eCTHPv2 Certification Experience

Hacktivities, published in InfoSec Write-ups, Mar 25, 2022

I recently took the Certified Threat Hunting Professional Version 2 (eCTHPv2) certification by eLearnSecurity and I decided to share my experience after passing the exam on my first attempt. For those who are not aware of the eCTHPv2, it is a practical certification on threat hunting and threat identification aimed at IT professionals. I have provided a link to the eLearnSecurity website below where you can learn more about the eCTHPv2 certification.

INE Training Material

The training material for the eCTHPv2 is provided by INE and was a mixture of videos, lecture slides and lab exercises (Premium Subscription required for labs). The training material focuses mostly on hunting in Windows OS environments but I found the training material and lab exercises were solid, with only some minor issues around outdated links. The lab exercises were the most valuable part of the training for me and helped me to get more familiar with the tools throughout the course.

The training material is broken out across three modules:

  • Introduction to Threat Hunting
  • Threat Hunting: Hunting the Network & Network Analysis
  • Threat Hunting: Hunting the Endpoint & Endpoint Analysis

Introduction to Threat Hunting

This module provides a brief overview of what threat hunting is and introduces students to different threat hunting terminology used in the industry. The module also covers the hunter’s mindset, outlining how threat hunting exercises can be conducted and whether a hunter’s mindset will lean towards threat intelligence or DFIR.

Threat Hunting: Hunting the Network & Network Analysis

The next module in the course teaches students the fundamentals of networking and network traffic analysis. The module steps through the process of using tools such as NetworkMiner and Wireshark to recognize normal or malicious network traffic. The module also teaches students how to perform threat hunts for web shells.

Threat Hunting: Hunting the Endpoint & Endpoint Analysis

This is the largest of the three modules and forms the backbone of the course. Students are introduced to the Windows OS and learn how to identify normal or malicious activity on a Windows endpoint. The module teaches students how malware operates, how to detect malware in memory using Volatility, and how to leverage ELK/Splunk SIEMs to hunt for malicious activity on an endpoint.

Additional Resources

I found the INE training material and lab exercises covered everything I needed to know to prepare for the exam. However, I found the following resources were useful for practicing with the tools and concepts covered in the course.

CyberDefenders is a training platform focused on the defensive side of cybersecurity. I found this was a great resource to practice malicious network traffic analysis, memory analysis, malware analysis, etc.

Blue Team Labs Online (BTLO) is a platform released by SBT for defenders to practice their skills in security investigations and challenges covering phishing, incident response, digital forensics, security operations, reverse engineering, and threat hunting. There are free and paid tiers available.

TryHackMe is a cybersecurity training platform that provides rooms which cover tools (e.g. Splunk, Autopsy, Wireshark, Volatility, Yara), forensics challenges and entire learning paths geared towards cyber defense. This platform also has free and paid tiers available.

My Exam Experience

After completing the INE training, I purchased my eCTHPv2 exam voucher. Once I started the exam, I was provided the scope of engagement via email, which outlined the report requirements and contained everything I needed to know to take the exam.

For the exam, I was provided with a series of realistic threat hunting scenarios that I needed to investigate using the tools and techniques demonstrated throughout the INE training material. The duration of the exam is four days in total. Students have access to the exam lab environment, where they can perform their investigation. After two days from starting your exam, you will lose access to the exam lab environment and will have two more days to complete and submit the exam report.

I found the exam to be challenging but not overwhelming. I think two days of access to the exam lab environment was enough time to perform all the necessary activities and my connection to the lab environment was stable. I spent the full two days working through the exam lab environment and documented everything I needed to complete the report, taking breaks for meals and sleep.

I spent the following two days completing the exam report based on the template provided in the scope of engagement. Once I was satisfied that my report was ready, I uploaded it and an email was delivered to me confirming that it had been received. Exam report grading takes around 30 business days and after 21 business days, I received an email about a shiny new certificate waiting for me in the members area 😄!

eCTHPv2 Exam Advice

For anyone who might be preparing for the eCTHPv2 exam, I have outlined some advice below that may be helpful.

Training Material

  • Take notes while working through the training material, especially in the labs, that you can quickly refer back to during the exam.
  • Complete each of the lab exercises at least once and understand the concepts being demonstrated.
  • I found the CyberDefenders training platform was an excellent resource for practicing the tools and concepts presented in the course.
  • Knowledge around identifying pentesting activities or malware behavior is important. I found the Splunk/ELK SIEM labs were very important for learning how to hunt for malicious activities, so spend some additional time going through them and understand the concepts being shown.

Sitting the Exam

  • Read the letter of engagement carefully and pay attention to the instructions being delivered in the letter.
  • Before I started working through the exam, I looked through each of the threat hunting scenarios and made sure I understood what was being asked.
  • Record each step you take during the exam and take plenty of screenshots that you can use later when completing your report.
  • Be patient and take your time. There are no extra points for completing the exam quickly, so take advantage of the four days and be thorough in your threat hunting investigation.

Final Thoughts

Overall, I had a lot of fun taking the eCTHPv2 exam, and I would recommend that anyone looking for a place to start in threat hunting give the eLearnSecurity Certified Threat Hunting Professional (eCTHPv2) a try. I found the content of the course was delivered well by INE, and the labs were especially good for getting hands-on with the tools and techniques demonstrated in the training material. Thank you for reading till the end and best of luck in your exams!
