Book Image

Incident Response with Threat Intelligence

By : Roberto Martinez

Book Image

Incident Response with Threat Intelligence

By: Roberto Martinez

Overview of this book

With constantly evolving cyber threats, developing a cybersecurity incident response capability to identify and contain threats is indispensable for any organization regardless of its size. This book covers theoretical concepts and a variety of real-life scenarios that will help you to apply these concepts within your organization. Starting with the basics of incident response, the book introduces you to professional practices and advanced concepts for integrating threat hunting and threat intelligence procedures in the identification, contention, and eradication stages of the incident response cycle. As you progress through the chapters, you'll cover the different aspects of developing an incident response program. You'll learn the implementation and use of platforms such as TheHive and ELK and tools for evidence collection such as Velociraptor and KAPE before getting to grips with the integration of frameworks such as Cyber Kill Chain and MITRE ATT&CK for analysis and investigation. You'll also explore methodologies and tools for cyber threat hunting with Sigma and YARA rules. By the end of this book, you'll have learned everything you need to respond to cybersecurity incidents using threat intelligence.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Conventions used

Share Your Thoughts

Section 1: The Fundamentals of Incident Response

Section 1: The Fundamentals of Incident Response

Free Chapter

Chapter 1: Threat Landscape and Cybersecurity Incidents

Chapter 1: Threat Landscape and Cybersecurity Incidents

Knowing the threat landscape

Understanding the motivation behind cyber attacks

Emerging and future cyber threats

Further reading

Chapter 2: Concepts of Digital Forensics and Incident Response

Chapter 2: Concepts of Digital Forensics and Incident Response

Concepts of digital forensics and incident response (DFIR)

Digital evidence and forensics artifacts

Incident response standards and frameworks

Defining an incident response posture

Further reading

Chapter 3: Basics of the Incident Response and Triage Procedures

Chapter 3: Basics of the Incident Response and Triage Procedures

Technical requirements

Principles of first response

Triage – concept and procedures

First response procedures in different scenarios

First response toolkit

Further reading

Chapter 4: Applying First Response Procedures

Chapter 4: Applying First Response Procedures

Technical requirements

Case study – a data breach incident

Following first-response procedures

Further reading

Section 2: Getting to Know the Adversaries

Section 2: Getting to Know the Adversaries

Chapter 5: Identifying and Profiling Threat Actors

Chapter 5: Identifying and Profiling Threat Actors

Technical requirements

Exploring the different types of threat actors

Researching adversaries and threat actors

Creating threat actor and campaign profiles

Further reading

Chapter 6: Understanding the Cyber Kill Chain and the MITRE ATT&CK Framework

Chapter 6: Understanding the Cyber Kill Chain and the MITRE ATT&CK Framework

Technical requirements

Introducing the Cyber Kill Chain framework

Understanding the MITRE ATT&CK framework

Discovering and containing malicious behaviors

Further reading

Chapter 7: Using Cyber Threat Intelligence in Incident Response

Chapter 7: Using Cyber Threat Intelligence in Incident Response

Technical requirements

The Diamond Model of Intrusion Analysis

Mapping ATT&CK TTPs from CTI reports

Integrating CTI into IR reports

Further reading

Section 3: Designing and Implementing Incident Response in Organizations

Section 3: Designing and Implementing Incident Response in Organizations

Chapter 8: Building an Incident Response Capability

Chapter 8: Building an Incident Response Capability

Technical requirements

Taking a proactive approach to incident response

Building an incident response program

Aligning the incident response plan, the business continuity plan, and the disaster recovery plan

Further reading

Chapter 9: Creating Incident Response Plans and Playbooks

Chapter 9: Creating Incident Response Plans and Playbooks

Technical requirements

Creating IR playbooks

Testing IRPs and playbooks

Further reading

Chapter 10: Implementing an Incident Management System

Chapter 10: Implementing an Incident Management System

Technical requirements

Understanding the TheHive architecture

Setting up TheHive and creating cases

Creating and managing cases

Integrating intelligence with Cortex

Further reading

Chapter 11: Integrating SOAR Capabilities into Incident Response

Chapter 11: Integrating SOAR Capabilities into Incident Response

Technical requirements

Understanding the principles and capabilities of SOAR

A SOAR use case – identifying malicious communications

Escalating incidents from detection

Automating the IR and investigation processes

Further reading

Section 4: Improving Threat Detection in Incident Response

Section 4: Improving Threat Detection in Incident Response

Chapter 12: Working with Analytics and Detection Engineering in Incident Response

Chapter 12: Working with Analytics and Detection Engineering in Incident Response

Technical requirements

Configuring the detection lab

Identifying and containing threats

Implementing principles of detection engineering in incident response

Using MITRE CAR, Invoke-AtomicRedTeam, and testing analytics

Chapter 13: Creating and Deploying Detection Rules

Chapter 13: Creating and Deploying Detection Rules

Technical requirements

Introduction to detection rules

Detecting malicious files using YARA rules

Analyzing and identifying patterns in files

Detecting potential threats using YARA rules

Detecting malicious behavior using Sigma rules

Further reading

Chapter 14:  Hunting and Investigating Security Incidents

Chapter 14:  Hunting and Investigating Security Incidents

Technical requirements

Responding to a data breach incident

Opening a new IR case

Investigating the security incident

Other Books You May Enjoy

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

Integrating CTI into IR reports

You can incorporate TI information into IR reports regarding threat actors and campaigns and correlate it with the Cyber Kill Chain framework and the Diamond Model of Intrusion Analysis.

There is no doubt that TI and the knowledge of threat actors' behaviors are critical in IR processes, especially in the Identification and Containment phases, but how can we make it actionable?

Lenny Zeltser (Twitter handle @lennyzeltser) created a handy template for the documentation of TI to trigger that information and use it in IR. The Report Template for Threat Intelligence and Incident Response is free for use and distributed according to the Creative Commons Attribution license (CC BY 4.0). You can download it from this URL: https://zeltser.com/cyber-threat-intel-and-ir-report-template/.

To learn how to use this template, we will use the same hypothetical IR case described in this chapter, whereby we will need to identify critical pieces of information...