Book Image

Incident Response with Threat Intelligence

By : Roberto Martinez
Book Image

Incident Response with Threat Intelligence

By: Roberto Martinez

Overview of this book

With constantly evolving cyber threats, developing a cybersecurity incident response capability to identify and contain threats is indispensable for any organization regardless of its size. This book covers theoretical concepts and a variety of real-life scenarios that will help you to apply these concepts within your organization. Starting with the basics of incident response, the book introduces you to professional practices and advanced concepts for integrating threat hunting and threat intelligence procedures in the identification, contention, and eradication stages of the incident response cycle. As you progress through the chapters, you'll cover the different aspects of developing an incident response program. You'll learn the implementation and use of platforms such as TheHive and ELK and tools for evidence collection such as Velociraptor and KAPE before getting to grips with the integration of frameworks such as Cyber Kill Chain and MITRE ATT&CK for analysis and investigation. You'll also explore methodologies and tools for cyber threat hunting with Sigma and YARA rules. By the end of this book, you'll have learned everything you need to respond to cybersecurity incidents using threat intelligence.
Table of Contents (20 chapters)
1
Section 1: The Fundamentals of Incident Response
6
Section 2: Getting to Know the Adversaries
10
Section 3: Designing and Implementing Incident Response in Organizations
15
Section 4: Improving Threat Detection in Incident Response

Discovering and containing malicious behaviors

A powerful feature of ATT&CK is making Cyber Threat Intelligence (CTI) information actionable to discover and contain malicious actions during incident response.

We are going to use as an example Kaspersky's report on Hakuna MATA, an investigation into a malicious campaign by threat actor Lazarus, published at https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, about the installation of the VHD ransomware and the chain of compromise, as shown in the following diagram:

Figure 6.16 – Hakuna MATA VHD ransomware chain of compromise

According to this report, the initial attack vector may have a compromised vulnerable VPN gateway; this allowed attackers to access the network, make lateral movements, elevate privileges, and compromise different services such as Active Directory.

Now, let's assume that your SOC team detects a connection from your network to one of the C2 described...