Threat Hunting

Book description

Beyond incident response and threat intelligence operations, threat hunting can provide an extra layer of defense for your company’s network. In many organizations, security analysts initiate threat hunting when they spot something weird—network conditions or activity not easily explained—in an effort to catch subtle, more deeply embedded attackers. With this practical ebook, you’ll explore how this method works and learn how to stage an effective threat hunting program and evaluate the results.

Author Michael Collins, chief scientist for the network security and data analysis company RedJack in Washington, DC, explains why threat hunting is an ideal support for your existing security operations center. With both architecture and attacks constantly changing, proactive threat hunting will help security analysts and security managers discover how your company’s assets really work.

  • Learn about the process, goals, and benefits of threat hunting
  • Examine your organization’s readiness for threat hunting, including the resources, data, and personnel you need
  • Delve into the process using a typical threat hunting workflow
  • Get a brief encyclopedia of threat hunting techniques, including core concepts and situational awareness
  • Explore resources for additional threat hunting strategies and techniques

Table of contents

  1. An Introduction to Threat Hunting
  2. 1. Threat Hunting and Its Goals
    1. What Threat Hunting Is
    2. Why Threat Hunting Matters
    3. Who Threat Hunting Is For: The SOCS
    4. The Threat Hunting Process as a Research Process
    5. Conclusions
  3. 2. Should You Hunt?
    1. Data Requirements
      1. When You’re Not Ready: Data
    2. Operational Requirements
      1. When You’re Not Ready: Operations
    3. Personnel Requirements
      1. When You’re Not Ready: Personnel
    4. Conclusions
  4. 3. A Hunting Process
    1. Long-Term Preparation
    2. Triggers
    3. Starting the Hunt
    4. The Hunt Itself
    5. Ending the Hunt
    6. Output from the Hunt
  5. 4. A Dictionary of Threat Hunting Techniques
    1. Core Concepts
      1. The Cyber Kill Chain
      2. Ranking Versus Detection
      3. Finite Cases
    2. Basic Techniques
      1. Searching and Cross-Source Correlation
      2. Lookup
      3. Stack Counting
      4. Histograms and Barplots
    3. Watchlist Refinement: Indicators and Signatures
      1. Indicator Webwalk
    4. Techniques for Discovering Indicators
      1. Configuration Tracking and Baselining
      2. Honey
      3. Situational Awareness of Your Network: Mapping, Blindspots, Endpoint Detection
      4. Identifying Weird Port Behavior
      5. Producer/Consumer Ratio and Services
      6. Know Your Calendar
      7. Watch Invocation Sequences
      8. Be Aware of Physical Locations
    5. Data Analysis and Aggregation Techniques
      1. Approximate String Matching
      2. LRU Cache Depth Analysis
      3. Leaky Buckets
      4. Machine Learning
    6. Visualization Techniques
      1. Trellising and Sparklines
      2. Radial Plots
      3. Heat Mapping and Space Filling Curves
    7. Conclusions
  6. 5. References and Further Reading
    1. Thinking and Reasoning About Hunting
    2. Threat Hunting Techniques

Product information

  • Title: Threat Hunting
  • Author(s): Michael Collins
  • Release date: May 2018
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781492028253