Practical Threat Intelligence and Data-Driven Threat Hunting

Book description

Get to grips with cyber threat intelligence and data-driven threat hunting while exploring expert tips and techniques

Key Features

  • Set up an environment to centralize all data in an Elasticsearch, Logstash, and Kibana (ELK) server that enables threat hunting
  • Carry out atomic hunts to start the threat hunting process and understand the environment
  • Perform advanced hunting using MITRE ATT&CK Evals emulations and Mordor datasets

Book Description

Threat hunting (TH) provides cybersecurity analysts and enterprises with the opportunity to proactively defend themselves by getting ahead of threats before they can cause major damage to their business.

This book is not only an introduction for those who don't know much about the cyber threat intelligence (CTI) and TH world, but also a guide for those with more advanced knowledge of other cybersecurity fields who are looking to implement a TH program from scratch.

You will start by exploring what threat intelligence is and how it can be used to detect and prevent cyber threats. As you progress, you'll learn how to collect data, along with understanding it by developing data models. The book will also show you how to set up an environment for TH using open source tools. Later, you will focus on how to plan a hunt with practical examples, before going on to explore the MITRE ATT&CK framework.

By the end of this book, you'll have the skills you need to be able to carry out effective hunts in your own environment.

What you will learn

  • Understand what CTI is, its key concepts, and how it is useful for preventing threats and protecting your organization
  • Explore the different stages of the TH process
  • Model the data collected and understand how to document the findings
  • Simulate threat actor activity in a lab environment
  • Use the information collected to detect breaches and validate the results of your queries
  • Use documentation and strategies to communicate processes to senior management and the wider business

Who this book is for

If you are looking to start out in the cyber intelligence and threat hunting domains and want to know more about how to implement a threat hunting division with open-source tools, then this cyber threat intelligence book is for you.

Table of contents

  1. Practical Threat Intelligence and Data-Driven Threat Hunting
  2. Why subscribe?
  3. Contributors
  4. About the author
  5. About the reviewers
  6. Packt is searching for authors like you
  7. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the color images
    5. Conventions used
    6. Get in touch
    7. Reviews
  8. Section 1: Cyber Threat Intelligence
  9. Chapter 1: What Is Cyber Threat Intelligence?
    1. Cyber threat intelligence
      1. Strategic level
      2. Operational level
      3. Tactical level
    2. The intelligence cycle
      1. Planning and targeting
      2. Preparation and collection
      3. Processing and exploitation
      4. Analysis and production
      5. Dissemination and integration
      6. Evaluation and feedback
    3. Defining your IR
    4. The collection process
      1. Indicators of compromise
      2. Understanding malware
      3. Using public sources for collection – OSINT
      4. Honeypots
      5. Malware analysis and sandboxing
    5. Processing and exploitation
      1. The Cyber Kill Chain®
    6. Bias and analysis
    7. Summary
  10. Chapter 2: What Is Threat Hunting?
    1. Technical requirements
    2. What is threat hunting?
      1. Types of threat hunts
      2. The threat hunter skill set
      3. The Pyramid of Pain
    3. The Threat Hunting Maturity Model
      1. Determining our maturity model
    4. The threat hunting process
      1. The Threat Hunting Loop
      2. Threat hunting model
      3. The data-driven methodology
      4. TaHiTI – Targeted Hunting Integrating Threat Intelligence
    5. Building a hypothesis
    6. Summary
  11. Chapter 3: Where Does the Data Come From?
    1. Technical requirements
    2. Understanding the data that's been collected
      1. Operating systems basics
      2. Networking basics
    3. Windows-native tools
      1. Windows Event Viewer
      2. Windows Management Instrumentation (WMI)
      3. Event Tracing for Windows (ETW)
    4. Data sources
      1. Endpoint data
      2. Network data
      3. Security data
    5. Summary
  12. Section 2: Understanding the Adversary
  13. Chapter 4: Mapping the Adversary
    1. Technical requirements
    2. The ATT&CK Framework
      1. Tactics, techniques, sub-techniques, and procedures
      2. The ATT&CK Matrix
      3. The ATT&CK Navigator
    3. Mapping with ATT&CK
    4. Testing yourself
      1. Answers
    5. Summary
  14. Chapter 5: Working with Data
    1. Technical requirements
    2. Using data dictionaries
      1. Open Source Security Events Metadata
    3. Using MITRE CAR
      1. CARET – The CAR Exploitation Tool
    4. Using Sigma
    5. Summary
  15. Chapter 6: Emulating the Adversary
    1. Creating an adversary emulation plan
      1. What is adversary emulation?
      2. MITRE ATT&CK emulation plan
      3. Atomic Red Team
      4. Mordor
      5. Caldera
      6. Other tools
    2. Test yourself
      1. Answers
    3. Summary
  16. Section 3: Working with a Research Environment
  17. Chapter 7: Creating a Research Environment
    1. Technical requirements
    2. Setting up a research environment
    3. Installing VMware ESXI
      1. Creating our VLAN
      2. Configuring the firewall
    4. Installing Windows Server
    5. Configuring Windows Server as a domain controller
      1. Understanding the structure of Active Directory
      2. Giving the server's domain controller a status
      3. Configuring the DHCP server
      4. Creating organizational units
      5. Creating users
      6. Creating groups
      7. Group Policy Objects
      8. Setting up our audit policy
      9. Adding new clients
    6. Setting up ELK
      1. Configuring Sysmon
      2. Retrieving the certificate
    7. Configuring Winlogbeat
      1. Looking for our data in the ELK instance
    8. Bonus – adding Mordor datasets to our ELK instance
    9. The HELK – an open source tool by Roberto Rodriguez
      1. Getting started with the HELK
  18. Chapter 8: How to Query the Data
    1. Technical requirements
    2. Atomic hunting with Atomic Red Team
    3. The Atomic Red Team testing cycle
      1. Testing for Initial Access
      2. Testing for Execution
      3. Testing for Persistence
      4. Testing for Privilege Escalation
      5. Testing for Defense Evasion
      6. Testing for Discovery
      7. Testing for Command and Control
      8. Invoke-AtomicRedTeam
    4. Quasar RAT
      1. Quasar RAT real-world use cases
      2. Executing and detecting Quasar RAT
      3. Testing for persistence
      4. Testing for credential access
      5. Testing for lateral movement
    5. Summary
  19. Chapter 9: Hunting for the Adversary
    1. Technical requirements
    2. MITRE evaluations
      1. Importing APT29 datasets into HELK
      2. Hunting for APT29
    3. Using MITRE CALDERA
      1. Setting up CALDERA
      2. Executing an emulation plan with CALDERA
    4. Sigma rules
    5. Summary
  20. Chapter 10: Importance of Documenting and Automating the Process
    1. The importance of documentation
      1. The key to writing good documentation
      2. Documenting your hunts
    2. The Threat Hunter Playbook
    3. The Jupyter Notebook
    4. Updating the hunting process
    5. The importance of automation
    6. Summary
  21. Section 4: Communicating to Succeed
  22. Chapter 11: Assessing Data Quality
    1. Technical requirements
    2. Distinguishing good-quality data from bad-quality data
      1. Data dimensions
    3. Improving data quality
      1. OSSEM Power-up
      2. DeTT&CT
      3. Sysmon-Modular
    4. Summary
  23. Chapter 12: Understanding the Output
    1. Understanding the hunt results
    2. The importance of choosing good analytics
    3. Testing yourself
      1. Answers
    4. Summary
  24. Chapter 13: Defining Good Metrics to Track Success
    1. Technical requirements
    2. The importance of defining good metrics
    3. How to determine the success of a hunting program
      1. Using MaGMa for Threat Hunting
    4. Summary
  25. Chapter 14: Engaging the Response Team and Communicating the Result to Executives
    1. Getting the incident response team involved
    2. The impact of communication on the success of the threat hunting program
    3. Testing yourself
      1. Answers
    4. Summary
  26. Appendix – The State of the Hunt
  27. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: Practical Threat Intelligence and Data-Driven Threat Hunting
  • Author(s): Valentina Costa-Gazcón
  • Release date: February 2021
  • Publisher(s): Packt Publishing
  • ISBN: 9781838556372