My eCTHPv2 Journey

eCTHP stands for eLearnSecurity Certified Threat Hunting Professional; as of this writing the course is in its version 2. If you have read my previous write-up reviewing eCPPTv2, you may be wondering, and yes, I did use the INE course, and the certification itself is a separate $400. If you don’t have the INE subscription, that is no problem, but you will have to put extra effort into studying.


Before I start giving you some of my experience and exam tips, let me give you some background from before I took this certification. First, I was previously part of a Threat Responder team (sort of), and we used a Splunk-based SIEM for hunting threats in our network. That was the first time I used Splunk in my life, and I WAS REALLY NOT FAMILIAR with what it does or how to write its queries. I basically just used my basic knowledge of building and reading queries in SQL. This went on for 4 months, and I first tried to dig deep into Splunk in September 2021. I am telling you this because you don’t need to be a Superman expert in Splunk, but it will help you greatly if you master it as part of your skillset.

At the same time, what I did was study the Threat Hunting Professional course from INE and the Splunk Fundamentals 1 course, which Splunk offers free when you register on their website.

The Splunk Fundamentals 1 course has 10 modules overall, which are mostly videos, and you can also download the PDF of the course. I was really happy about it because I now understand the terms, each of which comes with an explanation. Substitute this for Netflix and you are good to go: I binge-watched it and did the quizzes for almost 2 weeks. I am still not an expert, but I have the basic knowledge to create a query for my hunt. If you ask me, I didn’t go through building the labs in the course; I didn’t have any memory left on my computer, so I skipped those parts.

If you are going through the INE course, I suggest installing these applications first; you will be using them throughout the entire course and for the exam as well.

· Microsoft’s Remote Desktop — already installed on your computer if you are using Windows.

· PuTTY — https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

· OpenVPN GUI — https://openvpn.net/community-resources/how-to-install-the-openvpn-gui-on-windows/

The INE Threat Hunting Professional course has 3 main parts to study.

· Introduction to Threat Hunting

· Threat Hunting: Hunting the Network & Network Analysis

· Threat Hunting: Hunting the Endpoint & Endpoint Analysis

The first part is a sweet juice because it paces you into the concept of what Threat Hunting is and its counterpart, Incident Response. This module also focuses mainly on creating IOC rules using Yara and using the Mandiant Redline tool to hunt for IOCs with the rules you created. I came back to this about 2 times in my study just to firm up my knowledge of creating IOC rules.

The second module is much juicier: using PCAP files, I learned a great deal about analyzing them with various tools, not just common ones like tcpdump and Wireshark but also NetworkMiner, RSA NetWitness, etc. As expected, their labs are really heaven-sent, but the downside is that they are still laggy even over Remote Desktop. I went through this module at least 3 times in my re-runs.

Last but not least is my favorite part of the course, and I am sure it is for all eCTHPv2 takers as well: the last module. It is the longest and most painful module of the course and mainly uses Splunk, ELK, the Volatility Framework, etc. I mainly focused on this module and re-ran it about 4–5 times. This module teaches you how to analyze a memory image, hunt for malware, and use SIEM-based tools to hunt for suspicious and malicious activities, among other things.

On top of that, I also built my own labs to further prepare, using the CyberDefenders Boss of the SOC v1, which, to be honest with you, I only finished the first 5 questions of. So please don’t be lazy; I regret not finishing it, as I was still having a hard time writing queries in Splunk. If you still need a guide for the challenge, you can use Google; for me there is no shame in using it.

So what if I don’t have the INE subscription?

Yeah, you can still pass, in my experience. As I said before, you have to put extra effort into studying; below are the things that might help you.

1. Do CyberDefenders Boss of the SOC v1 and v2. Overall this is a 14 GB file, and some of you don’t have the luxury of building labs; I used VirtualBox for the lab. Alternatively, I found that TryHackMe has rooms for v2 and v3. I didn’t find any v1 on THM in my search. This will help you get hands-on experience building Splunk queries and navigating live on its dashboard.

2. ELK-based SIEM — most people find ELK horrible to use, but in my experience it has almost the same features as Splunk; I found filtering and arranging the table easy. Unfortunately I can’t find any resources for practicing Kibana. For me, if you study Splunk queries well, it is easy to transition to Kibana Query Language (KQL). Here is the resource you can study for KQL.

3. Volatility Framework — study this one, just trust me. Nuff said.

https://www.andreafortuna.org/category/volatility/

4. MITRE ATT&CK — Familiarize yourself with how to search for TTPs. AttackIQ Academy offers free courses for this; you will also get free badges for your Credly account, and the courses also give you CPE credits for (ISC)2.

My Experience

For me this is an Easy to Medium difficulty exam; if you are new to Blue Teaming, I would say don’t go straight to this exam. I have eJPT and eCPPTv2 under my belt, but still, this one really kicked me in the bum. I have work experience in SOC/IR, but only 1 and a half years. I didn’t have experience writing a report; in case you ask, I reused the format of my Pentest Report from eCPPTv2.

Overall, if you do study the course with INE, it is enough; the labs are really great, but don’t settle and be complacent with that as your only resource. You should keep challenging yourself if you want to be a successful Threat Hunter.

I don’t want to be dramatic, but literally this is the only exam that gave me anxiety. I took the exam on Dec. 2, 2021 and submitted the report on Dec. 6, 2021. The result came back to me this morning as of this writing, while I was on a work shift (January 3, 2021), so go to a doctor and get anxiety pills, good for 1 month. JK :P

Thank you for reading this; I hope I have helped you with your upcoming exam. Kudos!
