How to prepare for the eCIR exam

Alex John
5 min read · Oct 23, 2020

So, if you are here, you are either planning to purchase the IHRP course or just about ready to attempt the exam. Before my exam, I had searched for IHRP course reviews, and this review helped me out a lot. If you’ve bought the course or if you’re planning to attempt the exam, I highly recommend checking out his review. I won’t talk about the course as such, but I’ll focus on how to prepare for the exam.

whoami

I’m a Senior Analyst for an MSSP. I don’t have any Incident Handling/Response experience, which would likely explain my interesting experience with the IHRP course. I’ve played around with HackTheBox, and I have participated in Blue Team CTFs, specifically SANS HolidayHack and Recon InfoSec’s OpenSOC CTF events. I love the OpenSOC event, and I’m planning to take their NDR Core course in the near future, as I’ve only heard awesome things about it. From their website:

Fighter Pilots Need Simulators. So Do Security Operations Teams.

After coming in around 60ish out of approx. one thousand players during their Black Hat CTF event, I was pretty confident about the eCIR exam. What I hadn’t realised was that CTFs are primarily about flags, and the challenges/questions themselves act as clues as to what to look for and where. That wasn’t the case here, and failing to realise that beforehand was a mistake.

Exam format

The exam has two scenarios, with the dataset for the first scenario available on a Splunk instance and the second one on ELK. There’s also a packet capture provided, which should be investigated and correlated with the logs available on the SIEM. And yes, you can simply replay the packet capture and look at the triggered IDS signatures, but I highly recommend that you manually analyse the capture with Wireshark. You’ll have access to the exam lab for 48 hours, during which you should carry out your IR activities, after which the lab expires. You’ll then have 48 hours to detail your IR activities and provide evidence of your findings. Ensure that you clearly document what you find, with both screenshots of the relevant logs and a detailed description of what each finding is and which critical phase of the attack lifecycle it maps to. I had mapped a few of the events to MITRE ATT&CK techniques, as this helps you answer the ‘why’ of a specific activity.

Once you submit the report, you might have to wait up to 4 weeks to get the result which is just horrible & downright cruel. So get your anxiety prescriptions refilled if you need to.

How to prepare for the exam

Thoroughly understand the course materials. Well, duh.

BOTS dataset. You need to spend a reasonable amount of time with the BOTS v2 dataset. Use this app, which acts as a guide to help you through your investigation. It also teaches you some great threat hunting techniques.

Get comfortable with SPL & Lucene. In case you don’t use Splunk or ELK on a regular basis, you are going to have a hard time during the exam. You might know what to look for, but without knowing how to query for that particular event, you are not going to find what you are looking for. So, do the Splunk Fundamentals 1 course, which is available for free on Splunk.com.

MITRE is your friend. When you do the Splunk lab or the BOTS v2 investigation, try to map out what you find to a MITRE technique. I also recommend that you check out the MITRE Cyber Analytics Repository (CAR) here. What I love about MITRE CAR is that it has a list of analytics based on the ATT&CK model. For instance, the CAR-2014-04-003 analytic details a detection technique that can be used to hunt for malicious PowerShell activity. Yes, sometimes it even has an actual SPL query or pseudocode which can be used to hunt for a particular event, as shown below.

https://car.mitre.org/analytics/CAR-2014-04-003/

To get familiar with these, go check out this micro-course from AttackIQ on Operationalizing MITRE ATT&CK. I took the course, and I refer to my cliff notes of it on occasion.

Sigma rules. If you have worked with SIEMs, then you might already be familiar with Sigma rules. Sigma rules are a generic query format for SIEMs. Review the Sigma rules available on their GitHub page. For instance, if you want to hunt for a PowerShell process that opens a network connection, there’s a corresponding Sigma rule for that here. How would you convert that to, say, a Splunk or Lucene query? Use Uncoder! I love Uncoder, and I use it for my work as well. You simply paste a Sigma rule and select which language you want it converted into, although you might have to correct the names of the different fields. Yep, it’s that easy! Who said threat hunting has to be hard, eh?

Uncoder in action

Learn to extract files from PCAP. There’s an easy-to-follow guide on how to do this with Wireshark and NetworkMiner here.

SPL queries & cheat sheets. Finally, I also recommend translating the detection techniques you’ve learned into SPL queries. It’ll save you a lot of time during the exam. For instance, here’s a query I had saved to hunt for suspicious LOLBin activity.

SPL query to detect LOLBin abuse

That’s pretty much it. If you have thoroughly reviewed the IHRP course materials and follow the guidelines detailed here, there’s a pretty good chance of passing the exam. Good luck folks.


Blue teamer, recovering automation junkie, aviation enthusiast & aspiring coffee sommelier.