Mossé Security teaches students a unique approach to threat hunting based on data science, active deception and the development of custom intrusion detection tools.
In this five-day master course, students will learn how to hunt for threat actors on large scale computer networks. No prior knowledge in incident response, threat hunting, reverse engineering or malware analysis is required prior to attending this course. Detailed step-by-step instructions will be given, and students will leave this course with practical skills to hunt for attackers on their networks, or their clients’ networks.
Our approach to teaching Threat Hunting is to teach the fundamental concepts and strategies that can be used to detect threat actors on any operating systems and types of networks. In this way, we ensure that our students can immediately apply the techniques they have learnt, and rapidly build upon their skills to hunt for more complex attack techniques.
Theoretical knowledge makes up 40% of the course content, and 60% is devoted to practical exercises. At the end of the course, a Threat Hunting exercise is conducted that can be reproduced at your workplace.
- What is Threat Hunting and how to do it?
- The Threat Hunting process
- The Threat Hunting toolset
- Building a Threat Hunting division
- Preparing a Threat Hunting playbook
- User-land vs. kernel-land
- Processes, thread, services and drivers
- The registry
- The file system
- Event logs
- Users and groups
- Access tokens
- Schedules tasks
- Active Directory
- Windows Management Instrumentation
- Networking
- Command execution and scripting
- Mastering Numpy and Pandas
- Mastering Google BigQuery
- Mastering Graph Databases
- Using the Jupyter Notebook
- Rapid environment deployment with Ansible
- Rapid web services with Google App Engine
- Messaging services with Google Pub/Sub
- Rapid capture of security data using WMI and PowerShell
- Building a lightweight incident response data collection tool
- Rapid incident detection using Pandas, statistics and data
- visualisation
- Rapid file acquisition techniques
- Building your own real-time endpoint detection and response tool
- Monitoring processes, services and drivers
- Monitoring sensitive user accounts
- Monitoring event logs
- Building a threat graph
- Detecting compromise phases:
- Initial compromise
- Privilege escalation
- Host reconnaissance
- Network reconnaissance
- Password dumping
- Persistence
- Lateral movement
- Building IOCs based on endpoint behavior
- Building a malware research lab in the cloud
- Using virtual machines to analyse malware
- Using a virtual network to extract IOCs
- Static code analysis
- Reverse engineering common attacker toolkits
- Building countermeasures against attacker toolkits
- Analysing Netflow data
- Analysing PCAP files
- Analysing web server logs
- Detecting covert communication channels
- Extract IOCs from NSM data
- Pre-incident preparation
- Security logs to enable
- Checklists, report templates, processes, policies
- Network design and architecture for incident response
- The RIR Process
- Initial response
- Investigation
- Remediation
- Reporting
- Extracting lessons learnt
- Building the timeline of a security intrusion
- Communicating effectively during incident response
The last day of the training is a large-scale threat hunting workshop across hundreds of machines, multiple organisations and going against many adversary groups.
Newcomers to the IT security industry, security analysts, threat hunters, incident responders, malware analysts, security engineers, and forensics analysts.
Recommended Study
We recommend that you read about the Windows components listed under Module 2 “Windows Internals”. Even if those components will be covered in detailed during the course, studying them prior to the course will make it a lot easier for you to understand every other module in the class.
Software Requirement
Bring a laptop running the Windows or UNIX operating system with the OpenVPN or Tunnelblick client to connect into our training lab in the cloud.
You will learn strategies and tactics to deliver threat hunting campaigns on large scale computer networks:
- The threat hunting process and how to build a threat hunting team
- Key Windows internals knowledge for threat hunting
- How to use data science to hunt for adversaries on large networks
- Search for indicators of compromise (IOCs) across the entire kill chain
- Build your own compromise assessment tools
- Build your own real-time endpoint detection and response tool
- Rapidly reverse-engineer malware
- Extract indicators of compromise on the network and the endpoints
- Rapidly respond and contain intrusions
Register
Not currently scheduled
Fast track the availability of this course.
Add to watch list or call 1300 794 006.
Add to watch list or call 1300 794 006.
Request a Quote
About Microsoft On-Demand Learning
Build your Microsoft technical expertise while balancing the demands of your schedule. The new MOC On-Demand series courses combine high-quality video lectures, live hands-on labs and knowledge-checks in a self-paced format to help you build skills as your schedule allows—all at once or five minutes at a time.
MOC On-Demand at a Glance
Self-Paced Learning
Immediate Feedback on Mastery
SATV Eligible
Direct From the Source
Learn Anywhere Anytime
Live Hands-on
Labs
