This course date is no longer on offer. Similar courses can be found here.

Introduction to Threat Hunting

Information

Goals

- This one-day technical training is an extension to the "Security monitoring and incident response" course and covers basic theoretical approaches and practical aspects of network and endpoint threat hunting.

Target Audience:
- L1 SOC operators
- Junior CSIRT analysts
- Other IT specialists with interest in cyber security.

Contents

Introduction
- Basic principles and approaches to threat hunting
- Where does threat hunting fit in existing security frameworks

Before the actual hunt
- Threat modelling
- Threat intelligence
- Sources of TTPs and IoCs and working with them
- Formulating hypotheses

Threat hunting on endpoints
- Data sources
- Baselining
- File system
- Processes
- Persistence
- Advanced YARA rules
- Tools for verification of IoC occurrence
- Working with EDR

Threat hunting on a network
- Data sources
- Unusual network behavior
- Detecting data exfiltration
- Analysis of packet captures

General threat hunting recommendations
- Metrics for threat hunting program evaluation
- Automation

Prerequisites

- Previous attendance at the "Security monitoring and incident response" training or equivalent level of knowledge and experience is required.

Study Materials

For the on-site training, participants will receive a printed version of the study materials.

For the online training, participants will receive access to an electronic version of the study materials.

Selected course term

 Bratislava Region
