Mossé Security teaches students a unique approach to threat hunting based on data science, active deception and the development of custom intrusion detection tools.
In this five-day master course, students will learn how to hunt for threat actors on large scale computer networks. No prior knowledge in incident response, threat hunting, reverse engineering or malware analysis is required prior to attending this course. Detailed step-by-step instructions will be given, and students will leave this course with practical skills to hunt for attackers on their networks, or their clients’ networks.
Our approach to teaching Threat Hunting is to teach the fundamental concepts and strategies that can be used to detect threat actors on any operating system and any type of network. In this way, we ensure that our students can immediately apply the techniques they have learnt, and rapidly build upon their skills to hunt for more complex attack techniques.
Theoretical knowledge makes up 40% of the course content, and 60% is devoted to practical exercises. At the end of the course, a Threat Hunting exercise is conducted that can be reproduced at your workplace.
You will learn strategies and tactics to deliver threat hunting campaigns on large scale computer networks:
The threat hunting process and how to build a threat hunting team
Key Windows internals knowledge for threat hunting
How to use data science to hunt for adversaries on large networks
Search for indicators of compromise (IOCs) across the entire kill chain
Build your own compromise assessment tools
Build your own real-time endpoint detection and response tool
Rapidly reverse-engineer malware
Extract indicators of compromise on the network and the endpoints
Rapidly respond and contain intrusions
Newcomers to the IT security industry, security analysts, threat hunters, incident responders, malware analysts, security engineers, and forensics analysts.
This course is taught by Mossé Security’s experienced instructors. Our instructors have over 10 years of experience delivering penetration testing, red teaming and incident response services for a multitude of industries, work that has involved complex and multi-faceted approaches. Each of our instructors combines corporate experience with proven skill in presenting and teaching to groups.
Beyond their technical abilities and years of professional experience, our instructors are also trained teachers and public speakers. Their manner of teaching easily conveys their passion for computer security to every one of our students.
Module 1: Introduction
What is Threat Hunting and how to do it?
The Threat Hunting process
The Threat Hunting toolset
Building a Threat Hunting division
Preparing a Threat Hunting playbook
Module 2: Windows Internals
User-land vs. kernel-land
Processes, threads, services and drivers
The file system
Users and groups
Windows Management Instrumentation
Command execution and scripting
Module 3: Data Science Toolset
Mastering NumPy and Pandas
Mastering Google BigQuery
Mastering Graph Databases
Using the Jupyter Notebook
Rapid environment deployment with Ansible
Rapid web services with Google App Engine
Messaging services with Google Pub/Sub
Module 4: Compromise Assessments
Rapid capture of security data using WMI and PowerShell
Building a lightweight incident response data collection tool
Rapid incident detection using Pandas, statistics and data visualisation
Rapid file acquisition techniques
Module 5: Real-Time Endpoint Monitoring
Building your own real-time endpoint detection and response tool
Monitoring processes, services and drivers
Monitoring sensitive user accounts
Monitoring event logs
Building a threat graph
Detecting compromise phases
Building IOCs based on endpoint behavior
Module 6: Rapid Malware Analysis
Building a malware research lab in the cloud
Using virtual machines to analyse malware
Using a virtual network to extract IOCs
Static code analysis
Reverse engineering common attacker toolkits
Building countermeasures against attacker toolkits
Module 7: Network Security Monitoring
Analysing Netflow data
Analysing PCAP files
Analysing web server logs
Detecting covert communication channels
Extracting IOCs from NSM data
Module 8: Rapid Incident Response
Security logs to enable
Checklists, report templates, processes, policies
Network design and architecture for incident response
The RIR Process
Extracting lessons learnt
Building the timeline of a security intrusion
Communicating effectively during incident response
Module 9: Threat Hunting Workshop
The last day of the training is a large-scale threat hunting workshop spanning hundreds of machines and multiple organisations, pitted against many adversary groups.
Payment methods are either booking online via Event Brite or contacting us for an invoice.
Payment is required at the time of booking.
Cancellation notifications received 14 days or less prior to the course commencement date are not eligible for a refund.
Cancellations received between 15 and 28 days prior to course commencement will be charged 50% of the course fee.
Students are allowed 1 reschedule per class. Transfers received between 15 and 28 days prior to course commencement will be charged a $300 (incl GST) administrative fee. The new session date must be given at the time of the reschedule notification, and rescheduled classes must be taken within 6 months of the original scheduled date.
Transfers received 14 days or less prior to course commencement will be charged 50% of the course fee. The new session date must be given at the time of the reschedule notification, and rescheduled classes must be taken within 6 months of the original scheduled date.
Payment must be made in full prior to any rescheduling.
Student substitutions can be made in writing 48 hours prior to a class start.
If a student does not attend a scheduled session, there will be no refund or reschedule given. Payment is forfeited.
Mossé Security reserves the right to cancel a course and will endeavour to provide participants with as much notice as possible. Upon cancellation, any fees already paid by the participant will be refunded.
We recommend that you read about the Windows components listed under Module 2 “Windows Internals”. Although those components will be covered in detail during the course, studying them beforehand will make it a lot easier for you to understand every other module in the class.
Bring a laptop running the Windows or UNIX operating system with the OpenVPN or Tunnelblick client to connect into our training lab in the cloud.