Book Image

Practical Threat Intelligence and Data-Driven Threat Hunting

By : Valentina Costa-Gazcón
Book Image

Practical Threat Intelligence and Data-Driven Threat Hunting

By: Valentina Costa-Gazcón

Overview of this book

Threat hunting (TH) provides cybersecurity analysts and enterprises with the opportunity to proactively defend themselves by getting ahead of threats before they can cause major damage to their business. This book is not only an introduction for those who don’t know much about the cyber threat intelligence (CTI) and TH world, but also a guide for those with more advanced knowledge of other cybersecurity fields who are looking to implement a TH program from scratch. You will start by exploring what threat intelligence is and how it can be used to detect and prevent cyber threats. As you progress, you’ll learn how to collect data, along with understanding it by developing data models. The book will also show you how to set up an environment for TH using open source tools. Later, you will focus on how to plan a hunt with practical examples, before going on to explore the MITRE ATT&CK framework. By the end of this book, you’ll have the skills you need to be able to carry out effective hunts in your own environment.

Related Content you might be interested in

Current Title:

Small book image
Practical Threat Intelligence and Data-Driven Threat Hunting
Valentina Costa-Gazcón
Feb, 2021 | 398 pages
Small book image
Purple Team Strategies
Simon Thoores | David Routin | Samuel Rossier
Jun, 2022 | 450 pages
Small book image
Incident Response with Threat Intelligence
Roberto Martinez
Jun, 2022 | 468 pages
Small book image
Practical Threat Detection Engineering
Gary J Katz | Megan Roddie | Jason Deyalsingh
Jul, 2023 | 328 pages
Table of Contents (21 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
1
Section 1: Cyber Threat Intelligence
Section 1: Cyber Threat Intelligence
Free Chapter
2
Chapter 1: What Is Cyber Threat Intelligence?
Chapter 1: What Is Cyber Threat Intelligence?
Cyber threat intelligence
The intelligence cycle
Defining your IR
The collection process
Processing and exploitation
Bias and analysis
Summary
3
Chapter 2: What Is Threat Hunting?
Chapter 2: What Is Threat Hunting?
Technical requirements
What is threat hunting?
The Threat Hunting Maturity Model
The threat hunting process
Building a hypothesis
Summary
4
Chapter 3: Where Does the Data Come From?
Chapter 3: Where Does the Data Come From?
Technical requirements
Understanding the data that's been collected
Windows-native tools
Data sources
Summary
5
Section 2: Understanding the Adversary
Section 2: Understanding the Adversary
6
Chapter 4: Mapping the Adversary
Chapter 4: Mapping the Adversary
Technical requirements
The ATT&CK Framework
Mapping with ATT&CK
Testing yourself
Summary
7
Chapter 5: Working with Data
Chapter 5: Working with Data
Technical requirements
Using data dictionaries
Using MITRE CAR
Using Sigma
Summary
8
Chapter 6: Emulating the Adversary
Chapter 6: Emulating the Adversary
Creating an adversary emulation plan
Test yourself
Summary
9
Section 3: Working with a Research Environment
Section 3: Working with a Research Environment
10
Chapter 7: Creating a Research Environment
Chapter 7: Creating a Research Environment
Technical requirements
Setting up a research environment
Installing VMware ESXI
Installing Windows Server
Configuring Windows Server as a domain controller
Setting up ELK
Configuring Winlogbeat
Bonus – adding Mordor datasets to our ELK instance
The HELK – an open source tool by Roberto Rodriguez
11
Chapter 8: How to Query the Data
Chapter 8: How to Query the Data
Technical requirements
Atomic hunting with Atomic Red Team
The Atomic Red Team testing cycle
Quasar RAT
Summary
12
Chapter 9: Hunting for the Adversary
Chapter 9: Hunting for the Adversary
Technical requirements
MITRE evaluations
Using MITRE CALDERA
Sigma rules
Summary
13
Chapter 10: Importance of Documenting and Automating the Process
Chapter 10: Importance of Documenting and Automating the Process
The importance of documentation
The Threat Hunter Playbook
The Jupyter Notebook
Updating the hunting process
The importance of automation
Summary
14
Section 4: Communicating to Succeed
Section 4: Communicating to Succeed
15
Chapter 11: Assessing Data Quality
Chapter 11: Assessing Data Quality
Technical requirements
Distinguishing good-quality data from bad-quality data
Improving data quality
Summary
16
Chapter 12: Understanding the Output
Chapter 12: Understanding the Output
Understanding the hunt results
The importance of choosing good analytics
Testing yourself
Summary
17
Chapter 13: Defining Good Metrics to Track Success
Chapter 13: Defining Good Metrics to Track Success
Technical requirements
The importance of defining good metrics
How to determine the success of a hunting program
Summary
18
Chapter 14: Engaging the Response Team and Communicating the Result to Executives
Chapter 14: Engaging the Response Team and Communicating the Result to Executives
Getting the incident response team involved
The impact of communication on the success of the threat hunting program
Testing yourself
Summary
19
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think
Appendix – The State of the Hunt
Appendix – The State of the Hunt

The ATT&CK Framework

The ATT&CK Framework is a descriptive model used to label and study the activities that a threat actor is capable of carrying out in order to get a foothold and operate inside an enterprise environment, a cloud environment, smartphones, or even industrial control systems.

The magic behind the ATT&CK Framework is that it provides a common taxonomy for the cybersecurity community to describe adversary behaviors. It works as a common language that both offensive and defensive researchers can use to better understand each other and to better communicate with people not specialized in the field.

And on top of that, you can not only use it as you see fit, but you can also build on top of it, creating your own set of tactics, techniques, and procedures (TTPs). Later on, you can share them with the ATT&CK team by following their guidelines: https://attack.mitre.org/resources/contribute/.

Now, let's take a closer look at the framework by understanding...

Previous Section
End of Section 3
Next Section