
Threat Hunting – Hunt attacks proactively

Adversaries craft their tooling specifically to slip past the preventive controls an organisation already has in place. Passively watching for signs of intrusion is less and less effective. Environments are complex, and no single technology finds 100 percent of malicious activity, so humans have to “go on the hunt.”

The key is to proactively hunt for attacks that have already got past the security stack. With threat hunting, security professionals do not wait to act until they receive a security alert or, even worse, discover a data breach. Instead, hunting means looking for adversaries who are already inside your environment, finding the undesirable activity they leave behind, and feeding what is learned back into your security posture.

Course Objectives: This course has been designed to enable security professionals to proactively hunt for threats at the network and endpoint level; continuously fine-tune the organisation's defences; use threat intelligence and IOCs to hunt threats; use tools such as Sysmon and ELK to analyse attack patterns; and use PowerShell to automate threat hunting.

Prerequisites: A solid understanding of networking concepts and application-layer protocols, knowledge of system internals, and intermediate familiarity with penetration testing tools.

Course syllabus

  • Overview of Current Security Trends
  • Top information security attack vectors
    1. Motives, Goals and Objectives of Information Security Attacks
    2. Types of Attacks
    3. Essential terminologies
  • Hacking Concepts, Types and Phases
  • Reactive security Vs Proactive security
  • Understanding Statement of Breach
  • Understanding Incident Response
    1. Key tools, techniques and procedures
    2. Scoping
    3. Intelligence Development
    4. Remediation
    5. Recovery
  • Defining Threat Hunting
    1. Why to Hunt
    2. Where to hunt
  • How to get started and who should be Hunting
  • Understanding techniques and Skills required for successful Hunts
  • Evolution of Threat Hunting
  • TTP (Tactics, Techniques and Procedures)
  • EDR (Endpoint Detection and Response)
  • MDR (Managed Detection and Response)
  • Use Case/Hypotheses
  • IOC (Indicator of Compromise)
  • Cyber Kill Chain
  • Threat intelligence
  • Advanced persistent threats
  • Pyramid of Pain
  • The Diamond Model
  • Threat Hunting Maturity Model
  • Understanding Cyber threat intelligence
    1. Describing Threats
    2. Understanding Risk
    3. Threat Modeling
    4. Traditional intelligence cycle
    5. Case Study
  • Threat Sharing and Exchanges
    1. Malware Information Sharing Platform (MISP)
    2. ThreatConnect
    3. Government-sponsored threat sharing
    4. Collaborative Research Into Threats (CRITs)
    5. Structured Threat Information Expression (STIX)
    6. Cyber Observable Expression (CybOX)
    7. Trusted Automated Exchange of Indicator Information (TAXII)
    8. Case Study
  • Introduction to Open Source Intelligence (OSINT)
    1. Open source information transition
    2. Elements of OSINT
    3. What OSINT can do
  • OSINT Cycle
  • OSINT Tools
  • Limitations of OSINT
  • TCP/IP refresher
  • Understanding different network protocols and services
    1. ARP, ICMP, DNS, HTTP, SSH, DHCP
    2. Firewalls, web proxies, network intrusion prevention systems
    3. Central log servers
  • Foundational packet capture tools – tcpdump and Wireshark
  • tcpdump Primer
    1. Different command line flags
    2. Pcap file format
    3. Berkeley Packet Filter (BPF)
  • Wireshark Primer
    1. User interface
    2. Filters
    3. Useful features for hunting
  • Overview on different network hunting tools
  • Understanding Web proxies and HTTP logs
    1. Why examine web proxies
    2. Web proxy functionality
    3. Squid Configuration
    4. Understanding Squid log file
    5. Web proxy log analysis tools
  • Hunting Webshells
    1. Why do attackers use Webshells
    2. How do they use them
    3. Web shells in the news
    4. Web shell obfuscation methods
  • Web Shell Detection methods
  • Case Study!
  • Understanding different firewall families
    1. Why investigate firewalls
    2. How to collect evidence
    3. Understanding log formats
  • Understanding company security policy and environment
    1. Firewall security requirements for your organization
    2. Permitted communications
    3. Enforcement points
    4. Allowed transaction flows in your environment
    5. Identify connections with your business partners and guest access networks
    6. Identify how resources, applications and services need to be protected by your firewall
  • Typical NIPS and NIDS functionality
    1. Modes of Detection
    2. NIDS/NIPS evidence acquisition
  • Introduction to Snort Architecture and Snort Rule language
  • Understanding IDS/IPS security policy and environment
  • Analyzing firewall, NIPS and Apache logs using Linux system utilities
    1. cat and grep to filter logs
    2. awk to analyse logs
    3. sed, sort and uniq to extract important metrics
  • Using Python for Log analysis
    1. Python basics
    2. Reading logs using python
    3. Log parsing
  • Understanding system basics
    1. Overview of memory
    2. System processes
    3. File structure
  • Understand why hunting in memory is essential
  • Memory based attack techniques
    1. Classic Memory/shellcode injection
    2. Reflective DLL
    3. Memory module
    4. Process hollowing
    5. PEB Unlinking
    6. Gargoyle
  • Existing tool and approaches
    1. Rekall
    2. Volatility
    3. Redline
    4. Comae Windows Memory Toolkit
  • Understanding Windows Event Logs and Event IDs
    1. Suspicious Account Usage & Creation
    2. Passwords
    3. Hashes (PTH)
    4. Forged Kerberos Tickets
    5. RDP
    6. PsExec
    7. WMI
    8. Scheduled Tasks
    9. Service Creation
    10. Admin Shares
    11. Lateral Movement
  • Understanding the Kansa PowerShell framework
    1. How to set up and run Kansa
    2. Understanding the various PowerShell scripts in Kansa used to hunt malware
  • Introduction to PSHunt
  • PSHunt components and modules
    1. Scanners
    2. Surveys
    3. Discovery
    4. Utilities
    5. File analysis
    6. Survey Analysis
  • Overview of the ELK stack (Elasticsearch, Logstash & Kibana)
  • Understanding Elasticsearch basics
  • Understanding Logstash basics
  • Understanding Kibana basics
  • Setting up ELK on Linux Distro
  • Building Visualizations and dashboards
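As an added worked example (not part of the course material above), the following script combines three syllabus topics into one hypothesis-driven hunt: reading and parsing a Squid native-format access.log in Python, matching destination hosts against an IOC list, and testing a behavioural hypothesis (regular "beaconing" from one client to one host) that finds C2 check-ins the IOC feed does not yet know about. The log lines, the IOC domains and the thresholds are all constructed for illustration; in a real hunt the log would be read from disk and the indicators pulled from MISP or a STIX/TAXII feed.

```python
"""Hypothesis-driven hunt over a Squid access.log (native format).

Two hunts run over the same parsed records:
  1. IOC match  - destination host is (or is under) a domain on a threat-intel list.
  2. Beaconing  - one client talks to one host at near-fixed intervals, which is
                  how C2 check-ins look even when the domain is not on any list yet.
"""
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native access.log field order:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed indicator list standing in for an export from MISP or a STIX/TAXII feed.
IOC_DOMAINS = {"bad.example.net", "update-cdn-check.example"}

# Constructed sample log: 10.0.0.7 browses normally and makes one CONNECT to a listed
# domain; 10.0.0.25 polls an unlisted host roughly every 60 seconds. One line is junk.
SAMPLE_LOG = """\
1700000000.000    120 10.0.0.25 TCP_MISS/200 412 GET http://telemetry.example.org/ping?id=7f3a - HIER_DIRECT/203.0.113.10 text/plain
1700000005.000    310 10.0.0.7 TCP_MISS/200 15823 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1700000012.000     95 10.0.0.7 TCP_HIT/200 2210 GET http://www.example.com/style.css - NONE/- text/css
1700000060.500    118 10.0.0.25 TCP_MISS/200 412 GET http://telemetry.example.org/ping?id=7f3a - HIER_DIRECT/203.0.113.10 text/plain
1700000100.000    210 10.0.0.7 TCP_MISS/200 9311 GET http://www.example.com/news - HIER_DIRECT/93.184.216.34 text/html
1700000103.000     88 10.0.0.7 TCP_HIT/200 2210 GET http://www.example.com/style.css - NONE/- text/css
1700000119.800    121 10.0.0.25 TCP_MISS/200 412 GET http://telemetry.example.org/ping?id=7f3a - HIER_DIRECT/203.0.113.10 text/plain
1700000150.000   4022 10.0.0.7 TCP_TUNNEL/200 38844 CONNECT c2.bad.example.net:443 - HIER_DIRECT/198.51.100.9 -
1700000181.100    117 10.0.0.25 TCP_MISS/200 412 GET http://telemetry.example.org/ping?id=7f3a - HIER_DIRECT/203.0.113.10 text/plain
1700000240.300    119 10.0.0.25 TCP_MISS/200 412 GET http://telemetry.example.org/ping?id=7f3a - HIER_DIRECT/203.0.113.10 text/plain
1700000250.000    200 10.0.0.7 TCP_MISS/200 7720 GET http://www.example.com/about - HIER_DIRECT/93.184.216.34 text/html
1700000300.900    122 10.0.0.25 TCP_MISS/200 412 GET http://telemetry.example.org/ping?id=7f3a - HIER_DIRECT/203.0.113.10 text/plain
1700000400.000    180 10.0.0.7 TCP_MISS/200 5100 GET http://www.example.com/contact - HIER_DIRECT/93.184.216.34 text/html
this line is garbage and must be skipped
"""


def parse_squid_line(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    m = SQUID_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    # CONNECT (HTTPS tunnels) logs "host:port"; everything else logs a full URL.
    if rec["method"] == "CONNECT":
        rec["host"] = rec["url"].rsplit(":", 1)[0].lower()
    else:
        rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def hunt_iocs(records, iocs=IOC_DOMAINS):
    """Flag requests whose host equals, or is a subdomain of, a listed domain."""
    hits = []
    for r in records:
        labels = r["host"].split(".")
        parents = {".".join(labels[i:]) for i in range(len(labels))}
        if parents & iocs:
            hits.append({"client": r["client"], "host": r["host"], "url": r["url"]})
    return hits


def hunt_beacons(records, min_requests=6, max_cv=0.15):
    """Flag (client, host) pairs whose inter-request gaps have low relative jitter."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["host"])].append(r["ts"])
    findings = []
    for (client, host), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean  # coefficient of variation: 0 = perfectly regular
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "requests": len(times),
                             "interval_s": round(mean, 1), "jitter_cv": round(cv, 3)})
    return findings


def hunt(log_text):
    """Parse the log once, then run both hunts over the parsed records."""
    records, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_squid_line(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    return {"parsed": len(records), "skipped": skipped,
            "ioc_hits": hunt_iocs(records), "beacons": hunt_beacons(records)}


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    print(f"parsed={result['parsed']} skipped={result['skipped']}")
    for h in result["ioc_hits"]:
        print("IOC hit:", h)
    for b in result["beacons"]:
        print("beacon :", b)
```

On the constructed log the IOC hunt finds only the CONNECT to c2.bad.example.net (matched through its parent domain bad.example.net), while the beacon hunt flags 10.0.0.25 polling telemetry.example.org every ~60 seconds, a host on no list at all. The regular browsing from 10.0.0.7 to www.example.com makes the same number of requests but with highly irregular gaps, so the jitter threshold leaves it alone. That contrast is the Pyramid of Pain point from the syllabus: an indicator match is cheap for an adversary to evade by changing domains, whereas a behavioural hypothesis about how their implant communicates is not.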

Register now for demo sessions on our customized cyber security training programs.

  • Evaluate how you can benefit from cyber security courses
  • Highly customized, cost-effective cyber security training modules with comprehensive coverage
  • Newly introduced threat hunting program with security analytics
  • 24x7 anytime, anywhere access to the Cyberpeople online cloud lab, along with various lab scenarios