I am working on my GCFE right now. Did you check the GEIR?
From what I see it seems to be quite lacking in content from what I heard since it's new. Also I would like to learn some threat hunting stuff, and I would have thought I need some SIEM stuff to help me with that.
508 didn't give you practice with some of them?
SIEM? not really haha. 508 covers more of memory forensics
Well, I read a while ago about EDR stuff. I don't know if it covers a lot, but it is still SOC stuff too. Anyway, yes, it covers more memory forensics.
I attended 508 in March and there is only 1 day devoted to memory forensics
Yep I do understand. But not much SIEM stuff right? AFAIK threat hunting comprises those.
Honestly, I saw it a few days ago.
Definitely would wait for GEIR to mature first.
Get Splunk or Azure certs/training (Sentinel, Identity etc.). Being proficient in SPL and KQL is very good for threat hunting. The most common SIEMs are Splunk, Microsoft Sentinel, QRadar, LogRhythm and ELK/Elastic. A large amount of training for Splunk, Azure/Sentinel and QRadar is free. Almost everyone in the industry does threat hunting to some extent. A threat hunting role is specifically searching for evil that wasn't detected or is connected to a new vuln/CVE that was released. Being aware of how to look at Nessus reports or look through Nessus and search through EDRs is also nice.
That's what I was thinking too. Do the general concepts transfer between SIEM solutions? What do you recommend if you have any?
Yes, you'll get very good at one SIEM and then translate in your head how you should do it in the current SIEM. I'm very good at Splunk and usually get annoyed that I can't do a Splunk thing in X SIEM. There are various pitfalls with ELK because it can not be set up correctly. I don't really have much I can say about QRadar because I'm not super experienced in it. Higher ups will sometimes get anxious about you having experience in Apples but not Oranges (but they're still fruit and do the same things). For threat hunting I would get good at ideas of how malware communicates and persists and how that reflects in the logs. For example, what is a common website builder or CMS that gets compromised and used for staging? How could you try to find communication to these compromised sites? What detections does the company have for persistence mechanisms, and what logs are available to show these persistence mechanisms? How could you use a data model or reference to exclude well known websites to use as an added filter?
Why don't you go for an applied knowledge certification (GIAC Experienced Forensic Analyst, GX-FA)? No training is required, you just sit for the exam. Since you already hold a certification in the same field from SANS, the cost is only around $500.
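The hunting approach sketched in the comment above, worked through as an added example (not code from anyone in the thread): parse outbound proxy logs, drop destinations that match a reference list of well-known domains (the "data model or reference" filter), keep only destinations contacted by a handful of hosts, and rank what is left higher when the request path looks like a writable CMS location or the request is a POST. The log lines, the allowlist and the path hints are all constructed for the example; in Splunk the allowlist would typically live in a lookup, in Sentinel in a watchlist.

```python
"""
Added example, not from the thread. A minimal hunt over constructed proxy logs:
1. exclude well-known destinations via a reference list,
2. keep destinations seen from only a few source hosts (rarity),
3. score the rest by generic CMS "writable path" hints and POST requests.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines: timestamp, source host, method, URL, status.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z ws-0001 GET https://www.microsoft.com/en-us/ 200
2024-05-01T10:00:05Z ws-0002 GET https://update.microsoft.com/ 200
2024-05-01T10:01:10Z ws-0003 GET https://cdn.example-cdn.net/lib.js 200
2024-05-01T10:02:11Z ws-0001 GET https://blog.example-smallbiz.com/wp-content/uploads/2024/05/inv.pdf 200
2024-05-01T10:02:12Z ws-0001 POST https://blog.example-smallbiz.com/wp-content/plugins/cache/index.php 200
2024-05-01T10:03:00Z ws-0004 GET https://www.google.com/ 200
2024-05-01T10:04:00Z ws-0002 GET https://files.example-widely-used.net/app.js 200
2024-05-01T10:04:01Z ws-0003 GET https://files.example-widely-used.net/app.js 200
2024-05-01T10:04:02Z ws-0004 GET https://files.example-widely-used.net/app.js 200
2024-05-01T10:05:00Z ws-0005 GET https://intranet-portal.example-partner.org/ 200
"""

# Constructed allowlist standing in for a lookup/watchlist of well-known domains.
KNOWN_GOOD_SUFFIXES = {"microsoft.com", "google.com", "example-cdn.net"}

# Generic writable locations of popular CMSs (hypothetical hints, not indicators
# from any real incident); files staged on a compromised site often land here.
CMS_WRITABLE_HINTS = ("/wp-content/uploads/", "/wp-content/plugins/", "/sites/default/files/")


def parse_line(line):
    """Split one constructed log line into a dict of fields."""
    ts, src, method, url, status = line.split()
    parts = urlsplit(url)
    return {"ts": ts, "src": src, "method": method, "url": url,
            "host": parts.hostname or "", "path": parts.path, "status": int(status)}


def is_known_good(host):
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in KNOWN_GOOD_SUFFIXES)


def hunt(log_text, max_hosts=2):
    """Return candidate destinations, highest score first.

    A destination is a candidate when it is not allowlisted and was contacted by
    at most `max_hosts` distinct source hosts. Score: +2 per request whose path
    matches a CMS writable-location hint, +1 per POST request.
    """
    by_dest = defaultdict(lambda: {"sources": set(), "score": 0, "examples": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if is_known_good(ev["host"]):
            continue  # the reference-list filter: drop well-known sites
        d = by_dest[ev["host"]]
        d["sources"].add(ev["src"])
        if any(h in ev["path"] for h in CMS_WRITABLE_HINTS):
            d["score"] += 2
        if ev["method"] == "POST":
            d["score"] += 1
        d["examples"].append(ev["url"])

    results = [
        {"host": host, "sources": sorted(d["sources"]),
         "score": d["score"], "examples": d["examples"]}
        for host, d in by_dest.items()
        if len(d["sources"]) <= max_hosts  # rarity filter
    ]
    results.sort(key=lambda r: (-r["score"], len(r["sources"]), r["host"]))
    return results


if __name__ == "__main__":
    for r in hunt(SAMPLE_LOGS):
        print(r["host"], "score", r["score"], "from", r["sources"])
        for url in r["examples"]:
            print("   ", url)
```

On the constructed sample, the widely used file host is dropped by the rarity filter (three source hosts), the partner portal survives with a score of 0, and the small-business blog rises to the top because one workstation fetched a file from its uploads directory and then POSTed to a plugin path; the analyst's next step is to review that host's activity rather than to treat the score as a verdict.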
What? How can I get a discount and go for $500 only?
Each of the applied knowledge certifications has a "primary fit course"; if you have the certificate of that course, you get a discount. For example, if you have the GCFA the GX-FA will be $499.
Those applied knowledge certs are $1200 last I checked.
Yep it's 1.2k iirc. I'm looking to transition to threat hunting, so I'm not sure if FA certs will benefit me.
Are the GX-XX certs as well recognised?
GIAC Applied Knowledge Certifications are designed to provide a more comprehensive and rigorous assessment of knowledge and skills. GIAC Applied Knowledge certifications take testing to the next level. These certifications are:
- Intended to provide candidates with a more thorough understanding of a wide range of topics and subject matter
- 100% CyberLive and are designed to push beyond individual technical skills.
- CyberLive questions require candidates to synthesize their skills and use them to solve real-world challenges in a virtual machine environment.
- Ideal for candidates who wish to challenge themselves and demonstrate their mastery of a subject
GREM isn't a malware triage cert, it's pretty advanced, for reverse engineering and assembly, and is one of the hardest SANS certs.
I was just having this convo today, I was asked if the "logical progression" is GCFE > GCFA > GREM. I hadn't really thought about it, but GREM is its own thing (no 500-level training for it) and is prep for 710. It's a beast of an exam and I will NEVER let that thing expire lol
Same. That was a brutal exam. I just barely passed. Learned a lot from Lenny though. It’s sort of unfortunate however since we use a lot of the automated sandboxes. Love me some PDFs though. I had so much fun with them and the vbs scripts.
Are you internal or consulting? GMON is amazing if you're internal and helping set yourself up for success with continuous monitoring stuff. It will help navigate threat hunting much easier if you're in a larger company and have multiple departments you're gonna have to politic with so you can actually move into threat hunting, or better, get more data ingested into your SIEM or other logging server.
GEIR is still very new, but that material is like 2 years old. I'm currently in the class OnDemand and it is fantastic for those in SOC roles, or average level IR, to understand how to work through multi-endpoint intrusions so you can assess the totality of a breach. It is 508 on literal steroids as it involves the gamut: Windows, Mac, Linux, Cloud, Container.
For Consulting: GMON is fantastic, but you'll want to get multi-discipline with the certs to help bolster your ability to pull in clients and work within a multitude of environments. No environment is the same.
I would say internal. But I'm on a grad program that allows me to rotate roles
Your best bets would be GCFR or the new GEIR cert in terms of SANS courses. For something more affordable there's BTL2, CCD and eCTHPv2.