5-Day Training Class:

Operationalizing the MITRE Att&ck framework for Security Operations, Threat Hunting and DFIR
with commercial and non-commercial products and tools from IBM, Recorded Future, Carbon Black, A10 Networks, Volatility and more . . .

This class is about Incident Response in a post-compromised environment.


If you give an attacker 100 days of time to move freely in your compromised environment, the evidence is fairly strong that you are pretty bad at Security Operations. On the contrary, if your Security Operations is constantly sending breach confirmations to the forensic team which turn out to be false positives, then again, the evidence is fairly strong that you are pretty bad at Security Operations. This is what is constantly happening in a lot of large organizations, banks and government institutions around the world.

In this class we will show you the major reasons why Security Operations is currently doing bad and what is required within Security Operations in order to produce high value results that can be consumed by a Threat Hunting and Forensic team. We will also focus on how to streamline security analysis, starting off with the initial triage within Security Operations to Threat Hunting to Forensics in case of an advanced targeted attack by quickly forming up a defense team that is able to collaborate directly from within IBM Resilient as the central hub for Incident Response.

The goal is to rapidly identify and respond to advanced adversaries that have gained a foothold in a compromised environment (post-compromise). The initial triage will be conducted by the Security Operations team (L1) which will hand-off valuable results to the Threat Hunting team (L2) which will in turn produce results that will be consumed by the DFIR team (L3) for a deep dive forensic analysis focusing on a few affected systems out of hundreds or thousands of systems.

By integrating Resilient with IBM QRadar, QRadar Network Insights and QRadar Advisor with Watson for detection, Carbon Black Response for Threat Hunting, a robust and actionable CTI from Recorded Future along with MITRE Att&ck for identifying the adversary's applied TTPs we will further demonstrate how the local relevance is expressed in STIX objects.

Integral parts of this class will be to demonstrate how security analysts will stay focused by using efficient playbooks as well as drastically reduce the time to respond by automation and orchestration techniques. The security analysts will be able to watch the movements of the intruder and limit their capabilities while the L2/L3 teams would be working on a strategy to completely remove the intruder's foothold (fully-fledged remediation, eradication and recovery) from the compromised environment.

This class includes a lot of hands-on labs that require to analyze and defend an organization's networked computer environment.

Training class dates:

11th-15th November 2019

13th-17th January 2020

Operationalizing the MITRE Att&ck framework for Security Operations, Threat Hunting and DFIR


  1. Current Security Operations and DFIR problems
    • Major Secops problems and the reasons we have found
    • Major DFIR problems and the reasons we have found
    • Intelligence based DFIR - Threat Hunting
  2. Solution draft - IBM Resilient as a central hub for Investigation and IR
    • Intro of the MITRE Att&ck framework
    • Overview of a robust and actionable Cyber Threat Intelligence
    • Intro of STIX
      1. STIX Domain Objects
      2. STIX Relationship Objects
    • STIX Patterning
    • TAXII
    • Other non-STIX formats
    • Cyber Observable Objects
    • Workflow and Playbook definition
  3. Core implementation in IBM Resilient SOAR
  4. Stage 1 Analysis - Security Operations (L1)
    • Integration with a robust and actionable CTI
    • Integration with IBM QRadar SIEM - Wincollect - Sysmon (endpoint sensing)
    • Integration with QRadar QNI (for creating flows)
    • Integration with A10 SSL interception proxy
  5. Stage 2 Analysis - Threat Hunting (L2)
    • Integration with CB Response EDR
  6. Stage 3 Analysis - DFIR (L3)
    • Integration with Volatility
    • Integration with other open source forensic tools like Plaso, Log2timeline, etc.
  7. Stage 1 Analysis details - Security Operations
    • Find CTI matched destination IPs and load corresponding CTI
    • Map out CTI to "MITRE Att&ck for Enterprise" matrix for identifying relevant TTPs
    • Populate incident data table with IOC and local relevance details
    • Verify CTI related entities
    • Create STIX bundles
    • Create and analyze STIX knowledge and relevance graphs
  8. Stage 2 Analysis details - Threat Hunting
    • Load the Att&ck Navigator and activate the noted Intrusion-Set name (Threat Actor) in order to see all the relevant TTPs.
    • Open the two file attachments regading the knowledge and the relevance graph in the STIX visualization tool in seperate browser tabs (file:///C:/cti-stix-visualization-master/index.html)
    • Work with the knowledge graph and gather as much knowledge as possible about the Threat Actor/Group, their motivations, their used TTPs, malware and tools.
    • Based on the MITRE Att&ck website learn more about the indentified TTP details.
    • Read analyst reports provided by the CTI and MITRE Att&ck.
    • Work with the relevance graph and understand the local findings, their context and based on the acquired knowledge try to identify suspicious relationships. Document suspicious source-destination relationships, domain names and hashes from the relevance graph.
    • Trigger the Artifact level action "CB RESPONSE: Threat Hunting" in order to populate the table TTP findings in the "MITRE TTP staging table" tab.
    • Switch to the Carbon Black Response UI and begin to search for corresponding processes to the findings under 6. E.g. work with a search filter "ipaddr: AND hostname:lenovo_an AND domain:rapidssl.com" AND alliance_score_attackframework:[1 TO *].
    • While conducting Threat Hunting as part of 8, follow the instructions specified in the individual TTP tasks.
    • Gather as much intelligence as possible by working through the MITRE TTP staging table.
    • When conducting the specific TTP analysis answer the key investigative questions provided in the TTP tasks. Please also answer the question "Which additional TTPs have been identified".
  9. Stage 3 Analysis details - deep dive forensic analysis
    • Trigger automated action for collecting specific TTP data from memory image
    • Load collected data in incident data table and update STIX relevance graph
    • Forensically analyse collected data
  10. Remediation and lesson learned
  11. Conclusion

Target audience

Cyber Security Practitioners, Security Analysts, Threat Hunters, Forensicators and Consultants.

Price in USD (VAT-free)

$ 2.300,00 (Regular price)

$ 989,00 (Discounted price for IBM employees and registered IBM Business Partners)


5 Days


Technical skills and a general understanding of Cyber Security. Basic programming or scripting knowledge is beneficial, but not necessarily required.

Read through the following three blog articles in order to prepare for this training class:




Signup for 5-Day Training Class