Book Image

Incident Response with Threat Intelligence

By : Roberto Martinez

Book Image

Incident Response with Threat Intelligence

By: Roberto Martinez

Overview of this book

With constantly evolving cyber threats, developing a cybersecurity incident response capability to identify and contain threats is indispensable for any organization regardless of its size. This book covers theoretical concepts and a variety of real-life scenarios that will help you to apply these concepts within your organization. Starting with the basics of incident response, the book introduces you to professional practices and advanced concepts for integrating threat hunting and threat intelligence procedures in the identification, contention, and eradication stages of the incident response cycle. As you progress through the chapters, you'll cover the different aspects of developing an incident response program. You'll learn the implementation and use of platforms such as TheHive and ELK and tools for evidence collection such as Velociraptor and KAPE before getting to grips with the integration of frameworks such as Cyber Kill Chain and MITRE ATT&CK for analysis and investigation. You'll also explore methodologies and tools for cyber threat hunting with Sigma and YARA rules. By the end of this book, you'll have learned everything you need to respond to cybersecurity incidents using threat intelligence.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Conventions used

Share Your Thoughts

Section 1: The Fundamentals of Incident Response

Section 1: The Fundamentals of Incident Response

Free Chapter

Chapter 1: Threat Landscape and Cybersecurity Incidents

Chapter 1: Threat Landscape and Cybersecurity Incidents

Knowing the threat landscape

Understanding the motivation behind cyber attacks

Emerging and future cyber threats

Further reading

Chapter 2: Concepts of Digital Forensics and Incident Response

Chapter 2: Concepts of Digital Forensics and Incident Response

Concepts of digital forensics and incident response (DFIR)

Digital evidence and forensics artifacts

Incident response standards and frameworks

Defining an incident response posture

Further reading

Chapter 3: Basics of the Incident Response and Triage Procedures

Chapter 3: Basics of the Incident Response and Triage Procedures

Technical requirements

Principles of first response

Triage – concept and procedures

First response procedures in different scenarios

First response toolkit

Further reading

Chapter 4: Applying First Response Procedures

Chapter 4: Applying First Response Procedures

Technical requirements

Case study – a data breach incident

Following first-response procedures

Further reading

Section 2: Getting to Know the Adversaries

Section 2: Getting to Know the Adversaries

Chapter 5: Identifying and Profiling Threat Actors

Chapter 5: Identifying and Profiling Threat Actors

Technical requirements

Exploring the different types of threat actors

Researching adversaries and threat actors

Creating threat actor and campaign profiles

Further reading

Chapter 6: Understanding the Cyber Kill Chain and the MITRE ATT&CK Framework

Chapter 6: Understanding the Cyber Kill Chain and the MITRE ATT&CK Framework

Technical requirements

Introducing the Cyber Kill Chain framework

Understanding the MITRE ATT&CK framework

Discovering and containing malicious behaviors

Further reading

Chapter 7: Using Cyber Threat Intelligence in Incident Response

Chapter 7: Using Cyber Threat Intelligence in Incident Response

Technical requirements

The Diamond Model of Intrusion Analysis

Mapping ATT&CK TTPs from CTI reports

Integrating CTI into IR reports

Further reading

Section 3: Designing and Implementing Incident Response in Organizations

Section 3: Designing and Implementing Incident Response in Organizations

Chapter 8: Building an Incident Response Capability

Chapter 8: Building an Incident Response Capability

Technical requirements

Taking a proactive approach to incident response

Building an incident response program

Aligning the incident response plan, the business continuity plan, and the disaster recovery plan

Further reading

Chapter 9: Creating Incident Response Plans and Playbooks

Chapter 9: Creating Incident Response Plans and Playbooks

Technical requirements

Creating IR playbooks

Testing IRPs and playbooks

Further reading

Chapter 10: Implementing an Incident Management System

Chapter 10: Implementing an Incident Management System

Technical requirements

Understanding the TheHive architecture

Setting up TheHive and creating cases

Creating and managing cases

Integrating intelligence with Cortex

Further reading

Chapter 11: Integrating SOAR Capabilities into Incident Response

Chapter 11: Integrating SOAR Capabilities into Incident Response

Technical requirements

Understanding the principles and capabilities of SOAR

A SOAR use case – identifying malicious communications

Escalating incidents from detection

Automating the IR and investigation processes

Further reading

Section 4: Improving Threat Detection in Incident Response

Section 4: Improving Threat Detection in Incident Response

Chapter 12: Working with Analytics and Detection Engineering in Incident Response

Chapter 12: Working with Analytics and Detection Engineering in Incident Response

Technical requirements

Configuring the detection lab

Identifying and containing threats

Implementing principles of detection engineering in incident response

Using MITRE CAR, Invoke-AtomicRedTeam, and testing analytics

Chapter 13: Creating and Deploying Detection Rules

Chapter 13: Creating and Deploying Detection Rules

Technical requirements

Introduction to detection rules

Detecting malicious files using YARA rules

Analyzing and identifying patterns in files

Detecting potential threats using YARA rules

Detecting malicious behavior using Sigma rules

Further reading

Chapter 14:  Hunting and Investigating Security Incidents

Chapter 14:  Hunting and Investigating Security Incidents

Technical requirements

Responding to a data breach incident

Opening a new IR case

Investigating the security incident

Other Books You May Enjoy

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

To get the most out of this book

Having a basic knowledge of Linux and Windows operating systems, network protocols, and the management of virtualized environments in VMware will be very useful while using this book.

All the practical exercises in the book were designed to work on virtualization environments using VMware Workstation Player (free for personal use), so I recommend you download and use the latest version available.

The minimum hardware requirements are as follows:

4 cores
16–32 GB RAM
120 GB of free storage space

There are many excellent technologies available to improve the capacity to detect threats and efficiently respond to security incidents. However, I mainly included open source or free tools in this book instead of commercial tools to make them accessible to everyone, so you can focus on applying the knowledge and concepts that I share in the different chapters.

I invite you to explore and learn about other tools and thus have a broader frame of reference when deciding on a particular one.

All the tools mentioned in the chapters can be used within virtualized environments.

If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book's GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.