Advanced Network Defender With Threat Intelligence and Threat Hunting
Course Duration |
4 Days |
Introducing The advanced Network Defender With Threat Intelligence and Threat Hunting
When adversaries attack. The time they spend on the network undetected can be up to 6 months or even years. How do you detect attackers in your network that have bypassed all the security measures you have in place? This is where a threat hunting program comes in.
Learning Objectives
- Explain the concept of threats and how it relates to cyber security risks
- Define Cyber Threat Intelligence, what it is and what it is not.
- Be able to differentiate between Threat Intelligence and Threat Hunting
- Explain why Threat Intelligence is an important part of cyber security risk management
- Explain the Lockheed Martin Kill Chain, Diamond Model, and Mitre Framework for Threat intelligence
- Know the tools that are used for Threat Intelligence and be able to use them
- Learn to gather Threat Intelligence feed and process them
- Define Cyber Threat Hunting and explain its value to an organization
- Understand the Threat Hunting process
- Know the difference between Cyber Threat Intelligence and Threat Hunting and Incident Response.
- Learn what data to collect and where to collect it
- Leverage both endpoint and network data for successful hunting
- Understand how to hunt for threats in your organization’s systems and network
- Understand the Hunting Maturity Model to measure your organization’s hunting capability
- Learn how to find and investigate malware, phishing, lateral movement, data exfiltration, and other common threats
Course Description
Day 1
Cyber Threat Intelligence
- Introduction to Threat Intelligence
- Threat Intelligence Frameworks:
- Lockheed Martin Kill Chain
- Diamond Model
- Mitre ATT&CK Framework
- Threat Intelligence (TaHiTI) methodology
Threat Intelligence Use Cases
- Security Operations Center (SOC)
- Incident Response management
- Vulnerability management
Cyber Threat Intelligence (CTI) at the various level:
- Strategic level
- Tactical level
- Operational level
- Technical Intelligence level
The Cyber Threat Intelligence Cycle
- Requirements, Planning, Direction
- Threat Intelligence Data Collection
- Data Processing
- Data Analysis
- Intelligence Reporting
- Dissemination
Day 2
Tools for Threat Intelligence
- Yara for malware identification and classification
- Structured language for cyber threat intelligence (STIX)
- A transport mechanism for sharing cyber threat intelligence (TAXI)
- Sophisticated threats are bypassing both perimeter and endpoint security.
- Increase the speed and accuracy of incident response
- Understand and reduce attack surface exposure / hardened network and endpoints.
- Reduce the time an adversary dwells on the network unnoticed
- Detect/prevent the spread of the attack and lateral movement
- Collect evidence of compromise
Day 3
Threat Hunting
- Introduction to Threat Hunting
- Cyber threat hunting definition and goals
- The pyramid of pain
- The Six D’s of Threat hunting
- Hunting for Indication of compromise (IoC) and Artifacts.
- Cyber threat hunting methodologies and techniques
Threat Hunting Use Cases
- Technology Review
- Real-world Threats
- Hunt Mission
- Data Collection and Hunt Execution
- Analysis
- Refining the Hunt Mission
Threat Hunting Methods
- Threat Hunting with the Mitre Framework
- DEtect Tactics, Techniques & Combat Threats model
- Combining DeTT&CT with Mitre Att&CK
- MITRE ENGAGE
- Using Caldera to simulate threat
Day 4
How to Build a Hunting Lab
- The Technical requirements
- Building the Elastic Machine
- Setting up the OS
- Install and setup Kibana
- Setup a small network for the hunting lab
Hunting for The Indication of Compromise (IoC)
- Hunting for network-based cyber threats
- Hunting for host-based cyber threats
- Cyber threat hunting technologies and tools
Using Elastic Stack for Threat Hunting
- Use available opensource tools for threat hunting
- Introduction to Elastic Stack
- Collection and analyses of data with Elastic Stack
- View Elastic Stack data using Kibana
Other Information
Labs will be used throughout this course. You will have the opportunity to put what you’ve learned into practice through a series of hands-on labs.
Prerequisites
This course assumes that you have a basic understanding of security operations and some understanding of computer networking and security concepts.
What You Will Receive:
- Printed courseware
- Electronic reading materials
- Access to the course lab exercises
- Access to a Cloud Service Provider for the labs
- Additional book on related topics
System Requirements:
Some of the labs will be performed in the cloud and others on your local laptops. As such, you need to have admin access to your system and be able to access the internet.
Therefore, your system should meet the following requirements:
- A modern laptop with full Admin access
- Unrestricted Internet
- An OpenSSH client installed
- A PDF reader
Who Should Attend?
This training is for anyone working in the security Operating Center (SOC) who wants to learn how to get more enriched security operations. The following roles can also benefit from the course:
- Network security professionals
- Incident responders
- Penetration testers
- Red team members and other white hats
- Security analysts
- Security consultants and auditors
- Security Managers who want to create threat-hunting teams
Course duration
This is a Master class course with a duration of 4 days of classroom training and 2 additional days of home study and lab work.