A Laboratory for Hands-on Cyber Threat Hunting Education


  • Jinpeng Wei University of North Carolina at Charlotte
  • Bei-Tseng “Bill” Chu billchu@uncc.edu
  • Deanne Cranford-Wesley Forsyth Technical Community College
  • James Brown jbrown@forsythtech.edu


cyber hunting, hands-on labs, malware analysis, security data analytics, virtualization, Nice Framework, Nice categories, cyber defense


Cyber threat hunting has emerged as a critical part of cyber security practice. However, there is a severe shortage of cybersecurity professionals with advanced analysis skills for cyber threat hunting. Sponsored by NSA, the University of North Carolina at Charlotte (UNC Charlotte) and Forsyth Technical Community College (Forsyth Tech) have been developing freely-available, hands-on teaching materials for cyber threat hunting suitable for use in two-year community college curriculum, 4-year universities curriculum, as well as for collegiate threat hunting competitions. Our hands-on labs focus on exercising a set of essential technical skills (called the threat hunting skill set) in an enterprise environment and they are modeled after real-world scenarios. Our lab environment contains real threats (e.g., malware) against real software (e.g., Operating Systems and applications), and real security datasets. These labs are designed to help a student learn how to detect active and dormant malware, analyze its activities, and assess its impact. These labs also teach a student how to search and probe for anomalies in a variety of datasets using multiple analytical skills, such as statistical analysis. In this paper, we present the design and implementation of our hands-on labs.