eLearnSecurity Threat Hunting Professional - My course and exam review

u1tras (OSCP, eCTHP; Moscow; Member; Posts: 81)
Hello all,

I've just finished the THP course from eLearnSecurity and passed the certification exam. So, as I promised, here is my course review.
Background
Before I start the course review itself, I'd like to briefly describe how I came up with the idea to take it. Originally, I'm a Red teamer and have over 6 years' experience in the Pentesting and AppSec domains. I got hooked on blue team activities after participating in one of my company's projects. But the term "blue team" is too general and I needed to pick something specific. My choice fell on Threat Hunting.
However, there are a few issues connected with learning Threat Hunting. First, it is a relatively new discipline and it is hard to find out what exactly you should do and what crucial skills it requires. You can check this post where we were discussing this issue with @LionelTeo and other nice guys:
Secondly, threat hunting is a very wide infosec discipline. A good hunter should be able to demonstrate knowledge and strong practical skills in at least the Security Operations, DFIR, CTI and Penetration testing domains.
Having all this information, I started searching for trainings and courses. Most of them were too expensive for me (Mosse Security, 7Safe, InfoSec Institute etc.), didn't have a remote eLearning option, or promised to make me a hunter within 3-5 days (that's really funny). I've heard a lot of good reviews about eLearnSecurity courses, and after getting a $200 gift I booked the THP course before New Year.
Course review
I really liked the topics covered in the course, especially Threat Intelligence, Threat hunting methodology and reporting. The slides were pretty good; everything is short and to the point. I highly recommend diving deep into the threat hunting world while you are studying the course materials and following all the links provided in the slides. Don't hurry, read them carefully. It will help you on your exam. The videos were also great: high quality, nothing redundant.
Labs. I really liked the labs, but some of them were a little bit boring (personally for me). I like challenges, and from my perspective it would be great to add some challenge "style" to the labs. I think making them more like the exam challenges would be great.
The greatest weakness of the course, and perhaps the only one, is the lack of ELK hunting labs. You can't hunt effectively in a modern enterprise without using some SIEM solution and its command line, queries, dashboards etc. The ELK videos were nice, but it's definitely not enough. I talked to Dimitrios about this issue and he promised to add such labs in a new THP course version. He also mentioned that the recently launched IHRP course will contain plenty of ELK labs. So, I'm happy that I've booked this course too :)
Exam
To better prepare for the exam I recommend reading the THP and eCTHP forums carefully. You should also feel very confident with all the tools covered in the course. Google and try to find some useful articles about the tools, their use and useful options, and (this is necessary) conduct practical investigations with them. This will really make a big difference to your exam. Don't be lazy, just do it. Read carefully what exactly the exam challenge wants from you; don't hurry. I passed the exam on my second shot, because I missed one important detail the examiner wanted to "hear" from me.
Manage your time: start from the task where you feel confident and move further step by step. It is possible to go through some challenges in parallel; use this option for time-consuming tasks.
Personal Takeaways
The best quality for a Threat hunter is to be able to think like an attacker.
A good hunter should know attackers' TTPs very well and be able to reproduce them. This is necessary in order to create proper detection content and counteract them. During hunting, control your mindset: make hypotheses, prove or reject them. When evil is discovered, be ready for DFIR activities (more so for companies without dedicated DFIR teams).
Timeline
17.12.18 - course started
02.01.19 - course finished (3-6 hrs/day)
09.01.19 - materials and labs repeated twice (20 lab hrs spent in total)
10.01.19 - exam started
11.01.19 - report uploaded
16.01.19 - report assessed (Fail)
17.01.19 - report corrected and uploaded
19.01.19 - report assessed (Certified)
Certs: OSCP, eCTHP
2019 Goals:
eCTHP (done), FOR578 (done), FOR555 (done), Python (in progress), ELK, eCIR, SEC599, NetWars DFIR, FOR610

Comments

  • Gboyega (Registered User; Posts: 6)
    This is a great write-up Vadim

  • u1tras (OSCP, eCTHP; Moscow; Member; Posts: 81)
    Gboyega said:
    This is a great write-up Vadim

    Thanks! Hope it will be useful.
  • LonerVamp (OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS SAA, CCSK; Member; Posts: 471)
    Good job, and nice post!

    There's a YouTube video that's really informative about Threat Hunting by Devon Kerr and Cyberwardog titled: "Quantify Your Hunt: Not Your Parents’ Red Team - SANS Threat Hunting Summit 2018"
    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS SA-A, CCSK
    2020 goals: AWS Security Specialty, AWAE or SLAE, CISSP-ISSAP?
  • u1tras (OSCP, eCTHP; Moscow; Member; Posts: 81)
    Thanks! And for the video too. 
  • chrisone (Senior Member; Posts: 1,964)
    Very awesome write up! Thanks for sharing!
    Certs: CISSP, CRTP, eCPPT, LFCS, CEH, AZ-900, Retired Cisco CCNP/SP/DP
    2020 Goals:
    Courses: VHL (completed), CQURE: Windows Security Crash Course (in-progress), Corelan: Advanced Exploit Development
    Certs: VHL: Advanced+ (completed), OSCP (in-progress), SLAE32, OSCE, AZ-500
  • Cyberscum (Member; Posts: 795)
    Great write up. Elearn does a great job presenting the info for digest.
  • JDMurray (Certification Invigilator; Surf City, USA; Admin; Posts: 11,583)
    Threat hunting webcasts can also be found at Black Hills Information Security.
  • EverettCampbell (Expert SEO; Member; Posts: 1)
    thank you so much
  • u1tras (OSCP, eCTHP; Moscow; Member; Posts: 81)
    Thanks guys! Hope it will be useful ;)
  • u1tras (OSCP, eCTHP; Moscow; Member; Posts: 81)
    JDMurray said:
    Threat hunting webcasts can also be found at Black Hills Information Security.
    Thank you @JDMurray, this is a great resource.
  • Skyyyyy2001 (Member; Posts: 57)
    Very good review, thanks.

    Glad that I have purchased the IHRP course.
  • r3nzsec (Member; Posts: 39)
    awesome Vadim!! :) 
  • u1tras (OSCP, eCTHP; Moscow; Member; Posts: 81)
    r3nzsec said:
    awesome Vadim!! :) 
    Thank you, @r3nzsec!