Book Image

Practical Threat Intelligence and Data-Driven Threat Hunting

By : Valentina Costa-Gazcón
Book Image

Practical Threat Intelligence and Data-Driven Threat Hunting

By: Valentina Costa-Gazcón

Overview of this book

Threat hunting (TH) provides cybersecurity analysts and enterprises with the opportunity to proactively defend themselves by getting ahead of threats before they can cause major damage to their business. This book is not only an introduction for those who don’t know much about the cyber threat intelligence (CTI) and TH world, but also a guide for those with more advanced knowledge of other cybersecurity fields who are looking to implement a TH program from scratch. You will start by exploring what threat intelligence is and how it can be used to detect and prevent cyber threats. As you progress, you’ll learn how to collect data, along with understanding it by developing data models. The book will also show you how to set up an environment for TH using open source tools. Later, you will focus on how to plan a hunt with practical examples, before going on to explore the MITRE ATT&CK framework. By the end of this book, you’ll have the skills you need to be able to carry out effective hunts in your own environment.

Related Content you might be interested in

Current Title:

Small book image
Practical Threat Intelligence and Data-Driven Threat Hunting
Valentina Costa-Gazcón
Feb, 2021 | 398 pages
Small book image
Purple Team Strategies
Simon Thoores | David Routin | Samuel Rossier
Jun, 2022 | 450 pages
Small book image
Incident Response with Threat Intelligence
Roberto Martinez
Jun, 2022 | 468 pages
Small book image
Practical Threat Detection Engineering
Gary J Katz | Megan Roddie | Jason Deyalsingh
Jul, 2023 | 328 pages
Table of Contents (21 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
1
Section 1: Cyber Threat Intelligence
Section 1: Cyber Threat Intelligence
Free Chapter
2
Chapter 1: What Is Cyber Threat Intelligence?
Chapter 1: What Is Cyber Threat Intelligence?
Cyber threat intelligence
The intelligence cycle
Defining your IR
The collection process
Processing and exploitation
Bias and analysis
Summary
3
Chapter 2: What Is Threat Hunting?
Chapter 2: What Is Threat Hunting?
Technical requirements
What is threat hunting?
The Threat Hunting Maturity Model
The threat hunting process
Building a hypothesis
Summary
4
Chapter 3: Where Does the Data Come From?
Chapter 3: Where Does the Data Come From?
Technical requirements
Understanding the data that's been collected
Windows-native tools
Data sources
Summary
5
Section 2: Understanding the Adversary
Section 2: Understanding the Adversary
6
Chapter 4: Mapping the Adversary
Chapter 4: Mapping the Adversary
Technical requirements
The ATT&CK Framework
Mapping with ATT&CK
Testing yourself
Summary
7
Chapter 5: Working with Data
Chapter 5: Working with Data
Technical requirements
Using data dictionaries
Using MITRE CAR
Using Sigma
Summary
8
Chapter 6: Emulating the Adversary
Chapter 6: Emulating the Adversary
Creating an adversary emulation plan
Test yourself
Summary
9
Section 3: Working with a Research Environment
Section 3: Working with a Research Environment
10
Chapter 7: Creating a Research Environment
Chapter 7: Creating a Research Environment
Technical requirements
Setting up a research environment
Installing VMware ESXI
Installing Windows Server
Configuring Windows Server as a domain controller
Setting up ELK
Configuring Winlogbeat
Bonus – adding Mordor datasets to our ELK instance
The HELK – an open source tool by Roberto Rodriguez
11
Chapter 8: How to Query the Data
Chapter 8: How to Query the Data
Technical requirements
Atomic hunting with Atomic Red Team
The Atomic Red Team testing cycle
Quasar RAT
Summary
12
Chapter 9: Hunting for the Adversary
Chapter 9: Hunting for the Adversary
Technical requirements
MITRE evaluations
Using MITRE CALDERA
Sigma rules
Summary
13
Chapter 10: Importance of Documenting and Automating the Process
Chapter 10: Importance of Documenting and Automating the Process
The importance of documentation
The Threat Hunter Playbook
The Jupyter Notebook
Updating the hunting process
The importance of automation
Summary
14
Section 4: Communicating to Succeed
Section 4: Communicating to Succeed
15
Chapter 11: Assessing Data Quality
Chapter 11: Assessing Data Quality
Technical requirements
Distinguishing good-quality data from bad-quality data
Improving data quality
Summary
16
Chapter 12: Understanding the Output
Chapter 12: Understanding the Output
Understanding the hunt results
The importance of choosing good analytics
Testing yourself
Summary
17
Chapter 13: Defining Good Metrics to Track Success
Chapter 13: Defining Good Metrics to Track Success
Technical requirements
The importance of defining good metrics
How to determine the success of a hunting program
Summary
18
Chapter 14: Engaging the Response Team and Communicating the Result to Executives
Chapter 14: Engaging the Response Team and Communicating the Result to Executives
Getting the incident response team involved
The impact of communication on the success of the threat hunting program
Testing yourself
Summary
19
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think
Appendix – The State of the Hunt
Appendix – The State of the Hunt

Bias and analysis

Once all the necessary information has been processed, it is time to make sense of it; that is, search for the security issues and deliver this intelligence to the different strategic levels meeting the IR that were identified during the planning step.

A lot has been written about how intelligence analysis should be done, especially in excellent books such as Structured Analytic Techniques for Intelligence Analysis (Heuer and Pherson, 2014), Critical Thinking for Strategic Intelligence (Pherson and Pherson, 2016), and Psychology of Intelligence Analysis (Heuer, 1999), among many others. These books employ many metaphors to describe the process of intelligence analysis.

My personal favorite is the one that compares the art of intelligence analysis with the art of mosaics: intelligence analysis is like trying to put the pieces of a mosaic together in which the pattern is not clear and the pieces continue to change in size, shape, and color.

One thing that an intelligence analyst cannot forget is that part of the practice is to challenge their own preconceptions and prejudices ceaselessly. Avoid confirmation bias, not to merely transmit the collected data, but to not fall for mirror imaging, clientelism, layering, and linear thinking. You should never influence the analysis so that it suits your needs or views. There are many techniques that can be used to mitigate analyst bias.

Some common traits are used to define a good intelligence analyst: he or she must have specific knowledge in more than one field; he or she must have a good spoken and written expression; and, most important of all, he or she must have the ability to synthesize the background of a situation almost intuitively.

In conclusion, we can close this chapter with the asseveration that in order to generate effective and relevant intelligence, there has to be a continuous intelligence process in place, with information from both internal and external sources being continually collected, processed, and analyzed.

This analysis must be tackled from different angles and by people with different perspectives and backgrounds in order to minimize the risk of falling into our own cognitive biases.

In addition, establishing good mechanisms for both disseminating quality and relevant intelligence reports, as well as getting feedback from the recipients, is key to enriching and improving this process.

Previous Section
End of Section 7
Next Section