eLS THP (Threat Hunting Professional)

MooseboostMooseboost Member Posts: 778 ■■■■□□□□□□
I have seen a few posts about it, but how many people on here have completed the course? I have done analyst work in the past and some pentesting, but no specific threat hunting. This is a skillset I am looking to develop and outside of SANS (which is way out of budget right now), this is the only other course I can really find.

For anyone who has done it, did you find the content worth it? I've worked through their PTS and PTP courses and thought the material was good, but I have heard that some of the other courses are not as well designed. If you do hunting in your day-to-day and have done the course, do you feel it teaches real-world hunting or is it more of an academic "this isn't how we actually do it"?

Comments

  • vynxvynx Member Posts: 153 ■■□□□□□□□□
    Maybe try to search on Google for people who have that cert?
  • MooseboostMooseboost Member Posts: 778 ■■■■□□□□□□
    Yeah man, let me tell ya - people everywhere have this cert. Google is overflowing with reviews.
  • KAmes4545KAmes4545 Member Posts: 13 ■■■□□□□□□□
    I looked on LinkedIn for eCTHP and found only 7 people listing it there. I'm also interested in this, so if you don't end up reaching out, I think I might, just to get a little bit more information before purchasing. I would just like to ask questions like which version would they recommend (full or elite) etc.
  • chrisonechrisone Member Posts: 2,278 ■■■■■■■■■□
    eCTHP is fairly new, so you might not find many people at the moment with the certification. There were a few people on here who purchased the course and created a post about it. Search for it here on TE, then bump it or PM them about updates. Last I heard they were benefiting from the course.

    Check the syllabus topics and you might just have to take a leap of faith on your own judgment.
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • MooseboostMooseboost Member Posts: 778 ■■■■□□□□□□
    Yeah, I think it is going to have to be a leap of faith. I was hoping there were a few members here who may be doing it but had not made any progression or review threads. The only person I know of who posted that was actually doing it was supasecuritybro and he has it on hold for now. I might ping him and see if he has started back with it.

    The main downside I have when it comes to looking at the syllabus is that I don't do threat hunting in my current role - so I don't know if the course is comprehensive or not. I've always been positive about eLS and their training, so I don't doubt the course is good. A lot of the recent eLS bashing seems to be over them adding so many new courses and raising some of the pricing, so I don't know if the negative reviews are legit or just people upset. This course will be completely out of pocket for me though so, I definitely want the most bang for my buck.
  • vynxvynx Member Posts: 153 ■■□□□□□□□□
    KAmes4545 wrote: »
    I looked on LinkedIn for eCTHP and found only 7 people listing it there. I'm also interested in this, so if you don't end up reaching out, I think I might, just to get a little bit more information before purchasing. I would just like to ask questions like which version would they recommend (full or elite) etc.

    I hope I can become one of those 7 people; I think elite would be a good choice.
  • supasecuritybrosupasecuritybro Member Posts: 206 ■■■■□□□□□□
    Hey @mooseboost, what are your questions that I can answer for you?
    Completed: CISSP, GPEN, GWAPT, CCSA R80, eJPT, CySA+, M.S. Information Security
    Current Goal: CCSE
    Continuous Education Plan: AWS-SAA, OSCP, CISM
    Book/CBT/Study Material: Max Power
  • beadsbeads Member Posts: 1,531 ■■■■■■■■■□
    Interesting idea but not really sure as to what the levels really entail or how good/poor the labs may be until someone goes into depth with the course. Of course once the PDF gets copied a few thousand times by your closest 1000 friends it's all over.

    - b/eads
  • MooseboostMooseboost Member Posts: 778 ■■■■□□□□□□
    supasecuritybro wrote: »
    Hey @mooseboost, what are your questions that I can answer for you?

    I know you work with SIEM a good bit, do you feel the course is geared more towards threat hunting in a SIEM or in more of an on-system incident response situation? Do you feel like there has been a good ROI or do you think you already had a good grasp of the majority of the content prior to the course?

    For the course itself, do you feel the content is well thought out? I've heard a ton of complaints about PTX feeling incomplete. I am hoping this is not the case for THP.
  • supasecuritybrosupasecuritybro Member Posts: 206 ■■■■□□□□□□
    Mooseboost wrote: »
    I know you work with SIEM a good bit, do you feel the course is geared more towards threat hunting in a SIEM or in more of an on-system incident response situation? Do you feel like there has been a good ROI or do you think you already had a good grasp of the majority of the content prior to the course?

    For the course itself, do you feel the content is well thought out? I've heard a ton of complaints about PTX feeling incomplete. I am hoping this is not the case for THP.

    I cannot say that the course is lacking. I believe it has the right amount of content for someone who is starting off into a security analyst position. You do have to have a computer background (like any security professional should); it covers some basics and quickly moves into the stuff for the hunting aspect. I haven't made it into the endpoint/SIEM part but it has been good quality material. It really provided the foundation I needed for some ideas I was tossing in my mind that I didn't have a starting place.

    Once I get done with the SIEM part, I will circle back to you.

    The labs do not feel like they have a lot of meat in them, it's like, build this IOC and look for this result so far. That doesn't feel very robust to me. For the intro price, it was the right cost. Then again to get a decent threat hunting cert, you'd have to go into the SANS route, FOR508 or FOR572 or SEC511 or SEC599, and each are in the 6300 price range. So it depends on your threshold for investment.
  • MalwareMikeMalwareMike Member Posts: 147 ■■■□□□□□□□
    Great recap so far.
    Current: GSEC, GCIH, GCIA, GWAPT, GYPC, RHCSA, WCNA
    2019 Goals: CISSP, Splunk certifications (Certified Core, Power User, Admin, and Architect)
    Twitter: https://twitter.com/Malware_Mike
    Website: https://www.malwaremike.com

  • KAmes4545KAmes4545 Member Posts: 13 ■■■□□□□□□□
    Couldn't get much feedback from people that have completed besides "it's OK". Ended up getting the course myself and working through the information as well. Looks like supasecuritybro is working on it once again :) Good luck!
  • renzoncruzrenzoncruz Member Posts: 14 ■■□□□□□□□□
    How was it so far? I am planning to buy this course too after my DFP and PTP.
  • 1point8t1point8t Member Posts: 7 ■■■□□□□□□□
    I've completed the entire course, and re-reviewed certain sections a few times, and feel that it has helped me get a better understanding of the threat hunting processes and tools. The labs were good but I felt that the endpoint section could have used more material and more labs, especially surrounding the use of PowerShell as an IR toolkit and hunting with ELK. From my perspective the course is on the right track and could benefit from another revision shortly.

    Shortly after completing this course I was able to get my hands on the SANS 508 (Advanced Digital Forensics, Incident Response, and Threat Hunting) course material from a colleague and felt that the ELS THP course helped better prepare me for that advanced level course. It isn't right to compare both courses as the THP guides you gently into threat hunting and some basic IR processes while SANS 508 ramps up fairly quickly. In addition, ELS is practically 15-20% of the price of SANS 508.

    I never took the THP exam as I've been concentrating on the SANS 508 material and trying to prepare for the GCFA.
  • MalwareMikeMalwareMike Member Posts: 147 ■■■□□□□□□□
    How was the GCFA material? I've thought about taking it as one of my electives. How much of the course is hunting compared to forensics..?

  • 1point8t1point8t Member Posts: 7 ■■■□□□□□□□
    The GCFA material is great, I thoroughly enjoyed it. In my opinion the material and labs are heavily focused on forensics and IR with some (less than half a book) for threat hunting. It is important to note that having a good understanding of how the attack occurs and analyzing specific artifacts (login events, application execution, etc) will make you a better threat hunter.
  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    I was thinking about this course. Are they ever discounted?

    SANS would be ideal, maybe in the future
  • KAmes4545KAmes4545 Member Posts: 13 ■■■□□□□□□□
    So I just finished all the labs and course work for eTHP. I have to say I'm kind of disappointed in some ways with the labs. What frustrated me the most about the labs were the workarounds that you have to do for some of the labs to get them to work. They also never provide these workarounds in the course material. For example, they ask you to gather data from a machine remotely, well you can't use the tools that are given, none of them work. I go on the forums and they tell you that you need to remote in the other machine and do a time sync... um... ok, but how was I supposed to know this? This is only one example of this happening but happened 3 or 4 times to me in the 9 labs. Each person taking this course will have to go to the forums for these workarounds. I felt like in some cases I'm troubleshooting the environment more than doing the course work.

    Also, the forums aren't exactly helpful/friendly. When people ask about the issues they have with the labs on the forums they are greeted with "Please use the search functionality of the forums". I don't disagree, but maybe just link the other post and ask the user if it helps solve their issue would be more appropriate and more customer friendly?

    I also wish there was more lab work and more scenarios to work on, I feel like I need to work outside the lab to even get the basic understanding of the tools presented in the labs. My fear is the exam is kind of like the lab environment and I struggle more with troubleshooting issues than actually doing an investigation, but I guess I'll find out.

  • Skyyyyy2001Skyyyyy2001 Member Posts: 57 ■■■□□□□□□□
    @KAmes4545 keep us posted on the exam result. We will be interested to know. Have you tried giving feedback to Armando on this?
  • u1trasu1tras Member Posts: 81 ■■■□□□□□□□
    edited December 2018
    So, as I promised, here is my review of the 1st THP course section. Finished it in 3 days (4-5 hours per day at a comfortable pace). There are a lot of slides, about 1-3 sentences on the slide. Everything is short and to the point, nothing irrelevant. The quality of the video is very good. There were some unclear moments, but nothing serious; you can follow the provided links and find any answers there. Lab VM was a little bit slow and gave me a basic practical experience in the topic. Concerning the theory, there was one strange (IMO) division into 2 types of threat hunters. I always thought that there is only one type which must do all mentioned activities. I also posted a few proposals for the Lab on ELS forum.
    My personal recommendation - look at the forum before starting any Lab - in this case everything should go smoothly.
    Certs: OSCP, eCTHP
    2019 Goals:
    eCTHP (done), FOR578 (done), FOR555 (done), Python (in progress), ELK, eCIR, SEC599, NetWars DFIR, FOR610
  • cyberguyprcyberguypr Mod Posts: 6,928 Mod
    I am curious, what are those two types of hunters that they mention?
  • u1trasu1tras Member Posts: 81 ■■■□□□□□□□
    cyberguypr said:
    I am curious, what are those two types of hunters that they mention?
    1st type hunter - hunts for threats with CTI and IOCs. 2nd type - hunts for previously unknown types of threats. I suppose by using MITRE ATT&CK and other related info about adversaries' TTPs. 2nd type should be discovered in upcoming modules. I thought there is only one type of hunter which always should do both. It's not a problem for me, just an interesting point of view :)
  • u1trasu1tras Member Posts: 81 ■■■□□□□□□□
    edited December 2018
    I should also add that after the 1st THP module I decided to enroll in the IHRP course. I see that eLS is definitely versed in its stuff.
  • r3nzsecr3nzsec Member Posts: 39 ■■■□□□□□□□
    Hey @u1tras how was the THP so far? I'm planning to purchase this and will use 200 USD off this month
  • u1trasu1tras Member Posts: 81 ■■■□□□□□□□
    edited January 2019
    r3nzsec said:
    Hey @u1tras how was the THP so far? I'm planning to purchase this and will use 200 USD off this month
    Hi @r3nzsec! I finished my exam on Jan 11 and now I'm waiting for a response from eLS with the exam result. After that I'll try to write my course and exam review.
  • JoJoCal19JoJoCal19 Mod Posts: 2,835 Mod
    Good luck, hope you passed!! I'm definitely interested in reading a review of this course. I'm thinking of pursuing it in the future.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • u1trasu1tras Member Posts: 81 ■■■□□□□□□□
    How long does eLS usually take to review an exam report? Does anybody know?
  • u1trasu1tras Member Posts: 81 ■■■□□□□□□□
    edited January 2019
    JoJoCal19 said:
    Good luck, hope you passed!! I'm definitely interested in reading a review of this course. I'm thinking of pursuing it in the future.
    Thanks, hope I will! :) The exam was very interesting and I got real pleasure from taking it.
  • KAmes4545KAmes4545 Member Posts: 13 ■■■□□□□□□□
    edited January 2019
    It took about a week to get my result for the exam.

    Looking online for other people I saw as little as 4 hours up to 25 business days. Those were for other exams, though.

    The exam is definitely a nice surprise compared to the course work. 
  • u1trasu1tras Member Posts: 81 ■■■□□□□□□□
    edited January 2019
    KAmes4545 said:
    It took about a week to get my result for the exam.

    Looking online for other people I saw as little as 4 hours up to 25 business days. Those were for other exams, though.

    The exam is definitely a nice surprise compared to the course work. 
    Up to 25 business days?! That's awful. Does eLS have only one person for exam results review who can dedicate to it only 3 hrs per week?
    How about SLA? I'm really surprised, even more than with exam challenges.