Book Image

Practical Threat Intelligence and Data-Driven Threat Hunting

By : Valentina Costa-Gazcón
Book Image

Practical Threat Intelligence and Data-Driven Threat Hunting

By: Valentina Costa-Gazcón

Overview of this book

Threat hunting (TH) provides cybersecurity analysts and enterprises with the opportunity to proactively defend themselves by getting ahead of threats before they can cause major damage to their business. This book is not only an introduction for those who don’t know much about the cyber threat intelligence (CTI) and TH world, but also a guide for those with more advanced knowledge of other cybersecurity fields who are looking to implement a TH program from scratch. You will start by exploring what threat intelligence is and how it can be used to detect and prevent cyber threats. As you progress, you’ll learn how to collect data, along with understanding it by developing data models. The book will also show you how to set up an environment for TH using open source tools. Later, you will focus on how to plan a hunt with practical examples, before going on to explore the MITRE ATT&CK framework. By the end of this book, you’ll have the skills you need to be able to carry out effective hunts in your own environment.
Table of Contents (21 chapters)
Section 1: Cyber Threat Intelligence
Section 2: Understanding the Adversary
Section 3: Working with a Research Environment
Section 4: Communicating to Succeed
Appendix – The State of the Hunt

The importance of automation

When talking about threat hunting, keep in mind that it cannot be fully automated. Threat hunting is a hugely creative process that requires a deep understanding of the environment and how the adversaries operate. Part of the hunter's goals is to come up with detections that can be automated, but the discipline itself is a combination of human intelligence, processes, technology, and automation itself. The hunter needs to find what the machine can't, but they don't have to repeat the same hunts over and over. That's where automation and big data processes play a crucial part.

The hardest part about threat hunting is that you can never be sure whether you have succeeded; that is, unless you go deep enough into the threat hunting rabbit hole as to prove that there actually isn't any malicious activity in your organization's environment, if you have proved that there are no false negatives. The only thing you can do is minimize...