eCTHPv2 Certification Experience

Saniye Nur
Jul 1, 2022 · 5 min read

I recently took the Certified Threat Hunting Professional Version 2 (eCTHPv2) certification by eLearnSecurity and I decided to share my experience after passing the exam on my first attempt. Since I received questions about the exam from many of my friends, I felt the need to write here as well.

Let me summarize for those who don't know it:

eLearnSecurity's Certified Threat Hunting Professional is an expert-level certification that assesses your threat hunting and threat identification capabilities. Candidates are tested through real-world scenarios modeled on current malware and attacker techniques in a simulated corporate network.

First of all, I highly recommend INE's laboratory environment. I learned a lot from the sample labs there, because all the PDFs, lectures, video lectures, and sample labs are available on this platform.

You do not have to take the INE course to sit the exam; you can buy just the exam voucher. But as I said, I learned everything in these labs, and in the exam I applied what I had learned there.

By obtaining the eCTHPv2, your skills in the following areas will be assessed and certified:

  • Network packet/traffic analysis
  • Data enrichment with Threat Intelligence
  • Data correlation
  • In-depth knowledge of tools such as Wireshark, Redline & IOC editor
  • IOC-based threat hunting
  • Memory analysis/forensics
  • Windows/Linux event analysis
  • Log analysis
  • Detection of any stage of the “Cyber Kill Chain” (Information Gathering, Exploitation, Post-exploitation)

For more: https://elearnsecurity.com/

The training material is broken out across three modules:

  • Introduction to Threat Hunting
  • Threat Hunting: Hunting the Network & Network Analysis
  • Threat Hunting: Hunting the Endpoint & Endpoint Analysis

The training material focuses mostly on hunting in Windows OS environments.

The Introduction to Threat Hunting module covers threat hunting terminology and fundamentals, along with information security and cyber security fundamentals. It also introduces threat intelligence, IOCs, and writing YARA rules.

The Threat Hunting: Hunting the Network & Network Analysis module covers network analysis tools such as Wireshark, NetworkMiner, and RSA NetWitness Investigator, and finishes with web shell network hunting and forensics labs.

Threat Hunting: Hunting the Endpoint & Endpoint Analysis part was my favorite part.

It covers hunting for malware, several hunting-in-memory labs, advanced endpoint hunting labs (AMSI bypasses, parent PID spoofing, reflective DLL injection, process doppelgänging), and threat hunting exercises in Splunk and ELK on top of Sysmon data.

Throughout the course there are external links to other resources that give you a deeper understanding of the particular topic you are learning. I recommend going through these external links, both in the slides and in the labs. Some of them not only gave me a deeper understanding of the topics but also helped me in the exam.

Exam Day

After a busy work schedule, I settled on my exam day. After completing the INE training, I purchased my eCTHPv2 exam voucher. Once I started the exam, I was sent the scope of engagement by email, which outlined the report requirements and contained everything I needed to know to take the exam.

For the exam, I was provided with a series of realistic threat hunting scenarios that I needed to investigate using the tools and techniques demonstrated throughout the INE training material. The duration of the exam is four days in total. Students have access to the exam lab environment, where they can perform their investigation. After two days from starting your exam, you will lose access to the exam lab environment and will have two more days to complete and submit the exam report. The exam is challenging yet very fun to play with. You will be given some realistic scenarios to hunt with.

So you have two days in the lab and two days for reporting. Each machine, that is, each lab question, has its own VPN, and unfortunately while one lab is open and connected to its VPN you cannot open another lab. I spent the full two days working through the exam lab environment and documented everything I needed to complete the report, taking breaks for meals and sleep. The exam is not proctored live, so you can rest easy.

Don't worry about writing the report: they give you a sample template to base it on. I spent two days solving the labs and took screenshots as I went, because I knew I would need them when writing the report. Once I was satisfied that my report was ready, I uploaded it and received an email confirming that it had been received. Exam report grading takes around 30 business days.

eCTHPv2 Exam Advice

For anyone preparing for the eCTHPv2 exam, I have outlined some advice below that might be helpful.

Training Material

  • Take notes while working through the training material, especially in the labs, so you can quickly refer back to them during the exam.
  • Complete each of the lab exercises at least once and understand the concepts being demonstrated.
  • I found blueteamlabs.online and the CyberDefenders training platform to be excellent resources for practicing the tools and concepts presented in the course.
  • Knowledge of how to recognise pentesting activity and malware behavior is important, so you can pick up basic pentest knowledge from platforms like Hack The Box and TryHackMe.
  • I found the Splunk/ELK SIEM labs very important for learning how to hunt for malicious activity, so spend some additional time going through them and understand the concepts being shown.
  • Go through all the course material, the labs, and the external links you see.
  • Read the letter of engagement carefully after the exam starts, at least twice, and make sure you understand all the requirements.
  • Take good notes and lots of screenshots.

I hope everyone who takes the exam will be successful. Good luck guys 🙏🏻
