eLS THP (Threat Hunting Professional)

Mooseboost

I have seen a few posts about it, but how many people on here have completed the course? I have done analyst work in the past and some pentesting, but no specific threat hunting. This is a skillset I am looking to develop and outside of SANS (which is way out of budget right now), this is the only other course I can really find.

For anyone who has done it, did you find the content worth it? I've worked through their PTS and PTP courses and though the material was good, but I have heard that some of the other courses are not as well designed. If you do hunting in your day-to-day and have done the course, do you feel it teaches real-world hunting or is it more of an academic "this isn't how we actually do it".

vynx

maybe try to search in the google for people who have that cert ?

Mooseboost

Yeah man, let me tell ya - people everywhere have this cert. Google is overflowing with reviews.

KAmes4545

I looked on Linkedin for eCTHP and found only 7 people listing it there. I'm also interesting in this, so if you don't end up reaching out, I think I might just to get a little bit more information before purchasing. I would just like to ask questions like which version would they recommend (full or elite) etc.

chrisone

eCTHP is fairly new, so you might not find many people at the moment with the certification. There were a few people on here who purchased the course and created a post about it. Search for it here on TE, then bump it or PM them about updates. Last I heard they were benefiting from the course.

Check the syllabus topics and you might just have to take a leap of faith on your own judgment.

Mooseboost

Yeah, I think it is going to have to be a leap of faith. I was hoping there were a few members here who may be doing it but had not made any progression or review threads. The only person I know of who posted that was actually doing it was supasecuritybro and he has it on hold for now. I might ping him and see if he has started back with it.

The main downside I have when it comes to looking at the syllabus is that I don't do threat hunting in my current role - so I don't know if the course is comprehensive or not. I've always been positive about eLS and their training, so I don't doubt the course is good. A lot of the recent eLS bashing seems to be over them adding so many new courses and raising some of the pricing, so I don't know if the negative reviews are legit or just people upset. This course will be completely out of pocket for me though so, I definitely want the most bang for my buck.

vynx

KAmes4545 wrote: »

I looked on Linkedin for eCTHP and found only 7 people listing it there. I'm also interesting in this, so if you don't end up reaching out, I think I might just to get a little bit more information before purchasing. I would just like to ask questions like which version would they recommend (full or elite) etc.

i hope i can become one of that 7 people, i think elite would be good choice.

supasecuritybro

Hey @mooseboost, what are your questions that I can answer for you?

beads

Interesting idea but not really sure as to what the levels really entail or how good/poor the labs maybe until someone goes into depth with the course. Of course once the PDF gets copied a few thousand times by your closest 1000 friends its all over.

- b/eads

Mooseboost

supasecuritybro wrote: »

Hey @mooseboost, what are your questions that I can answer for you?

I know you work with SIEM a good bit, do you feel the course is geared more towards threat hunting in a SIEM or in more of an on-system incident response situation? Do you feel like there has been a good ROI or do you think you already had a good grasp of the majority of the content prior to the course?

For the course itself, do you feel the content is well thought out? I've heard a ton of complaints about PTX feeling incomplete. I am hoping this is not the case for THP.

supasecuritybro

Mooseboost wrote: »

I know you work with SIEM a good bit, do you feel the course is geared more towards threat hunting in a SIEM or in more of an on-system incident response situation? Do you feel like there has been a good ROI or do you think you already had a good grasp of the majority of the content prior to the course?

For the course itself, do you feel the content is well thought out? I've heard a ton of complaints about PTX feeling incomplete. I am hoping this is not the case for THP.

I cannot say that the course is lacking. I believe it has the right amount of content for someone who is starting off into a security analyst position. You do have to have a computer background (like any security professional should), it covers some basics and quickly moves into the stuff for the hunting aspect. I haven't made it into the endpoint/SIEM part but it has been a good quality material. It really provided the foundation I needed for some ideas I was tossing in my mind that I didn't have a starting place.

Once I get done with the SIEM part, I will circle back to you.

The labs do not feel like they have a lot of meat in them, its like, build this IOC and look for this result so far. That doesn't feel very robust to me. For the intro price, it was the right cost. Then again to get a decent threat hunting cert, you'd have to go into the SANS route, FOR508 or FOR572 or SEC511 or SEC599, and each are in the 6300 price range. So it depends on your threshold for investment.

MalwareMike

Great recap so far.

KAmes4545

Couldn't get much feedback from people that have completed besides "it's OK". Ended up getting the course myself and working through the information as well. Looks like supasecuritybro is working on it once again Good luck!

renzoncruz

How was it so far? I am planning to buy this course too after my DFP and PTP.

1point8t

I've completed the entire course, and re-reviewed certain sections a few times, and feel that it has helped me get a better understanding of the threat hunting processes and tools. The labs were good but I felt that the endpoint section could have used more material and more labs, especially surrounding the use of Powershell as an IR toolkit and hunting with ELK. From my perspective the course is on the right track and could benefit from another revision shortly.

Shortly after completing this course I was able to get my hands on the SANS 508 (Advanced Digital Forensics, Incident Response, and Threat Hunting) course material from a colleague and felt that the ELS THP course helped better prepare me for that advanced level course. It isn't right to compare both courses as the THP guides you gently into threat hunting and some basic IR processes while SANS 508 ramps up fairly quickly. In addition, ELS is practically 15-20% of the price of SANS 508.

I never took the THP exam as I've been concentrating on the SANS 508 material and trying to prepare for the GCFA.

MalwareMike

How was the GCFA material? I've thought about taking it as one of my electives. How much of the course is hunting compared to forensics..?

1point8t

The GCFA material is great, I thoroughly enjoyed it. In my opinion the material and labs are heavily focused on forensics and IR with some (less than half a book) for threat hunting. It is important to note that having a good understanding of how the attack occurs and analyzing specific artifacts (login events, application execution, etc) will make you a better threat hunter.

MitM

I was thinking about this course. Are they ever discounted?

SANS would be ideal, maybe in the future

KAmes4545

So I just finished all the labs and course work for eTHP. I have to say I'm kind of disappointed in some ways with the labs. What frustrated me the most about the labs were the workarounds that you have to do for some of the labs to get them to work. They also never provide these workarounds in the course material. For example, they ask you to gather data from a machine remotely, well you can't use the tools that are given, none of them work. I go on the forums and they tell you that you need to remote in the other machine and do a time sync... um... ok, but how was I suppose to know this? This is only one example of this happening but happened 3 or 4 times to me in the 9 labs. Each person taking this course will have to go to the forums for these workarounds. I felt like in some cases I'm troubleshoot the environment more than doing the course work. Also, the forums aren't exactly helpful/friendly. When people ask about the issues they have with the labs on the forums they are greeted with "Please use the search functionality of the forums" I don't disagree, but maybe just link the other post and ask the user if it helps solve their issue would be more appropriate and more customer friendly? I also wish there was more lab work and more scenarios to work on, I feel like I need to  work outside the lab to even get the basic understanding of the tools presented in the labs. My fear is the exam is kind of like the lab environment and I struggle more with troubleshooting issues then actually doing an investigation, but I guess I'll find out.

Skyyyyy2001

@KAmes4545 keep up posted on the exam result. We will be interested to know. Have tried feedback to Armando on this?

u1tras

So, as I promised there is my review of the 1st THP course section. Finished it in 3 days (4-5 hours per day in comfortable pace). There are a lot of slides, about 1-3 sentences on the slide. Everything is short and to the point, nothing irrelevant. The quality of the video is very good. Althought there were some unclear moments, but nothing serious, you can follow to the provided links and find any answers there. Lab VM was a littte bit slow and gave me a basic practical experience in the topic. Concerning the theory, there was one strange (IMO) division into 2 types of threat hunters. I always though that there is only one type which must do all mentioned activities. I also posted a few proposals for the Lab on ELS forum.
My personal recommendation - look at the forum before starting any Lab - in this case everything should go smoothly. 

cyberguypr

I am curious, what are those two types of hunters that they mention?

u1tras

cyberguypr said:

I am curious, what are those two types of hunters that they mention?

1st type hunter - hunts for threats with CTI and IOCs. 2nd type - hunts for previously unknown types of threats. I suppose with using MITRE ATT&CK and other related info about adversaries' TTPs. 2nd type should be discovered in upcoming modules. I thought there is only one type of hunter which always should do both. It's not a problem for me, just an interesting point of view:)

u1tras

I should also add that after the 1st THP module I decided to enroll into IHRP course. I see that eLS is definitely versed in its' stuff. 

r3nzsec

Hey @u1tras how was the THP so far? I'm planning to purchase this and will use 200 USD off this month

u1tras

r3nzsec said:

Hey @u1tras how was the THP so far? I'm planning to purchase this and will use 200 USD off this month

Hi @r3nzsec! I've finished my exam on Jan 11 and now I'm waiting response from eLS with exam result. After that I'll try to write my course and exam review.

JoJoCal19

Good luck, hope you passed!! I'm definitely interested in reading a review of this course. I'm thinking of pursuing it in the future.

u1tras

How much time usually eLS conducts an exam report review? Does anybody know?   

u1tras

JoJoCal19 said:

Good luck, hope you passed!! I'm definitely interested in reading a review of this course. I'm thinking of pursuing it in the future.

Thanks, hope I will! The exam was very interesting and I was getting a real pleasure while taking it.

KAmes4545

It took about a week to get my result for the exam.

Looking online for other people I saw as little as 4 hours up to 25 business days. Those for other exams though. 

The exam is definitely a nice surprise compared to the course work. 

u1tras

KAmes4545 said:

It took about a week to get my result for the exam.

Looking online for other people I saw as little as 4 hours up to 25 business days. Those for other exams though. 

The exam is definitely a nice surprise compared to the course work. 

Up to 25 business days?! That's awful. Does eLS have only one person for exam results review who can dedicate to it only 3 hrs per week?
How about SLA? I really surprised, even more than with exam challenges.