SecurityBSides Trainings

Course Description

Threat hunting is fast becoming the biggest asset for any information security team. To reduce dwell time, threat hunters apply the scientific method: develop hypotheses about attacker behavior and test them. Hunters do not rely on previously uncovered indicators of compromise (IoCs) but rather develop hypotheses based on their extensive knowledge of attackers’ tactics, techniques, and procedures (TTPs) as well as personal experience in handling incidents. This proactive approach helps security teams catch cybercriminals off guard and take them down.

Threat hunting adds to the offensive capabilities of information security teams, which are gradually becoming commonplace worldwide.

Group-IB’s Threat Hunter course explores what makes a good threat hunter and the techniques they use to put forward successful hypotheses.

Prerequisites

  • Understanding of networks and network technologies
  • Experience and skills in infrastructure administration
  • Knowledge of how file systems are structured
  • Understanding of how cyberattacks are carried out
  • Basic knowledge of how malware operates

Instructor - Svetlana Ostrovskaya

Principal Incident Response and Digital Forensics Analyst (MEA) and Author of Practical Memory Forensics: Jumpstart effective forensic analysis of volatile memory

Key Learning Objectives

  • Detecting anomalies in network infrastructure
  • Understanding the TTPs most often used by threat actors
  • Understanding the basics of digital forensics and malware analysis
  • Testing hypotheses and obtaining new IoCs for hidden threats

Agenda

    • 09:00-18:00 Room: TBD

      Day 1: Theory and demonstration

      2023-07-04
      Threat hunting is one of the biggest trends in cybersecurity. But what is it, exactly? What does the job entail and how do threat hunters fit into the information security ecosystem? These are some of the questions that will be answered at the start of day one.

      Next we will look into the general techniques and models used by threat hunters today and learn how to apply the scientific method (i.e. hypothesis testing) to the threat hunting process. Participants will learn how to get the most out of the MITRE ATT&CK matrix. Understanding how to read and interpret open-source data helps create more accurate hypotheses and catch threat actors.

      In addition, participants are introduced to useful logging sources and the opportunities they offer threat hunters. Attendees also learn which data should be logged and how to use it to enrich events from other sources.
    • 09:00-18:00 Room: TBD

      Day 2: Theory and practice

      2023-07-05
      Digital forensics is the cornerstone of cybersecurity. Without a basic understanding of the best practices in the field, threat hunters cannot perform their tasks properly. Day two starts with a discussion of the digital forensics methods that are most useful for threat hunting. Participants then learn how to identify useful events in Windows event logs and how to interact directly with remote hosts, and what to look for when hunting for malware, threat actors' tools, and techniques related to the exploitation of public-facing applications.

      The lesson then moves to an overview of LOLBAS and Sysmon. Participants learn how to use Sysmon in threat hunting and practice analyzing its events.
    • 09:00-18:00 Room: TBD

      Day 3: Theory, demonstration and practice

      2023-07-06
      Up until this point, attendees will have learned how to perform threat hunting on a single host. Yet real-world threat hunting requires analyzing dozens of hosts at the same time. As such, the third day of the Threat Hunter course is spent giving a realistic view of the threat hunting process. Participants receive tools for log collection and analysis at enterprise scale and extensively practice hypothesis generation and testing based on MITRE ATT&CK data.
    • 09:00-18:00 Room: TBD

      Day 4: Practice

      2023-07-07
      On the last day, participants have the opportunity to put all the knowledge and skills they gained into practice. They hunt for threats on their own, working with the ELK stack and answering CTF questions. After solving the questions on their own, participants have the opportunity to discuss the tasks and learn techniques needed to find the relevant information.