Threat Hunting Professional (THP)

COURSE DESCRIPTION

Regardless of which side you are on, blue or red, good understanding of Threat Hunting and Threat Intelligence is vital if you want to be a complete IT Security professional. You cannot be a professional defender without good knowledge of attacking techniques. The same goes for penetration testers.

The Threat Hunting Professional (THP) course was designed to provide IT security professionals with the skills necessary not only to proactively hunt for threats but also to become a stealthier penetration tester.

As a blue team member, you would use the techniques covered in the Threat Hunting Professional (THP) course to:

• Establish a proactive defense mentality and start your own threat hunting program/procedure
• Proactively hunt for threats in your organization’s network, endpoints or perimeter and be several steps ahead of forthcoming adversaries
• Constantly fine-tune your organization’s defenses based on the latest attacker Techniques, Tactics and Procedures
• Use threat intelligence or hypotheses to hunt for known and unknown threats
• Inspect network traffic and identify abnormal activity in it
• Perform memory forensics using Redline, Volatility and a variety of tools to identify in-memory malware
• Use tools such as Sysmon and SilkETW to collect event logs
• Detect advanced hacking techniques such as AMSI bypasses, COM Hijacking and sophisticated/evasive malware
• Use tools such as PowerShell, ELK and Splunk to analyze Windows events and
• detect attacks such as DCSync, Kerberoasting and obfuscated PowerShell commands

As a red team member, you would use the techniques covered in the Threat Hunting Professional (THP) course to:

• Get familiar with the detection techniques being used by mature organizations
• Identify how an attack looks like in the wire and in memory
• Identify the most common events that are analyzed, in order to avoid triggering them
• Fine-tune your attack strategy, attack vectors, and infrastructure, so that you remain under the radar
• Understand how you could leverage Threat Intelligence to upgrade your arsenal and deliver advanced adversary simulations, and more

Course material

• HQ video training material
• Interactive slides
• Hands-on challenges in our industry-leading virtual labs

PREREQUISITES

This course covers the foundational topics for threat hunting and threat intelligence; however, a good working knowledge coupled with experience in information technology, with a focus on security, prior to the class will be needed to help aid you in your learning. You should have:

• A solid understanding of computer networks: switches, routing, security devices, common network protocols, etc. (Recommended)
• Intermediate understanding of IT security matters
• Intermediate to advanced understanding of penetration testing tools and methods. (Recommendation: IHRP course)

WHO SHOULD TAKE THIS COURSE?

This training course is primarily intended for SOC/IT Security analysts that would like to proactively detect attacks and/or possible malware behavior in their environments.

The target audience of this course are:

• Security Operations Center analysts and engineers
• Incident response team members
• Penetration testers/Red team members
• Network security engineers
• Information security consultants and IT auditors
• Managers who want to understand how to create threat hunting teams and intelligence capabilities

ORGANIZATION OF CONTENTS

The student is provided with a suggested learning path to ensure the maximum success rate and the minimum effort.

SECTION 01: THREAT HUNTING

• Module 1: Introduction to Threat Hunting
• Module 2: Threat Hunting Terminology
• Module 3: Threat Intelligence
• Module 4: Threat Hunting Hypothesis

SECTION 02: HUNTING THE NETWORK – NETWORK ANALYSIS

• Module 1: Introduction to Network Hunting
• Module 2: Suspicious Traffic Hunting
• Module 3: Hunting Webshells

SECTION 03: HUNTING THE ENDPOINT – ENDPOINT ANALYSIS

• Module 1: Introduction to Endpoint Hunting
• Module 2: Malware Overview
• Module 3: Hunting Malware
• Module 4: Event IDs, Logging, and SIEMs
• Module 5: Hunting with PowerShell

LABS

The THP course is a practice-based curriculum containing 27 hands-on labs. Being integrated with Hera Lab, the most sophisticated virtual lab in IT Security, it offers an unmatched practical learning experience. Hera is the only virtual lab that provides fully isolated per-student access to each of the real-world network scenarios available on the platform. Students can access Hera Lab from anywhere through VPN.

Modules will be accompanied by many hands-on labs.

• Lab 1: Hunting with IoCs
• Lab 2: Hunting Insider Threats Part 1
• Lab 3: Hunting Insider Threats Part 2
• Lab 4: Network Hunting & Forensics
• Lab 5: Hunting Web Shells Part 1
• Lab 6: Hunting Web Shells Part 2
• Lab 7: Hunting in Memory (2 Labs)
• Lab 8: Hunting for Process Injection & Proactive API Monitoring
• Lab 9: Advanced Endpoint Hunting (2 Labs)
• Lab 10: Hunting Malware Part 1
• Lab 11: Hunting Malware Part 2
• Lab 12: Hunting Empire
• Lab 13: Hunting Responder
• Lab 14: Hunting .Net Malware (2 Labs)
• Lab 15: Hunting for WMI Abuse, Parent Process Spoofing & Access Token Theft
• Lab 16: Hunting with ELK (3 Labs)
• Lab 17: Hunting with Splunk (5 Labs)
• Lab 18: Hunting at Scale with Osquery