eLearnSecurity Threat Hunting Professional (THP) course and eCTHPv2 exam (Dec 2020)

Tho Le
5 min read · Jan 17, 2021

Threat hunting (TH) is a new trend in cybersecurity: companies from small to large, spending anywhere from a few thousand to millions, soon realize that a detection stack built from expensive tools (AV, IDS/IPS, firewall, EDR, SIEM, etc.) cannot detect every intrusion. They need a specialized squad to patrol the environment and hunt for abnormal events.

eLearnSecurity is one of the first training providers to offer a specialized threat hunting course, namely Threat Hunting Professional (THP), and the associated certificate, eCTHPv2.
P.S.: If you are interested in becoming a threat hunter, penetration testing skills are certainly vital. I have also shared my view on another excellent course from eLearnSecurity: Penetration Testing Professional course (PTP) and eCPPTv2 exam (July 2020).

This article shares the author’s view after taking the course, in three sections:

  • THP curriculum details
  • eCTHPv2 exam
  • Personal point of view

THP curriculum details

THP aims to provide you with the knowledge needed to start your first hunt. It begins with an introduction to TH and the role of threat intelligence in TH, then walks you through both network hunting and endpoint hunting.

The THP curriculum consists of three main parts:

  • Part 1: Introduction to threat hunting
    As the name indicates, this part mainly introduces terms and concepts related to TH, such as the NIST incident response framework, David Bianco’s Pyramid of Pain, the cyber kill chain, the diamond model, MITRE ATT&CK, threat intelligence, hunting hypotheses/methodology, and metrics. The hunting mindset and the role of threat intelligence in TH are also covered and emphasized.
    In general, if you are new to the cybersecurity field, this section is interesting, as you will get familiar with the terms and concepts that cybersecurity people talk about and apply in their day-to-day jobs.
    Personally, I don’t find this part so helpful, given that I am a blue team defender and have been regularly participating in TH for more than a year. The reason is that, aside from introducing terms and concepts, it does NOT go into the details of how you should approach, plan, and execute a hunt. So if you are like me, looking to learn a better hunting approach from more experienced hunters, this part doesn’t fulfill that desire.
  • Part 2: Network hunting
    This section starts with an introduction to TCP/IP and the OSI model, in line with almost every networking course. The course then presents the normal and suspicious behaviors (hunting tips) of several common protocols such as ARP, DHCP, DNS, and HTTP(S). Hunting tools are introduced next, covering de facto standard tools such as Wireshark, TShark, tcpdump, and NetworkMiner. Lastly, the section ends with web shell hunting, which is basically just an introduction to some specialized tools for that purpose.
    Again, if you are new to the field, the content is certainly interesting, especially the lab exercises. However, if you are a professional analyst, you may not learn much new here, apart from some tips/tricks and a few new tools.
  • Part 3: Endpoint hunting
    This section is the most interesting part of the course; it covers various aspects of endpoint hunting. It begins with a discussion of the normal behavior of Windows OS processes, which is very similar to the first page of the popular SANS poster Find Evil — Know Normal. It then covers malware in detail: classification, evasion techniques, persistence mechanisms, injection techniques, various types of hooking, and DLL/COM hijacking. From there, the slides introduce multiple detection tools for identifying malware in its various forms, such as hiding in plain sight, code injection, and fileless malware. Next, you get familiar with memory analysis using FireEye’s Redline and Volatility for offline systems, as well as various techniques/tools for hunting on live systems. In particular, .NET hunting and Event Tracing for Windows (ETW) are interesting, since relatively few sources cover these topics. Furthermore, .NET malware is trending as a perfect replacement for PowerShell, with little to no logging in most enterprise environments.
    I learned a lot from this section and the related labs. However, a few tools covered in the material don’t work as expected. It would be great if eLearnSecurity reviewed and updated the learning material frequently. In addition, I felt several labs are not deep enough to enhance the learner’s experience and are just tool orientation (run a tool and observe the results).
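As an added illustration of the "known normal" process baseline that the endpoint part discusses (this is example code written for this review, not course material): a small check that flags Windows core processes whose parent, image path or command line deviates from a simplified baseline. The baseline table and the sample process snapshot are constructed assumptions, not taken from a real host.

```python
from typing import Dict, List

# Simplified baseline (assumption): expected parent process and image folder.
KNOWN_NORMAL: Dict[str, dict] = {
    "smss.exe":     {"parents": {"system"},       "path": r"c:\windows\system32"},
    "csrss.exe":    {"parents": {"smss.exe"},     "path": r"c:\windows\system32"},
    "wininit.exe":  {"parents": {"smss.exe"},     "path": r"c:\windows\system32"},
    "winlogon.exe": {"parents": {"smss.exe"},     "path": r"c:\windows\system32"},
    "services.exe": {"parents": {"wininit.exe"},  "path": r"c:\windows\system32"},
    "lsass.exe":    {"parents": {"wininit.exe"},  "path": r"c:\windows\system32"},
    "svchost.exe":  {"parents": {"services.exe"}, "path": r"c:\windows\system32"},
    "explorer.exe": {"parents": {"userinit.exe"}, "path": r"c:\windows"},
}

def check_process(proc: dict) -> List[str]:
    """Return findings for one process record; an empty list means it looks normal."""
    name = proc["name"].lower()
    baseline = KNOWN_NORMAL.get(name)
    if baseline is None:
        return []  # no baseline for this name: out of scope for this check
    findings = []
    parent = proc.get("parent", "").lower()
    if parent not in baseline["parents"]:
        findings.append(f"{name}: unexpected parent {parent!r}")
    folder = proc["path"].lower().rsplit("\\", 1)[0]  # strip the file name
    if folder != baseline["path"]:
        findings.append(f"{name}: unexpected image path {proc['path']!r}")
    if name == "svchost.exe" and "-k" not in proc.get("cmdline", "").lower().split():
        findings.append("svchost.exe: launched without a -k service group")
    if name == "lsass.exe" and proc.get("count", 1) > 1:
        findings.append("lsass.exe: more than one instance")
    return findings

def hunt(processes: List[dict]) -> List[str]:
    """Run the baseline check over a whole process snapshot."""
    out: List[str] = []
    for p in processes:
        out.extend(check_process(p))
    return out

# Constructed sample snapshot (hypothetical records, not from a real system).
SAMPLE = [
    {"name": "smss.exe", "parent": "System", "path": r"C:\Windows\System32\smss.exe"},
    {"name": "services.exe", "parent": "wininit.exe", "path": r"C:\Windows\System32\services.exe"},
    {"name": "svchost.exe", "parent": "services.exe", "path": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"name": "svchost.exe", "parent": "explorer.exe", "path": r"C:\Users\Public\svchost.exe", "cmdline": "svchost.exe"},
    {"name": "lsass.exe", "parent": "wininit.exe", "path": r"C:\Windows\System32\lsass.exe", "count": 2},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```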

eCTHPv2 exam

One of the things I like most about eLearnSecurity is their practical exams, and eCTHPv2 is no exception. It is not multiple-choice but a full 3-day challenge including a written report. eLearnSecurity evaluates your performance based on the submitted report.

When starting, you receive a letter of hunting engagement containing 3 scenarios; the necessary, but not sufficient, condition to pass the exam is to score 75 out of 100 points. You are also required to perform thorough hunting and report any threat identified.

Basically, you are given an intelligence analysis report from which you can derive the attackers’ Tactics, Techniques, and Procedures (TTPs). Then you apply that knowledge to hunt for traces of the adversaries, whether in log events in Splunk or the ELK stack, or in captured PCAP files or memory images.

Personally, I would place the exam in the easy/medium range. I completed all 3 scenarios after a few hours. So if you study the course material well and practice all the labs, you should be able to walk through the exam naturally.

Improvement point: the idea of the exam is practical, in that you are given an intelligence report to learn about your adversaries and then hunt for them via various means. However, I would recommend that the scenarios be built from real malware and a real analysis report. The simulated version is pretty simple and does not reflect the complexity of real-world threat actors.

Personal point of view

Since the need for threat hunting is increasing, the course provides a solid grounding for new and intermediate cybersecurity folks. More experienced folks may find part 1 (introduction to threat hunting) and part 2 (network hunting) less interesting than the last part (endpoint hunting), which covers a lot of useful material for practical hunting. Personally, I just skimmed through parts 1 and 2 in an hour or two and focused on the endpoint hunting material for a few days.

In general, the course structure and labs are good; I would surely recommend the course to anyone who is new to hunting. However, it is not suitable for advanced learners looking for a course full of new material and challenges to practice their skills.

Tho Le

Senior Cyber Security Analyst — be better than the yesterday self