INE eLearnSecurity Certified Threat Hunting Professional - eCTHPv2 Passed
chrisone
Member Posts: 2,278 ■■■■■■■■■□
I recently got the pass on the eCTHPv2 exam from elearnsecurity.
Brief summary:
Experience at time of test: 5 years security, 10 network engineer with network security
Time spent studying: 3 months
Purchase: Elite Bundle with 120hrs of lab, 56 hours used for lab
Additional reading: Yes... a lot.
Cert attempts: 2
Course:
The course has an amazing amount of content. This is not a beginner's course, and you are expected to know how to perform a full incident response (see eCIR), SIEM (ELK & Splunk) data searching, threat intelligence, IOC researching, intermediate ethical hacking theory & practice (you don't need an OSCP), reporting skills, pcap analysis (Chris Sanders' packet analysis book is great), normal traffic patterns (ARP, DNS, DHCP, HTTP, HTTPS, etc.), some Python, malware concepts & experience understanding what they do and how they perform, bash, PowerShell, logging (endpoint & network), Windows event IDs, process injection, basic AD red team ideas (no need to know how to perform these attacks), and the cyber kill chain.
Sigh... ok, yes, that was a lot to digest, but these skills take years to develop.
The labs were very good and had you practicing more content than what was on the exam. There are so many open source threat hunting tools you can use and practice with. So many ideas to explore to help you with your own work environment. I already have at least 5 tools from this course I am POCing at work to help find suspicious activity (web shells, endpoint telemetry data, osquery, PowerShell threat hunting tools, memory image creation). This course forced me to develop a skill set of researching threat IOCs and then searching for them within a live network environment. You can easily get accustomed to waiting for your security appliances to trigger an alert for you. But what if there are no signatures or indications of a breach? An awesome read is from Microsoft: "Assume Breach." Blue teamers should assume their network has already been breached. It is time to hunt for these adversaries!
Exam:
Before attempting eCTHPv2 I had previously passed the IHRP eCIR exam. eCIR was not easy; I feel it is difficult to sift entire data sets in a short amount of time to find all malicious traces of initial compromise, privesc, lateral movement, cred dumping, malicious binaries, persistence, etc. Because eCIR is incident response, you are really challenged to map it all out and report on it.
eCTHPv2 expects you to already have those skills and go beyond: identifying malicious behavior hidden throughout the data sets without any alerts or pcaps to check. eCTHP really challenges you to research threats/IOCs and hunt for traces of such activity in the network. THPv2 also challenges you to hunt for malware within a memory image dump. Can you spot the malware given a memory image dump? How good are your Volatility skills? How good are you at hunting for TTPs in your environment? If given a TTP, can you research the IOCs and develop your own search queries? Are you familiar with the MITRE ATT&CK framework? SIGMA is your friend.
Conclusion:
I am very satisfied with this course and highly recommend it to those who wish to accelerate their blue team skills to the next level. If you have at least 2+ years in a blue team position and at least 1+ year reading up on penetration testing or red team tactics, you should not have much of a problem following along with the content. Even then the course really does its best to hold your hand.
This was a very brief, high-level overview of the course. I find myself too tired after these exams to write a full-blown detailed review or even to check my spelling and run-on sentences hahaha. If you have any questions, please feel free to ask. I will do my best to get back to you.
Thank you for your time and good luck to anyone pursuing this course & certification.
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX
Comments
chrisone
Member Posts: 2,278
Thank you @SteveLavoie & @JDMurray
The exam was difficult and there was a lot of content to digest. It was totally worth it to get you to sit down and focus on some high-level blue team action. Red team certs always get the fun check box marked off; this time the blue team side did as well.
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX