Thursday, January 10, 2019

eLearning Security Threat Hunting Professional Certification

I was recently given the opportunity to try out eLearning Security's "Threat Hunting Professional" certification course through work, and it was a good learning experience for the blue team side of knowledge and skills. There seems to be a paucity of information about this course/cert as it is still semi-new, so I would like to give an overview and review of the course.


Course Structure

The modules of the course can largely be categorized into two sections:

  • Network hunting
    • Reading PCAPs/packet analysis
    • Hunting for webshells 
    • Covers a lot of network fundamentals as well that you would find in Network + or CCENT
  • Endpoint hunting
    • Windows processes & behaviors
    • Malware classifications and functionality
    • How to hunt for malware on systems
    • Event logs

Overall I think the structure was well planned out, and each of the labs associated with the modules gives you good practice exploring the tools and techniques that are shown. However, as this certification seems geared more towards someone already in the field, I feel the network section drags on a bit too much with primer information; this should be knowledge that any professional already has under their belt. Perhaps I am biased since I come from a more network-focused background, though. Once the course jumps into the endpoint material it gets quite interesting. For more details, just check out the syllabus on the homepage.

What to expect from the course

Essentially the course prepares you and gives you the knowledge necessary to use mainly free tools to hunt for threats in networks. It will teach you how to look at things from a hunter's perspective and correlate data together. While everything in the course is done in the absence of an Endpoint Detection and Response (EDR) system (though there is some mention of EDR platforms such as Windows Defender ATP), I think this can benefit analysts and hunters who have EDRs deployed in their environment as well. While the EDR will do some of the heavy lifting, the course material allows for a deeper understanding and complements the EDR nicely when digging in to isolate threats. The following are some of the major tools that are taught and used during the course:


  • Wireshark
  • Mandiant IOC Editor and Redline
  • Volatility

The course reading (including extra reading provided to expand on certain topics) as well as practice via the labs are more or less sufficient to prepare you for the test, but depending on your knowledge and background, YMMV.

The test

While eLearning Security may not be as well known or prestigious as SANS and other certification programs, I really feel that they do a great job of testing with hands-on exams instead of strictly theory and multiple choice. You will have to apply what you have learned and actually perform hunts for the test. While I will not go into details, just make sure that you are comfortable using the tools you have at your disposal and can write up your findings well.

They give you plenty of time to complete the test, so there should not be any kind of time pressure if you know your stuff. I admittedly underestimated how long it would take, thinking that I could bang it out very quickly, so plan to spend a good amount of time ensuring you have everything organized (data, evidence, etc.) so you can do a proper write-up of your conclusion.

Final thoughts

If you are a blue teamer aiming to be more proactive in your environment, as opposed to relying solely on detection devices and platforms to alert you to issues, I would highly recommend taking this course to arm yourself with the tools and techniques to accomplish this. Additionally, it is a great entry point into intrusion analysis and even incident response. Cost-wise it is fairly inexpensive for a certification, and I think the knowledge and skills it imparts are of significant value to anyone trying to grow in the infosec field!