Book Image

Incident Response with Threat Intelligence

By : Roberto Martinez

Book Image

Incident Response with Threat Intelligence

By: Roberto Martinez

Overview of this book

With constantly evolving cyber threats, developing a cybersecurity incident response capability to identify and contain threats is indispensable for any organization regardless of its size. This book covers theoretical concepts and a variety of real-life scenarios that will help you to apply these concepts within your organization. Starting with the basics of incident response, the book introduces you to professional practices and advanced concepts for integrating threat hunting and threat intelligence procedures in the identification, contention, and eradication stages of the incident response cycle. As you progress through the chapters, you'll cover the different aspects of developing an incident response program. You'll learn the implementation and use of platforms such as TheHive and ELK and tools for evidence collection such as Velociraptor and KAPE before getting to grips with the integration of frameworks such as Cyber Kill Chain and MITRE ATT&CK for analysis and investigation. You'll also explore methodologies and tools for cyber threat hunting with Sigma and YARA rules. By the end of this book, you'll have learned everything you need to respond to cybersecurity incidents using threat intelligence.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Conventions used

Share Your Thoughts

Section 1: The Fundamentals of Incident Response

Section 1: The Fundamentals of Incident Response

Free Chapter

Chapter 1: Threat Landscape and Cybersecurity Incidents

Chapter 1: Threat Landscape and Cybersecurity Incidents

Knowing the threat landscape

Understanding the motivation behind cyber attacks

Emerging and future cyber threats

Further reading

Chapter 2: Concepts of Digital Forensics and Incident Response

Chapter 2: Concepts of Digital Forensics and Incident Response

Concepts of digital forensics and incident response (DFIR)

Digital evidence and forensics artifacts

Incident response standards and frameworks

Defining an incident response posture

Further reading

Chapter 3: Basics of the Incident Response and Triage Procedures

Chapter 3: Basics of the Incident Response and Triage Procedures

Technical requirements

Principles of first response

Triage – concept and procedures

First response procedures in different scenarios

First response toolkit

Further reading

Chapter 4: Applying First Response Procedures

Chapter 4: Applying First Response Procedures

Technical requirements

Case study – a data breach incident

Following first-response procedures

Further reading

Section 2: Getting to Know the Adversaries

Section 2: Getting to Know the Adversaries

Chapter 5: Identifying and Profiling Threat Actors

Chapter 5: Identifying and Profiling Threat Actors

Technical requirements

Exploring the different types of threat actors

Researching adversaries and threat actors

Creating threat actor and campaign profiles

Further reading

Chapter 6: Understanding the Cyber Kill Chain and the MITRE ATT&CK Framework

Chapter 6: Understanding the Cyber Kill Chain and the MITRE ATT&CK Framework

Technical requirements

Introducing the Cyber Kill Chain framework

Understanding the MITRE ATT&CK framework

Discovering and containing malicious behaviors

Further reading

Chapter 7: Using Cyber Threat Intelligence in Incident Response

Chapter 7: Using Cyber Threat Intelligence in Incident Response

Technical requirements

The Diamond Model of Intrusion Analysis

Mapping ATT&CK TTPs from CTI reports

Integrating CTI into IR reports

Further reading

Section 3: Designing and Implementing Incident Response in Organizations

Section 3: Designing and Implementing Incident Response in Organizations

Chapter 8: Building an Incident Response Capability

Chapter 8: Building an Incident Response Capability

Technical requirements

Taking a proactive approach to incident response

Building an incident response program

Aligning the incident response plan, the business continuity plan, and the disaster recovery plan

Further reading

Chapter 9: Creating Incident Response Plans and Playbooks

Chapter 9: Creating Incident Response Plans and Playbooks

Technical requirements

Creating IR playbooks

Testing IRPs and playbooks

Further reading

Chapter 10: Implementing an Incident Management System

Chapter 10: Implementing an Incident Management System

Technical requirements

Understanding the TheHive architecture

Setting up TheHive and creating cases

Creating and managing cases

Integrating intelligence with Cortex

Further reading

Chapter 11: Integrating SOAR Capabilities into Incident Response

Chapter 11: Integrating SOAR Capabilities into Incident Response

Technical requirements

Understanding the principles and capabilities of SOAR

A SOAR use case – identifying malicious communications

Escalating incidents from detection

Automating the IR and investigation processes

Further reading

Section 4: Improving Threat Detection in Incident Response

Section 4: Improving Threat Detection in Incident Response

Chapter 12: Working with Analytics and Detection Engineering in Incident Response

Chapter 12: Working with Analytics and Detection Engineering in Incident Response

Technical requirements

Configuring the detection lab

Identifying and containing threats

Implementing principles of detection engineering in incident response

Using MITRE CAR, Invoke-AtomicRedTeam, and testing analytics

Chapter 13: Creating and Deploying Detection Rules

Chapter 13: Creating and Deploying Detection Rules

Technical requirements

Introduction to detection rules

Detecting malicious files using YARA rules

Analyzing and identifying patterns in files

Detecting potential threats using YARA rules

Detecting malicious behavior using Sigma rules

Further reading

Chapter 14:  Hunting and Investigating Security Incidents

Chapter 14:  Hunting and Investigating Security Incidents

Technical requirements

Responding to a data breach incident

Opening a new IR case

Investigating the security incident

Other Books You May Enjoy

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

Preface

Incident response is fundamental and necessary for organizations' cybersecurity, regardless of their size. This book provides helpful information to professionals who work in large companies with a certain level of maturity in incident response and those who work in small or medium-sized companies, where there are no areas dedicated to this field.

I wrote this book with a broad approach that converges diverse disciplines, such as threat intelligence, threat hunting, and detection engineering. The different chapters show how the orchestration of these activities using the appropriate technologies can improve the capacity to respond to security incidents that can impact organizations.

There are four sections in this book. The first section covers the basic concepts of incident response, the first response procedures, and the tools to collect the artifacts from different devices.

In the second section, we will analyze the distinct types of threat actors from a broad perspective, considering their motivations and capabilities, under the principle that the best form of defense strategy is taking advantage of the knowledge of adversaries.

The third section covers the main aspects of implementing an incident response program, including the incident response plan and actionable playbooks based on different scenarios. This section also covers the technologies that support incident management and the integration of monitoring, detection, and investigation systems.

Finally, the fourth section covers critical aspects related to a proactive detection posture in the search and detection of attack indicators that speed up a threat's response and containment times to minimize its impact and thus prevent adversaries from achieving their objective.