Slots Open

Introduction to Threat Hunting in ICS

This one day class is an introduction to threat hunting and incident response for ICS environments. We will overview the business and security use cases of when and why threat hunting is valuable to organizations. We will progress by applying these concepts to corporate environments and industrial environments such as transmission or distribution control facilities, or plant distributed control systems (DCS).

This class will serve as an introduction to key concepts and provide a framework to develop active defenses for analysts and leadership. For existing active defense practitioners we will also include demonstrations of tools and tactics that can be immediately applied.


  • Definition of threat hunting
  • NSM, data pivoting
  • Tools (tshark, bro, snort, cyberlens, elk)
  • Lab 1: Hunting the Red Team
  • Technique: Hypotheses
  • Technique: Zone to zone analysis
  • Technique: Timeline analysis
  • Lab 2: Operational Impact
  • Strategy: SMASH
  • Strategy: Collection Management Framework
  • Threat modeling of intelligence reports
  • Lab 3: Applying SMASH & CMF
  • Lab 4 and 5: Capstone hunt


Attendee should have a solid foundation of industrial control systems and a desire to apply active defense concepts such as hunting within their organization.

Hardware Requirements

  • Windows 7 or Windows 10 laptop with at least 8GB of ram and at least 100GB of free disk space
  • VMware Player or Workstation
  • Administrator privilege on your hardware
  • Computer that possesses a Ethernet port or supporting dongle
  • Computer that possesses USB ports or supporting dongles