Jan 24, 2025
A Student Mentor’s TH-200 and OSTH Learning Experience
Explore the TH-200 course & OSTH exam with an OffSec Mentor’s insights on mastering threat hunting skills.
TH-200 is OffSec's threat hunting course; its certification is OSTH, following the same naming convention as other OffSec exams. An OffSec Student Mentor shares their experience with the TH-200 course and the OSTH exam.
Over the past few months, including the period of its release, I have been actively studying the TH-200 materials and preparing for the upcoming OSTH exam. For those unfamiliar, the process of engaging with a course as a Student Mentor is the same as for any other student. We thoroughly review the material, complete the exercises, and then take the exam under proctored conditions, following the same standards as all other students.
This course provides an in-depth exploration of core threat hunting principles, focusing on methodologies employed by enterprises to identify and counter adversarial activities. It emphasizes analyzing the evolving threat landscape, with particular attention to ransomware and Advanced Persistent Threats (APTs), while teaching the effective use of network and endpoint Indicators of Compromise (IoCs) to detect and prevent potential threats proactively.
Although there are no formal prerequisites, it is highly recommended that you have:
– A solid understanding of TCP/IP networking
– Familiarity with both Linux and Windows operating systems
– A basic knowledge of cybersecurity principles and concepts
– A foundational knowledge of SIEM (e.g. Splunk) and its components.
This is the bare minimum; without it, you’ll probably have a much harder time with the materials than necessary.
The most important thing to bring is a willingness to learn and put in the time to understand the ideas and topics presented.
I want to preface the rest of this discussion by stating that this course is heavily based on reviewing logs, so the more proficient you are at that, the easier it will be.
Coming from an IT and security background, I wasn’t sure about the proper difference between SOC, TH, and IR. I considered them the same, with a dedicated person performing the duties for all of them. That can be true for small organizations with a limited budget, but they are all distinct yet interrelated aspects of Blue Team cybersecurity.
All of this is to say that I knew pretty much nothing about TH beyond the basic usage of Splunk.
Prior to jumping into this course, I had just finished WEB-200 and passed my OSWA certification, and after that my initial plan was to work through SOC-200 next. We had a new course in the works, though, and topics were being completed and needed to be reviewed.
It sounded just as interesting as SOC-200 at the time, so I decided to volunteer to take the dive into this uncharted territory: a new course on a subject that I knew very little about.
Everyone approaches course material differently, but I prefer starting from the beginning, following the course sequentially, and solving exercises along the way. This method helps me grasp the core concepts thoroughly. The course itself adopts a comprehensive, ground-up approach to explaining everything.
It begins with foundational concepts of Threat Hunting for Enterprises, including structured and unstructured hunting methodologies. It then transitions into the threat hunting landscape, featuring case studies on ransomware and insights into Advanced Persistent Threat (APT) groups.
Next, it delves into hunting communication and reporting, a critical skill for effectively collaborating with different departments or organizations. The course also covers hunting with network and endpoint data, a section I particularly enjoyed for its depth and focus on practical applications.
One of the standout modules for me was Threat Hunting Without IoCs, which dives deeper into methodologies inspired by CrowdStrike’s expertise. This module provided fascinating insights and advanced techniques that made the learning experience even more rewarding.
At the time of writing this blog, the course includes a challenge lab that provides a practical implementation of the topics covered. I strongly recommend dedicating ample time to this lab to gain familiarity with the Splunk tool and effectively identify artifacts to solve the questions. It offers an excellent opportunity to apply the concepts in a real-world context.
**To summarize:** This course was concise, well-structured, and highly focused. I dedicated approximately 22 hours to covering the course topics and completing the challenge lab. Additionally, I spent 12 hours revisiting the challenge lab multiple times to reinforce my understanding of the concepts and gain proficiency in reading logs within Splunk. Altogether, I invested around 34 hours in the course material before attempting the exam.
As mentioned earlier, I focused entirely on the modules and challenge labs to prepare for the exam. I didn’t have any prior experience with tools like Splunk or CrowdStrike, but I must say that while prior knowledge of these tools is not expected, it can be incredibly beneficial.
One of the best ways to prepare is to follow the course structure closely and take detailed notes on anything you find important. These notes will serve as a quick reference to refresh your knowledge and can be invaluable as you practice. Along the way, make sure to revisit your notes and apply the concepts through exercises to solidify your understanding.
The reason for emphasizing note-taking is that during the exam, with its limited time frame, these notes can be incredibly helpful and save valuable time if you forget a concept or query structure.
Once you’ve completed the modules, dedicate significant time to the challenge lab. Even though the challenge consists of only seven questions, your learning doesn’t stop there. Spend extra time analyzing the network activity and understanding what happened. For me, this meant gathering as many logs as possible, organizing them sequentially, and summarizing the events to piece together a clear narrative of what occurred on the network. This approach greatly helped me during the exam.
Although CrowdStrike is not part of the exam at the time of writing this blog, learning to correlate data from different tools and logs to identify patterns and detect anomalies is highly beneficial. This investigative process closely mirrors real-world scenarios and helps develop the analytical skills necessary for success. Lastly, remember to stay patient and persistent—take the time to understand the “why” behind each event, as this deeper insight will prove invaluable during the test.
For the exam, we also follow the same structure as other learners:
– The exam is 8 hours long, with an additional 24 hours to submit the exam report.
– The exam has a maximum of 70 points and requires 50 points to pass.
– Similar to the challenge machine, the exam also consists of 7 questions, each worth 10 points.
– You can use a universal VPN, KiB, or WiB to connect to the exam machines including Splunk and Dev.
– You will be provided with a breached network topology and the Sysmon configuration applied to all machines.
– A threat intelligence report will also be available, containing general information, tools used, and IOCs associated with the APT group.
I began my exam at 7:00 GMT on 12th October and managed to complete all the questions within the allotted time, even while taking short breaks to refresh my mind. Analyzing logs within a limited timeframe can be overwhelming, so these breaks helped me stay focused and maintain clarity.
My initial approach was to utilize the sample threat report to hunt for artifacts. This not only allowed me to trace the attacker’s activities but also helped me address the questions as I progressed through the exam.
To stay organized, I created a document to compile all critical information from my queries, including timestamps. This approach ensured that I could easily revisit and correlate activities when needed. It proved invaluable, both during the exam and later for writing the report as well.
Overall, the exam tested not just technical knowledge but also the ability to think critically and manage time effectively. For example, the attacker might have conducted additional activities after a particular event, even if there is a time gap before the next logged activity. This gap could be an intentional effort to remain stealthy, avoiding detection by spreading actions over time. Alternatively, the attacker could have been performing other actions on the same machine, such as data exfiltration, privilege escalation, or reconnaissance, or shifted focus to another machine in the network to expand their foothold or execute lateral movement. The exam reinforced the importance of staying methodical and adaptable, skills that are crucial not only for the exam but also in real-world incident investigations.
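The log-gathering and timeline approach described above (ordering events chronologically, summarizing them into a narrative, and treating gaps between logged activities as something to investigate), as an added Python example that is not from the post or from OffSec. The Sysmon-style log lines are constructed sample data, not exam or course data; the 30-minute gap threshold is an arbitrary assumption for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Constructed, Sysmon-style log lines (made-up sample data for this example,
# not taken from the course, the exam or the post). Deliberately not in order.
SAMPLE_LOGS = """\
2024-10-12T07:06:03Z host=DC01 EventID=1 Image=C:\\Windows\\System32\\cmd.exe User=CORP\\alice
2024-10-12T07:05:10Z host=WS01 EventID=1 Image=C:\\Windows\\System32\\cmd.exe User=CORP\\alice
2024-10-12T07:05:42Z host=WS01 EventID=3 Image=C:\\Windows\\System32\\cmd.exe DestinationIp=10.0.0.5
2024-10-12T09:40:00Z host=WS01 EventID=11 Image=C:\\Users\\alice\\tool.exe TargetFilename=C:\\Users\\alice\\out.zip
"""

def parse_events(text):
    """Parse 'timestamp key=value ...' lines into (datetime, fields), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_raw, _, rest = line.partition(" ")
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
        # Values in the sample contain no spaces; a real parser would handle quoting.
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((ts, fields))
    return sorted(events, key=lambda e: e[0])

def find_gaps(events, threshold=timedelta(minutes=30)):
    """Return (host, last_event, next_event) for every per-host silence >= threshold.

    A gap is a prompt to ask what else happened: activity on another host, or
    actions on this host that the applied Sysmon configuration did not log.
    """
    gaps, last_seen = [], {}
    for ts, f in events:
        host = f["host"]
        prev = last_seen.get(host)
        if prev is not None and ts - prev >= threshold:
            gaps.append((host, prev, ts))
        last_seen[host] = ts
    return gaps

def narrative(events, threshold=timedelta(minutes=30)):
    """One summary line per event, with a GAP marker where a host went quiet."""
    gap_ends = {(h, end) for h, _, end in find_gaps(events, threshold)}
    lines = []
    for ts, f in events:
        host = f["host"]
        if (host, ts) in gap_ends:
            lines.append(f"{ts:%H:%M:%S} {host} --- GAP before this event: check other hosts ---")
        detail = f.get("DestinationIp") or f.get("TargetFilename") or f.get("User", "")
        lines.append(f"{ts:%H:%M:%S} {host} EID{f['EventID']} {f['Image']} {detail}")
    return lines

if __name__ == "__main__":
    print("\n".join(narrative(parse_events(SAMPLE_LOGS))))
```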
**Important note:**
Make sure to use the Dev machine with the correct artifact when answering a question in MD5 hash format. Comparing the generated hash with the provided hashes will confirm the format is correct, and one of the hashes will contain the correct answer.
I completed my exam ahead of the allotted time and decided to take a short break to recharge before promptly starting work on the report. As mentioned earlier, there are an additional 24 hours provided for writing and submitting the report, which I found to be a very generous allowance. It gave me ample time to take a break after the exam and approach the report with a fresh perspective. I managed to complete and submit it ahead of the deadline. Once submitted, I began the wait for my results, which are typically delivered within 10 business days. However, efforts are often made to expedite the process, and results are usually received much sooner. I still remember the excitement of receiving the email with my passing result; it was a truly unforgettable moment.
I thoroughly enjoyed this course. I love the excitement of diving into subjects that are completely new to me, and this experience was no exception. The course was thoughtfully structured, making it easy to understand each topic without requiring extensive prior knowledge.
Overall, this course exceeded my expectations, and I’m looking forward to exploring similar advanced topics. The knowledge and skills I gained here have significantly boosted my confidence and curiosity to learn more.
I’m truly glad I chose this course, as it has taught me valuable, industry-relevant techniques. Splunk and CrowdStrike serve as the core pillars of the course and are also industry standards. I would like to thank the content team for their excellent work in designing both the course and the exam.
P4n7h3r