Target audience
Everybody who needs to know more about what threat hunting is, why it is necessary,
what is required to start doing it, and how it should be done. Appropriate roles include: CISOs, Security
Managers, SOC staffers, Incident Responders, Forensic Analysts and System Administrators.
Goals
Participants will understand what threat hunting is, be utterly convinced of the need
for it, know what infrastructure is required to facilitate it, and be able to start doing it with confidence
within their own organizations.
Price
Price depends on the number of participants:
5 participants: 1840 € + VAT
6 participants: 1580 € + VAT
7 participants: 1400 € + VAT
8 participants: 1240 € + VAT
9-10 participants: 1140 € + VAT
11-12 participants: 980 € + VAT
Content
Participants learn how to hunt hackers within our Windows 10 lab network, using a range of highly
effective threat hunting technologies and techniques, looking for real-life attacks.
Technologies used:
- Sysmon: Sysmon is the go-to solution for hunters working with Windows machines, and is the
technology that Microsoft itself uses to hunt hackers within their own networks.
- WEF: Windows Event Forwarding is the official Microsoft “agentless” mechanism by which
Windows Events are streamed from endpoints into a “data lake”, for analysis by hunters.
- Elastic Stack, formerly “ELK”: The Elastic Stack is a suite of mature open source technologies that
is widely used for hunting by big-name companies. The principles that are taught in this course
using the Elastic Stack are also more generally applicable to other data lake products such as
Splunk, Sumo and others.
- WinRM: Windows Remote Management (WinRM) allows hunters to interrogate their fleet of
Windows machines in real time from a central collection point. Students will learn how to issue
various hunting questions to the fleet, and how to process the results in ways that will highlight
the activities of attackers.
- PowerShell: PowerShell in Windows is a double-edged sword, being immensely useful for both
defense and offense. In this course students will be taught:
- How PowerShell can be safely leveraged in order to hunt attackers
- How Windows fleets can be set up to log PowerShell activities
- How PowerShell logs can be scanned for attacker activities
- YARA: YARA is a Google-owned technology which, from their own description, is “the Swiss-army
knife for malware researchers (and everyone else)”. Students will learn how to leverage the power
of YARA in order to pick up the “fingerprints” of malicious activities from log files.
Hunting techniques:
- Known bad: Students will learn how to research and develop hunts for known indicators of
attack.
- Known good: Students will learn how to “find evil by knowing normal”, using various processes of
elimination to reduce a set of raw collected data down to “not known good”. Students will then
determine through investigation whether the remaining data constitute indicators of attack or are
benign in nature. Benign items are labeled as “known good” so that they need not be investigated
again.
- Outliers: Outlier detection is the “power technique” of threat hunting. Students will learn how to
leverage statistical analysis in order to force anomalies in large-scale sets of data to become
apparent, which will commonly highlight indicators of attack.
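The three techniques above, worked through as an added example (not course material): known-bad matching, known-good elimination and outlier stacking are applied to a constructed set of Sysmon process-creation (Event ID 1) records from a four-workstation fleet. The event records, the known-good allowlist and the known-bad indicator are all constructed for illustration.

```python
"""Known-bad matching, known-good elimination and outlier stacking over
Sysmon process-creation (Event ID 1) records. All data below is constructed."""
from collections import defaultdict

# Constructed Sysmon Event ID 1 records (host, Image, ParentImage) from a fleet of four workstations.
EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe"},
    {"host": "WS02", "image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe"},
    {"host": "WS03", "image": r"C:\Windows\Explorer.EXE", "parent": r"C:\Windows\System32\userinit.exe"},
    {"host": "WS04", "image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe"},
    {"host": "WS01", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS02", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS04", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"host": "WS02", "image": r"C:\Users\Public\updater.exe", "parent": r"C:\Windows\explorer.exe"},
]

# Constructed "known good": (image, parent) lineages already investigated and labelled benign.
KNOWN_GOOD = {(r"c:\windows\explorer.exe", r"c:\windows\system32\userinit.exe")}

# Constructed "known bad": an image path used here as a placeholder indicator of attack.
KNOWN_BAD_IMAGES = {r"c:\users\public\updater.exe"}


def lineage(ev):
    # Normalise case: Windows paths are case-insensitive and log casing varies between hosts.
    return (ev["image"].lower(), ev["parent"].lower())


def known_bad_hits(events, iocs=KNOWN_BAD_IMAGES):
    """Known bad: every event whose image matches an indicator, as (host, image) pairs."""
    return [(ev["host"], lineage(ev)[0]) for ev in events if lineage(ev)[0] in iocs]


def not_known_good(events, known_good=KNOWN_GOOD):
    """Known good: process of elimination, dropping every lineage already labelled benign."""
    return [ev for ev in events if lineage(ev) not in known_good]


def stack_by_host(events):
    """Stack each remaining lineage against the set of hosts it was seen on."""
    hosts = defaultdict(set)
    for ev in events:
        hosts[lineage(ev)].add(ev["host"])
    return hosts


def outliers(events, max_hosts=1):
    """Outliers: lineages seen on at most max_hosts hosts after known-good elimination.
    Least-frequency-of-occurrence is the statistic; rare lineages are investigated first."""
    stacked = stack_by_host(not_known_good(events))
    return sorted((lin, sorted(h)) for lin, h in stacked.items() if len(h) <= max_hosts)
```

Chrome survives known-good elimination but is seen on three of four hosts, so it does not surface as an outlier; the single-host Word-spawns-PowerShell lineage does, and once investigated it is either labelled known good or added to the known-bad set.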
It is important to note that although this course is Windows-centric, the building-block technological
capabilities and hunting principles are equally applicable to Linux and macOS.