Practical Threat Detection Engineering

Book description

Go on a journey through the threat detection engineering lifecycle while enriching your skill set and protecting your organization

Key Features

  • Gain a comprehensive understanding of threat validation
  • Leverage open-source tools to test security detections
  • Harness open-source content to supplement detection and testing

Book Description

Threat validation is an indispensable component of every security detection program, ensuring a healthy detection pipeline. This comprehensive detection engineering guide will serve as an introduction for those who are new to detection validation, providing valuable guidelines to swiftly bring you up to speed.

The book will show you how to apply the supplied frameworks to assess, test, and validate your detection program. It covers the entire life cycle of a detection, from creation to validation, with the help of real-world examples. Featuring hands-on tutorials and projects, this guide will enable you to confidently validate the detections in your security program. This book serves as your guide to building a career in detection engineering, highlighting the essential skills and knowledge vital for detection engineers in today's landscape.

By the end of this book, you’ll have developed the skills necessary to test your security detection program and strengthen your organization’s security measures.

What you will learn

  • Understand the detection engineering process
  • Build a detection engineering test lab
  • Learn how to maintain detections as code
  • Understand how threat intelligence can be used to drive detection development
  • Prove the effectiveness of detection capabilities to business leadership
  • Learn how to limit attackers' ability to inflict damage by detecting any malicious activity early

Who this book is for

This book is for security analysts and engineers seeking to improve their organization’s security posture by mastering the detection engineering lifecycle. To get started with this book, you’ll need a basic understanding of cybersecurity concepts, along with some experience with detection and alert capabilities.

Table of contents

  1. Practical Threat Detection Engineering
  2. Contributors
  3. About the authors
  4. About the reviewers
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the example code files
    5. Download the color images
    6. Conventions used
    7. Get in touch
    8. Share Your Thoughts
    9. Download a free PDF copy of this book
  6. Part 1: Introduction to Detection Engineering
  7. Chapter 1: Fundamentals of Detection Engineering
    1. Foundational concepts
      1. The Unified Kill Chain
      2. The MITRE ATT&CK framework
      3. The Pyramid of Pain
      4. Types of cyberattacks
      5. The motivation for detection engineering
      6. Defining detection engineering
      7. Important distinctions
    2. The value of a detection engineering program
      1. The need for better detection
      2. The qualities of good detection
      3. The benefits of a detection engineering program
    3. A guide to using this book
      1. The book's structure
      2. Practical exercises
    4. Summary
  8. Chapter 2: The Detection Engineering Life Cycle
    1. Phase 1 – Requirements Discovery
      1. Characteristics of a complete detection requirement
      2. Detection requirement sources
    2. Exercise – understanding your organization’s detection requirement sources
    3. Phase 2 – Triage
      1. Threat severity
      2. Organizational alignment
      3. Detection coverage
      4. Active exploits
    4. Phase 3 – Investigate
      1. Identify the data source
      2. Determine detection indicator types
      3. Research
      4. Establish validation criteria
    5. Phase 4 – Develop
    6. Phase 5 – Test
      1. Types of test data
    7. Phase 6 – Deploy
    8. Summary
  9. Chapter 3: Building a Detection Engineering Test Lab
    1. Technical requirements
    2. The Elastic Stack
      1. Deploying the Elastic Stack with Docker
      2. Configuring the Elastic Stack
    3. Setting up Fleet Server
      1. Installing and configuring Fleet Server
      2. Additional configurations for Fleet Server
      3. Adding a host to the lab
      4. Elastic Agent policies
    4. Building your first detection
    5. Additional resources
    6. Summary
  10. Part 2: Detection Creation
  11. Chapter 4: Detection Data Sources
    1. Technical requirements
    2. Understanding data sources and telemetry
      1. Raw telemetry
      2. Security tooling
      3. MITRE ATT&CK data sources
      4. Identifying your data sources
    3. Looking at data source issues and challenges
      1. Completeness
      2. Quality
      3. Timeliness
      4. Coverage
      5. Exercise – understanding your data sources
    4. Adding data sources
      1. Lab – adding a web server data source
    5. Summary
    6. Further reading
  12. Chapter 5: Investigating Detection Requirements
    1. Revisiting the phases of detection requirements
    2. Discovering detection requirements
      1. Tools and processes
      2. Exercise – requirements discovery for your organization
    3. Triaging detection requirements
      1. Threat severity
      2. Organizational alignment
      3. Detection coverage
      4. Active exploits
      5. Calculating priority
    4. Investigating detection requirements
    5. Summary
  13. Chapter 6: Developing Detections Using Indicators of Compromise
    1. Technical requirements
    2. Leveraging indicators of compromise for detection
      1. Example scenario – identifying an IcedID campaign using indicators
    3. Scenario 1 lab
      1. Installing and configuring Sysmon as a data source
      2. Detecting hashes
      3. Detecting network-based indicators
      4. Lab summary
    4. Summary
    5. Further reading
  14. Chapter 7: Developing Detections Using Behavioral Indicators
    1. Technical requirements
    2. Detecting adversary tools
      1. Example scenario – PsExec usage
    3. Detecting tactics, techniques, and procedures (TTPs)
      1. Example scenario – mark of the web bypass technique
    4. Summary
  15. Chapter 8: Documentation and Detection Pipelines
    1. Documenting a detection
      1. Lab – documenting a detection
    2. Exploring the detection repository
      1. Detection-as-code
      2. Challenges creating a detection pipeline
      3. Lab – Publishing a rule using Elastic’s detection-rules project
    3. Summary
  16. Part 3: Detection Validation
  17. Chapter 9: Detection Validation
    1. Technical requirements
    2. Understanding the validation process
    3. Understanding purple team exercises
    4. Simulating adversary activity
      1. Atomic Red Team
      2. CALDERA
      3. Exercise – validating detections for a single technique using Atomic Red Team
      4. Exercise – validating detections for multiple techniques via CALDERA
    5. Using validation results
      1. Measuring detection coverage
    6. Summary
    7. Further reading
  18. Chapter 10: Leveraging Threat Intelligence
    1. Technical requirements
    2. Threat intelligence overview
      1. Open source intelligence
      2. Internal threat intelligence
      3. Gathering threat intelligence
    3. Threat intelligence in the detection engineering life cycle
      1. Requirements Discovery
      2. Triage
      3. Investigate
    4. Threat intelligence for detection engineering in practice
      1. Example – leveraging threat intel blog posts for detection engineering
      2. Example – leveraging VirusTotal for detection engineering
    5. Threat assessments
      1. Example – leveraging threat assessments for detection engineering
    6. Resources and further reading
      1. Threat intelligence sources and concepts
      2. Online scanners and sandboxes
      3. MITRE ATT&CK
    7. Summary
  19. Part 4: Metrics and Management
  20. Chapter 11: Performance Management
    1. Introduction to performance management
    2. Assessing the maturity of your detection program
    3. Measuring the efficiency of a detection engineering program
    4. Measuring the effectiveness of a detection engineering program
      1. Prioritizing detection efforts
      2. Precision, noisiness, and recall
    5. Calculating a detection’s efficacy
      1. Low-fidelity coverage metrics
      2. Automated validation
      3. High-fidelity coverage metrics
    6. Summary
    7. Further reading
  21. Part 5: Detection Engineering as a Career
  22. Chapter 12: Career Guidance for Detection Engineers
    1. Getting a job in detection engineering
      1. Job postings
      2. Developing skills
    2. Detection engineering as a job
      1. Detection engineering roles and responsibilities
    3. The future of detection engineering
      1. Attack surfaces
      2. Visibility
      3. Security device capabilities
      4. Machine learning
      5. Sharing of attack methodology
      6. The adversary
      7. The human
    4. Summary
  23. Index
    1. Why subscribe?
  24. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share Your Thoughts
    3. Download a free PDF copy of this book

Product information

  • Title: Practical Threat Detection Engineering
  • Author(s): Megan Roddie, Jason Deyalsingh, Gary J. Katz
  • Release date: July 2023
  • Publisher(s): Packt Publishing
  • ISBN: 9781801076715