By Ahala

About Course

Objectives:

  • Enable proactive detection and investigation of threats.
  • Develop hypothesis-driven analysis skills.
  • Conduct simulated attacks to test defenses.

Curriculum:

  • Fundamentals of Threat Hunting
  • Data Collection & Telemetry Analysis
  • Using MITRE ATT&CK Framework
  • Behavior-based Detection Techniques
  • Threat Hunting Tools & Platforms
  • Planning & Executing Attack Campaigns
  • Detecting & Responding to Attacks
  • Continuous Improvement & False Positive Reduction

12-Week Threat Hunting & Attack Simulations Curriculum

Week 1: Introduction to Threat Hunting

The course kicks off with an overview of threat hunting fundamentals, distinguishing proactive hunting from reactive incident response. Participants will learn the importance of hypothesis-driven investigation, understanding threat landscapes, and integrating threat intelligence into hunting strategies. The session emphasizes mindset shifts needed for proactive defense.

Week 2: Data Collection & Telemetry Analysis

Learners will explore the types of telemetry data essential for threat hunting, including network logs, endpoint data, DNS records, and user activity logs. Techniques for collecting, normalizing, and analyzing this data will be demonstrated, with hands-on exercises in querying and visualizing data using platforms like Kibana.

Week 3: Using MITRE ATT&CK Framework

Participants will learn to leverage the MITRE ATT&CK framework to map attacker TTPs to observed behaviors and develop hypotheses. They will practice applying the framework to categorize and analyze suspicious activities and understand attack patterns frequently encountered in real-world scenarios.

Week 4: Behavior-based Detection Techniques

This week emphasizes understanding attacker behaviors and identifying anomalies instead of relying solely on signatures. Techniques include analyzing process behavior, file modifications, privilege escalations, and lateral movement. Labs will include developing behavioral detection rules and detecting unusual patterns.

Week 5: Threat Hunting Tools & Platforms

Participants will familiarize themselves with popular threat hunting tools such as Elastic Security, Kibana, Osquery, and Sigma rules. They’ll learn how to deploy, configure, and utilize these tools effectively for hunting activities. Labs will include writing custom queries and rules to identify malicious behaviors.

Week 6: Planning & Executing Attack Campaigns

This week guides learners through planning simulated attack campaigns, developing hypotheses based on intelligence, and executing these within controlled environments to test defenses. They will learn attack lifecycle stages, infrastructure planning, and simulating attack vectors.

Week 7: Detecting & Responding to Attacks

Participants will practice identifying ongoing attacks through hunting methods, analyzing indicators, and deploying detection rules. They will simulate responding to detected threats, containing malicious activities, and escalating findings appropriately.

Week 8: Continuous Improvement & Reducing False Positives

This session focuses on refining hunting processes based on previous findings, tuning rules, and reducing false positives. Participants will review detection efficacy, incorporate lessons learned, and optimize workflows to improve accuracy and efficiency.

Week 9: Attack Simulation Exercises

Using tools like Atomic Red Team, learners will execute predefined attack simulations to test organizational defenses. These controlled exercises will mimic real attack techniques, allowing students to observe detection gaps and response procedures in a safe environment.

Week 10: Threat Hunting Exercises

Building on previous weeks, students will conduct comprehensive threat hunts based on hypothetical threat scenarios. They will analyze data, generate hypotheses, investigate anomalies, and document findings, enhancing their proactive detection skills.

Week 11: Incident Response Tabletop & Debrief

This week involves tabletop exercises where teams respond to simulated threats uncovered during hunting activities. Students will simulate incident handling, coordination, and decision-making, emphasizing communication, documentation, and lessons learned.

Week 12: Capstone Project & Final Review

The program concludes with a capstone project: designing and executing a full threat hunt and attack simulation based on a fictional scenario, then creating detailed reports of findings and recommended actions. Final review, mock scenarios, and Q&A sessions will prepare learners for real-world threat detection roles and certifications.

Labs/Tools/Simulations:

  • Elastic Security & Kibana
  • Osquery & Sigma rules
  • Attack simulation with Atomic Red Team
  • Threat hunting exercises
  • Incident response tabletop scenarios

Internships & Projects:

  • Developing threat hunting hypotheses
  • Detecting simulated attacks
  • Hunting engagements on real environments

Certifications:

  • Certified Threat Hunter (CTH)
  • GIAC Cyber Threat Intelligence (GCTI)

Job Readiness Program:

  • Practical exercises in detection
  • Resume and interview practices
  • Industry case study discussions
