6

Developing Detections Using Indicators of Compromise

In this chapter, we will apply the detection engineering life cycle to investigate and develop detections in our lab. In Chapter 2, we identified four sub-steps in the Investigate phase and three sub-steps in the Develop phase, and we will follow them in the exercises in this chapter.

Investigate:

  1. Research context
  2. Data source identification
  3. Detection indicator types
  4. Establish validation criteria

Develop:

  1. Design
  2. Develop
  3. Unit test

At the beginning of the book, we introduced the Pyramid of Pain, which ranks indicator types by how easily the adversary can evade detections built on them. In addition to signifying that difficulty, the pyramid levels also (mostly) align ...
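To make the Develop sub-steps concrete before the exercises, the following is a minimal indicator-of-compromise detection walked through Design, Develop and Unit test. It is an added example, not code from the book or its lab: the indicator values (a placeholder hash, a TEST-NET-3 address, a reserved documentation domain), the event field names and the log events are all constructed for illustration. Each match is tagged with its Pyramid of Pain level so the analyst can see at a glance how cheap it would be for the adversary to evade it; the domain matcher also covers subdomains, and the unit test fixes the validation criteria (events that must fire, look-alikes that must not) before the rule is considered done.

```python
"""IoC detection through the Develop sub-steps: design, develop, unit test.

Added example. Indicator values, field names and events are constructed for
illustration; they are not from the book and not real IoCs.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# --- Design: indicator types we detect on and where they sit on the
# Pyramid of Pain (hashes are cheapest for the adversary to change).
PYRAMID_LEVEL = {
    "sha256": "hash values",
    "ipv4": "IP addresses",
    "domain": "domain names",
}

# Constructed indicator set: placeholder hash, TEST-NET-3 address,
# reserved documentation domain. None of these are real indicators.
INDICATORS = {
    "sha256": {"deadbeef" * 8},
    "ipv4": {"203.0.113.45"},
    "domain": {"bad.example.com"},
}

# Which event field carries which indicator type. Field names are an
# assumption modelled loosely on EDR/Sysmon telemetry, not a product schema.
FIELD_TYPES = {"sha256": "sha256", "dst_ip": "ipv4", "dns_query": "domain"}


@dataclass(frozen=True)
class Match:
    event_id: int
    field: str
    indicator: str
    pyramid_level: str


def normalize(ioc_type: str, value: str) -> str:
    """Canonicalise so trivial variations (case, FQDN trailing dot) do not evade."""
    value = value.strip().lower()
    if ioc_type == "domain":
        value = value.rstrip(".")
    return value


def domain_matches(observed: str, indicator: str) -> bool:
    """A domain indicator also covers its subdomains, but not look-alike suffixes."""
    return observed == indicator or observed.endswith("." + indicator)


def match_value(ioc_type: str, observed: str, indicators: dict) -> Optional[str]:
    """Return the matching indicator (normalised) or None."""
    observed = normalize(ioc_type, observed)
    for indicator in indicators.get(ioc_type, ()):
        indicator = normalize(ioc_type, indicator)
        if ioc_type == "domain":
            if domain_matches(observed, indicator):
                return indicator
        elif observed == indicator:
            return indicator
    return None


# --- Develop: the detection itself, run over a batch of events.
def run_detection(events: Iterable[dict], indicators: dict = INDICATORS) -> list:
    matches = []
    for event in events:
        for field, ioc_type in FIELD_TYPES.items():
            observed = event.get(field)
            if observed is None:
                continue
            hit = match_value(ioc_type, observed, indicators)
            if hit is not None:
                matches.append(Match(event["id"], field, hit, PYRAMID_LEVEL[ioc_type]))
    return matches


# --- Unit test: validation criteria fixed before the rule ships.
# Constructed events: 1-3 must fire, 4-5 are benign look-alikes that must not.
TEST_EVENTS = [
    {"id": 1, "sha256": "DEADBEEF" * 8, "dst_ip": "198.51.100.7"},  # upper-case hash
    {"id": 2, "dns_query": "c2.bad.example.com."},                   # subdomain, trailing dot
    {"id": 3, "dst_ip": "203.0.113.45", "dns_query": "update.example.net"},
    {"id": 4, "dns_query": "notbad.example.com"},                    # suffix look-alike
    {"id": 5, "sha256": "cafebabe" * 8, "dst_ip": "203.0.113.46"},   # near-miss IP
]
EXPECTED_TO_FIRE = {1, 2, 3}


def unit_test(indicators: dict = INDICATORS) -> dict:
    """Empty failure lists and passed=True mean the rule meets its criteria."""
    fired = {m.event_id for m in run_detection(TEST_EVENTS, indicators)}
    return {
        "missed_true_positives": sorted(EXPECTED_TO_FIRE - fired),
        "false_positives": sorted(fired - EXPECTED_TO_FIRE),
        "passed": fired == EXPECTED_TO_FIRE,
    }


if __name__ == "__main__":
    for m in run_detection(TEST_EVENTS):
        print(f"event {m.event_id}: {m.field}={m.indicator} ({m.pyramid_level})")
    print(unit_test())
```

Event 4 is the case worth noticing: `notbad.example.com` shares a suffix with the indicator but is not a subdomain of it, and the `"." + indicator` check in `domain_matches` is what keeps it from becoming a false positive. Swapping the hash in event 1 for any other value would evade the hash match entirely, which is exactly the bottom-of-pyramid weakness the text describes.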

Get Practical Threat Detection Engineering now with the O’Reilly learning platform.
