COURSE OBJECTIVE:
After completing this course you should be able to:
• Define threat hunting and identify core concepts used to conduct threat hunting investigations
• Examine threat hunting investigation concepts, frameworks, and threat models
• Define cyber threat hunting process fundamentals
• Define threat hunting methodologies and procedures
• Describe network-based threat hunting
• Identify and review endpoint-based threat hunting
• Identify and review endpoint memory-based threats and develop endpoint-based threat detection
• Define threat hunting methods, processes, and Cisco tools that can be used for threat hunting
• Describe the process of threat hunting from a practical perspective
• Describe the process of threat hunt reporting
TARGET AUDIENCE:
Anyone involved in hunting threats within a network.
COURSE PREREQUISITES:
Attendees should meet the following prerequisites:
• General knowledge of networks
• Cisco CCNP Security certification
COURSE CONTENT:
Threat Hunting Theory
• Threat Hunting Concepts
• Threat Hunting Types
• Conventional Threat Detection vs Threat Hunting
Threat Hunting Concepts, Frameworks and Threat Models
• Cybersecurity Concepts
• Common Threat Hunting Platforms
• Threat Hunting Frameworks
• Threat Modeling
• Case Study: Use the PASTA Threat Model
Threat Hunting Process Fundamentals
• Threat Hunting Approaches
• Threat Hunting Tactics and Threat Intelligence
• Defining Threat Hunt Scope and Boundaries
• Planning the Threat Hunt Process
Threat Hunting Methodologies and Procedures
• Investigative Thinking
• Identify Common Anomalies
• Analyze Device and System Logs
• Determine the Best Threat Hunt Methods
• Automate the Threat Hunting Process
Network-Based Threat Hunting
• Operational Security Considerations
• Performing Network Data Analysis and Detection Development
• Performing Threat Hunting in the Cloud
Endpoint-Based Threat Hunting
• Threat Hunting for Endpoint-Based Threats
• Acquiring Data from Endpoints
• Performing Host-Based Analysis
Endpoint-Based Threat Detection Development
• Analyze Endpoint Memory
• Examining System Memory Using Forensics
• Developing Endpoint Detection Methods
• Uncovering New Threats and Indicators and Building TTPs
Threat Hunting with Cisco Tools
• Threat Hunting with Cisco Tools
• Cisco XDR Components
Threat Hunting Investigation Summary: A Practical Approach
• Conducting a Threat Hunt
Reporting the Aftermath of a Threat Hunt Investigation
• Measure the Success of a Threat Hunt
• Report Your Findings
• Threat Hunting Outcomes
Labs
• Discovery Lab 1: Categorize Threats with MITRE ATT&CK Tactics and Techniques
• Discovery Lab 2: Compare Techniques Used by Different APTs with MITRE ATT&CK Navigator
• Discovery Lab 3: Model Threats Using MITRE ATT&CK and D3FEND
• Discovery Lab 4: Prioritize Threat Hunting Using the MITRE ATT&CK Framework and Cyber Kill Chain
• Discovery Lab 5: Determine the Priority Level of Attacks Using MITRE CAPEC
• Discovery Lab 6: Explore the TaHiTI Methodology
• Discovery Lab 7: Perform Threat Analysis Searches Using OSINT
• Discovery Lab 8: Attribute Threats to Adversary Groups and Software with MITRE ATT&CK
• Discovery Lab 9: Emulate Adversaries with MITRE Caldera
• Discovery Lab 10: Find Evidence of Compromise Using Native Windows Tools
• Discovery Lab 11: Hunt for Suspicious Activities Using Open-Source Tools and SIEM
• Discovery Lab 12: Capture Network Traffic
• Discovery Lab 13: Extract IOCs from Network Packets
• Discovery Lab 14: Use the ELK Stack to Hunt Through Large Volumes of Network Data
• Discovery Lab 15: Analyze Windows Event Logs and Map Them to the MITRE ATT&CK Matrix
• Discovery Lab 16: Endpoint Data Acquisition
• Discovery Lab 17: Inspect Endpoints with PowerShell
• Discovery Lab 18: Perform Memory Forensics with Velociraptor
• Discovery Lab 19: Detect Malicious Processes on Endpoints
• Discovery Lab 20: Identify Suspicious Files Using Threat Analysis
• Discovery Lab 21: Conduct Threat Hunting Using Cisco Secure Firewall, Cisco Secure Network Analytics, and Splunk
• Discovery Lab 22: Conduct Threat Hunt Using Cisco XDR Control Center and Investigate
• Discovery Lab 23: Initiate, Conduct, and Conclude a Threat Hunt
FOLLOW-ON COURSES:
Not available. Please contact.