book

Practical Threat Detection Engineering

Name: Practical Threat Detection Engineering
ISBN: 9781801076715

by Megan Roddie, Jason Deyalsingh, Gary J. Katz

July 2023

Intermediate to advanced

328 pages

9h 10m

English

Packt Publishing

Read now

Unlock full access

Practical Threat Detection Engineering
ContributorsAbout the authorsAbout the reviewers
Preface
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesDownload the color imagesConventions usedGet in touchShare Your ThoughtsDownload a free PDF copy of this book
Part 1: Introduction to Detection Engineering
Chapter 1: Fundamentals of Detection Engineering
Foundational conceptsThe Unified Kill ChainThe MITRE ATT&CK frameworkThe Pyramid of PainTypes of cyberattacksThe motivation for detection engineeringDefining detection engineeringImportant distinctionsThe value of a detection engineering programThe need for better detectionThe qualities of good detectionThe benefits of a detection engineering programA guide to using this bookThe book's structurePractical exercisesSummary
Chapter 2: The Detection Engineering Life Cycle
Phase 1 – Requirements DiscoveryCharacteristics of a complete detection requirementDetection requirement sourcesExercise – understanding your organization’s detection requirement sourcesPhase 2 – TriageThreat severityOrganizational alignmentDetection coverageActive exploitsPhase 3 – InvestigateIdentify the data sourceDetermine detection indicator typesResearchEstablish validation criteriaPhase 4 – DevelopPhase 5 – TestTypes of test dataPhase 6 – DeploySummary
Chapter 3: Building a Detection Engineering Test Lab
Technical requirementsThe Elastic StackDeploying the Elastic Stack with DockerConfiguring the Elastic StackSetting up Fleet ServerInstalling and configuring Fleet ServerAdditional configurations for Fleet ServerAdding a host to the labElastic Agent policiesBuilding your first detectionAdditional resourcesSummary
Part 2: Detection Creation
Chapter 4: Detection Data Sources
Technical requirementsUnderstanding data sources and telemetryRaw telemetrySecurity toolingMITRE ATT&CK data sourcesIdentifying your data sourcesLooking at data source issues and challengesCompletenessQualityTimelinessCoverageExercise – understanding your data sourcesAdding data sourcesLab – adding a web server data sourceSummaryFurther reading
Chapter 5: Investigating Detection Requirements
Revisiting the phases of detection requirementsDiscovering detection requirementsTools and processesExercise – requirements discovery for your organizationTriaging detection requirementsThreat severityOrganizational alignmentDetection coverageActive exploitsCalculating priorityInvestigating detection requirementsSummary
Chapter 6: Developing Detections Using Indicators of Compromise
Technical requirementsLeveraging indicators of compromise for detectionExample scenario – identifying an IcedID campaign using indicatorsScenario 1 labInstalling and configuring Sysmon as a data sourceDetecting hashesDetecting network-based indicatorsLab summarySummaryFurther reading

Chapter 7: Developing Detections Using Behavioral Indicators
Technical requirementsDetecting adversary toolsExample scenario – PsExec usageDetecting tactice, techniques, and procedures (TTPs)Example scenario – mark of the web bypass techniqueSummary
Chapter 8: Documentation and Detection Pipelines
Documenting a detectionLab – documenting a detectionExploring the detection repositoryDetection-as-codeChallenges creating a detection pipelineLab – Publishing a rule using Elastic’s detection-rules projectSummary
Part 3: Detection Validation
Chapter 9: Detection Validation
Technical requirementsUnderstanding the validation processUnderstanding purple team exercisesSimulating adversary activityAtomic Red TeamCALDERAExercise – validating detections for a single technique using Atomic Red TeamExercise – validating detections for multiple techniques via CALDERAUsing validation resultsMeasuring detection coverageSummaryFurther reading
Chapter 10: Leveraging Threat Intelligence
Technical requirementsThreat intelligence overviewOpen source intelligenceInternal threat intelligenceGathering threat intelligenceThreat intelligence in the detection engineering life cycleRequirements DiscoveryTriageInvestigateThreat intelligence for detection engineering in practiceExample – leveraging threat intel blog posts for detection engineeringExample – leveraging VirusTotal for detection engineeringThreat assessmentsExample – leveraging threat assessments for detection engineeringResources and further readingThreat intelligence sources and conceptsOnline scanners and sandboxesMITRE ATT&CKSummary
Part 4: Metrics and Management
Chapter 11: Performance Management
Introduction to performance managementAssessing the maturity of your detection programMeasuring the efficiency of a detection engineering programMeasuring the effectiveness of a detection engineering programPrioritizing detection effortsPrecision, noisiness, and recallCalculating a detection’s efficacyLow-fidelity coverage metricsAutomated validationHigh-fidelity coverage metricsSummaryFurther reading
Part 5: Detection Engineering as a Career
Chapter 12: Career Guidance for Detection Engineers
Getting a job in detection engineeringJob postingsDeveloping skillsDetection engineering as a jobDetection engineering roles and responsibilitiesThe future of detection engineeringAttack surfacesVisibilitySecurity device capabilitiesMachine learningSharing of attack methodologyThe adversaryThe humanSummary
Index
Why subscribe?
Other Books You May EnjoyPackt is searching for authors like youShare Your ThoughtsDownload a free PDF copy of this book

Overview

In "Practical Threat Detection Engineering," you will master the essentials of detection engineering from planning and development to validation. By following hands-on labs and practical examples, you will be able to design and test high-quality detections suited for real-world threats, enhancing your professional skills and organizational security posture.

What this Book will help me do

Plan and build detection engineering pipelines tailored to specific security objectives.
Utilize comprehensive hands-on labs to develop, test, and deploy high-fidelity detections.
Integrate various data sources effectively to enhance security monitoring and threat detection.
Apply frameworks such as MITRE ATT&CK to identify and understand threats systematically.
Develop a deep understanding of detection validation strategies for continuous improvement.

Author(s)

Megan Roddie, Jason Deyalsingh, and Gary J. Katz are seasoned cybersecurity professionals with extensive experience in detection engineering and SOC operations. They are passionate educators who have delivered training and workshops to both new and experienced professionals. Bringing real-world expertise and a clear teaching style, they aim to empower the next generation of security leaders.

Who is it for?

This book is perfect for SOC analysts, threat hunters, and security engineers who are looking to advance their skills in detection engineering. It is also suited for cybersecurity professionals eager to understand the detection lifecycle and improve detection capabilities. Whether you're just starting out or have intermediate experience, this book provides actionable insights and tools to succeed in today's cyber threat landscape.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Practical Threat Intelligence and Data-Driven Threat Hunting - Second Edition

Publisher Resources

ISBN: 9781801076715

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills