Jonathan Ham on the web
This is the canonical site for all courseware for the 4-hour “Threat Hunting” course at Cyber Huntsville’s Training Exercise, July 22, 2021. Links to course materials will be posted here as they become available.
If there’s something we’ve said we’d post and you don’t see it here, check back, or please email or tweet @jhamcorp!
Most enterprises behave as though cyber threats will come in ways expected and prepared for. Firewalls are in place, as well as intrusion prevention systems (IPS) on the inbound path, and endpoint detection and response (EDR) suites deployed throughout (most of) the enterprise. We're ready, we think. And in most cases we are. We see all of the things that could have been bad but weren't.
So it commonly comes as a great surprise when we discover that we were not really ready at all. The most critical threat emerged in a way we couldn't prevent, we didn't detect, and we couldn’t respond to quickly enough to stave off a level of impact that threatened the very mission of the business.
The art (and somewhat science) of threat hunting begins with deciding not to sit back, wait, and hope that we are prepared to prevent, detect, and respond to all the things. Instead, we build the ability to look forward in anticipation of dealing with the adverse events that we didn't anticipate.
Our adversaries are keen on finding novel approaches to attacking, circumventing our preparations. As defenders we must be keen on finding novel approaches to defending as well.
This course is about how to shift our perspective from hoping, by luck, that we prevent or detect an adversary when they have only just begun to attack us, to being able to hunt them out once they have already gained a foothold in our environment, which they will, eventually.
The key items covered in 4 hours include:
Justifying the value proposition of threat hunting operations
Integrating threat hunting and cyber threat intelligence teams
Leveraging host-based indicators for threat hunting
Leveraging network indicators for threat hunting
Making threat hunting about more than just matching indicators
The goal is to give attendees the basis for moving forward in a more aggressive way to counter the future threat, starting with where they are, right now.

Course Materials/Requirements:
The virtual machine is a slightly modified version of Security Onion, v16.04.6.4, built on VMware Workstation 16 Pro. It should run just fine in either VMware Workstation or Player (other hypervisor platforms may work but have not been tested). The VM has been configured to expect:
64GB HDD space
2 CPU cores
Bridged networking, with DHCP available on the local LAN/WLAN.
The files to download are jhc_SO- and jhc_SO-
I advise you to download it and test it out in advance. It is ~3.56GB. The username is “student” and the password (including for “sudo”) is “jhc_packets”.
Whatever you do, please do not update or upgrade anything prior to class, as this may break the labs in unknown ways.

The optional course textbook is Network Forensics: Tracking Hackers Through Cyberspace.

The lecture/lab slides are jhc_CHTH2021.pdf. Yes, it is password protected, with the password to be revealed in class for attendees. :-)