Threat Hunting and Detection Engineering

Course Abstract

This class is designed to introduce students to the understanding of threat hunting and detection engineering. Threat hunting is a proactive cybersecurity approach aimed at identifying and mitigating potential security threats before they can cause harm to an organization’s systems, networks, or data and Detection Engineering (DE) is a discipline within cybersecurity that focuses on developing and improving the capabilities of security systems to detect malicious activities and threats effectively. DE involves the creation, implementation, and refinement of detection mechanisms, rules, algorithms, and processes to identify suspicious or unauthorized behaviour within an organization’s IT infrastructure.

Through an applied understanding of introduction of the concept TH & DE, students should be able to identify available processes and frameworks to detect undetected threats, that can be used to enhance security posture, stay ahead of threat actors and improve incident response by uncovering the indicator of compromise and suspicious activities.

Our threat hunting approach is based on students’ familiarity with their IT environments, with DE students should learn how to develop rules, signatures, or patterns that can identify specific types of malicious activities or behaviours. DE students also will work on developing and refining machine learning algorithms and statistical models to detect anomalies or patterns indicative of cyber threats.

This class will focus on a few type active APT groups and hope every student can apply the skills and experience in their IT environment.

Course Outline

• Introduction of Threat Hunting and Detection Engineering
  • The concept of Threat Hunting & Detection Engineering
  • The Cyber Kill Chain
  • MITRE & ATT&CK framework
  • The Pyramid of Pain
  • Old school vs modern cyber attacks
  • The problems on the current detection problems
  • The solutions for better detection
• Threat Hunting
  • What is threat hunting?
  • Types of threat hunting
  • The threat hunting mind and skill sets
  • The threat hunting process
  • The threat hunting loops
  • The hunting models
  • Start threat hunting by building the hypothesis
• Your data source is everything.
  • Where is my data?
  • Operating System and logs 
  • Networking and logs
  • Data sources 
  • End point data
  • Network data
  • Security Data
• Understanding the threat actor & adversary
  • Mapping the Adversary
  • The ATT&CK framework
  • Tactics, techniques, sub-techniques and procedures
  • The ATT&CK Matrix
  • The ATT&CK Navigator
  • Mapping with ATT&CK
• Working with data
  • Using data dictionaries
  • Open source security event metadata
  • Using Sigma
• Emulating the adversary
  • What is adversary emulation?
  • MITRE & ATT&CK emulation plan
  • Atomic red team
  • Mordor
  • Caldera
  • Other tools
• Working with a research environment
  • Choose your virtual environment for research
  • KALI PURPLE
  • ELK
  • SYSMON / SYSMON MAP
  • HELK
• HUNTING the adversary
  • MITRE evaluations
  • Hunting for APT group
• Documenting & Automating process
  • Documenting your hunts
  • KanBan Boards
  • The Jupyter notebook
  • The threat hunting playbook
• Building a detection engineering for malware research development
  • Technical Requirement
  • The ELK
  • Deploying the ELK
  • Configuring the ELK
  • Setting up Fleet Server
  • Installing and configuration of the ELK
  • Building your first detection
• Working together with the incident response team
  • The impact of communication on the success of threat hunting program