eLearnSecurity Threat Hunting Professional - My course and exam review

u1trasu1tras (OSCP, eCTHP), Moscow, Member, Posts: 81
Hello all,

I've just finished the THP course from eLearnSecurity and passed the certification exam. So, as I promised, here is my course review.
Before I start the course review itself, I'd like to briefly describe how I came up with the idea to take it. Originally, I'm a Red teamer and have over 6 years' experience in the Pentesting and AppSec domains. I was hooked on blue team activities after participating in one project at my company. But the term "blue team" is too general and I needed to pick something. My choice fell on Threat Hunting.
However, there are a few issues connected with learning Threat Hunting. First, it is a relatively new discipline and it is hard to find out what exactly you should do and what crucial skills it requires. You can check this post where we were discussing this issue with @LionelTeo and other nice guys:
Secondly, threat hunting is a very wide infosec discipline. A good hunter should be able to demonstrate knowledge and strong practical skills in at least the Security Operations, DFIR, CTI and Penetration testing domains.
Having all this information, I started searching for trainings and courses. Most of them were too expensive for me (Mosse Security, 7Safe, InfoSec Institute etc.), didn't have a remote eLearning option, or promised to make me a hunter within 3-5 days (that's really funny). I've heard a lot of good reviews about eLearnSecurity courses, and after getting a $200 gift I booked the THP course before New Year.
Course review
I really liked the topics covered in the course, especially Threat Intelligence, Threat hunting methodology and reporting. Slides were pretty good, everything is short and to the point. I highly recommend diving deep into the threat hunting world while you study the course materials and following all the links provided in the slides. Don't hurry, read them carefully. It will help you on your exam. Videos were also great, high quality, nothing redundant.
Labs. I really liked the labs, but some of them were a little bit boring (for me personally). I like challenges and, from my perspective, it would be great to add some challenge "style" to the labs. I think making them more like exam challenges would be great.
The greatest weakness of the course, and perhaps the only one, is the lack of ELK hunting labs. You can't hunt effectively in a modern enterprise without using some SIEM solution and its command line, queries, dashboards etc. The ELK videos were nice, but that's definitely not enough. I talked to Dimitrios about this issue and he promised to add such labs in a new THP course version. He also mentioned that the recently launched IHRP course will contain plenty of ELK labs. So, I'm happy that I've booked this course too :)
To better prepare for the exam, I recommend reading the THP and eCTHP forums carefully. You should also feel very confident with all the tools covered in the course. Google and try to find some useful articles about the tools, their use, useful options and (this is necessary) conduct practical investigations with them. This will really make a big difference on your exam. Don't be lazy, just do it. Read carefully what exactly the exam challenge wants from you, don't hurry. I passed the exam on my second shot, because I missed one important detail the examiner wanted to "hear" from me.
Manage your time, start with the task where you feel confident and move further step by step. It is possible to go through some challenges in parallel; use this option for time-consuming tasks.
Personal Takeaways
The best quality for a threat hunter is to be able to think like an attacker.
A good hunter should know attackers' TTPs very well and be able to reproduce them. This is necessary in order to create proper detection content and counteract them. During hunting, control your mindset, make hypotheses, prove or reject them. When evil is discovered, be ready for DFIR activities (more so for companies without dedicated DFIR teams).
17.12.18 - course started
02.01.19 - course finished (3-6 hrs/day)
09.01.19 - materials and labs repeated twice (20 lab hrs spent in total)
10.01.19 - exam started
11.01.19 - report uploaded
16.01.19 - report assessed (Fail)
17.01.19 - report corrected and uploaded
19.01.19 - report assessed (Certified)
Certs: OSCP, eCTHP
2019 Goals:
eCTHP (done), FOR578 (done), FOR555 (done), Python (in progress), ELK, eCIR, SEC599, NetWars DFIR, FOR610