Book Image

Practical Threat Detection Engineering

By : Megan Roddie, Jason Deyalsingh, Gary J. Katz

5 (2)

Book Image

Practical Threat Detection Engineering

5 (2)

By: Megan Roddie, Jason Deyalsingh, Gary J. Katz

Overview of this book

Threat validation is an indispensable component of every security detection program, ensuring a healthy detection pipeline. This comprehensive detection engineering guide will serve as an introduction for those who are new to detection validation, providing valuable guidelines to swiftly bring you up to speed. The book will show you how to apply the supplied frameworks to assess, test, and validate your detection program. It covers the entire life cycle of a detection, from creation to validation, with the help of real-world examples. Featuring hands-on tutorials and projects, this guide will enable you to confidently validate the detections in your security program. This book serves as your guide to building a career in detection engineering, highlighting the essential skills and knowledge vital for detection engineers in today's landscape. By the end of this book, you’ll have developed the skills necessary to test your security detection program and strengthen your organization’s security measures.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Download the color images

Conventions used

Share Your Thoughts

Download a free PDF copy of this book

Part 1: Introduction to Detection Engineering

Part 1: Introduction to Detection Engineering

Free Chapter

Chapter 1: Fundamentals of Detection Engineering

Chapter 1: Fundamentals of Detection Engineering

Foundational concepts

The value of a detection engineering program

A guide to using this book

Chapter 2: The Detection Engineering Life Cycle

Chapter 2: The Detection Engineering Life Cycle

Phase 1 – Requirements Discovery

Exercise – understanding your organization’s detection requirement sources

Phase 2 – Triage

Phase 3 – Investigate

Phase 4 – Develop

Phase 5 – Test

Phase 6 – Deploy

Chapter 3: Building a Detection Engineering Test Lab

Chapter 3: Building a Detection Engineering Test Lab

Technical requirements

The Elastic Stack

Setting up Fleet Server

Building your first detection

Additional resources

Part 2: Detection Creation

Part 2: Detection Creation

Chapter 4: Detection Data Sources

Chapter 4: Detection Data Sources

Technical requirements

Understanding data sources and telemetry

Looking at data source issues and challenges

Adding data sources

Further reading

Chapter 5: Investigating Detection Requirements

Chapter 5: Investigating Detection Requirements

Revisiting the phases of detection requirements

Discovering detection requirements

Triaging detection requirements

Investigating detection requirements

Chapter 6: Developing Detections Using Indicators of Compromise

Chapter 6: Developing Detections Using Indicators of Compromise

Technical requirements

Leveraging indicators of compromise for detection

Further reading

Chapter 7: Developing Detections Using Behavioral Indicators

Chapter 7: Developing Detections Using Behavioral Indicators

Technical requirements

Detecting adversary tools

Detecting tactice, techniques, and procedures (TTPs)

Chapter 8: Documentation and Detection Pipelines

Chapter 8: Documentation and Detection Pipelines

Documenting a detection

Exploring the detection repository

Part 3: Detection Validation

Part 3: Detection Validation

Chapter 9: Detection Validation

Chapter 9: Detection Validation

Technical requirements

Understanding the validation process

Understanding purple team exercises

Simulating adversary activity

Using validation results

Further reading

Chapter 10: Leveraging Threat Intelligence

Chapter 10: Leveraging Threat Intelligence

Technical requirements

Threat intelligence overview

Threat intelligence in the detection engineering life cycle

Threat intelligence for detection engineering in practice

Threat assessments

Resources and further reading

Part 4: Metrics and Management

Part 4: Metrics and Management

Chapter 11: Performance Management

Chapter 11: Performance Management

Introduction to performance management

Assessing the maturity of your detection program

Measuring the efficiency of a detection engineering program

Measuring the effectiveness of a detection engineering program

Calculating a detection’s efficacy

Further reading

Part 5: Detection Engineering as a Career

Part 5: Detection Engineering as a Career

Chapter 12: Career Guidance for Detection Engineers

Chapter 12: Career Guidance for Detection Engineers

Getting a job in detection engineering

Detection engineering as a job

The future of detection engineering

Index

Other Books You May Enjoy

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Download a free PDF copy of this book

Customer Reviews

5 (2)

5 star

100%

4 star

0

3 star

0

2 star

0

1 star

0

Developing Detections Using Indicators of Compromise

In this chapter, we will apply the detection engineering life cycle to investigate and develop detections in our lab. In Chapter 2, we identified four sub-steps to the Investigate phase and three sub-steps to the Develop phase, which we will follow in our exercises in this chapter.

Investigate:

Research context
Data source identification
Detection indicator types
Establish validation criteria

Develop:

Design
Develop
Unit test

At the beginning of the book, we introduced the Pyramid of Pain, which can be used to evaluate how easily the adversary can evade our detections. In addition to signifying the difficulty for the adversary to evade detection, the pyramid levels also (mostly) align with how easily a detection can be created. For this reason, we will start with implementing simpler static indicator detections that align to lower levels of the pyramid, and in the next chapter...