Sign up for our free Threat Hunting Summit June 17 Register Here

Threat Hunting on the Edge

Course Authored by .

Threat Hunting on the Edge

“Threat Hunting on the Edge” is an intensive, one-day technical course designed for network defenders, security analysts, and threat hunters who need to identify, detect, and investigate adversary activity at the network perimeter.

Course Length: 8 Hours

Includes a Certificate of Completion



Description

“Threat Hunting on the Edge” is an intensive, one-day technical course designed for network defenders, security analysts, and threat hunters who need to identify, detect, and investigate adversary activity at the network perimeter. Students will explore the unique challenges of monitoring Internet-facing infrastructure. This includes edge devices, DMZ systems, and ISP hand-off points, all through the lens of real-world attack scenarios.

Students will learn how to tune sensor deployments at the perimeter, interpret telemetry from edge devices under high-volume, encrypted, or evasive traffic conditions, and build hunt hypotheses grounded in adversary tradecraft. Concepts are reinforced through hands-on lab exercises derived from actual threat campaigns targeting perimeter infrastructure.

  • System Requirements - Option 1
    • Using the MetaCTF instance of the course’s VM (recommended if a local VM use is not possible and/or preferred).
    • A web browser and solid internet connection.
    • MetaCTF account (registration is free)
  • System Requirements - Option 2
    • Download and use local VM
    • VMWare Workstation/Fusion 25H2
    • A computer with a minimum of 8GB RAM, 100GB of free disk space.
    • System must be able to run an Ubuntu 22.04 LTS 64-bit VM with the following minimum specs: 4GB RAM, 60GB disk space, two virtual processors.

Syllabus

Syllabus

Module 1: Threat at the Perimeter

  • Attack surface at the network edge

  • Anatomy of perimeter-targeted attacks

  • Common edge device categories & exposure

  • DMZ architecture and trust zones

  • ISP hand-off: where traffic enters

  • Threat hunting vs. reactive detection

Module 2: Sensor Deployment Strategies

  • TAP vs. SPAN port placement at the edge

  • ISP hand-off visibility gaps

  • High-volume traffic and storage tradeoffs

  • Asymmetric routing challenges

  • Out-of-band vs. inline sensor models

  • Sensor health & coverage validation

Module 3: Full-Packet Capture and Deep-Packet Inspection

  • FPC architecture and tooling (Zeek, Suricata, Arkime)

  • DPI techniques and protocol decoding

  • TLS/SSL interception and certificate analysis

  • HTTP/S, DNS, and SMB over the edge

  • Storage tiering and retention policies

  • Carving artifacts from packet captures

Module 4: Network Flow Analysis for Perimeter Hunting

  • NetFlow, IPFIX, and sFlow fundamentals

  • Flow collector and analyzer deployment

  • Baselining normal perimeter traffic patterns

  • Beaconing, long connections & C2 detection

  • Data exfiltration via flow anomalies

  • Enriching flows with threat intelligence

Module 5: Adversary Tradecraft Targeting Edge Devices

  • Edge device exploitation techniques (VPN, firewall, proxy)

  • Living-off-the-land at the network boundary

  • Covert tunneling: DNS, ICMP, HTTP/S

  • Firewall/NAT log analysis

  • Lateral movement inbound from the edge

  • Nation-state TTPs on perimeter devices

Module 6: Building a Perimeter Hunt Program

  • Hunt hypothesis development

  • Structuring a hunt cycle

  • Detection engineering from hunt findings

  • Integrating threat intel at the perimeter

  • Metrics and hunt program maturity

  • Documentation and escalation workflows

FAQ

What You’ll Learn:

  • Practice hands-on detection of adversary activity at edge devices, VPN appliances, and DMZ systems–based on actual threat campaigns.

  • Learn sensor deployments, telemetry collection tuning, and application of JA3 fingerprinting and DNS tunnel detection to find threats missed by common monitoring.

  • Development of a structured hunt cycle, detection engineering outputs (signatures, analytics, alerts) and an immediately applicable hunting program.

Who Should Take This Course:

  • Network security analysts

  • SOC engineers

  • Incident responders

  • Threat hunters

Audience Skill Level:

Intermediate

Prerequisites:

Familiarity with network protocols (TCP/IP, DNS, HTTP/S, TLS), basic Linux command line, and general security monitoring concepts.

Key Takeaways

  • Learn about edge devices and DMZ systems that are disproportionately targeted by adversaries and how Internet-facing exposure creates unique security monitoring challenges at the network perimeter.

  • How visibility gaps at the ISP hand-off and asymmetric routing paths undermine hunt effectiveness, and how proper TAP/SPAN placement and coverage validation address those gaps.

  • How to architect sensor deployments at the perimeter, including smart collection strategies, protocol decoding, and tiered retention policies.

  • Leverage network flow data (NetFlow/IPFIX) to detect beaconing, long-duration C2 sessions, and data exfiltration anomalies when full packet retention is not feasible.

  • Apply deep-packet inspection techniques to uncover malicious use of legitimate protocols, including DNS tunneling, HTTP/S-based C2, and ICMP covert channels.

  • Maintain hunting visibility across encrypted sessions using certificate analysis, JA3/JA3S fingerprinting, SNI inspection, and encrypted traffic profiling techniques.

  • How adversaries exploit, persist on, and abuse perimeter devices such as VPN appliances, firewalls, and proxies, and how to incorporate device-native telemetry into hunt operations.

  • Establish traffic baselines across volume, protocols, geo-distribution, and connected ASNs as a foundation for anomaly-based perimeter hunting.

  • Develop intelligence-driven hunt hypotheses to ensure operations are targeted, structured, and repeatable.

  • Convert successful hunt findings into detection engineering outputs (including signatures, analytics, and alerts) to operationalize hunt results and prevent recurrence.

  • Document and communicate hunt findings through structured hunt reports that drive organizational awareness and measurable improvements to the detection stack.

About the Instructor

Pixel splash background
"purveyor of digital truths"
Bio

Troy Wojewoda is a Security Analyst at Black Hills Information Security (BHIS). Prior to joining BHIS, Troy has held roles in application and system administration, host and network intrusion detection, wireless security, penetration testing, digital forensics, malware analysis, threat hunting, and incident response. In addition to earning several professional certifications, Troy has a BS in Computer Engineering and Computer Science.

Related products

Shopping Cart

No products in the cart.