eLearnSecurity Threat Hunting Professional - My course and exam review

u1tras · January 2019

Hello all,

I've just finished THP course from eLearnSecurity and passed certification exam. So, as I promised here is my course review.

Background

Before I start my course review itself, I'd like to shortly describe how I came up with an idea to take it. Originally, I'm a Red teamer and have over 6 years experience in Pentesting and AppSec domains. I was hooked with blue team activities after participating in one project of my company. But the term "blue team" is too general and I needed to pick up something. My choice fell on Threat Hunting.

However, there are a few issues connected with learning Threat Hunting. First, it is a relatively new discipline and it is hard to find out what exactly you should do and what crucial skills it requires. You can check this post where we were discussing this issue with @LionelTeo and other nice guys:

https://community.infosecinstitute.com/discussion/133391/becoming-a-threat-hunter-what-do-you-recommend#latest

Secondly, threat hunting is a very wide infosec discipline. Good hunter should be able to demonstrate knowledge and strong practical skills in at least Security Operations, DFIR, CTI and Penetration testing domains.

Having all this information I started searching trainings and courses. Most of them were too expensive for me (Mosse Security, 7Safe, InfoSec institute etc.), didn't have remote eLearning option or promised to make me a hunter within 3-5 days (that's really funny). I've heard a lot of good reviews about eLearnSecurity courses and after getting $200 gift booked THP course before New Year.

Course review

I really liked topics covered in the course, especially Threat Intelligence, Threat hunting methodology and reporting. Slides were pretty good, everything is short and to the point. I highly recommend to dive deep into threat hunting world while you studying course materials and follow to all links provided in the slides. Don't hurry, read them carefully. It will help you on your exam. Videos also were great, high quality, nothing redundant.

Labs. I really liked labs, but some of them were a little bit boring (personally for me). I like challenges and from my perspective it would be great to add some challenge "style" to the labs. I think making them more like exam challenges would be great.

The greatest weakness of the course, and perhabs the only, is the lack of ELK hunting labs. You can't hunt effectively in modern enterprise without using some SIEM solution and its command line, queries, dashboards etc. ELK videos were nice, but it's definitely not enough. I talked to Dimitrios about this issue and he promised to add such labs in a new THP course version. He also mentioned that recently launched IHRP course will contain plenty of ELK labs. So, I'm happy that I've booked this course too:)

Exam

To better prepare for exam I recommend to read carefully THP and eCTHP forums. You should also feel very confident with all tools covered in the course. Google and try to find some useful articles about the tools, their use, useful options and (it is necessary) conduct practical investigations with them. This will really make a big difference to your exam. Don't be lazy, just do it. Read carefully what exactly exam challenge wants from you, don't hurry up. I took an exam with second shot, because I missed one important detail examiner wanted to "hear" from me.

Manage your time, start from the task where you feel confident and move further step by step. It is possible to go through some challenges in parallel, use this option for time consuming tasks.

Personal Takeaways

The best quality for Threat hunter is to be able to think like an attacker.

Good hunter should know very well attacker's TTPs and be able to reproduce them. This is necessary in order to create a proper detection content and counteract them. During hunting control your mindset, make hypothesis, prove or reject them. When evil discovered - be ready for DFIR activities (more for companies without dedicated DFIR teams).

Timeline

17.12.18 - course started

02.01.19 - course finished (3-6 hrs/day)

09.01.19 - materials and labs have repeated twice (20 labs hrs spent in total)

10.01.19 - exam started

11.01.19 - report uploaded

16.01.19 - report assessed (Fail)

17.01.19 - report corrected and uploaded

19.01.19 - report assessed (Certified)

Gboyega · January 2019

This is a great write-up Vadim

u1tras · January 2019

Gboyega said:

This is a great write-up Vadim

Thanks! Hope it will be useful.

LonerVamp · January 2019

Good job, and nice post!

There's a YouTube video that's really informative about Threat Hunting by Devon Kerr and Cyberwardog titled: "Quantify Your Hunt: Not Your Parents’ Red Team - SANS Threat Hunting Summit 2018"

u1tras · January 2019

Thanks! And for the video too.

chrisone · January 2019

Very awesome write up! Thanks for sharing!

Cyberscum · January 2019

_Great write up. Elearn does a great job presenting the info for digest.

JDMurray · January 2019

Threat hunting webcasts can also be found at Black Hills Information Security.

EverettCampbell · January 2019

thank you so much

u1tras · January 2019

Thanks guys! Hope it will be useful

u1tras · January 2019

JDMurray said:

Threat hunting webcasts can also be found at Black Hills Information Security.

Thank you @JDMurray, this is a great resource.

Skyyyyy2001 · January 2019

Very good review, thanks.

Glad that I have purchased IHRP course.

r3nzsec · February 2019

awesome Vadim!!

u1tras · February 2019

r3nzsec said:

awesome Vadim!!

Thank you, @r3nzsec!

eLearnSecurity Threat Hunting Professional - My course and exam review

Comments