Book Image

Practical Threat Intelligence and Data-Driven Threat Hunting

By : Valentina Costa-Gazcón
Book Image

Practical Threat Intelligence and Data-Driven Threat Hunting

By: Valentina Costa-Gazcón

Overview of this book

Threat hunting (TH) provides cybersecurity analysts and enterprises with the opportunity to proactively defend themselves by getting ahead of threats before they can cause major damage to their business. This book is not only an introduction for those who don’t know much about the cyber threat intelligence (CTI) and TH world, but also a guide for those with more advanced knowledge of other cybersecurity fields who are looking to implement a TH program from scratch. You will start by exploring what threat intelligence is and how it can be used to detect and prevent cyber threats. As you progress, you’ll learn how to collect data, along with understanding it by developing data models. The book will also show you how to set up an environment for TH using open source tools. Later, you will focus on how to plan a hunt with practical examples, before going on to explore the MITRE ATT&CK framework. By the end of this book, you’ll have the skills you need to be able to carry out effective hunts in your own environment.
Table of Contents (21 chapters)
Section 1: Cyber Threat Intelligence
Section 2: Understanding the Adversary
Section 3: Working with a Research Environment
Section 4: Communicating to Succeed
Appendix – The State of the Hunt

Setting up ELK

At this point, you have two options. If you want to start small, you can follow these steps to deploy a raw ELK instance so that you can start querying plain Elasticsearch; alternatively, you can deploy the HELK, Roberto Rodriguez' open source hunting tool, which has more advanced capabilities. If you choose to do the latter, please jump to the The HELK – an open source tool by Roberto Rodriguez section.

In any case, you will need to download a Linux distro. I'm going to use Ubuntu 18.04 (, but you can use any other you may like. Keep in mind that if you plan to install the HELK or move to it later, Roberto's tool is optimized for Ubuntu 18.04, Ubuntu 16, CentOS 7, and CentOS 8.

Once again, upload the distro's ISO to the ESXI databrowser and use it to create a new virtual machine. You will need to keep two things in mind:

  • The ELK will receive a large amount of data, so give it a good amount of disk...