I recently completed my eLearnSecurity Certified Threat Hunting Professional Certification (eCTHPv2). While I was preparing for the exam, I realized not many resources were available on the Internet regarding the content or about the exam. Hence, in this post, I will do an eCTHPv2 certification review and discuss how to prepare for the eCTHPv2 Certification. I hope this review will help everyone who is planning or preparing for the Certification.
Table of Contents
Introduction on eCTHPv2
Earlier in 2022, I was looking for a good threat-hunting certification that would help me improve my analytical and technical skills, and that’s when I came across the eLearnSecurity Certified Threat Hunting Professional Certification.
INE categorizes this as an expert-level certification that sharpens your threat identification and hunting capabilities. What attracted me to this Certification is that the exam is purely practical and based on real-life threat-hunting scenarios rather than the traditional multiple-choice questions. This Certification prepares you to be an expert in multiple areas like IOC-based threat hunting, network traffic analysis, log analysis, memory forensics, etc.
How to Purchase Certification
There are two ways of purchasing eCTHPv2 Certification.
- Training By INE
The first method is by purchasing a subscription by INE and then taking the threat-hunting professional learning path (course material). INE subscription can be taken monthly or annually. However, the annual premium plan is recommended as it covers access to the entire course library, hands-on labs, 50% off on the first eLearn security certification, and multiple other offers as well. This plan is currently sold for $749 annually, but occasionally they come up with really good offers during the festive season, such as Halloween, Black Friday sale, etc. I purchased the subscription during the Easter sales, where I got the annual premium membership for $499, which also included a free certification under a 50% off coupon that can be used for any eLearn security certification.
You can check out an INE subscription via this link
- Direct Purchase from eLearn Security
The second method is by purchasing the certificate directly from eLearn security. This method is only for people who are really confident in their threat-hunting skills and doesn’t require any extra training. This method is not recommended by eLearn security.
You can check out the certificate via this link.
Topics Covered in eCTHPv2 Certification
We read about how to purchase the Certification, and now let’s look into all the topics covered in the eLearn securities certified threat hunting professional course by INE. The entire course structure AKA learning part, is primarily divided into three sections which are:
- Introduction to threat hunting
- Threat hunting on the network and network analysis
- Threat hunting on endpoints.
Introduction to threat hunting: this module brushes up on the basic concepts of threat intelligence, threat hunting, hunting terminologies, basic cybersecurity frameworks, etc. From the first module itself, the course gives you a threat-hunter mindset. This module covers creating and analyzing IOCs, MITRE framework, and TTP.
Threat hunting on the network and network analysis: this module covers the TCP/IP stack and prepares a threat hunter to identify suspicious network traffic patterns from normal traffic. In addition to this, web shell hunting within the network is also covered. We also learn the use of multiple network analysis tools such as network miner, Wireshark, redline, etc., and tools like Loki and Neopi for web shell hunting.
Threat hunting on endpoints: this module is the largest and covers up to 70% of the entire course. We will be introduced to Windows operating system, and we’ll learn how to detect potentially malicious activities which are hidden in plain sight. It also covers techniques to identify malicious behavioral patterns on the endpoint and various detection techniques.
We also learn about multiple SIEM tools such as Splunk, ELK, etc. the course also explains how to hunt for advisories using SIEM. Another topic covered in this module is malware analysis, where malware classifications and different malware evasion techniques are discussed. The tool volatility is introduced for malware analysis using memory forensics.
Labs: The labs provide a practical and in-depth understanding of tools and concepts. Every module has labs that cover the tools and concepts covered in that particular module. The Labs were initially VPN based, but now most of them are browser-based, which is more convenient for the user. I personally found some of the labs a bit confusing initially, as the solution itself tells you that the provided evidences are not enough to prove the objective, but that’s how real-life hunting works!
About the Exam
While I was preparing for the exam, I didn’t know anyone personally who had written this exam. Hence as anyone in that situation will do, I checked on multiple reviews and connected with multiple people who have completed this exam over LinkedIn. I received mixed feedback on the exam. Some commented the exam was very challenging, while others said it was easy to crack.
The eCTHPv2 exam is of four days, out of which the first two days are for the practical exam and the next two days are for creating the report. We will Lose lab access after the first 48 hours, so make sure to do your research, find answers, and collect evidence during this time. We can decide the time of the exam at our convenience. There will not be any proctor for the examination, so you can make yourself comfortable while giving the exam.
One of the best parts about this Certification is that eLearn security provides one free retake if you can’t crack your exam in one go but make sure you submit the report of your first attempt with whatever evidence you have captured.
One key point to mention here is always to collect screenshots and evidence while you are at it, do not keep it for the last. Always collect extra screenshots, as it might be useful while giving your report. An additional tip is to categorize your evidence during the time of collecting, or else everything will get mixed up and create confusion. You can use different tools for capturing and highlighting the screenshot, I used the tool ‘Greenshot‘ for my examination.
About the report, make sure to follow the format as provided in the letter of engagement, make sure that all the evidence collected is presented in order, and must be readable for the examiner. Present your report from a threat hunter point of view.
I consider this exam moderately tough or challenging, but if we go through the course material thoroughly, we can crack the exam in a single go. Now do not let this comment confuse you. While I was preparing, it gave me the wrong idea that the questions in the exam would have direct context related to the labs provided, but that’s not the case. The exam will give you real-life scenarios for hunting, and you will have to research a lot on each question. I can say even though the questions are not direct, if you have prepared the labs well enough and learned all the techniques used in the course content, it will come in handy to you during the exam.
Tips To Clear eCTHPv2 Certification
Before you give your exam, make sure that:
- You have at least once covered the entire course material along with all the labs provided.
- Start a habit of preparing notes while you study. If you are a person who hand writes your notes, it’s high time to change that. Please prepare digital notes, which will be highly useful even after the examination. There are multiple platforms where you can write digital notes. I personally used OneNote for that. You can use anything as per your convenience.
- Make sure you have created a self-note with all the queries used in the labs separately, which will come in handy during the exam.
- Please go through all the external links provided during the entire course content, which will give you in-depth knowledge on the topic. This will also help you in the exam.
- You can also use other platforms like CyberDefenders, blue team labs challenge to make yourself more familiar with the tools used.
- Make sure to collect and arrange evidence on the go during the exam, do not wait till the last moment to do that.
- Last but not least, make sure you are good at researching things on google.
It was tough and challenging, but definitely worth it! I would seriously recommend this Certification to both red and blue teamers.
As a blue teamer, I can say that practical courses available for defensive security are much lesser compared to the offensive side. Also, It’s not easy to create a blue team environment at home. This course provided a lot of practical exposure. I can assure you that the Certification has given 100% justice to it, as mentioned.
The Exam results took around 30 days which was excruciating since there were no exact answers or a flag to the questions to be 100% sure. This is because, as previously mentioned, all questions were real-life threat-hunting scenarios.
From a return-on-investment point of view, it is not very famous like some of the offensive security certificates and may not give you that brand value, but the knowledge is totally worth it, and I got to play with a lot of interesting tools which I didn’t know existed before this course. This Certification definitely helped me improve in my day-to-day task as a cyber defender.
I hope this article gave you a good idea of how to prepare for the eCTHPv2 Certification exam. In case of any queries, please feel free to contact me over LinkedIn. (Note: Please do not ask me about sensitive details on the exam). After completing your eCTHPv2 Certification, you can start looking for your dream jobs at trusted professional job-hunting services like Jooble.
Thanks for reading my success story. I hope this post inspires those who want to take the eCTHPv2 Certification. Please share this post if you find it interesting and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.