eLearnSecurity: Certified Threat Hunting Professional v2 (eCTHPv2) Review

Ellis S
6 min read · Jul 23, 2020

Looking for that all-rounder, up-to-date and thorough threat hunting certification but want something both practical and affordable? Well look no further.

I would like to first start by saying this is my first ever online journal. It could have been a food blog helping you get started with a ketogenic diet or an article explaining why in fact the year 536AD was actually the worst year ever but here we are with an infosec-themed critique, and that’s how it should be.

Trying to find the best cert for threat hunting, or even Blue Teaming in general, is challenging. On the one hand you have the more well-recognised and HR-friendly SANS courses, which do provide a clear Incident Response pathway starting off with SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling, but are pretty costly. On the other end of the spectrum, you have the CREST certifications such as CREST Practitioner Intrusion Analyst, which are relatively cheap but don’t offer practical training. To put it bluntly, if you want the best of both worlds you go to eLearnSecurity.

eLearnSecurity have been around for some time now (since 2014 to be exact). I first heard about them when a ‘pentest-fanatic’ friend recommended their Junior Penetration Tester (eJPT) cert in 2019. eJPT is undeniably one of the best entry-level red team certs out there, having completed it first-hand and from reading other reviews. Fast-forward a year or so later: COVID-19 unfortunately hits us all like a brick wall, I’m bored out of my mind and want to get an Incident Response certification. I was fortunate enough to have attended the launch webinar for the newly refined eLearnSecurity Certified Threat Hunting Professional (eCTHP) back at the end of March, which gave me a nice 30% discount plus a free upgrade (from barebone to full) — so it was a no-brainer to purchase.

Structure and Content

The course was made up of 3 sections totalling 12 modules, 21 videos, 24 labs (3 of them are zipped with 2 labs in each, so the total is actually 27) and hundreds of helpful external articles, videos and documents. The material starts with an introduction to threat hunting, touching on some of the foundations such as the Cyber Kill Chain, MITRE ATT&CK, forming a hypothesis, the Pyramid of Pain, etc.

Cyber Kill Chain & Mitre ATT&CK

The second and third sections are Network and Endpoint Analysis respectively. The main topics in these sections are hunting for suspicious traffic, web shells, log analysis, memory analysis and SIEMs. Not only does the course teach you the staple tools to hunt with, but it also exposes you to a multitude of single-purpose tools for specific types of malware, web shells and post-exploitation frameworks, such as ExifTool for finding hidden .php reverse shells in .jpeg images.

The flow of material was great too. Each module led nicely to the next, with each building off the previous one. There were a few “wait, what?” moments, but this is not an easy cert, and what eCTHP really teaches you is not to be afraid of being thrown in the deep end. Oh, and that Google is your friend and GitHub is your other half.

Section 2 — Network Analysis

One thing to note is that you should not restrict yourself to the slides in this course. They often link to external articles which explain things in much greater depth and are necessary to read through. Plus, in a lot of the labs, there are external links for hints on where to hunt. You may not know it, but it is in fact training you to think like a threat hunter.

Labs

The labs in eCTHP are very good, and they are not tightly coupled to the course material either. The content of eCTHP is taught both in the course material and in the labs. What I mean by this is that some of the tools you won’t see in the course slides, and this is to prepare you for a real hunt. You will sometimes have to work with tools you have no experience using. So don’t let your heart sink when you open the Splunk labs and realise you learned nothing about Splunk from the slides. Expect a steep learning curve if you’re not already familiar with these tools. I had to do a lot more Google/YouTube searches when doing the labs, since I preferred to try to solve the questions myself before looking at the solutions.

What you should know

Let me start from the beginning. Prerequisites are really not important if you’re a hard worker, but you should at least have some pen testing experience (e.g. eJPT or eCPPT), or you will find yourself googling every slide if you don’t have a faint idea of the main adversarial tools. But I will give you several tips to save yourself a bumpy ride and make it a smooth sail instead:

  1. Use Microsoft OneNote to write up your notes. Call me old-school, but I personally find writing out notes the best way of cementing knowledge. If you’re like me, you’re going to have to ditch the pad and digitise.
  2. If you have no Splunk experience, go ahead and do Boss of the SOC (BOTS) V1 and/or BOTS V2. I was lucky enough to have done these last year, so Splunk was nothing new.
  3. You will have a target for completion, let’s say 2 months from purchase. You will push it back at least several times. This is because you will find yourself completing the modules, moving onto the labs and finding a lot of additional reading is needed to complete them. This is why I’m saying if you plan to do only one cert this year, do this one. It’s a beast, but once you tame it, you’ll be able to apply the skills to a LOT within the cyber domain.
  4. If you’re working off a single laptop, buy a monitor. You’ll save yourself a ton of time switching back and forth between notes and labs, and in practice when threat hunting you should be using at least two or three monitors anyway.

Exam

Now for the bit you’ve been waiting for. If you were like me and searching for some insight into what the exam was like, then you have come to the right place.

Having completed the eJPT exam, which allowed a generous 72 hours of access to the lab environment, I found myself nearly short on time for the eCTHP exam, which gave 4 days in total to complete the exam report. The exam consists of three independent scenarios, all of which you need to analyse within 48 hours, after which the lab access is terminated and you have another 48 hours to write the report. Time management is critical here.

I will give you the same advice Dimitrios Bougioukas (IT Director at eLS) provided in the eCTHP sub-forum:

“The exam will be real-world but manageable.

You will be given Threat Intelligence and clear objectives which you will use (or search around a little bit about them) to solve the tasks.”

I learnt a lot within the exam, and it was enjoyable at times, albeit tough. But if you study everything in the content and labs, then you will be fine.

Conclusion

The verdict: 10/10 — This course is vast, thorough and excellent value for money. You will learn a multitude of skills which will help you build a threat hunting mindset, developing your skills in cyber in ways that would surprise you. Furthermore, according to the Cyber Certification Progression Chart, it is more advanced than GCIH (as of 23 July 2020), which is the certification accompanying SANS SEC504, mentioned earlier.

There are other Incident Response organisations also releasing new certifications, such as Security Blue Team with their recent release of Blue Team Level 1. Their course (now closed) ‘Operation Chimera’ was very well received. The question is, how will they hold up against the Incident Response certifications from eLS and SANS? I hope very well!

What’s next you ask? If I’m honest, pub.

As always, stay safe!

Ellis S

Digital Forensics, Incident Response and Threat Hunting things.