The MTH Certification offers you an in-depth understanding of cyber threat hunting concepts and techniques. After completing the course, you will be able to effectively detect, diagnose, and respond to cyber threats.

A successful cyber threat hunter must be technically skilled in order to identify, track, and mitigate malicious activities on their networks. They must be able to navigate complex systems and data flows, understand malware and exploits, and have a deep understanding of how networks operate.

Threat hunters must also be familiar with attacker tactics, techniques, and procedures (TTPs). This allows them to identify malicious activity that may not be detectable by traditional security controls. By understanding how attackers operate, threat hunters can better protect their networks from becoming compromised.

Threat hunting is not a simple process. It can be difficult to find and track malicious activity across a complex network. A successful hunter must be able to think critically and solve problems quickly and efficiently.

In order to properly identify malicious activity, threat hunters must have a deep understanding of network security. They need to be familiar with the various security controls and how to use them to detect malicious activity. Experience in network security will also help them understand the patterns of malicious activity and how to properly investigate incidents

The MCSI Threat Hunting certification will equip you with the skillset necessary to carry out the following tasks:

• Capture digital forensics artefacts in large-scale enterprise networks and index them for threat hunting
• Hunt for cyber adversaries that have bypassed/avoided/defeated enterprise security solutions using Python and YARA
• Rapidly analyse suspicious binaries to confirm whether they are malware or not
• Align your approach and methodology to the MITRE ATT&CK Matrix
• Practice threat hunting against thousands of machines and gigabytes worth of malware samples

The MTH Certification reflects the broad spectrum of skills, abilities and knowledge required for success in today's rapidly changing cyber world. It demonstrates that you have the competencies to operate and thrive in any network environment.

A cyber threat hunter can earn a six-figure salary and is in high demand because their skills are so valuable. They are able to detect and prevent cyber attacks, which is why businesses are willing to pay top dollar for their services.

MCSI is one of the most respected and trusted names in cyber security education and training. Our certifications teach critical skills, knowledge and abilities needed to advance a career in cyber security. Our courses are comprehensive and up-to-date, and our instructors are experienced professionals who are dedicated to helping students learn. MCSI provides the real-world skills and knowledge you need to protect any organization from cyber threats.

• Learn a professional threat hunting procedure that can be applied in enterprise and government networks

  Threat hunting is a process of identifying and eliminating potential threats to an organization's security. It's important to use a structured process for threat hunting in order to ensure that all potential threats are identified and eliminated. A structured process helps to ensure that all possible threats are considered, and it also helps to ensure that your work is efficient and effective.

  Establish Goals and Objectives

  When undertaking any activity, it is important to establish specific goals and objectives in order to achieve the desired outcome. Threat hunting is no exception. By establishing your goals and objectives prior to beginning your hunt, you can ensure that your efforts are focused and directed in the most effective way possible.

  Collect Forensics Data

  The second step in a threat hunting process is to collect forensics data across the network. In order to do this, analysts must first identify the systems and data sources that need to be analyzed. Once these have been identified, investigators can use forensics tools to collect information from these systems. This information can include logs, files, and other data that can help to identify threats. By collecting data from across the network, analysts can get a comprehensive view of all activity on the network.

  Generate Hypotheses

  In a threat hunting engagement, the hypothesis generation phase is where the analyst starts to develop a list of hypotheses about the potential threats that could be impacting the organization. This can be done by reviewing the organization's security logs, network traffic, and other data sources to identify any potential patterns that could indicate malicious activity. The analyst will then test these hypotheses by further investigating the data to see if they can confirm or disprove them.

  Test Hypotheses

  The hypothesis testing phase is where you test your assumptions about the attack. This is where you use your data to determine the likelihood that the attack is real. You can do this by looking for evidence of the attack and trying to determine how likely it is that the attack could have occurred.

  Triage Results

  Triage is the process of analyzing data to determine if it warrants further investigation and, if so, what type of investigation is required. Triage is necessary because it is impossible to investigate every piece of data. By using triage, analysts can focus on the most important data and quickly rule out data that is not relevant to the investigation.

  Investigate potential incidents

  The incident investigation phase in a threat hunting engagement is where the hunters attempt to identify and understand the scope of the incident, identify and isolate any affected systems, and begin to gather evidence about the incident. The hunters will also work to determine the root cause of the incident and any potential vectors that may have been used to compromise the systems.

  Engineer Detections

  Detection engineering is the process of designing and implementing detection controls to identify malicious or unauthorized activity. This is where you codify your threat hunts and deploy long-term security detections.

• Capture digital forensics logs in large-scale computer networks

  Large-scale threat hunting in enterprise or government networks can help identify and mitigate potential security incidents before they cause serious damage. By proactively searching for threats, organizations can identify and address vulnerabilities before they are exploited by malicious actors. This can help protect against data breaches, cyberattacks, and other malicious activities.

  Windows Internals

  Knowing Windows internals is important for threat hunting because it allows you to understand how Windows works. This understanding can help you find malicious activity that may not be visible to someone who does not know Windows internals.

  This course teaches you fundamental Windows knowledge, such as, but not limited to:

  • Processes and DLLs
  • Windows Registry
  • Scheduled Tasks
  • Windows Drivers
  • Windows Services
  • Windows Event Logs

  Data Collection

  Collecting forensics data at scale can be difficult. This course will teach you the tools and techniques necessary to collect data from tens of thousands of machines. You will learn how to use Forensics Collection scripts, Sysinternals utilities, and other third-party tools to efficiently collect data from a large number of machines.

  • Configuring Windows systems to log key security event courses for digital forensics purposes
  • Using open-source tools to capture snapshots of workstations and servers
  • Capturing the physical memory (RAM)
  • Capturing Windows Event Logs

  Network security logs are a valuable source of information for any organization. By collecting and analyzing these logs, you can identify potential security incidents, locate malicious activity, and improve your organization's security posture.

  • Routers and switches
  • Firewalls
  • IDS/IPS
  • Proxies

  SIEM Architecture and Deployment

  A SIEM (security information and event management) is a platform that collects data from various security devices and sources in order to help organizations detect and respond to threats. It does this by consolidating and analyzing data from various devices, such as firewalls, intrusion detection/prevention systems (IDS/IPS), antivirus software, and log files from servers and applications. SIEMs also help organizations meet compliance requirements by providing a complete view of activity across the enterprise.

  In this course, you will learn how to use ELK as a free SIEM for threat hunting. ELK, or Elasticsearch, Logstash, and Kibana, is a free and open source solution for managing large volumes of data. In this course, you will learn how to use ELK to monitor your system activity and detect threats.

  File Decomposition

  Malicious files can often be very complex, containing a variety of code and data that can be used to achieve the attacker’s goals. Decomposing these files can help you to better understand the threats that they pose and the behaviour that they exhibit.

  This can be particularly useful for threat hunting, as it can help you to identify malicious activity that may not be immediately obvious. By understanding the different components of a malicious file, you can more easily spot patterns and indicators of compromise that may otherwise go unnoticed.

• Use Python to hunt for indicators of compromise at scale

  Data Science

  Knowing how to work with large datasets is important for threat hunting because it allows you to analyze more data and identify threats that may have otherwise gone unnoticed. Additionally, large datasets can be used to train machine learning models that can then be used to automate the process of threat hunting.

  Data science tools are important for threat hunting because they help analysts process and analyze large data sets quickly. Additionally, data science tools can help automate the process of threat detection, making it easier and faster for analysts to find threats.

  Python Pandas

  Python Pandas can be used for cyber threat hunting in a few ways. One way is to use the built-in functions to search for specific strings or values in data sets. This can be helpful in identifying malicious activity or data breaches. Another way is to use the data analysis features to identify trends or patterns in data. This can help you to spot suspicious activity that may be indicative of a cyber attack.

  MITRE Matrix

  The MITRE matrix is a tool that can be used for threat hunting. It is a table that organizes threats and vulnerabilities by type and severity. This can help you to organize and present your work.

  This course teaches you threat hunting techniques across the entire MITRE Matrix:

  • Initial Entry
  • Execution
  • Persistence
  • Privilege Escalation
  • Defence Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
• Use YARA to hunt for malicious binaries at scale

  YARA can be a powerful tool for threat hunting. By creating rules that identify specific malware families or indicators of compromise, you can quickly scan your environment for signs of an attack.

  • Build a “goodware” dataset and a malware dataset
  • Learn how to use YARA's professionally and many of its pattern matching techniques
  • Detect obfuscated binaries
  • Detect exploits, vulnerabilities, shellcode and zero-days
  • Identify new malware samples based on features
  • Increase the speed of incident response
  • Build your own private anti-virus software using retro-hunting
• Learn how to investigate cyber intrusions using digital forensics

  The MTH course provides multiple digital forensics case studies for the students to solve. This gives the students the opportunity to apply the skills they have learned in a real-world setting. The case studies are also a great way to learn more about digital forensics.

  • Investigating suspicious SSH tunnels
  • Investigating privilege escalation attacks
  • Detecting persistence techniques and entries
  • Investigating multiple password dumping attack techniques
• Write professional malware analysis reports

  Executive Summary

  An executive summary is a high-level overview of a document that synthesizes the key points. It is typically used to give decision-makers a quick, executive-level understanding of complex topics. The executive summary should be clear, concise, and free of jargon. It should also contain enough detail to give the reader a good understanding of the document's contents.

  Tags and Keywords

  malware can have many different tags and keywords depending on its purpose. Some common tags and keywords for malware include: viruses, worms, Trojan horses, spyware, adware, and ransomware. Identifying and extracting these keywords and tags will help you summarize what the report is about.

  Sensitivity Classification

  The Traffic Light Protocol is a color-coding system used to indicate the sensitivity of information contained within a document. The colors represent different levels of classification, with red being the most sensitive, followed by amber, green, and white. The system is designed to help recipients of a document quickly identify the level of sensitivity of the information contained within.

  When conducting malware analysis, it is often necessary to share findings with other members of the security team. The Traffic Light Protocol can be used to classify the sensitivity of information contained in a report, making it easier for recipients to identify the level of risk associated with the malware.

  Hashes

  A common technique used to detect and analyze malware is to hash the contents of the sample and compare the result to a known database of hashes. This technique is effective because it is quick and does not require any prior knowledge of the sample. The most common algorithms used for hashing are MD5 and SHA-256.

  Methodology

  A malware analysis methodology is a process for reverse engineering malware to determine its functionality, capabilities, and purpose. The goal of malware analysis is to understand what the malware does, how it works, and how it can be detected and removed. The first step in malware analysis is to identify the type of malware and its capabilities. This can be done by looking at the code, researching the malware online, or running it in a controlled environment. Once the malware has been identified, the next step is to determine its purpose. This can be done by looking at the code, observing its behavior, or analyzing how it interacts with other systems.

  Limitations

  There are a number of limitations to malware analysis. Firstly, it can be time consuming and resource intensive. Secondly, there is a lack of standardization in tools and techniques, which can make it difficult to compare results across different analysts. Thirdly, malware can be designed to evade detection by malware analysis techniques, making it difficult to obtain accurate results. Finally, the dynamic nature of malware means that it can be difficult to obtain repeatable results.

  Identification and Classification of Sample(s)

  Information regarding the malware. For example, filename, file size, file type and format, first detection in the wild, and attributed threat actor.

  Features

  Different malware can have different features. For example, some malware is designed to steal information, while other malware is designed to disable systems. These features can then be graded by confidence level.

  Dependencies

  Malware dependencies are what make a given piece of malware effective. Without the proper dependencies, a piece of malware may not be able to function properly or may not be able to infect a system. Malware dependencies can include things such as specific operating system versions, specific hardware, or even specific applications. In some cases, a piece of malware may have dependencies on multiple items in order to function properly. In other cases, a piece of malware may only have a few dependencies. Properly analyzing a piece of malware's dependencies is important in order to determine how effective it may be.

  Conclusions of Code Analysis and Observed Behavior

  Conclusions of code analysis can include an understanding of the functionality of the malware, how it works, and what it is designed to do. Additionally, code analysis can reveal the level of sophistication of the malware and who might have created it. Observations of behavior can also provide information on what the malware does, how it works, and what it is designed to do.

Student Testimonial