Advanced Threat Hunting with Falcon - FHT 302

Using CrowdStrike® Falcon, participants will learn to threat hunt for indications of adversarial compromise. Participants will also detect when and how the compromise occurred, identify affected systems and generate key sources of threat intelligence. Instructors will guide learners through the operationalization of threat intelligence and reporting of findings. This hands-on course is intended for current incident responders, threat hunters and intel analysts with intermediate knowledge of threat hunting principles.

Duration: 3 days

To obtain the maximum benefit from this class, you should meet the following requirements:

• Perform basic operations on a personal computer
• Completion of FHT 202: Falcon Platform for Hunters strongly recommended
• Have intermediate knowledge of cybersecurity incident investigation and the incident lifecycle
• Comprehend course curriculum presented in English
• Be familiar with Microsoft Windows environmen

Students who complete this course should be able to:

• Apply industry-standard threat hunting concepts and doctrinal intelligence methodologies to their investigations
• Apply threat intelligence analysis within a threat hunt in order to discover indications of an adversarial compromise
• Develop initial threat hunting findings, create lead resolutions through the operationalization of threat intelligence and report findings

DAY 1

WELCOME

• Who we are
• Who you are
• Administrative items
• Course overview/agenda

INTRODUCTION

• Introduction to the case studies
• Review scenarios

DEFINITIONS AND CONCEPTS

• Summarize threat hunting and threat intelligence
• Differentiate between IOAs and IOCs
• Conduct a threat hunt maturity assessment

THREAT HUNTING TRIGGERS

• Discover typical endpoint events that trigger an enterprise threat hunt
• Act on discovered IOAs, IOCs or anomalies

DAY 2

THREAT HUNTING METHODOLOGIES

• Learn CrowdStrike threat hunting methodologies
• Research publicly available information using best practices of OSINT
• Query internal data stores for artifacts found in your environment
• Investigate and research IOAs and IOCs to discover adversarial presence

THREAT INTELLIGENCE

• Review threat intelligence case study
• Describe the different sources of threat intelligence
• Review CrowdStrike intelligence products
• Discuss how threat intelligence impacts threat hunting

INTEL MODELS AND FRAMEWORKS

• Apply models and frameworks to understand adversary intent and capabilities
• Complete TTP identification using the MITRE ATT&CK framework
• Apply the Diamond Model to a sample scenario

FRAMEWORK DEEP DIVE

• Analyze adversary actions through the MITRE lens
• Use frameworks to develop the focus of the threat hunt
• Understand how ATT&CK is incorporated into Falcon
• Inspect the ATT&CK framework components in Falcon detection and Incident pages
• Apply morphological analysis with the ATT&CK framework to kill the attack
• Use the ATT&CK Navigator to intimately understand the attacker's next moves

CROWDSTRIKE SEARCH METHODOLOGY

• Summarize SEARCH threat hunt methodology
• Analyze the environment for adversary activity using SEARCH methodology

DAY 3

CAPSTONE

• Complete a threat hunt using scenario-based learning
• Refine your understanding of the attack using doctrinal intelligence analysis
• Complete a threat hunt report based on findings from the capstone exercise

AUTOMATING THE THREAT HUNT

• Understand the use of SQRRL for efficient hunting
• Develop API scripts to automate common hunting tasks
• Create custom IOAs and allow Falcon to continually hunt for you