Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Practical Threat Detection Engineering
  • Table Of Contents Toc
  • Feedback & Rating feedback
Practical Threat Detection Engineering

Practical Threat Detection Engineering

By : Megan Roddie, Jason Deyalsingh, Gary J. Katz
4.7 (21)
Buy this Book
close
close
Practical Threat Detection Engineering

Practical Threat Detection Engineering

4.7 (21)
By: Megan Roddie, Jason Deyalsingh, Gary J. Katz
Buy this Book

Overview of this book

Threat validation is an indispensable component of every security detection program, ensuring a healthy detection pipeline. This comprehensive detection engineering guide will serve as an introduction for those who are new to detection validation, providing valuable guidelines to swiftly bring you up to speed. The book will show you how to apply the supplied frameworks to assess, test, and validate your detection program. It covers the entire life cycle of a detection, from creation to validation, with the help of real-world examples. Featuring hands-on tutorials and projects, this guide will enable you to confidently validate the detections in your security program. This book serves as your guide to building a career in detection engineering, highlighting the essential skills and knowledge vital for detection engineers in today's landscape. By the end of this book, you’ll have developed the skills necessary to test your security detection program and strengthen your organization’s security measures.
Table of Contents (20 chapters)
close
close
close
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1: Introduction to Detection Engineering
Part 1: Introduction to Detection Engineering
Free Chapter
2
Chapter 1: Fundamentals of Detection Engineering
Chapter 1: Fundamentals of Detection Engineering
Foundational concepts
The value of a detection engineering program
A guide to using this book
Summary
3
Chapter 2: The Detection Engineering Life Cycle
Chapter 2: The Detection Engineering Life Cycle
Phase 1 – Requirements Discovery
Exercise – understanding your organization’s detection requirement sources
Phase 2 – Triage
Phase 3 – Investigate
Phase 4 – Develop
Phase 5 – Test
Phase 6 – Deploy
Summary
4
Chapter 3: Building a Detection Engineering Test Lab
Chapter 3: Building a Detection Engineering Test Lab
Technical requirements
The Elastic Stack
Setting up Fleet Server
Building your first detection
Additional resources
Summary
5
Part 2: Detection Creation
Part 2: Detection Creation
6
Chapter 4: Detection Data Sources
Chapter 4: Detection Data Sources
Technical requirements
Understanding data sources and telemetry
Looking at data source issues and challenges
Adding data sources
Summary
Further reading
7
Chapter 5: Investigating Detection Requirements
Chapter 5: Investigating Detection Requirements
Revisiting the phases of detection requirements
Discovering detection requirements
Triaging detection requirements
Investigating detection requirements
Summary
8
Chapter 6: Developing Detections Using Indicators of Compromise
Chapter 6: Developing Detections Using Indicators of Compromise
Technical requirements
Leveraging indicators of compromise for detection
Scenario 1 lab
Summary
Further reading
9
Chapter 7: Developing Detections Using Behavioral Indicators
Chapter 7: Developing Detections Using Behavioral Indicators
Technical requirements
Detecting adversary tools
Detecting tactice, techniques, and procedures (TTPs)
Summary
10
Chapter 8: Documentation and Detection Pipelines
Chapter 8: Documentation and Detection Pipelines
Documenting a detection
Exploring the detection repository
Summary
11
Part 3: Detection Validation
Part 3: Detection Validation
12
Chapter 9: Detection Validation
chevron up
Chapter 9: Detection Validation
Technical requirements
Understanding the validation process
Understanding purple team exercises
Simulating adversary activity
Using validation results
Summary
Further reading
13
Chapter 10: Leveraging Threat Intelligence
Chapter 10: Leveraging Threat Intelligence
Technical requirements
Threat intelligence overview
Threat intelligence in the detection engineering life cycle
Threat intelligence for detection engineering in practice
Threat assessments
Resources and further reading
Summary
14
Part 4: Metrics and Management
Part 4: Metrics and Management
15
Chapter 11: Performance Management
Chapter 11: Performance Management
Introduction to performance management
Assessing the maturity of your detection program
Measuring the efficiency of a detection engineering program
Measuring the effectiveness of a detection engineering program
Calculating a detection’s efficacy
Summary
Further reading
16
Part 5: Detection Engineering as a Career
Part 5: Detection Engineering as a Career
17
Chapter 12: Career Guidance for Detection Engineers
Chapter 12: Career Guidance for Detection Engineers
Getting a job in detection engineering
Detection engineering as a job
The future of detection engineering
Summary
18
Index
Index
Why subscribe?
19
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

Using validation results

After performing validations, we will walk away with some understanding of coverage. In the simplest form, validation results identify whether a detection is triggered for a given behavior. If we run a command to set persistence via a Registry Run key during validation, and we expect a detection to be triggered by that activity, we can record the result as either failed or successful by reviewing our triggered detections. Validation results, however, can also operate on more of a scale. For example, maybe a detection triggered but it was not the specific rule we expected. Or maybe we have variations of Registry Run key persistence and some were detected but others weren’t, in which case we might have partial coverage. Therefore, validation results are not always black-and-white, but they will provide some level of guidance as to what happens when a chosen test is executed, which can be leveraged to improve our detection engineering program.

With the...

Unlock full access

Continue reading for free

A Packt free trial gives you instant online access to our library of over 7000 practical eBooks and videos, constantly updated with the latest in tech
Start a 7-day FREE trial
End of Section 6
Next Section
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY