Sign In Start Free Trial
Account

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Incident Response with Threat Intelligence
  • Table Of Contents Toc
  • Feedback & Rating feedback
Incident Response with Threat Intelligence

Incident Response with Threat Intelligence

By : Martinez
4.7 (9)
close
close
Incident Response with Threat Intelligence

Incident Response with Threat Intelligence

4.7 (9)
By: Martinez

Overview of this book

With constantly evolving cyber threats, developing a cybersecurity incident response capability to identify and contain threats is indispensable for any organization regardless of its size. This book covers theoretical concepts and a variety of real-life scenarios that will help you to apply these concepts within your organization. Starting with the basics of incident response, the book introduces you to professional practices and advanced concepts for integrating threat hunting and threat intelligence procedures in the identification, contention, and eradication stages of the incident response cycle. As you progress through the chapters, you'll cover the different aspects of developing an incident response program. You'll learn the implementation and use of platforms such as TheHive and ELK and tools for evidence collection such as Velociraptor and KAPE before getting to grips with the integration of frameworks such as Cyber Kill Chain and MITRE ATT&CK for analysis and investigation. You'll also explore methodologies and tools for cyber threat hunting with Sigma and YARA rules. By the end of this book, you'll have learned everything you need to respond to cybersecurity incidents using threat intelligence.
Table of Contents (20 chapters)
close
close
1
Section 1: The Fundamentals of Incident Response
6
Section 2: Getting to Know the Adversaries
10
Section 3: Designing and Implementing Incident Response in Organizations
15
Section 4: Improving Threat Detection in Incident Response

Escalating incidents from detection

An important feature when we are talking about SOAR is the capacity to escalate or automate processes between systems.

We can do this in several ways. We can either automate alerts to receive notifications under certain conditions and take some specific actions according to an IR playbook or we can trigger a new case from a SOC alert.

Emulating suspicious behavior

To emulate suspicious behavior, we are going to create a new Windows user to trigger an alert, and then we will escalate this alert to open an incident case.

First, let's generate a security event related to the creation of a local Windows user from the command line:

  1. To create the new user, write the following command on the Windows Terminal/PowerShell console:
    New-LocalUSer -Name "PamB" -NoPassword

The new user is now created and enabled, as you can see in the following screenshot:

Figure 11.26 – Creation of new...

Unlock full access

Continue reading for free

A Packt free trial gives you instant online access to our library of over 7000 practical eBooks and videos, constantly updated with the latest in tech

Create a Note

Modal Close icon
You need to login to use this feature.
notes
bookmark search playlist download font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected

Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Delete Note

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Edit Note

Modal Close icon
Write a note (max 255 characters)
Cancel
Update Note

Confirmation

Modal Close icon
claim successful

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY