
ABSTRACT
The Practical Threat Hunting course has been designed to teach threat hunters and incident responders the core concepts of developing and executing threat hunts. Through this course students can learn to:
- Apply cyber threat intelligence concepts to hunt for adversary activity in your environment
- Establish a repeatable hunt methodology and develop hunt use cases
- Leverage end point data to hunt
- Establish measures of effectiveness for hunt program
This course includes practical labs that challenge the students to develop hypotheses and hunt missions in order to hunt for evidence of compromise through multiple scenarios including social engineering, network and system compromise, and APT nation-state actors. The labs are designed so that students have an opportunity to experience hunting using environments like the command line, Jupyter Notebook, and forensic tools like Velociraptor.
INTENDED AUDIENCE
- Security Engineers & Blue Teamers seeking to understand exploit development principles to improve detection engineering and behavioral monitoring.
- Vulnerability Researchers transitionary from user-mode analysis to kernel-mode internals.
- Reverse Engineers interested in driver communication architectures, undocumented kernel interfaces, and pool-grooming mechanics.
COURSE STRUCTURE
The course is comprised of the following modules, with labs included through the instruction.
Introduction to Threat Hunting
Understand the core concepts that constitute threat hunting. An overview of the characteristics of a threat hunt is provided along with the benefits of performing threat hunts and also the challenges that threat hunters should be aware of. The key concept of leveraging threat intelligence is introduced to students.
Introduction to Threat Modeling
Understand how threat modeling is key to any effective threat hunt. An overview is provided of the basics of threat modeling. Students are then provided a breakdown of the workflow of threat modeling and how it ties into threat hunting. The importance of using threat intelligence for threat modeling is also discussed.
Threat Hunt Program Framework
Understand what constitutes a threat hunt program framework. This module can be beneficial to understand the requirements of a formal threat hunt program.
Threat Hunt Operational Drivers
Understand what is needed from a hunt mission capability. An overview is provided of the areas in which an organization needs to have capabilities to execute effective threat hunts. Discussions are conducted on the benefits of having these capabilities and challenges if an organization is deficient in any of them.
A4 Framework
This module introduces the students to the A4 framework of threat hunting. This framework is reinforced for the students through the rest of the course as it is used as part of all the hands-on labs.
Threat Hunt Library
Understand the importance of developing and maintaining a Threat Hunt Library. Students can participate in exercises that will reinforce the importance of developing and maintaining a threat hunt library. As part of the labs, students will be asked to develop a threat hunt library that they can take with them at the conclusion of the course.
Labs
Students will be challenged to complete multiple labs where they will develop hypotheses and hunt missions, using threat intelligence, for specific scenarios. The students will then be provided access to an environment in which they will be able to execute the hunt missions that they design.
Use case
Gain an understanding of a critical outcome of threat hunts. Understand how threat hunt missions are used to generate use cases. As part of this module an overview of Sigma rules will be provided. Students can then develop use cases based on the hunt missions they developed as part of the hands-on labs.
Prerequisites
Students should possess knowledge of computer and operating system fundamentals. Python programming is not required; however, familiarity with the language or programming concepts will help students when working on some of the labs.
Hardware and Software Requirements
Students should bring their own laptop computer with the latest browser of choice and the ability to connect to the Internet. Students will receive class handouts, temporary credentials to get access to Mandiant Advantage, and directions on how to connect to the lab environment.
Cancellations are not permitted but attendee changes can be accommodated anytime prior to the start of the course.
Note: In the event of a class cancellation, Ringzer0 will endeavor to offer transfer to another training at no additional charge.