ATT&CK® Threat Hunting

Detection Engineering Certification

Learn Threat Hunting & Detection Engineering

Level: Intermediate

CPEs: 9 Hours  |  28 Lectures  |  Full Analytics Walk-through 

Experts from MITRE produced this course to teach students how to utilize knowledge of adversary TTPs as described in the MITRE ATT&CK framework to develop, test, tune, and employ robust analytics to detect and investigate malicious cyber activity.

Learners taking this course will learn how to leverage ATT&CK to develop hypotheses, determine data collection requirements, identify and mitigate collection gaps, test and tune analytics using purple teaming, and conduct a threat-informed hunt.

The ability to apply the TTP-based hunting methodology, as demonstrated by successful completion of this program, supports your dedication to securing critical networks and systems against attacks from advanced cyber adversaries.


Course Prerequisites

  • Have a solid understanding of the ATT&CK Framework
  • Familiarity with Windows, Splunk or ELK, and networking fundamentals

Target Audience

Top job roles related to this credential include:
  • Cybersecurity / Information Security Analyst
  • (Junior/Senior) Threat Hunter
  • Senior Cybersecurity Analyst
  • Network Architect
  • Computer and Information Systems Manager

Course Goals

  • Teach learners to execute a six-step TTP-based hunting methodology centered on use of the ATT&CK® Framework
  • Learn to effectively identify adversarial behaviors of interest
  • Articulate hunt-directing hypotheses that inform the development of written analytics, which in turn drive information needs and data collection requirements

Threat Hunting Detection Engineering Certification

 

ATT&CK Threat Hunting Detection Engineering Certification is an intermediate level program that affirms your ability to utilize knowledge of adversary TTPs as described in the MITRE ATT&CK framework to develop, test, tune, and employ robust analytics to detect and investigate malicious cyber activity.

You must earn six distinct badges to be eligible for the ATT&CK for Threat Hunting Detection Engineering Certification.

MITRE ATT&CK Fundamentals

ATT&CK Fundamentals

Start with the basics; unlearn bad behaviors and relearn ATT&CK the way MITRE intended. Learners will understand the structure and philosophy that continually shapes ATT&CK. This course helps Defenders identify the available ATT&CK resources and operational use cases while also recognizing how ATT&CK empowers defenders through understanding threats.

MITRE ATT&CK Threat Hunting Fundamentals

Fundamentals

The Threat Hunting Fundamentals Badge verifies an understanding of how ATT&CK can be used as a malicious activity model to conduct the six steps of the TTP-based threat hunt methodology. This badge verifies an understanding of how to contrast key elements of TTP-based hunting with complementary approaches, of the fundamental considerations for characterizing malicious activity or behavior, and of how to use that information to execute a TTP-based hunt. This process shapes information needs and data requirements to develop continual hunt efforts focused on advanced cyber adversary behaviors.

MITRE ATT&CK Threat Hunting Hypotheses

Hypotheses

Certifies an ability to develop and refine hypotheses and abstract analytics that can be used to hunt for evidence indicative of malicious presence. This badge covers the ability to develop a well-formed hypothesis while avoiding common traps such as cognitive bias that can impact hunting efforts, to fine-tune hypotheses to focus on potential attack behaviors, and to discuss and formulate abstract analytics that help conduct research to find candidate invariant behaviors.

MITRE ATT&CK Threat Hunting Data Collection Requirements

Data Collection Requirements

Verifies an understanding of how to identify the data requirements necessary to conduct TTP-based hunts. This badge covers the ability to describe the various data types, to identify data collection requirements and how they map to analytics, and to create a collection plan.

MITRE ATT&CK Threat Hunting Addressing Data Collection Gaps

Addressing Data Collection Gaps

Certifies an ability to identify gaps in a data collection strategy and develop a plan for addressing those gaps. This badge covers the ability to reconfigure existing tools, deploy new sensors, establish new data flows, and use alternative analytic approaches to close existing data gaps, resulting in new data collection configurations. It also teaches learners how to explain potential impacts to network owners to inform security-based decisions.

MITRE ATT&CK Threat Hunting Tuning Analytics

Tuning Analytics

Certifies an ability to convert hypotheses and abstract analytics into concrete analytics that can effectively find malicious adversary behaviors within a given environment. This badge covers the ability to optimize precision and recall through modification of Time, Terrain, and Behavior aspects of developed analytics.


Understanding the Basics of Threat Hunting

Understanding Threat Hunting and Detection Engineering in Enterprise Cyber Security: Enhancing Blue Teaming with MAD20's Hands-On Training

 

Introduction: The Importance of Threat Hunting and Detection Engineering in Blue Teaming

In the dynamic world of cyber security, enterprise organizations face a myriad of sophisticated threats daily. To counter these threats, security teams must go beyond traditional defense mechanisms and adopt proactive strategies. This is where Threat Hunting and Detection Engineering come into play, forming the backbone of effective blue teaming operations.

In this section, we will delve into what blue teaming is, what Threat Hunting and Detection Engineering are, and how these practices are crucial for maintaining a strong security posture. Additionally, we’ll explore how MAD20’s threat-informed defense training equips your team with the necessary skills to excel in these areas.

 

What is Blue Teaming?

Blue Teaming refers to the defensive side of cyber security operations, where the primary goal is to protect an organization’s assets from cyber threats. Blue teams are responsible for monitoring systems, detecting potential threats, responding to incidents, and strengthening security defenses. They are the guardians of the organization, working tirelessly to identify and mitigate vulnerabilities before attackers can exploit them.

 

Key Blue Team Strategies

  1. Continuous Monitoring: Keeping a constant watch over the network to detect any unusual activity that may indicate a threat.
  2. Incident Response: Quickly and effectively responding to security incidents to minimize damage and restore normal operations.
  3. Vulnerability Management: Regularly scanning and patching systems to reduce the attack surface and prevent exploitation.
  4. Threat Hunting and Detection Engineering: Proactively seeking out threats that may have evaded automated defenses and engineering detection capabilities to identify them.

 

What is Threat Hunting?

Threat Hunting is a proactive approach to identifying cyber threats that may have slipped past automated security defenses. Unlike traditional detection methods that rely on predefined signatures and rules, threat hunting involves actively searching for signs of malicious activity within an organization’s environment. This process requires a deep understanding of the threat landscape, as well as the ability to analyze and interpret data from various sources.

Threat hunters operate on the assumption that an organization may already be compromised, and their goal is to uncover hidden threats before they can cause significant harm. By engaging in threat hunting, security teams can detect and neutralize advanced threats that would otherwise go unnoticed.

The Threat Hunting Process

  1. Hypothesis Development: Creating a hypothesis based on known threats, threat intelligence, or unusual activity that warrants further investigation.
  2. Data Collection and Analysis: Gathering data from various sources, such as logs, network traffic, and endpoint activity, to identify potential indicators of compromise (IOCs).
  3. Investigation: Analyzing the collected data to confirm or refute the hypothesis, often involving deep dives into specific events or patterns.
  4. Response and Mitigation: If a threat is identified, the blue team takes immediate action to contain and mitigate the threat, preventing further damage.

 

What is Detection Engineering?

Detection Engineering is the process of designing, implementing, and refining detection mechanisms to identify malicious activities within an organization’s environment. Detection engineering focuses on building robust detection capabilities that can identify both known and unknown threats. This involves creating custom detection rules, refining existing ones, and ensuring that detection systems are properly tuned to minimize false positives and false negatives.

Detection engineers work closely with threat hunters and incident responders to develop detection strategies that align with the organization’s unique threat landscape. By continuously improving detection capabilities, organizations can stay ahead of evolving threats and reduce the likelihood of successful attacks.

The Detection Engineering Process

  1. Threat Modeling: Identifying potential threats based on the organization’s assets, vulnerabilities, and the tactics used by adversaries.
  2. Detection Rule Development: Creating and refining detection rules that can identify specific tactics, techniques, and procedures (TTPs) used by attackers.
  3. System Tuning: Adjusting detection systems to improve accuracy and reduce noise, ensuring that alerts are both meaningful and actionable.
  4. Continuous Improvement: Regularly reviewing and updating detection capabilities to address new threats and evolving adversary techniques.
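As an added example, not code from MAD20's course material or from MITRE, the following Python sketch walks through steps 2 and 3 above (detection rule development and system tuning) and the data analysis step of the threat hunting process. A behavior-based analytic for an Office application spawning a command shell is run over a handful of constructed process-creation events carrying ground-truth labels from a purple-team exercise, then tuned along the Time, Terrain and Behavior dimensions that the Tuning Analytics badge describes, with precision and recall measured at each step. The hostnames, users, command lines and the "known finance job" exclusion are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (fields modelled loosely on Sysmon Event ID 1)."""
    host: str
    user: str
    parent: str      # parent process image name
    image: str       # child process image name
    cmdline: str
    hour: int        # local hour of day, 0-23
    malicious: bool  # ground-truth label from a purple-team exercise (constructed)


# Constructed sample telemetry; hosts, users and command lines are invented.
EVENTS: List[ProcessEvent] = [
    ProcessEvent("ws01", "alice", "WINWORD.EXE", "cmd.exe", "cmd.exe /c whoami", 14, True),
    ProcessEvent("ws02", "bob", "EXCEL.EXE", "powershell.exe",
                 r"powershell.exe -File C:\Finance\refresh.ps1", 9, False),
    ProcessEvent("ws03", "carol", "explorer.exe", "cmd.exe", "cmd.exe /c dir", 10, False),
    ProcessEvent("ws04", "dave", "OUTLOOK.EXE", "powershell.exe",
                 r"powershell.exe -w hidden -File C:\Users\dave\AppData\Local\Temp\upd.ps1", 2, True),
    ProcessEvent("ws02", "bob", "EXCEL.EXE", "powershell.exe",
                 r"powershell.exe -File C:\Finance\refresh.ps1", 9, False),
    ProcessEvent("ws05", "erin", "WINWORD.EXE", "cmd.exe", "cmd.exe /c net user", 23, True),
    ProcessEvent("ws06", "frank", "services.exe", "svchost.exe", "svchost.exe -k netsvcs", 3, False),
    ProcessEvent("ws02", "bob", "EXCEL.EXE", "cmd.exe",
                 r"cmd.exe /c copy report.csv \\share\finance", 22, True),
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE", "POWERPNT.EXE"}
SHELLS = {"cmd.exe", "powershell.exe"}

Analytic = Callable[[ProcessEvent], bool]


def behavior_matches(e: ProcessEvent) -> bool:
    """Behavior dimension: an Office application spawning a command shell."""
    return e.parent.upper() in OFFICE_APPS and e.image.lower() in SHELLS


def analytic_v1(e: ProcessEvent) -> bool:
    """First cut: behavior only, with no knowledge of the environment."""
    return behavior_matches(e)


# Terrain knowledge gathered while investigating v1's false positives (constructed):
# one finance workstation runs a scheduled Excel refresh script during business hours.
KNOWN_FINANCE_JOB_HOST = "ws02"
KNOWN_FINANCE_JOB_CMD = r"powershell.exe -File C:\Finance\refresh.ps1"
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local


def analytic_v2(e: ProcessEvent) -> bool:
    """Tuned: the same behavior, with a narrow Terrain + Time exclusion."""
    if not behavior_matches(e):
        return False
    is_known_job = (e.host == KNOWN_FINANCE_JOB_HOST
                    and e.cmdline == KNOWN_FINANCE_JOB_CMD
                    and e.hour in BUSINESS_HOURS)
    return not is_known_job


def analytic_v3_overtuned(e: ProcessEvent) -> bool:
    """Over-tuned: suppresses the whole host instead of the specific benign job."""
    return behavior_matches(e) and e.host != KNOWN_FINANCE_JOB_HOST


def evaluate(analytic: Analytic, events: List[ProcessEvent]) -> Dict[str, float]:
    """Score an analytic against labelled events: counts plus precision and recall."""
    tp = sum(1 for e in events if analytic(e) and e.malicious)
    fp = sum(1 for e in events if analytic(e) and not e.malicious)
    fn = sum(1 for e in events if not analytic(e) and e.malicious)
    precision = tp / (tp + fp) if (tp + fp) else 0.0
    recall = tp / (tp + fn) if (tp + fn) else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


if __name__ == "__main__":
    for name, analytic in [("v1 behavior only", analytic_v1),
                           ("v2 tuned", analytic_v2),
                           ("v3 over-tuned", analytic_v3_overtuned)]:
        r = evaluate(analytic, EVENTS)
        print(f"{name:18s} tp={r['tp']} fp={r['fp']} fn={r['fn']} "
              f"precision={r['precision']:.2f} recall={r['recall']:.2f}")
```

On this constructed data the first cut catches every labelled malicious event but fires twice on the scheduled finance job, so precision is 0.67 with recall 1.0. Scoping the exclusion to the exact command line, host and business hours removes both false positives without losing the late-night shell spawned on the same workstation, which is the point of tuning terrain narrowly: the over-tuned variant that suppresses the whole host keeps precision at 1.0 but drops recall to 0.75 by hiding that event. In a real environment the labels would come from purple-team runs and the same evaluation would be repeated as part of the continuous improvement step.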

 

The Benefits of Blue Teaming with Threat Hunting and Detection Engineering

Integrating Threat Hunting and Detection Engineering into your blue teaming efforts provides numerous benefits that can significantly enhance your organization’s security posture.

  1. Proactive Threat Detection

Traditional security measures often rely on automated tools that react to known threats. However, threat hunting allows blue teams to proactively search for and identify threats that may not trigger standard alerts. This proactive approach enables organizations to detect and mitigate threats before they can cause significant damage.

  2. Enhanced Incident Response

By uncovering hidden threats through threat hunting and improving detection capabilities through detection engineering, blue teams can respond to incidents more effectively. This results in faster containment and resolution of security incidents, minimizing the impact on the organization.

  3. Improved Detection Capabilities

Detection engineering allows blue teams to develop custom detection rules that are tailored to their specific threat landscape. This improves the accuracy of detection systems, reducing the number of false positives and ensuring that real threats are promptly identified and addressed.

  4. Adaptability to Evolving Threats

The cyber threat landscape is constantly changing, with attackers continuously developing new tactics and techniques. Threat hunting and detection engineering enable blue teams to adapt to these changes by regularly updating their detection strategies and hunting methodologies to stay ahead of adversaries.

  5. Strengthened Security Posture

By incorporating threat hunting and detection engineering into your blue teaming efforts, your organization can achieve a more robust security posture. These practices not only enhance your ability to detect and respond to threats but also foster a culture of continuous improvement within your security team.

 

Actionable Tips for Implementing Threat Hunting and Detection Engineering

To effectively implement Threat Hunting and Detection Engineering in your organization, consider the following actionable tips:

Invest in Threat Hunting Tools

Utilize specialized tools that support threat hunting, such as SIEM (Security Information and Event Management) platforms, EDR (Endpoint Detection and Response) solutions, and advanced analytics tools. These tools can help your team collect and analyze data more effectively, making it easier to identify potential threats.

Regular Hands-On Training

Ensure that your blue team receives regular hands-on training in threat hunting and detection engineering. MAD20’s threat-informed defense training provides practical experience with these practices, equipping your team with the skills needed to excel in these areas.

Collaborate Across Teams

Encourage collaboration between your blue team, incident response team, and detection engineers. By working together, these teams can share insights and develop more effective detection and response strategies.

Continuously Review and Update Detection Rules

Regularly review and update your detection rules to ensure they remain effective against new and emerging threats. This should be an ongoing process that involves both threat hunters and detection engineers.

 

Recent Statistics on the Impact of Threat Hunting and Detection Engineering

The effectiveness of Threat Hunting and Detection Engineering in enhancing enterprise security is supported by numerous studies and reports:

- A survey by the SANS Institute found that organizations with active threat hunting programs are 50% more likely to detect and respond to security incidents within the first hour of an attack.

- According to a report by CrowdStrike, companies that invest in detection engineering see a 40% reduction in false positives, leading to more efficient security operations.

- Gartner predicts that by 2025, 60% of large enterprises will have dedicated threat hunting teams as part of their blue teaming efforts, up from 25% in 2020.

These statistics underscore the importance of threat hunting and detection engineering in maintaining a strong security posture and effectively countering advanced cyber threats.

 

Conclusion: Empower Your Blue Team with MAD20’s Threat Hunting and Detection Engineering Training

Understanding what blue teaming is and integrating Threat Hunting and Detection Engineering into your security operations can significantly improve your organization’s ability to defend against cyber threats. However, the key to success lies in ensuring that your security team has the necessary skills and knowledge.

MAD20’s Threat Hunting and Detection Engineering training offers a hands-on, practical approach to blue teaming, providing your team with the tools they need to detect, respond to, and mitigate advanced threats.

Don’t wait until a cyber attack disrupts your operations—empower your blue team with the skills to proactively defend against today’s most sophisticated threats. Explore MAD20’s Threat Hunting and Detection Engineering course today and take the first step toward a more resilient security posture.