course program
Day 1
Threat hunting is one of the biggest trends in cybersecurity. But what is it, exactly? What does the job entail and how do threat hunters fit into the information security ecosystem? These are some of the questions that will be answered at the start of day one.
Next, we will look into the general techniques and models used by threat hunters today and learn how to apply the scientific method (i.e. hypothesis testing) to the threat hunting process. Participants will learn how to get the most out of the MITRE ATT&CK matrix. Understanding how to read and interpret open-source data helps create more accurate hypotheses and catch threat actors.
In addition, participants are introduced to useful logging sources and the opportunities they offer threat hunters. Attendees also learn what data should be logged and how to use it to enrich events from other sources.
Day 2
Digital forensics is the cornerstone of cybersecurity. Without a basic understanding of the best practices in the field, threat hunters cannot perform their tasks properly. Day two starts with a discussion about the digital forensics methods that are most useful for threat hunting.
The lesson then moves to an overview of ELK and Sysmon. Participants learn how to use Sysmon and ELK for threat hunting and practise indexing, filtering and analysing the events.
Day 3
In the real world, threat hunting often involves analysing dozens of hosts simultaneously, and cyberattacks are not always trivial, so they require deeper analysis.
This day continues Day 2 with a deep dive into the actual process of finding threats. You will get tools to collect and analyse event logs across the enterprise, and will practise creating hypotheses and testing them based on MITRE ATT&CK®. Building on the second day, participants will work through examples of cyclic or regular hunts as well as hunts made up of chains of queries or hypotheses. We will also look at the methodology for conducting hunts in the form of a top-level diagram.
Takeaways:
- Lecture videos and materials used during the training
- Certificate
- Valuable insight into malware analysis and how it fits into IS practices
- Valuable experience and information that can be put into practice and used professionally