Book Image

The Foundations of Threat Hunting

By : Chad Maurice, Jeremy Thompson, William Copeland
Book Image

The Foundations of Threat Hunting

By: Chad Maurice, Jeremy Thompson, William Copeland

Overview of this book

Threat hunting is a concept that takes traditional cyber defense and spins it onto its head. It moves the bar for network defenses beyond looking at the known threats and allows a team to pursue adversaries that are attacking in novel ways that have not previously been seen. To successfully track down and remove these advanced attackers, a solid understanding of the foundational concepts and requirements of the threat hunting framework is needed. Moreover, to confidently employ threat hunting in a business landscape, the same team will need to be able to customize that framework to fit a customer’s particular use case. This book breaks down the fundamental pieces of a threat hunting team, the stages of a hunt, and the process that needs to be followed through planning, execution, and recovery. It will take you through the process of threat hunting, starting from understanding cybersecurity basics through to the in-depth requirements of building a mature hunting capability. This is provided through written instructions as well as multiple story-driven scenarios that show the correct (and incorrect) way to effectively conduct a threat hunt. By the end of this cyber threat hunting book, you’ll be able to identify the processes of handicapping an immature cyber threat hunt team and systematically progress the hunting capabilities to maturity.

Related Content you might be interested in

Current Title:

Small book image
The Foundations of Threat Hunting
Chad Maurice | Jeremy Thompson | William Copeland
Jun, 2022 | 246 pages
Small book image
Operationalizing Threat Intelligence
Joseph Opacki | Kyle Wilhoit
Jun, 2022 | 460 pages
Small book image
Digital Forensics and Incident Response.
Gerard Johansen
Dec, 2022 | 532 pages
Small book image
Practical Threat Intelligence and Data-Driven Threat Hunting
Valentina CostaGazcoacuten
Feb, 2021 | 398 pages
Table of Contents (19 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Share Your Thoughts
1
Part 1: Preparation – Why and How to Start the Hunting Process
Part 1: Preparation – Why and How to Start the Hunting Process
Free Chapter
2
Chapter 1: An Introduction to Threat Hunting
Chapter 1: An Introduction to Threat Hunting
Incident response life cycle (hunting as proactive detection)
Why is threat hunting important?
Application of detection levels
Book layout
Summary
Review questions
Review answers
3
Chapter 2: Requirements and Motivations
Chapter 2: Requirements and Motivations
Regulatory requirements, legalities, and best practices – where to start…
Why do you want to conduct threat hunts?
Internal versus external teams
What is needed to conduct a successful threat hunt?
Types of threat hunts
Scopes of threat hunts
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
4
Chapter 3: Team Construct
Chapter 3: Team Construct
Roles performed within a team
Training requirements
Ways to organize a team
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
5
Chapter 4: Communication Breakdown
Chapter 4: Communication Breakdown
Internal team communication
Communicating with stakeholders
Communicating with other administrators
Communicating with the adversary
Positive and negative non-verbal language
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
6
Chapter 5: Methodologies
Chapter 5: Methodologies
The hunting cycle
The adversary methodology
The MITRE ATT&CK Matrix
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
7
Chapter 6: Threat Intelligence
Chapter 6: Threat Intelligence
Types of intelligence
Why intel matters
Visualization model
Threat intelligence feeds
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
8
Chapter 7: Planning
Chapter 7: Planning
Restraints and constraints
Defining the scope
Defining "bad"
Assumptions
Success factors
Planned triggers
Identifying the resources required
Communication contracts
Reviewing and stress testing the plan
Approving the plan
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
9
Part 2: Execution – Conducting a Hunt
Part 2: Execution – Conducting a Hunt
10
Chapter 8: Defending the Defenders
Chapter 8: Defending the Defenders
Protecting the data
Protecting the team's equipment
Protecting the team
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
11
Chapter 9: Hardware and Toolsets
Chapter 9: Hardware and Toolsets
Hunting on IT networks versus OT networks versus cloud networks
Questions that drive requirements
In-band versus out-of-band
Hardware
Software tools
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
12
Chapter 10: Data Analysis
Chapter 10: Data Analysis
Data collection mindsets
Direct analysis versus secondary correlation
Host logs versus network logs
Automating everything
Getting everyone on the same page
Finding everything or nothing
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
13
Chapter 11: Documentation
Chapter 11: Documentation
Processes and procedures
MOA
SOW
Authorities
Pre-approved actions
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
14
Part 3: Recovery – Post-Hunt Activity
Part 3: Recovery – Post-Hunt Activity
15
Chapter 12: Deliverables
Chapter 12: Deliverables
What to say and what not to say
Confidence levels
Know your audience
Products for local defenders
Types of reports
Reporting timelines
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
16
Chapter 13: Post-Hunt Activity and Maturing a Team
Chapter 13: Post-Hunt Activity and Maturing a Team
Setting the stage for feedback
Feedback rules of engagement
Timeline reconstruction and where to concentrate
Feedback on the good and the bad
Fixing and updating documentation
Scenario A – internal threat hunt
Scenario B – external threat hunt
Summary
Review questions
Review answers
17
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Appendix
Acronyms
Definitions
Why subscribe?

Book layout

This book is laid out in a manner intended to help you better prepare for and understand the contents of each chapter. Each chapter will have five sections:

  • Introduction and learning outcomes: This area will introduce you to the main focus of the chapter, as well as outlining the expected high-level areas that you should remember as you review the material. Each learning objective will start with one of the following three words:
    • If the objective starts with Identify, then the intention is just for you to have a higher-level understanding of the topic. You do not need to worry about having an expert-level understanding of that material.
    • If the objective starts with Comprehend, then the intention is for you to be able to apply the topic and extrapolate how it would fit into a given scenario.
    • If the objective starts with Discuss, then the intention is for you to be able to have an educated discussion with another knowledgeable person on the topic. Not only would you fully understand the concept, but you would also be able to apply it in real time to various scenarios.
  • Topic focus: This area is the main focus of the chapter and will provide all of the details needed for you to understand the topic.
  • Scenarios: This area is broken up into two fictional subscenarios, one focused on an internal hunt team and one focused on an external hunt team. The internal hunt team is one that exists full time within the scenario's organization. The external hunt team is a team that was contracted out by the scenario's organization to perform a specific threat hunt. These scenarios will build upon the previous chapter's scenario.
  • Summary: This area will provide you with a summary of the chapter and any higher-level takeaways that you should continue to focus on.
  • Review questions: This area will provide you with a chance to test your understanding of the material through a few questions or scenarios aimed at reinforcing the learning objectives stated at the beginning of the chapter.

This structure should help you go through and understand the content of each chapter, and the book at large, in the most efficient manner.

Previous Section
End of Section 5
Next Section