Book Image

The Foundations of Threat Hunting

By : Chad Maurice, Jeremy Thompson, William Copeland
Book Image

The Foundations of Threat Hunting

By: Chad Maurice, Jeremy Thompson, William Copeland

Overview of this book

Threat hunting is a concept that takes traditional cyber defense and spins it onto its head. It moves the bar for network defenses beyond looking at the known threats and allows a team to pursue adversaries that are attacking in novel ways that have not previously been seen. To successfully track down and remove these advanced attackers, a solid understanding of the foundational concepts and requirements of the threat hunting framework is needed. Moreover, to confidently employ threat hunting in a business landscape, the same team will need to be able to customize that framework to fit a customer’s particular use case. This book breaks down the fundamental pieces of a threat hunting team, the stages of a hunt, and the process that needs to be followed through planning, execution, and recovery. It will take you through the process of threat hunting, starting from understanding cybersecurity basics through to the in-depth requirements of building a mature hunting capability. This is provided through written instructions as well as multiple story-driven scenarios that show the correct (and incorrect) way to effectively conduct a threat hunt. By the end of this cyber threat hunting book, you’ll be able to identify the processes of handicapping an immature cyber threat hunt team and systematically progress the hunting capabilities to maturity.

Related Content you might be interested in

Current Title:

Small book image
The Foundations of Threat Hunting
Chad Maurice | Jeremy Thompson | William Copeland
Jun, 2022 | 246 pages
Small book image
Operationalizing Threat Intelligence
Joseph Opacki | Kyle Wilhoit
Jun, 2022 | 460 pages
Small book image
Digital Forensics and Incident Response.
Gerard Johansen
Dec, 2022 | 532 pages
Small book image
Practical Threat Intelligence and Data-Driven Threat Hunting
Valentina CostaGazcoacuten
Feb, 2021 | 398 pages
Table of Contents (19 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Share Your Thoughts
1
Part 1: Preparation – Why and How to Start the Hunting Process
Part 1: Preparation – Why and How to Start the Hunting Process
Free Chapter
2
Chapter 1: An Introduction to Threat Hunting
Chapter 1: An Introduction to Threat Hunting
Incident response life cycle (hunting as proactive detection)
Why is threat hunting important?
Application of detection levels
Book layout
Summary
Review questions
Review answers
3
Chapter 2: Requirements and Motivations
Chapter 2: Requirements and Motivations
Regulatory requirements, legalities, and best practices – where to start…
Why do you want to conduct threat hunts?
Internal versus external teams
What is needed to conduct a successful threat hunt?
Types of threat hunts
Scopes of threat hunts
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
4
Chapter 3: Team Construct
Chapter 3: Team Construct
Roles performed within a team
Training requirements
Ways to organize a team
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
5
Chapter 4: Communication Breakdown
Chapter 4: Communication Breakdown
Internal team communication
Communicating with stakeholders
Communicating with other administrators
Communicating with the adversary
Positive and negative non-verbal language
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
6
Chapter 5: Methodologies
Chapter 5: Methodologies
The hunting cycle
The adversary methodology
The MITRE ATT&CK Matrix
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
7
Chapter 6: Threat Intelligence
Chapter 6: Threat Intelligence
Types of intelligence
Why intel matters
Visualization model
Threat intelligence feeds
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
8
Chapter 7: Planning
Chapter 7: Planning
Restraints and constraints
Defining the scope
Defining "bad"
Assumptions
Success factors
Planned triggers
Identifying the resources required
Communication contracts
Reviewing and stress testing the plan
Approving the plan
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
9
Part 2: Execution – Conducting a Hunt
Part 2: Execution – Conducting a Hunt
10
Chapter 8: Defending the Defenders
Chapter 8: Defending the Defenders
Protecting the data
Protecting the team's equipment
Protecting the team
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
11
Chapter 9: Hardware and Toolsets
Chapter 9: Hardware and Toolsets
Hunting on IT networks versus OT networks versus cloud networks
Questions that drive requirements
In-band versus out-of-band
Hardware
Software tools
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
12
Chapter 10: Data Analysis
Chapter 10: Data Analysis
Data collection mindsets
Direct analysis versus secondary correlation
Host logs versus network logs
Automating everything
Getting everyone on the same page
Finding everything or nothing
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
13
Chapter 11: Documentation
Chapter 11: Documentation
Processes and procedures
MOA
SOW
Authorities
Pre-approved actions
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
14
Part 3: Recovery – Post-Hunt Activity
Part 3: Recovery – Post-Hunt Activity
15
Chapter 12: Deliverables
Chapter 12: Deliverables
What to say and what not to say
Confidence levels
Know your audience
Products for local defenders
Types of reports
Reporting timelines
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
16
Chapter 13: Post-Hunt Activity and Maturing a Team
Chapter 13: Post-Hunt Activity and Maturing a Team
Setting the stage for feedback
Feedback rules of engagement
Timeline reconstruction and where to concentrate
Feedback on the good and the bad
Fixing and updating documentation
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
17
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Appendix
Acronyms
Definitions
Why subscribe?

Chapter 1: An Introduction to Threat Hunting

Threat hunting is a concept that can bring to mind a myriad of different images and ideas. It is a concept that is shrouded in mystery for some, while others might have been able to hone it down to a science, perhaps going as far as applying their findings in new ways. The line that separates these two groups is an understanding that this idea of hunting is, in reality, a loosely based concept that is molded for each unique situation, environment, and the personnel involved.

In the event that you have not heard of this concept of threat hunting before, it is very helpful to understand that there is not a single cookie-cutter cybersecurity solution for any network, enterprise, or incident. A single solution simply does not and cannot exist. There are millions of variables and conditions, both technical and organizational, that will differentiate one organization's network from another. The simple appearance of security might be a deterrent for some adversaries against a target and a challenge to others.

Even if an organization does all of the correct steps, such as ensuring that the network is architected with proper layered defenses, vulnerabilities are thoroughly analyzed, and risks are minimized, there are still important protections to enforce. A continual improvement process must be in place to review all the previous findings to see how the environment has changed. Threat hunting is a critical part of that process for organizations looking to mature their cybersecurity posture and improve their resilience in the digital world.

Of the countless threat hunting events we have had the pleasure of taking part in or observing, no two were ever the same. Each hunt was tailored to the particular technical resources available, enterprise in question, perceived threat, personnel assigned, and business requirements of the client. The aim of this book is to provide you with foundational concepts and requirements needed to take a generic threat hunting framework and mold it into something that will fit a particular use case that a customer would be willing to accept based upon what they are experiencing. This framework will allow you to understand how to build a threat hunting team and define and respond in future hunts to meet business needs while minimizing resource waste and non-value-added efforts.

In this chapter, we will be covering the following topics

  • Incident response life cycle
  • Why is threat hunting important?
  • Application of detection levels
  • Book layout

By the end of this chapter, you will be able to do the following:

  • Comprehend the difference between cyber threat hunting and other types of cyber defense functions.
  • Discuss how threat hunting fits into the NIST incident response life cycle.
  • Comprehend the importance of conducting effective threat hunting missions.
Previous Section
End of Section 1
Next Section