You will learn strategies and tactics to deliver threat hunting campaigns on large scale computer networks:
- The threat hunting process and how to build a threat hunting team
- Key Windows internals knowledge for threat hunting
- How to use data science to hunt for adversaries on large networks
- Search for indicators of compromise (IOCs) across the entire kill chain
- Build your own compromise assessment tools
- Build your own real-time endpoint detection and response tool
- Rapidly reverse-engineer malware
- Extract indicators of compromise on the network and the endpoints
- Rapidly respond and contain intrusions
Newcomers to the IT security industry, security analysts, threat hunters, incident responders, malware analysts, security engineers, and forensics analysts.
This course is taught by experienced Mossé Security’s instructors. Our instructors have over 10 years of experience delivering penetration testing, red teaming and incident response services for a multitude of industries that have involved complex and multi-faceted approaches. Our instructors each possess the right balance of corporate experience and are competently skilled in presenting and teaching to groups.
Beyond their technical abilities and years of professional experience, our instructors are also trained teachers and public speakers. Their manner of teaching easily conveys their passion for computer security to every one of our students.
Module 1: Introduction
We begin the class with a lecture and open discussion about Threat Hunting. MCSI will answer the most commonly asked questions about Threat Hunting:
- What is Threat Hunting?
- How do we get business buy-in to invest in Threat Hunting?
- What are the main approaches to Threat Hunting?
- What’s a sound Threat Hunting methodology?
- What skills do you need to have to be a proficient Threat Hunter?
- How do we build a team that does Threat Hunting?
- What documentation and deliverables do we need to generate?
- What are the main challenges that Threat Hunters face?
- How do we demonstrate a return-on-investment?
Module 2: Windows Internals
In this module, we impart all the fundamental Operating System concepts Threat Hunters need to master to deliver Threat Hunting engagements in Windows network environments:
- User-land vs. kernel-land
- Processes, threads, services and drivers
- The registry
- The file system
- Event logs
- Users and groups
- Access tokens
- Schedules tasks
- Active Directory
- Windows Management Instrumentation
- Command execution and scripting
Module 3: Modelling Cyber Adversaries
We use the MITRE ATT&CK Matrix to create a shared language between security team members to communicate about threat actors, attack techniques, tactics and procedures (TTPs). Then, we present multiple case studies of network intrusions and map attacker TTPs to the MITRE Matrix to design threat hunts.
- Animal Farm
- Equation Group
- Project Sauron
Module 4: Threat Hunting using Python
MCSI teaches how to use Python and its data science libraries (Pandas and Parquet) to hunt for intrusions in large-scale datasets generated by enterprise digital forensics tools.
- Jupyter Notebook
- Apache Parquet
In this module, you will practice against three training datasets: an entry-level one with 50 machines, two beyond beginner one with 200 and 500 machines.
By the end of this module, we will be ready to perform threat hunts in small-scale networks.
Module 5: Structured Root Cause Analysis
Threat Hunters are bound to find anomalies on networks that no one has ever documented on the Internet. Thus, we will equip you with a robust structured root-cause analysis methodology that will help you troubleshoot, investigate and rapidly come to a conclusion on suspicious items.
- Limitations of intuition and random Googling
- Switching to a structured approach
- Clarifying the fault/problem/suspicious item
- Top 9 questions to answer about any incident
- Hypothesis generation and testing
Module 6: Intermediate Exercise
For three (3) hours you will be tasks with applying all the knowledge, concepts, tools and techniques imparted in the course so far on a dataset with 1000 machine, 1000+ domain users, false positives and real threat actors. At the end of this cyber wargame, the instructor will lead a formal debriefing learning session to mentor all students on areas they could improve on.
Module 7: Rapid Malware Analysis
MCSI teaches a rapid reverse-engineering methodology to help threat hunters validate whether suspicious binaries are malware or not. Even people who have never done any reverse engineering before will be able to perform basic malware analysis tasks after undertaking this module.
- Different purposes for reverse engineering binaries
- Rapid binary invalidation techniques
- Reverse engineering using graphs
- Using annotations, structured documentation, and code similarities
Module 8: Rapid Incident Response
In medium and large-scale network environments, Threat Hunters are bound to regularly discover security incidents. Luckily, not all these incidents will be major breaches, and thus, MCSI will impart you with a rapid incident response methodology to quickly investigate, resolve and recover from security events.
- Communication protocols to handle an incident
- Digital forensics tools for Windows
- Understanding the impact of the intrusion
- Denying the adversary future access into the network environment
- Writing an incident analysis report
- Proposing a cyber security uplift plan to prevent future intrusions that follow the same attack campaign
Module 9: Threat Intelligence
We end the course by imparting you with techniques to produce your own threat intelligence based on materials captured from incident response and threat hunting.
- The different types of threat intelligence that can be produced
- The most valuable type of threat intelligence for private sector organization
- Using structured approaches to producing intelligence that’s meaningful and impactful
- Preparing a threat intelligence “product” for your organization
The final Threat Hunting exercise will require you to analyse a dataset of 5000 machines compromised by an adversary that uses tradecraft similar to FIN7 and produce a threat intelligence report to help an imaginary organization make cyber security investments and divestments.
We recommend that you read about the Windows components listed under Module 2 “Windows Internals”. Even if those components will be covered in detailed during the course, studying them prior to the course will make it a lot easier for you to understand every other module in the class.
Bring a laptop running the Windows or UNIX operating system with the OpenVPN or Tunnelblick client to connect into our training lab in the cloud.