Book Image

Practical Threat Intelligence and Data-Driven Threat Hunting

By : Valentina Costa-Gazcón
Book Image

Practical Threat Intelligence and Data-Driven Threat Hunting

By: Valentina Costa-Gazcón

Overview of this book

Threat hunting (TH) provides cybersecurity analysts and enterprises with the opportunity to proactively defend themselves by getting ahead of threats before they can cause major damage to their business. This book is not only an introduction for those who don’t know much about the cyber threat intelligence (CTI) and TH world, but also a guide for those with more advanced knowledge of other cybersecurity fields who are looking to implement a TH program from scratch. You will start by exploring what threat intelligence is and how it can be used to detect and prevent cyber threats. As you progress, you’ll learn how to collect data, along with understanding it by developing data models. The book will also show you how to set up an environment for TH using open source tools. Later, you will focus on how to plan a hunt with practical examples, before going on to explore the MITRE ATT&CK framework. By the end of this book, you’ll have the skills you need to be able to carry out effective hunts in your own environment.

Related Content you might be interested in

Current Title:

Small book image
Practical Threat Intelligence and Data-Driven Threat Hunting
Valentina Costa-Gazcón
Feb, 2021 | 398 pages
Small book image
Purple Team Strategies
Simon Thoores | David Routin | Samuel Rossier
Jun, 2022 | 450 pages
Small book image
Incident Response with Threat Intelligence
Roberto Martinez
Jun, 2022 | 468 pages
Small book image
Practical Threat Detection Engineering
Gary J Katz | Megan Roddie | Jason Deyalsingh
Jul, 2023 | 328 pages
Table of Contents (21 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
1
Section 1: Cyber Threat Intelligence
Section 1: Cyber Threat Intelligence
Free Chapter
2
Chapter 1: What Is Cyber Threat Intelligence?
Chapter 1: What Is Cyber Threat Intelligence?
Cyber threat intelligence
The intelligence cycle
Defining your IR
The collection process
Processing and exploitation
Bias and analysis
Summary
3
Chapter 2: What Is Threat Hunting?
Chapter 2: What Is Threat Hunting?
Technical requirements
What is threat hunting?
The Threat Hunting Maturity Model
The threat hunting process
Building a hypothesis
Summary
4
Chapter 3: Where Does the Data Come From?
Chapter 3: Where Does the Data Come From?
Technical requirements
Understanding the data that's been collected
Windows-native tools
Data sources
Summary
5
Section 2: Understanding the Adversary
Section 2: Understanding the Adversary
6
Chapter 4: Mapping the Adversary
Chapter 4: Mapping the Adversary
Technical requirements
The ATT&CK Framework
Mapping with ATT&CK
Testing yourself
Summary
7
Chapter 5: Working with Data
Chapter 5: Working with Data
Technical requirements
Using data dictionaries
Using MITRE CAR
Using Sigma
Summary
8
Chapter 6: Emulating the Adversary
Chapter 6: Emulating the Adversary
Creating an adversary emulation plan
Test yourself
Summary
9
Section 3: Working with a Research Environment
Section 3: Working with a Research Environment
10
Chapter 7: Creating a Research Environment
Chapter 7: Creating a Research Environment
Technical requirements
Setting up a research environment
Installing VMware ESXI
Installing Windows Server
Configuring Windows Server as a domain controller
Setting up ELK
Configuring Winlogbeat
Bonus – adding Mordor datasets to our ELK instance
The HELK – an open source tool by Roberto Rodriguez
11
Chapter 8: How to Query the Data
Chapter 8: How to Query the Data
Technical requirements
Atomic hunting with Atomic Red Team
The Atomic Red Team testing cycle
Quasar RAT
Summary
12
Chapter 9: Hunting for the Adversary
Chapter 9: Hunting for the Adversary
Technical requirements
MITRE evaluations
Using MITRE CALDERA
Sigma rules
Summary
13
Chapter 10: Importance of Documenting and Automating the Process
Chapter 10: Importance of Documenting and Automating the Process
The importance of documentation
The Threat Hunter Playbook
The Jupyter Notebook
Updating the hunting process
The importance of automation
Summary
14
Section 4: Communicating to Succeed
Section 4: Communicating to Succeed
15
Chapter 11: Assessing Data Quality
Chapter 11: Assessing Data Quality
Technical requirements
Distinguishing good-quality data from bad-quality data
Improving data quality
Summary
16
Chapter 12: Understanding the Output
Chapter 12: Understanding the Output
Understanding the hunt results
The importance of choosing good analytics
Testing yourself
Summary
17
Chapter 13: Defining Good Metrics to Track Success
Chapter 13: Defining Good Metrics to Track Success
Technical requirements
The importance of defining good metrics
How to determine the success of a hunting program
Summary
18
Chapter 14: Engaging the Response Team and Communicating the Result to Executives
Chapter 14: Engaging the Response Team and Communicating the Result to Executives
Getting the incident response team involved
The impact of communication on the success of the threat hunting program
Testing yourself
Summary
19
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think
Appendix – The State of the Hunt
Appendix – The State of the Hunt

Summary

In this chapter, we learned how to carry out atomic tests and atomic hunts, thinking about the underlying processes that are going on in the operating system when preparing the search for traces of suspicious activity in our dataset. We also learned how to carry out our first queries using our Kibana instance. We then reviewed a few real-world scenarios where threat actors leverage publicly available tools to carry out their attacks. We deployed and executed one of those tools, Quasar RAT, in our environment and hunted for it in our research lab.

In the following chapter, we are going to execute and emulate an adversary following the last example of the APT29 MITRE ATT&CK Evaluations.

Previous Section
End of Chapter 11
Next Chapter