Just picked up ELS's Threat Hunting Course!

Good day everyone!
I've been curious about what threat hunting really is, and I've been waiting for reviews on ELS's Threat Hunting course.
Looks like it isn't a popular course, but hey, I was inspired by supasecuritybro's thread so I took the dive and paid for the Full version.
Time to dig in, and hopefully I can complete this by Feb, as I'm scheduled to attend the SANS GCIH course on March 18.
If you're looking for mini reviews on this course, I'll (hopefully) be regularly posting my updates in this thread.

Comments
1) The first 2 decks of slides really talk a lot about Threat Hunting. They're a pretty alright introduction to threat hunting!
2) The 3rd module contains mentions of several reports from security vendors that "I should have read, but didn't". These reports either talk about recent attacker trends or recent malware investigations. I've read some as they are in my news feeds, but I've missed some. Could be very useful.
I'm so tempted to skip reading the slides and dive straight into the tools, but eh, I'll take it slow and steady to absorb all the information I can get.
Next up, module 4 (Threat Hunting Methodology) tonight, then some videos!
I've seen YARA mentioned here and there, and have been tossed several IOCs (IPs, URLs, hashes) and YARA rules to "look out for and block them on our IPS/Firewall", but I've honestly never had the time to look up more about YARA rules, so I usually toss the YARA files aside.
After going through the first 3 videos, I am ashamed, but happy to say that:
1) I finally understand how YARA rules are created,
2) I understand the purpose of YARA rules.
I'm now moving on to the fourth video: using YARA rules in Redline.
To be fair, this can all be Googled online, or you can experiment with it on your own. But it sure helps when you have an instructor to quickly walk you through!
So, Network Miner, Mandiant Redline, RSA Netwitness Investigator and some options in Wireshark that I never explored.
A few days after I went through the videos, an incident occurred at my organization and I had the opportunity to use the above tools.
Needless to say, it really, really helped me out in the incident, and it's been resolved.
Slowly moving on to Sysmon and ELK next!
I tried, but got an error: Logstash on port 5044 is not running because of an error like "TLS cipher not found"... Any advice?
TBH, you really couldn't expect a lot at the time of writing, since it was released on December 12th.
I'm doing this one as well ATM.
Is it good? I am now working as a threat hunter and this would be beneficial for me for sure.
That is very interesting, something to consider. I am interested in updates; I want to know if this data can really be used effectively to build a threat hunting capability within an organization, and importantly, to detect threats prior to a known incident.
I've had to put this on pause, as I'm typing this from the SANS GCIH course!
I will likely only be continuing this from the end of May onwards.