Practical Threat Detection Engineering

By : Megan Roddie, Jason Deyalsingh, Gary J. Katz

Overview of this book

Threat validation is an indispensable component of every security detection program, ensuring a healthy detection pipeline. This comprehensive detection engineering guide will serve as an introduction for those who are new to detection validation, providing valuable guidelines to swiftly bring you up to speed. The book will show you how to apply the supplied frameworks to assess, test, and validate your detection program. It covers the entire life cycle of a detection, from creation to validation, with the help of real-world examples. Featuring hands-on tutorials and projects, this guide will enable you to confidently validate the detections in your security program. This book serves as your guide to building a career in detection engineering, highlighting the essential skills and knowledge vital for detection engineers in today's landscape. By the end of this book, you’ll have developed the skills necessary to test your security detection program and strengthen your organization’s security measures.

Table of Contents (20 chapters)

Part 1: Introduction to Detection Engineering
Part 2: Detection Creation
Part 3: Detection Validation
Part 4: Metrics and Management
Part 5: Detection Engineering as a Career

A guide to using this book

The previous sections in this chapter provided the foundational knowledge you will need to fully grasp the contents of this book. In this final section, we’ll provide a brief overview of the rest of this book and the topics covered in each chapter.

The book's structure

This book aims to provide you with a thorough walk-through of building a detection engineering program. Along with in-depth knowledge of various aspects of the detection engineering life cycle, this book provides hands-on labs to allow you to learn the tools and skills discussed throughout this book practically. This book is broken into four parts, each providing insight into a different aspect of detection engineering.

Part 1 establishes the foundational knowledge required for the rest of this book. The previous sections of this chapter provided key concepts and terminology that will be referenced throughout this book. We also covered the justification for establishing a detection engineering program and the benefits it brings an organization. In Chapter 2, we will dive into each phase of the detection engineering life cycle and provide a high-level overview of the actions that occur at each phase. Finally, Chapter 3 will guide you through building a detection engineering lab. This lab will be used throughout the rest of this book for hands-on exercises.

Part 2 focuses on the creation side of the detection engineering life cycle. It starts with Chapter 4, which focuses on identifying and evaluating the data sources available to detection engineers. This chapter includes a lab that will show you how to add detection sources to the lab you will have built in Chapter 3. Chapter 5 will help you understand your detection requirements and establish the procedure and method for storing detection code. Part 2 ends with Chapter 6, where you will be provided with a hands-on walk-through of turning the detection requirements you established previously into detection code that can be tested within the lab.

Part 3 moves on to the concept of testing and validating detections. First, Chapter 7 provides practical guidance on validating detections by using existing data and generating simulated data. Additionally, it provides an introduction to proving TTP coverage via the results of the validation. Chapter 8 introduces the idea of leveraging threat intelligence in your detection engineering program as a detection source, a detection requirement, and a method of understanding coverage. Chapter 9 closes off Part 3 with a discussion on performance management. This includes methods of measuring the effectiveness of your detections, as well as of your detection engineering program as a whole. Furthermore, you will learn how to implement continuous improvement in your detection engineering program.

Part 4 ends this book with Chapter 10. This chapter is for those who want to learn more about detection engineering as a career. It will dive into the skill sets that will be required for a career in detection engineering and the day-to-day role of a detection engineer. Here, you will see where the future of detection engineering is going and how you can get involved in the detection engineering community.

Practical exercises

One of the authors’ goals with this book is to provide not just text-based knowledge but also practical hands-on exercises that will allow you to experience the detection engineering process. These labs begin in Chapter 3, where we’ll build out a test environment that will contain all the infrastructure and tooling required for the rest of the labs in this book.

With this test environment in place, most chapters will include exercises that will allow you to write and evaluate detections. These labs will include both those that relate to specific detection technologies and those that look at the environment’s coverage as a whole.

All code related to these labs is hosted publicly on GitHub at https://github.com/PacktPublishing/Practical-Threat-Detection-Engineering.

The hope is that the practical knowledge provided by this book will enable detection engineers to take actionable lessons learned and implement such strategies and techniques in their environments.