A Guide to Threat Hunting Utilizing the ELK stack and PowerShell

Cylance | July 22-23 & July 24-25



Overview

The days of using Excel to find malicious activity are over. Breaches keep growing in size, so incident responders need a way to move beyond hunting through mountains of data in a spreadsheet. In this course, you will learn how to create your own enterprise-wide hunting platform using ELK with data enrichment feeds. The course also introduces and explains how to retrieve data from the various endpoints and data sources that feed the platform. Students will deploy PowerShell scripts across a customized network environment to gather the critical data needed to respond to an incident. Once the data has been collected, students will enrich it, both by normalizing it and by building visualizations that help surface outliers and anomalies within the data sets. This course teaches you not only how to set up an ELK server specifically geared toward powerful hunting, but also how to collect data efficiently from every single endpoint on your network in a very short span of time, so that you can proactively hunt on a regular basis.

Students should expect to conduct 3-4 labs each day. Labs cover the functional components of building out the ELK stack and its respective modules, and show how those components can be leveraged to find malicious activity in your environment.

Day 1
  • Overview, introduction to threat hunting, ELK
  • Indicators of Compromise
  • Knowing how to find bad
  • Final Configuration demonstration
  • Data collection methods
  • PowerShell Basics
  • Logstash
  • Elasticsearch basics
  • Kibana basics



Day 2
  • Building Visualizations
  • Building Dashboards
  • Data enrichment
  • Real-time data collection
  • Final Exercise

Who Should Take this Course

CERT analysts, forensic analysts, incident responders and IT administrators. Anyone who wants to understand threat hunting or the ELK stack, or to enhance the incident response processes at their organization.

Student Requirements

Basic understanding of scripting concepts, basic forensics knowledge, Windows OS fundamentals.

What Students Should Bring

  • Windows 7 or Windows 10 laptop with at least 8 GB of RAM and at least 100 GB of free disk space
  • Virtualization software capable of running VMDKs
  • PDF Reader software
  • Computer that possesses an Ethernet port or supporting dongle
  • Computer that possesses USB ports or supporting dongles
  • Willingness to learn and have fun!

What Students Will Be Provided With

  • Thumb drive loaded with scripts for forensic data collection and other goodies for hunting.
  • ELK configuration files
  • Course materials

Trainers

Thomas Pace began his career in security when he joined the Marine Corps as an infantryman and intelligence specialist. During this time, he deployed to both Iraq and Afghanistan. He then moved on to work for PNC Bank, where he was an incident response investigator and assisted in mitigating the ongoing DDoS attacks that were occurring in 2012 and 2013. He then worked for the Department of Energy as a contractor, where he led the incident response and intrusion detection teams and conducted forensic investigations. In addition, he is an Adjunct Professor at Tulane University, where he teaches an undergraduate Cyber Security course. Currently, Thomas is a Principal Consultant with Cylance within the Incident Response and Forensics services organization. At Cylance, he assists organizations in remediating incidents and developing incident response policies and procedures. Thomas graduated from the University of Pittsburgh with a Master's Degree in Information Security. He also holds the CISSP, SFCP, GCFA, GCIH, GCWN and GCIA certifications.

Michael Scott (et0x) is a Principal Consultant for Cylance, where he is responsible for proactively hunting in very large enterprise environments as well as responding to all levels of breaches. He is an active developer and enjoys offensive work as well. Before joining Cylance, he was an IR team lead for the Marine Corps Cyber Warfare Group and was also a Cyber Threat Emulation specialist for MARFORCYBER, under US Cyber Command.

Eric Cornelius is the Director of Critical Infrastructure and Industrial Control Systems (ICS) at Cylance, Inc., where he is responsible for thought leadership, architecture, and consulting implementations. Eric brings a wealth of ICS knowledge, and his leadership keeps organizations safe, secure, and resilient against advanced attackers. Eric is also currently a SANS Certified Instructor and has provided invaluable thought leadership in developing the Industrial Control System security curriculum at SANS. Previously, Eric served as the Deputy Director and Chief Technical Analyst for the Control Systems Security Program at the US Department of Homeland Security. Eric earned a bachelor's degree from the New Mexico Institute of Mining and Technology, where he was the recipient of many scholarships and awards, including the National Science Foundation's Scholarship for Service. Eric went on to work at the Army Research Laboratory's Survivability/Lethality Analysis Directorate, where he worked to secure field-deployable combat technologies. It was at ARL that Cornelius became interested in non-traditional computing systems, an interest which ultimately led him to the Idaho National Laboratory, where he participated in deep-dive vulnerability assessments of a wide range of ICS. Eric is the co-author of "Recommended Practice: Creating Cyber Forensics Plans for Control Systems" (DHS National Cyber Security Division, Control Systems Security Program, 2008) and is also a frequent speaker and instructor at ICS events across the globe.