Incident Response with Threat Intelligence

Incident Response with Threat Intelligence

by Roberto Martínez
Released June 2022
Publisher(s): Packt Publishing
ISBN: 9781801072953

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Learn everything you need to know to respond to advanced cybersecurity incidents through threat hunting using threat intelligence

Key Features

  • Understand best practices for detecting, containing, and recovering from modern cyber threats
  • Get practical experience embracing incident response using intelligence-based threat hunting techniques
  • Implement and orchestrate different incident response, monitoring, intelligence, and investigation platforms

Book Description

With constantly evolving cyber threats, developing a cybersecurity incident response capability to identify and contain threats is indispensable for any organization regardless of its size. This book covers theoretical concepts and a variety of real-life scenarios that will help you to apply these concepts within your organization.

Starting with the basics of incident response, the book introduces you to professional practices and advanced concepts for integrating threat hunting and threat intelligence procedures in the identification, contention, and eradication stages of the incident response cycle. As you progress through the chapters, you'll cover the different aspects of developing an incident response program. You'll learn the implementation and use of platforms such as TheHive and ELK and tools for evidence collection such as Velociraptor and KAPE before getting to grips with the integration of frameworks such as Cyber Kill Chain and MITRE ATT&CK for analysis and investigation. You'll also explore methodologies and tools for cyber threat hunting with Sigma and YARA rules.

By the end of this book, you'll have learned everything you need to respond to cybersecurity incidents using threat intelligence.

What you will learn

  • Explore the fundamentals of incident response and incident management
  • Find out how to develop incident response capabilities
  • Understand the development of incident response plans and playbooks
  • Align incident response procedures with business continuity
  • Identify incident response requirements and orchestrate people, processes, and technologies
  • Discover methodologies and tools to integrate cyber threat intelligence and threat hunting into incident response

Who this book is for

If you are an information security professional or anyone who wants to learn the principles of incident management, first response, threat hunting, and threat intelligence using a variety of platforms and tools, this book is for you. Although not necessary, basic knowledge of Linux, Windows internals, and network protocols will be helpful.

Table of contents

  1. Incident Response with Threat Intelligence
  2. Contributors
  3. About the author
  4. About the reviewer
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the example code files
    5. Conventions used
    6. Get in touch
    7. Share Your Thoughts
  6. Section 1: The Fundamentals of Incident Response
  7. Chapter 1: Threat Landscape and Cybersecurity Incidents
    1. Knowing the threat landscape
      1. Is COVID-19 also a cyber-pandemic?
      2. Supply chain attacks
    2. Understanding the motivation behind cyber attacks
      1. The ransomware that was not
      2. Trick-or-treat
      3. Nothing is what it seems
    3. Emerging and future cyber threats
      1. Cyber attacks targeting IOT devices
      2. Autonomous vehicles
      3. Drones
      4. Electronic voting machines
      5. Cyber attacks on robots
      6. The challenge of new technologies for DFIR professionals
    4. Summary
    5. Further reading
  8. Chapter 2: Concepts of Digital Forensics and Incident Response
    1. Concepts of digital forensics and incident response (DFIR)
      1. Digital forensics
      2. What is incident response?
      3. Difference between events and incidents
    2. Digital evidence and forensics artifacts
      1. Looking for artifacts and IoCs
      2. IoCs versus IoAs
    3. Incident response standards and frameworks
      1. NIST Computer Security Incident Handling Guide
      2. SANS incident response process
      3. NIST Guide to Integrating Forensic Techniques into Incident Response
    4. Defining an incident response posture
    5. Summary
    6. Further reading
  9. Chapter 3: Basics of the Incident Response and Triage Procedures
    1. Technical requirements
    2. Principles of first response
      1. First response guidelines
    3. Triage – concept and procedures
    4. First response procedures in different scenarios
    5. First response toolkit
      1. Forensic image acquisition tools
      2. Artifact collectors
    6. Summary
    7. Further reading
  10. Chapter 4: Applying First Response Procedures
    1. Technical requirements
    2. Case study – a data breach incident
      1. Analyzing the cybersecurity incident
      2. Selecting the best strategy
      3. Next steps
    3. Following first-response procedures
      1. Memory acquisition
      2. Memory capture and artifacts acquisition using KAPE
      3. Disk drive acquisition procedures
      4. Hard drive acquisition using a hardware duplicator
    4. Summary
    5. Further reading
  11. Section 2: Getting to Know the Adversaries
  12. Chapter 5: Identifying and Profiling Threat Actors
    1. Technical requirements
    2. Exploring the different types of threat actors
      1. Hacktivists
      2. Script kiddies
      3. Insiders
      4. Cybercriminals
      5. Ransomware gangs
      6. Advanced Persistent Threats (APT) groups
      7. Cyber-mercenaries
    3. Researching adversaries and threat actors
      1. STIX and TAXII standards
      2. Working with STIX objects
    4. Creating threat actor and campaign profiles
      1. Creating threat actors' profiles using Visual Studio Code
    5. Summary
    6. Further reading
  13. Chapter 6: Understanding the Cyber Kill Chain and the MITRE ATT&CK Framework
    1. Technical requirements
    2. Introducing the Cyber Kill Chain framework
    3. Understanding the MITRE ATT&CK framework
      1. Use cases for ATT&CK
      2. Using the ATT&CK Navigator
    4. Discovering and containing malicious behaviors
    5. Summary
    6. Further reading
  14. Chapter 7: Using Cyber Threat Intelligence in Incident Response
    1. Technical requirements
      1. Configuring the lab environment
    2. The Diamond Model of Intrusion Analysis
    3. Mapping ATT&CK TTPs from CTI reports
      1. Case study – a weaponized document
      2. Responding to the incident
      3. Using TRAM to map ATT&CK TTPs
      4. Using Visual Studio Code to research ATT&CK techniques and create reports
    4. Integrating CTI into IR reports
    5. Summary
    6. Further reading
  15. Section 3: Designing and Implementing Incident Response in Organizations
  16. Chapter 8: Building an Incident Response Capability
    1. Technical requirements
    2. Taking a proactive approach to incident response
      1. The incident response hierarchy of needs
      2. Developing organizational incident response capabilities
      3. Identifying business requirements to create an incident response program
      4. Evaluating the incident response maturity level
    3. Building an incident response program
      1. Incident response procedures and guidelines
      2. Integrating people, processes, and technology into the incident response process
      3. People
      4. Process
      5. Technology
    4. Aligning the incident response plan, the business continuity plan, and the disaster recovery plan
      1. Incident response plans
      2. Business continuity plan
      3. Disaster recovery plans
    5. Summary
    6. Further reading
  17. Chapter 9: Creating Incident Response Plans and Playbooks
    1. Technical requirements
    2. Creating IRPs
    3. Creating IR playbooks
      1. Incident Playbook
      2. Public Playbooks
      3. Scenario – An ounce of prevention is worth a pound of cure
    4. Testing IRPs and playbooks
      1. Simulation of attacks to measure response programs
    5. Summary
    6. Further reading
  18. Chapter 10: Implementing an Incident Management System
    1. Technical requirements
    2. Understanding the TheHive architecture
    3. Setting up TheHive and creating cases
    4. Creating and managing cases
      1. Adding and assigning tasks
      2. Documenting MITRE ATT&CK TTPs in TheHive
    5. Integrating intelligence with Cortex
      1. Configuring the analyzers
    6. Summary
    7. Further reading 
  19. Chapter 11: Integrating SOAR Capabilities into Incident Response
    1. Technical requirements
    2. Understanding the principles and capabilities of SOAR
      1. Benefits of SOAR-based IR 
      2. Implementing a SOAR model 
    3. A SOAR use case – identifying malicious communications
      1. Preparing for the detection lab
      2. Security orchestration between TheHive and Velociraptor using n8n 
      3. Configuring the connection permissions for the client collection tools
      4. Client collection tools
    4. Escalating incidents from detection
      1. Emulating suspicious behavior
      2. Escalating an alert
    5. Automating the IR and investigation processes
      1. Emulating the attack
      2. Creating a hashes database
      3. Setting TheHive parameters in Velociraptor 
      4. Creating workflows using n8n 
    6. Summary
    7. Further reading
  20. Section 4: Improving Threat Detection in Incident Response
  21. Chapter 12: Working with Analytics and Detection Engineering in Incident Response
    1. Technical requirements
    2. Configuring the detection lab
      1. Implementing a threat hunting platform
      2. Installing ELK
    3. Identifying and containing threats
      1. Hunting for threats in incident response
    4. Implementing principles of detection engineering in incident response
    5. Using MITRE CAR, Invoke-AtomicRedTeam, and testing analytics
      1. MITRE CAR
      2. Installing Invoke-AtomicRedTeam
      3. Testing detections and hunting
    6. Summary
  22. Chapter 13: Creating and Deploying Detection Rules
    1. Technical requirements
      1. Configuring the detection lab
    2. Introduction to detection rules
    3. Detecting malicious files using YARA rules
      1. Structure of a YARA rule
      2. Creating YARA rules
    4. Analyzing and identifying patterns in files
      1. Downloading PeStudio
      2. Using PeStudio
    5. Detecting potential threats using YARA rules
      1. Testing the YARA rule
      2. Modifying a YARA rule to improve detection
    6. Detecting malicious behavior using Sigma rules
      1. Cloning the repository
      2. Creating Sigma rules
      3. Creating or analyzing detection engineering
      4. Converting Sigma rules
      5. Using additional tools that use rules to scan for threats
    7. Summary
    8. Further reading  
  23. Chapter 14: 
Hunting and Investigating Security Incidents
    1. Technical requirements
    2. Responding to a data breach incident 
      1. Analyzing the cybersecurity incident 
      2. Selecting the best strategy
      3. Preparing for the lab
      4. Copying and importing evidence files
      5. Starting the investigation
    3. Opening a new IR case
    4. Investigating the security incident
      1. Using Sigma rules to find a user creation event
      2. Searching by the activity of devices involved
    5. Summary
    6. Why subscribe?
  24. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share Your Thoughts

Product information

  • Title: Incident Response with Threat Intelligence
  • Author(s): Roberto Martínez
  • Release date: June 2022
  • Publisher(s): Packt Publishing
  • ISBN: 9781801072953