Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Practical Threat Intelligence and Data-Driven Threat Hunting
  • Table Of Contents Toc
Practical Threat Intelligence and Data-Driven Threat Hunting

Practical Threat Intelligence and Data-Driven Threat Hunting

By : Valentina Costa-Gazcón
4.5 (21)
Buy this Book
close
close
Practical Threat Intelligence and Data-Driven Threat Hunting

Practical Threat Intelligence and Data-Driven Threat Hunting

4.5 (21)
By: Valentina Costa-Gazcón
Buy this Book

Overview of this book

Threat hunting (TH) provides cybersecurity analysts and enterprises with the opportunity to proactively defend themselves by getting ahead of threats before they can cause major damage to their business. This book is not only an introduction for those who don’t know much about the cyber threat intelligence (CTI) and TH world, but also a guide for those with more advanced knowledge of other cybersecurity fields who are looking to implement a TH program from scratch. You will start by exploring what threat intelligence is and how it can be used to detect and prevent cyber threats. As you progress, you’ll learn how to collect data, along with understanding it by developing data models. The book will also show you how to set up an environment for TH using open source tools. Later, you will focus on how to plan a hunt with practical examples, before going on to explore the MITRE ATT&CK framework. By the end of this book, you’ll have the skills you need to be able to carry out effective hunts in your own environment.
Table of Contents (21 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Download the color images
Icon
Conventions used
Icon
Get in touch
Icon
Reviews
1
Section 1: Cyber Threat Intelligence
Icon
Section 1: Cyber Threat Intelligence
Lock Free Chapter
2
Chapter 1: What Is Cyber Threat Intelligence?
Icon
Chapter 1: What Is Cyber Threat Intelligence?
Icon
Cyber threat intelligence
Icon
The intelligence cycle
Icon
Defining your IR
Icon
The collection process
Icon
Processing and exploitation
Icon
Bias and analysis
Icon
Summary
3
Chapter 2: What Is Threat Hunting?
Icon
Chapter 2: What Is Threat Hunting?
Icon
Technical requirements
Icon
What is threat hunting?
Icon
The Threat Hunting Maturity Model
Icon
The threat hunting process
Icon
Building a hypothesis
Icon
Summary
4
Chapter 3: Where Does the Data Come From?
Icon
Chapter 3: Where Does the Data Come From?
Icon
Technical requirements
Icon
Understanding the data that's been collected
Icon
Windows-native tools
Icon
Data sources
Icon
Summary
5
Section 2: Understanding the Adversary
Icon
Section 2: Understanding the Adversary
6
Chapter 4: Mapping the Adversary
Icon
Chapter 4: Mapping the Adversary
Icon
Technical requirements
Icon
The ATT&CK Framework
Icon
Mapping with ATT&CK
Icon
Testing yourself
Icon
Summary
7
Chapter 5: Working with Data
Icon
Chapter 5: Working with Data
Icon
Technical requirements
Icon
Using data dictionaries
Icon
Using MITRE CAR
Icon
Using Sigma
Icon
Summary
8
Chapter 6: Emulating the Adversary
Icon
Chapter 6: Emulating the Adversary
Icon
Creating an adversary emulation plan
Icon
Test yourself
Icon
Summary
9
Section 3: Working with a Research Environment
Icon
Section 3: Working with a Research Environment
10
Chapter 7: Creating a Research Environment
Icon
Chapter 7: Creating a Research Environment
Icon
Technical requirements
Icon
Setting up a research environment
Icon
Installing VMware ESXI
Icon
Installing Windows Server
Icon
Configuring Windows Server as a domain controller
Icon
Setting up ELK
Icon
Configuring Winlogbeat
Icon
Bonus – adding Mordor datasets to our ELK instance
Icon
The HELK – an open source tool by Roberto Rodriguez
11
Chapter 8: How to Query the Data
Icon
Chapter 8: How to Query the Data
Icon
Technical requirements
Icon
Atomic hunting with Atomic Red Team
Icon
The Atomic Red Team testing cycle
Icon
Quasar RAT
Icon
Summary
12
Chapter 9: Hunting for the Adversary
Icon
Chapter 9: Hunting for the Adversary
Icon
Technical requirements
Icon
MITRE evaluations
Icon
Using MITRE CALDERA
Icon
Sigma rules
Icon
Summary
13
Chapter 10: Importance of Documenting and Automating the Process
Icon
Chapter 10: Importance of Documenting and Automating the Process
Icon
The importance of documentation
Icon
The Threat Hunter Playbook
Icon
The Jupyter Notebook
Icon
Updating the hunting process
Icon
The importance of automation
Icon
Summary
14
Section 4: Communicating to Succeed
Icon
Section 4: Communicating to Succeed
15
Chapter 11: Assessing Data Quality
Icon
Chapter 11: Assessing Data Quality
Icon
Technical requirements
Icon
Distinguishing good-quality data from bad-quality data
Icon
Improving data quality
Icon
Summary
16
Chapter 12: Understanding the Output
chevron up
Icon
Chapter 12: Understanding the Output
Icon
Understanding the hunt results
Icon
The importance of choosing good analytics
Icon
Testing yourself
Icon
Summary
17
Chapter 13: Defining Good Metrics to Track Success
Icon
Chapter 13: Defining Good Metrics to Track Success
Icon
Technical requirements
Icon
The importance of defining good metrics
Icon
How to determine the success of a hunting program
Icon
Summary
18
Chapter 14: Engaging the Response Team and Communicating the Result to Executives
Icon
Chapter 14: Engaging the Response Team and Communicating the Result to Executives
Icon
Getting the incident response team involved
Icon
The impact of communication on the success of the threat hunting program
Icon
Testing yourself
Icon
Summary
19
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Leave a review - let other readers know what you think
1
Appendix – The State of the Hunt
Icon
Appendix – The State of the Hunt

Understanding the hunt results

All the exercises done so far have had an inherent unfairness to their nature: they were all made in a lab environment. The differences between hunting in a lab environment versus hunting in production are notable. Probably, the number of devices in our lab is going to be much smaller than the number of devices available in production. The same will happen with the number of users and the "noise" they generate by user interaction with the system.

This means that when testing our detections over production, we will most likely have to refine our detection queries to reduce the number of hits we get as a result. Threat hunting is not about verifying false positive results (although you will encounter those too), but about finding the false negatives. In other words, we are not trying to verify that the detected events are not malicious but rather to build detections for malicious behaviors that have surpassed our organization's detection...

CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Practical Threat Intelligence and Data-Driven Threat Hunting
End of Section 16
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon