Practical Threat Hunting
Hi, I’m Chris Sanders.
It was a painful experience the first time I tried hunting for threats on my network without alerts.
I sat and stared at my screen as my stomach sank and I felt a lump form in the back of my throat. I had an endless amount of data at my disposal, but I had no idea where to start. I thought I was going to be sick.
After banging my head against the keyboard for a while, I decided to look through old investigation tickets for inspiration where I ran across a piece of malware I’d looked at months earlier. The malware wasn’t anything special, but it communicated over HTTP for command and control and used a custom user-agent that was distinctive.
That got the wheels turning, and I started asking questions.
It wasn’t just that the custom user-agent made the malware unique, it made it unique relative to all the other user agents on my network. It wasn’t one I had ever seen before and certainly wasn’t something I expected. Maybe I could use the idea of a unique HTTP user-agent for hunting similar malware?
I fired up the terminal and searched for a chunk of HTTP proxy data from the past week. Using a little command-line kung-fu, I pulled out all the unique user agents, counted them, and sorted them by the frequency of occurrence. All the usual suspects were present at the top of the list: Chrome, Firefox, Internet Explorer. But, the bottom of the list yielded something a lot more interesting. There were at least half a dozen HTTP user agents I didn’t recognize. I’d found my first hunting anomalies! After further investigation, at least a couple turned out to be malware that our IDS had missed.
My first successful hunting experience was a revelation.
But, it wasn’t so easy to repeat this success. As time went on, I eventually learned to scour blogs looking for ideas that would help me get started on more hunting expeditions. If I could make those first few searches, that at least gave me something to work with. While I had found a few fish, I didn’t quite know how to fish yet. It turns out that I wasn’t alone.
Hunting is a powerful technique, but it relies on you alone to find evil. There are so many places to look and so many things to look for. How do you structure it? Where do you find inspiration? Where do you start?
These are hard questions to answer, and you’re bound to run across common hunting myths while seeking answers.
3 Myths About Threat Hunting
Learning how to be an effective threat hunter is made more difficult because there are so many myths out there about the process. When I figured these out, it changed the way I looked at everything.
MYTH #1: Threat Hunting is Only for Experts
WHAT I WAS TOLD: You can only start threat hunting once you’ve got several years of experience. There’s no point in starting early because it’s above your head.
THE TRUTH: Threat hunting is a skill that can be learned like any other, and the barrier to entry is much lower than you think. If you’ve done any investigative work before, you already possess many of the skills you need to be an effective hunter. You just need to learn how to structure, refine, and practice those skills. Here are three words I want you to embrace: Everybody can hunt.
MYTH #2: Threat hunting is hard because you probably don’t have enough data
WHAT I WAS TOLD: You need a bunch of diverse data sources with a ton of retention to even think about hunting. Most of your searches will be over months or years of data.
THE TRUTH: The hard part about threat hunting isn’t a lack of data, it’s too much data and the ability to start small and expand as necessary. While diverse data sets are beneficial, there’s plenty of hunting to be done in many of the most common data set found in security organizations.
MYTH #3: You need special, expensive tools to be a good hunter
WHAT I WAS TOLD: There’s no point in threat hunting unless you’re willing to spend a boatload of money on a commercial SIEM or fancy machine learning tools.
THE TRUTH: Most real-world hunting is based on searching and simple data transformations like aggregations. While some commercial tools make this easier, you can find plenty of evil with free log aggregation tools, or even by using command line tools with data you’ve narrowed down from your searches.
It took me a long time, but I started to get comfortable dissecting attacks, coming up with a plan, and searching through data without any real guidance. This isn’t intuitive, and there aren’t many resources out there to help people who are new to threat hunting to make it more approachable.
You’ve heard the phrase, “Give a man a fish and you’ll feed him for a day. Teach him to fish and you feed him for a lifetime.” There are plenty of blog posts and videos out there that show you how to hunt for one thing, but nothing that really teaches how to dissect attacks and come up with your own hunting strategies so that you’ll never be at a loss for evil to seek out.
I decided to change that.
Practical Threat Hunting is a foundational course that will teach you how to approach threat hunting using a proven, structured, repeatable framework. I created this course to help people figure out what to hunt for, where to find it, and how to look for it.
Practical Threat Hunting is for you if…
- You’ve ever sat at a screen feeling paralyzed by not knowing what to look for next.
- You’ve always wanted to be able to find evil on your network without alerts, but don’t know how to approach it.
- You struggle to dissect attacks and derive hunting strategies from them.
- You have a mountain of data at your disposal but don’t know which techniques are best suited for gaining the necessary perspective over it to spot anomalies.
- You want to add threat hunting capabilities to your security team but don’t know how to get buy-in from management or prove just how valuable it can be.
- You’re tired of being told hunting is as simple as “knowing what’s normal so you can spot evil” — there’s more to it than that!
Practical Threat Hunting is the course that will teach you to hunt in a way that will never leave you at a shortage of places to start or techniques to manipulate data to spot anomalies. You’ll build skills through a series of expert-led lectures, scenario-based demonstrations, and hands-on lab exercises. Through a combination of theory and application, you’ll learn the basics of threat hunting and apply them to your network immediately.
- Two hunting frameworks: Attack-Based Hunting (ABH) and Data-Based Hunting (DBH)
- Techniques for leveraging threat intelligence and the MITRE ATT&CK framework for hunting input
- The 9 most common types of anomalies you’ll encounter when reviewing evidence.
- The 4 ways threat hunters most commonly transform data to spot anomalies
- Typical staffing models for hunting capabilities in organizations of all sizes along with pros/cons
- 5 metrics that support and enable threat hunting operations
- An ideal design for a hunter’s wiki/knowledgebase
- A 5-step framework for dissecting and simulating attacks to prepare for hunting expeditions
- A list of my favorite hunting data sources and tools
- A curated list of hunting expeditions to get you started
- A list of my favorite Twitter follows for daily threat hunting input
You can view the detailed course syllabus here.
Practical Threat Hunting will teach you how to become an effective threat hunter regardless of the toolset by focusing on the habits and techniques used by experts.
Practical Threat Hunting includes:
Over 15 hours of demonstration videos. These videos will break down the concepts and skills you need to become an effective threat hunter.
Hands-on labs to help you develop and test your skills. You’ll complete hunting labs using an ELK-based virtual machine we’ve loaded with log data representing several real-world scenarios. Not familiar with ELK? Don’t worry, I’ve provided a short primer video to get you started and you can also watch videos of me working through the labs. I’ve also provided all the raw log data so you can work with it on the command line, or import it into your analysis tool of choice.
Access to My Hunting Vault. I’ve compiled all the hunting expeditions mentioned in the course (along with several others) into PDF files you can use to reference as you’re hunting in your network. I’ve also included a wealth of additional information in PDF form, including a curated list of my favorite threat hunting tools and Twitter follows for hunting inspiration.
Membership in our exclusive students-only learning community. In our discourse-powered forum, you can ask questions, share hunting strategies, view community investigation playbooks, participate in our virtual reading group, learn about upcoming courses, network with other students, and communicate directly with AND course authors. I also post short blog entries here that don’t appear on my public blog.
Participation in our student charitable profit sharing program. A few times a year we designate a portion of our proceeds for charitable causes. AND students get to take part in nominating charities that are important to them to receive these donations.
Frequently Asked Questions
Is this course live?
This is NOT a live course. It’s an online video course you can take at your own pace.
How long do I have access to the course material?
You have access to the course for six months following your purchase date. If you need more time, you can extend your access for a small monthly fee.
Are there any prerequisites or lab requirements for this course?
This course is designed for all security practitioner skill levels and assumes no prior hunting experience. Some investigation experience is recommended (my Investigation Theory course is a good place to start there). The lab data is provided in standalone JSON text files, or as part of a virtual machine running the ELK stack. If you want to use the VM, you’ll need to meet the following requirements:
- A virtualization platform such as VMWare or VirtualBox
- At least 4 GB of available RAM, although 6 is recommended for optimal performance.
- At least 15GB of available hard drive space.
How much time does it take to do this course?
Given the amount of content and varying experience, it takes people dramatically different times to complete the material. There is about 15 hours of recorded video, plus the lab activities and individual exercises. Most choose to spread it out over several weeks as they take time to practice the concepts demonstrated.
How many CPEs/CMUs is this course worth?
Organizations calculate continuing education credits in different ways, but they are often based on the length of the training. This course averages 22 hours of video+lab work.
Am I ready for this course?
A lot of people will tell you that you need several years of experience to start hunting, but I think that’s malarky. In fact, I think most new analysts should start threat hunting within a year of beginning their first security role. With that in mind, I recommend having at least some investigative experience before starting this class. My Investigation Theory course is a great place to start but isn’t a prerequisite on its own. You’ll have an easier time in this class if you also have a basic understanding of common network security data types (OS logs, flow data, application logs, etc). If all else fails and you don’t know if you’re ready to start hunting, e-mail me and I’ll be glad to help you figure that out one on one.
Do you offer discounts for groups from the same organization?
Bulk discounts are available for organizations that want to purchase multiple licenses for this Practical Threat Hunting training course. Please contact us to discuss payment and pricing.
“Excellent course, great labs and the material is awesome. My only complaint is that it is finished. Really enjoyed it.” – Nicklas Jeijser
“It was a complete course on threat hunting. I’ve taken other certifications for “threat hunting” and this is the first that felt like I actually learned how to go about it. ” – Analyst
“I would highly recommend as a starting point or a supplementary resource for analysts interested in the threat hunting world. I have learned more about the process of threat hunting not only in terms of toolset available, but also methodologies and investigation flow. I would like to thank you for creating the course. One of the few places where so much info about cyber threat hunting can be found in a single place” – Tomasz
“I would recommend this course to someone who has never heard about it, especially if they are new to this field. I think the framework provided gives a sound platform to start your hunts from.” – Tony
“Take it! Chris does an awesome job of explaining his theories on threat hunting and how it is different from other disciplines. A fantastic course and I am glad I had the opportunity to take it!” – Analyst
“This was a complete course on threat hunting. I’ve taken other certifications for “threat hunting” and this is the first that felt like I actually learned how to go about it.” – Analyst
“It has good material to start understanding better threat hunting and how to think about a process to do it. Labs are good examples to apply to daily threat hunting exercises and are very close to real data.” – Alexandra
“I was expecting a great course and I got one. I love the fact that the course also took an academic approach and discussed the models and frameworks. A lot of insights from the trainer and other practitioners. It is probably the best course money can buy and it saves your wallet by being reasonably priced.” – Ye Thura Thet