Get to grips with cyber threat intelligence and data-driven threat hunting while exploring expert tips and techniques

Key Features

  • Set up an environment to centralize all data in an Elasticsearch, Logstash, and Kibana (ELK) server that enables threat hunting
  • Carry out atomic hunts to start the threat hunting process and understand the environment
  • Perform advanced hunting using MITRE ATT&CK Evals emulations and Mordor datasets

Book Description

Threat hunting (TH) provides cybersecurity analysts and enterprises with the opportunity to proactively defend themselves by getting ahead of threats before they can cause major damage to their business.

This book is not only an introduction for those who don't know much about the cyber threat intelligence (CTI) and TH world, but also a guide for those with more advanced knowledge of other cybersecurity fields who are looking to implement a TH program from scratch.

You will start by exploring what threat intelligence is and how it can be used to detect and prevent cyber threats. As you progress, you'll learn how to collect data, along with understanding it by developing data models. The book will also show you how to set up an environment for TH using open source tools. Later, you will focus on how to plan a hunt with practical examples, before going on to explore the MITRE ATT&CK framework.

By the end of this book, you'll have the skills you need to be able to carry out effective hunts in your own environment.

What you will learn

  • Understand what CTI is, its key concepts, and how it is useful for preventing threats and protecting your organization
  • Explore the different stages of the TH process
  • Model the data collected and understand how to document the findings
  • Simulate threat actor activity in a lab environment
  • Use the information collected to detect breaches and validate the results of your queries
  • Use documentation and strategies to communicate processes to senior management and the wider business

Who this book is for

If you are looking to start out in the cyber intelligence and threat hunting domains and want to know more about how to implement a threat hunting division with open-source tools, then this cyber threat intelligence book is for you.

Table of Contents

  1. Practical Threat Intelligence and Data-Driven Threat Hunting
  2. Why subscribe?
  3. Contributors
  4. About the author
  5. About the reviewers
  6. Packt is searching for authors like you
  7. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the color images
    5. Conventions used
    6. Get in touch
    7. Reviews
  8. Section 1: Cyber Threat Intelligence
  9. Chapter 1: What Is Cyber Threat Intelligence?
    1. Cyber threat intelligence
    2. Strategic level
    3. Operational level
    4. Tactical level
    5. The intelligence cycle
    6. Planning and targeting
    7. Preparation and collection
    8. Processing and exploitation
    9. Analysis and production
    10. Dissemination and integration
    11. Evaluation and feedback
    12. Defining your IR
    13. The collection process
    14. Indicators of compromise
    15. Understanding malware
    16. Using public sources for collection – OSINT
    17. Honeypots
    18. Malware analysis and sandboxing
    19. Processing and exploitation
    20. The Cyber Kill Chain®
    21. Bias and analysis
    22. Summary
  10. Chapter 2: What Is Threat Hunting?
    1. Technical requirements
    2. What is threat hunting?
    3. Types of threat hunts
    4. The threat hunter skill set
    5. The Pyramid of Pain
    6. The Threat Hunting Maturity Model
    7. Determining our maturity model
    8. The threat hunting process
    9. The Threat Hunting Loop
    10. Threat hunting model
    11. The data-driven methodology
    12. TaHiTI – Targeted Hunting Integrating Threat Intelligence
    13. Building a hypothesis
    14. Summary
  11. Chapter 3: Where Does the Data Come From?
    1. Technical requirements
    2. Understanding the data that's been collected
    3. Operating systems basics
    4. Networking basics
    5. Windows-native tools
    6. Windows Event Viewer
    7. Windows Management Instrumentation (WMI)
    8. Event Tracing for Windows (ETW)
    9. Data sources
    10. Endpoint data
    11. Network data
    12. Security data
    13. Summary
  12. Section 2: Understanding the Adversary
  13. Chapter 4: Mapping the Adversary
    1. Technical requirements
    2. The ATT&CK Framework
    3. Tactics, techniques, sub-techniques, and procedures
    4. The ATT&CK Matrix
    5. The ATT&CK Navigator
    6. Mapping with ATT&CK
    7. Testing yourself
    8. Answers
    9. Summary
  14. Chapter 5: Working with Data
    1. Technical requirements
    2. Using data dictionaries
    3. Open Source Security Events Metadata
    4. Using MITRE CAR
    5. CARET – The CAR Exploitation Tool
    6. Using Sigma
    7. Summary
  15. Chapter 6: Emulating the Adversary
    1. Creating an adversary emulation plan
    2. What is adversary emulation?
    3. MITRE ATT&CK emulation plan
    4. Atomic Red Team
    5. Mordor
    6. Caldera
    7. Other tools
    8. Test yourself
    9. Answers
    10. Summary
  16. Section 3: Working with a Research Environment
  17. Chapter 7: Creating a Research Environment
    1. Technical requirements
    2. Setting up a research environment
    3. Installing VMware ESXI
    4. Creating our VLAN
    5. Configuring the firewall
    6. Installing Windows Server
    7. Configuring Windows Server as a domain controller
    8. Understanding the structure of Active Directory
    9. Giving the server's domain controller a status
    10. Configuring the DHCP server
    11. Creating organizational units
    12. Creating users
    13. Creating groups
    14. Group Policy Objects
    15. Setting up our audit policy
    16. Adding new clients
    17. Setting up ELK
    18. Configuring Sysmon
    19. Retrieving the certificate
    20. Configuring Winlogbeat
    21. Looking for our data in the ELK instance
    22. Bonus – adding Mordor datasets to our ELK instance
    23. The HELK – an open source tool by Roberto Rodriguez
    24. Getting started with the HELK
  18. Chapter 8: How to Query the Data
    1. Technical requirements
    2. Atomic hunting with Atomic Red Team
    3. The Atomic Red Team testing cycle
    4. Testing for Initial Access
    5. Testing for Execution
    6. Testing for Persistence
    7. Testing for Privilege Escalation
    8. Testing for Defense Evasion
    9. Testing for Discovery
    10. Testing for Command and Control
    11. Invoke-AtomicRedTeam
    12. Quasar RAT
    13. Quasar RAT real-world use cases
    14. Executing and detecting Quasar RAT
    15. Testing for persistence
    16. Testing for credential access
    17. Testing for lateral movement
    18. Summary
  19. Chapter 9: Hunting for the Adversary
    1. Technical requirements
    2. MITRE evaluations
    3. Importing APT29 datasets into HELK
    4. Hunting for APT29
    5. Using MITRE CALDERA
    6. Setting up CALDERA
    7. Executing an emulation plan with CALDERA
    8. Sigma rules
    9. Summary
  20. Chapter 10: Importance of Documenting and Automating the Process
    1. The importance of documentation
    2. The key to writing good documentation
    3. Documenting your hunts
    4. The Threat Hunter Playbook
    5. The Jupyter Notebook
    6. Updating the hunting process
    7. The importance of automation
    8. Summary
  21. Section 4: Communicating to Succeed
  22. Chapter 11: Assessing Data Quality
    1. Technical requirements
    2. Distinguishing good-quality data from bad-quality data
    3. Data dimensions
    4. Improving data quality
    5. OSSEM Power-up
    6. DeTT&CT
    7. Sysmon-Modular
    8. Summary
  23. Chapter 12: Understanding the Output
    1. Understanding the hunt results
    2. The importance of choosing good analytics
    3. Testing yourself
    4. Answers
    5. Summary
  24. Chapter 13: Defining Good Metrics to Track Success
    1. Technical requirements
    2. The importance of defining good metrics
    3. How to determine the success of a hunting program
    4. Using MaGMa for Threat Hunting
    5. Summary
  25. Chapter 14: Engaging the Response Team and Communicating the Result to Executives
    1. Getting the incident response team involved
    2. The impact of communication on the success of the threat hunting program
    3. Testing yourself
    4. Answers
    5. Summary
  26. Appendix – The State of the Hunt
  27. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think