Book Image

Practical Threat Intelligence and Data-Driven Threat Hunting

By : Valentina Costa-Gazcón
Book Image

Practical Threat Intelligence and Data-Driven Threat Hunting

By: Valentina Costa-Gazcón

Overview of this book

Threat hunting (TH) provides cybersecurity analysts and enterprises with the opportunity to proactively defend themselves by getting ahead of threats before they can cause major damage to their business. This book is not only an introduction for those who don’t know much about the cyber threat intelligence (CTI) and TH world, but also a guide for those with more advanced knowledge of other cybersecurity fields who are looking to implement a TH program from scratch. You will start by exploring what threat intelligence is and how it can be used to detect and prevent cyber threats. As you progress, you’ll learn how to collect data, along with understanding it by developing data models. The book will also show you how to set up an environment for TH using open source tools. Later, you will focus on how to plan a hunt with practical examples, before going on to explore the MITRE ATT&CK framework. By the end of this book, you’ll have the skills you need to be able to carry out effective hunts in your own environment.
Table of Contents (21 chapters)
Section 1: Cyber Threat Intelligence
Section 2: Understanding the Adversary
Section 3: Working with a Research Environment
Section 4: Communicating to Succeed
Appendix – The State of the Hunt

Testing yourself

In this section, you are going to repeat the exercise we did previously, but you are going to complete it all by yourself. First, you are going to use a paragraph with the behavior you should identify highlighted by me. Then, you are going to repeat the exercise without any guided help.

To complete this exercise, you will need to have access to the ATT&CK website:


Look for keywords in the text such as persistence, execute, gather, and send that could help you identify the type of behavior the author is talking about. You can also use the ATT&CK web search box to find other keywords, such as DLL, Windows API, Registry Key, and so on.

Take a look at the ATT&CK Matrix to identify the corresponding tactics, techniques, and sub-techniques.

A formgrabber injects a DLL (Dynamic Link Library) into a browser and monitors for calls to the HttpSendRequest API within WININET.DLL in order to intercept the data before encryption...