Practical Threat Hunting

Instructor-led training course

At a glance

The Practical Threat Hunting course has been designed to teach threat hunters and incident responders the core concepts of developing and executing threat hunts. Through this course students can learn to:

  • Apply cyber threat intelligence concepts to hunt for adversary activity in your environment
  • Establish a repeatable hunt methodology and develop hunt use cases
  • Leverage endpoint data to hunt
  • Establish measures of effectiveness for a hunt program

This course includes practical labs that challenge the students to develop hypotheses and hunt missions in order to hunt for evidence of compromise through multiple scenarios including social engineering, network and system compromise, and APT nation-state actors. The labs are designed so that students have an opportunity to experience hunting using environments like the command line, Jupyter Notebook, and forensic tools like Velociraptor.

Prerequisites: Students should possess knowledge of computer and operating system fundamentals. Python programming is not required; however, familiarity with the language or programming concepts will help students when working on some of the labs.

Course structure

The course consists of the following modules, with labs included throughout the instruction.

  • Introduction to Threat Hunting – Understand the core concepts that constitute threat hunting. An overview of the characteristics of a threat hunt is provided along with the benefits of performing threat hunts and also the challenges that threat hunters should be aware of. The key concept of leveraging threat intelligence is introduced to students.
  • Introduction to Threat Modeling – Understand how threat modeling is key to any effective threat hunt. An overview is provided of the basics of threat modeling. Students are then provided a breakdown of the workflow of threat modeling and how it ties into threat hunting. The importance of using threat intelligence for threat modeling is also discussed.
  • Threat Hunt Program Framework – Understand what constitutes a threat hunt program framework. This module can be beneficial to understand the requirements of a formal threat hunt program.
  • Threat Hunt Operational Drivers – Understand what is needed from a hunt mission capability. An overview is provided of the areas in which an organization needs to have capabilities to execute effective threat hunts. Discussions are conducted on the benefits of having these capabilities and the challenges if an organization is deficient in any of them.
  • A4 Framework – This module introduces the students to the A4 framework of threat hunting. This framework is reinforced for the students through the rest of the course as it is used as part of all the hands-on labs.
  • Threat Hunt Library – Understand the importance of developing and maintaining a Threat Hunt Library. Students can participate in exercises that will reinforce the importance of developing and maintaining a threat hunt library. As part of the labs, students will be asked to develop a threat hunt library that they can take with them at the conclusion of the course.
  • Labs – Students will be challenged to complete multiple labs where they will develop hypotheses and hunt missions, using threat intelligence, for specific scenarios. The students will then be provided access to an environment in which they will be able to execute the hunt missions that they design.
  • Use case – Gain an understanding of a critical outcome of threat hunts. Understand how threat hunt missions are used to generate use cases. As part of this module an overview of Sigma rules will be provided. Students can then develop use cases based on the hunt missions they developed as part of the hands-on labs.

Who this course helps

The content and pace of this course are intended for threat hunters, information security professionals, incident responders, computer security researchers, corporate investigators, and others requiring an understanding of how threat hunting is performed and the processes involved in performing threat hunts.

How it works

Delivery methods

In-classroom and virtual instructor-led training

Duration

  • 3 days (in-person delivery)
  • 4 days (virtual delivery)

What to bring

Students should bring their own laptop computer with the latest browser of choice and the ability to connect to the Internet. Students will receive class handouts, temporary credentials to get access to Mandiant Advantage, and directions on how to connect to the lab environment.

Take the next step

Contact Mandiant Academy to learn more and schedule your course today.
