Threat Hunting
BT223
Description
In today's cybersecurity landscape, it isn't possible to prevent every attack. Threat hunting is the proactive technique that focuses on pursuing attackers and the evidence they leave behind when they carry out an attack using malware or expose sensitive data.
The process is important because it starts from the assumption that an attacker has already managed to infiltrate the environment: the hunter examines everything possible to detect the intrusion earlier and stop the intruders before they can carry out their attacks and exploit their access illegally.
How to make the most of this course?
In order to succeed in the course, the following requirements must be met:
- Participation in all practical laboratories
- Self-study at home between lessons
- Repetition of materials, self-learning, performing tasks, etc.
In addition to regular classroom studies, the participant is required to practice at least 10 hours a week in order to gain practical experience in the field.
- A personal computer suitable for running virtual machines, with an Internet connection
- Completion of the scenarios in the Cyberium system
Target audience
This course targets people with networking knowledge who want to acquire threat hunting capabilities in order to better protect their organization. Primarily:
- Security Testers
- Cybersecurity consultants
- Red Team specialists
- White hat hackers (Ethical Hackers)
Objectives
- Identify and create intelligence requirements through practice
- Generate threat intelligence to detect and respond
- Learn the different sources to collect adversary data
- Create Indicators of Compromise (IOCs)
Pre-requisites
- Linux
- Networking
Syllabus
Description
In this module, students will learn about techniques and procedures necessary to effectively hunt, detect, and contain various adversaries and minimize incidents.
Technical content
- Intrusion Analysis
  - Phases of Threat Intelligence
  - Phases of the Intrusion Kill Chain
  - Understanding MITRE ATT&CK
  - Identifying Intrusions in Logs
  - Creating Automation for Notification of Malicious Activity
  - Analyzing Network-Based Tools Logs
  - Analyzing Host-Based Tools Logs
  - Linking Intrusions - Memory Forensics
  - Process Injection
  - Thread Injection
  - Malware Analysis
  - Malicious Document Analysis
Description
Students will use practical tools to collect data throughout this module. Students will deepen their understanding of various information sources.
Technical content
- Hunting
  - Parsing Relevant Data Techniques
  - VirusTotal
  - OSINT
  - Dynamic Indicators
  - Tracking Network Traffic
  - Passive DNS
  - Ransomware Traffic - Sources
  - Malware Analysis Databases
  - Intrusion Key Indicators
  - Domain Data Collection
  - Open-Source Intelligence Tools
  - C2 Samples
Description
During this module, students will create tool automation to take threat intelligence to a higher level. Students will learn how to apply their knowledge and make full use of the different filtering and customization options available for searching.
Technical content
- Automation
  - YARA Examples
  - Working with YARA
  - Automating Malware Analysis
  - Configuring Honeypots
  - Extracting and Analysing Honeypot Logs - Domain Automation
  - Running Campaigns
  - Checking Key Indicators Inside Domains
  - Creating Your Indicators
  - Tactical Intelligence Tools
  - Operational Intelligence Tools - Darknet
  - Relevant Leaks
  - Hacking Forums
Labs
- Lab 1 Security Procedures
- Lab 2 Setting your Domain
- Lab 3 Identifying Attacks
- Lab 4 Analyzing C&C Communications
- Lab 5 Reversing Malware Network Behavior
- Lab 6 Analyzing Network Attacks
- Lab 7 Working with CVE
- Lab 8 Working with Firewalls
- Lab 9 IPv6 Security
- Lab 10 IDS Configurations
- Lab 11 Honeypots
- Lab 12 Securing Linux
- Lab 13 Securing Windows
Real Case Studies
Course type
This course is delivered in the following ways:
- Virtual classroom with proctored labs and scenarios executed in our Cyberarena
- On-site classroom with proctored labs and scenarios executed in our Cyberarena
All sessions are recorded and attendees can replay them for 30 days. All course material is made available electronically to the participant.
Course Group: Defense
Hands-on / Theory Mix
This course incorporates a high level of hands-on lab exercises, as well as real-life case studies.
Certification
This course prepares the participant for the following certifications:
- GCED (SANS)
- CySA+ (CompTIA)
- Security+ (CompTIA)
- GISP (SANS), GISF (SANS)
Required Equipment
Network connection
As this course extensively uses a cloud-based Learning Management System, including a lab arena, attendees need a stable broadband connection to the Internet.
BYOD – Bring Your Own Device
As this is a very practical course, and in order for the participants to make the most of it, they need a laptop with the following capabilities:
- Audio and video
- 8 GB RAM
- 200 GB disk space
- Virtualization capabilities (supporting the latest version of VirtualBox or a similar virtual machine application)
- A good headset with microphone