Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Practical Threat Intelligence and Data-Driven Threat Hunting
  • Table Of Contents Toc
  • Feedback & Rating feedback
Practical Threat Intelligence and Data-Driven Threat Hunting

Practical Threat Intelligence and Data-Driven Threat Hunting

By : Valentina Costa-Gazcón
4.5 (21)
Buy this Book
close
close
Practical Threat Intelligence and Data-Driven Threat Hunting

Practical Threat Intelligence and Data-Driven Threat Hunting

4.5 (21)
By: Valentina Costa-Gazcón
Buy this Book

Overview of this book

Threat hunting (TH) provides cybersecurity analysts and enterprises with the opportunity to proactively defend themselves by getting ahead of threats before they can cause major damage to their business. This book is not only an introduction for those who don’t know much about the cyber threat intelligence (CTI) and TH world, but also a guide for those with more advanced knowledge of other cybersecurity fields who are looking to implement a TH program from scratch. You will start by exploring what threat intelligence is and how it can be used to detect and prevent cyber threats. As you progress, you’ll learn how to collect data, along with understanding it by developing data models. The book will also show you how to set up an environment for TH using open source tools. Later, you will focus on how to plan a hunt with practical examples, before going on to explore the MITRE ATT&CK framework. By the end of this book, you’ll have the skills you need to be able to carry out effective hunts in your own environment.
Table of Contents (21 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Download the color images
Icon
Conventions used
Icon
Get in touch
Icon
Reviews
1
Section 1: Cyber Threat Intelligence
Icon
Section 1: Cyber Threat Intelligence
Free Chapter
2
Chapter 1: What Is Cyber Threat Intelligence?
Icon
Chapter 1: What Is Cyber Threat Intelligence?
Icon
Cyber threat intelligence
Icon
The intelligence cycle
Icon
Defining your IR
Icon
The collection process
Icon
Processing and exploitation
Icon
Bias and analysis
Icon
Summary
3
Chapter 2: What Is Threat Hunting?
Icon
Chapter 2: What Is Threat Hunting?
Icon
Technical requirements
Icon
What is threat hunting?
Icon
The Threat Hunting Maturity Model
Icon
The threat hunting process
Icon
Building a hypothesis
Icon
Summary
4
Chapter 3: Where Does the Data Come From?
Icon
Chapter 3: Where Does the Data Come From?
Icon
Technical requirements
Icon
Understanding the data that's been collected
Icon
Windows-native tools
Icon
Data sources
Icon
Summary
5
Section 2: Understanding the Adversary
Icon
Section 2: Understanding the Adversary
6
Chapter 4: Mapping the Adversary
chevron up
Icon
Chapter 4: Mapping the Adversary
Icon
Technical requirements
Icon
The ATT&CK Framework
Icon
Mapping with ATT&CK
Icon
Testing yourself
Icon
Summary
7
Chapter 5: Working with Data
Icon
Chapter 5: Working with Data
Icon
Technical requirements
Icon
Using data dictionaries
Icon
Using MITRE CAR
Icon
Using Sigma
Icon
Summary
8
Chapter 6: Emulating the Adversary
Icon
Chapter 6: Emulating the Adversary
Icon
Creating an adversary emulation plan
Icon
Test yourself
Icon
Summary
9
Section 3: Working with a Research Environment
Icon
Section 3: Working with a Research Environment
10
Chapter 7: Creating a Research Environment
Icon
Chapter 7: Creating a Research Environment
Icon
Technical requirements
Icon
Setting up a research environment
Icon
Installing VMware ESXI
Icon
Installing Windows Server
Icon
Configuring Windows Server as a domain controller
Icon
Setting up ELK
Icon
Configuring Winlogbeat
Icon
Bonus – adding Mordor datasets to our ELK instance
Icon
The HELK – an open source tool by Roberto Rodriguez
11
Chapter 8: How to Query the Data
Icon
Chapter 8: How to Query the Data
Icon
Technical requirements
Icon
Atomic hunting with Atomic Red Team
Icon
The Atomic Red Team testing cycle
Icon
Quasar RAT
Icon
Summary
12
Chapter 9: Hunting for the Adversary
Icon
Chapter 9: Hunting for the Adversary
Icon
Technical requirements
Icon
MITRE evaluations
Icon
Using MITRE CALDERA
Icon
Sigma rules
Icon
Summary
13
Chapter 10: Importance of Documenting and Automating the Process
Icon
Chapter 10: Importance of Documenting and Automating the Process
Icon
The importance of documentation
Icon
The Threat Hunter Playbook
Icon
The Jupyter Notebook
Icon
Updating the hunting process
Icon
The importance of automation
Icon
Summary
14
Section 4: Communicating to Succeed
Icon
Section 4: Communicating to Succeed
15
Chapter 11: Assessing Data Quality
Icon
Chapter 11: Assessing Data Quality
Icon
Technical requirements
Icon
Distinguishing good-quality data from bad-quality data
Icon
Improving data quality
Icon
Summary
16
Chapter 12: Understanding the Output
Icon
Chapter 12: Understanding the Output
Icon
Understanding the hunt results
Icon
The importance of choosing good analytics
Icon
Testing yourself
Icon
Summary
17
Chapter 13: Defining Good Metrics to Track Success
Icon
Chapter 13: Defining Good Metrics to Track Success
Icon
Technical requirements
Icon
The importance of defining good metrics
Icon
How to determine the success of a hunting program
Icon
Summary
18
Chapter 14: Engaging the Response Team and Communicating the Result to Executives
Icon
Chapter 14: Engaging the Response Team and Communicating the Result to Executives
Icon
Getting the incident response team involved
Icon
The impact of communication on the success of the threat hunting program
Icon
Testing yourself
Icon
Summary
19
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Leave a review - let other readers know what you think
Appendix – The State of the Hunt
Icon
Appendix – The State of the Hunt

Mapping with ATT&CK

In the following exercise, we are going to use a paper that was presented at Virus Bulletin 2018: Inside Formbook Infostealer by the malware researcher Gabriela Nicolao: https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Nicolao.pdf.

Formbook is an infostealer that has been around since at least 2016 and has been advertised in hacking forums by the user ng-Coder. Its code is written in assembler inline instruction within C code (ASM C). It has been used in several campaigns that have impacted both the US and South Korea, and is also related to some threat actors, such as SWEED and Cobalt.

In this section, we are going to learn how to map Formbook's infostealer behavior with ATT&CK.

Important Note

Gabriela Nicolao is a systems engineer from Argentina's Universidad Tecnológica Nacional (UTN), where she also teaches. In addition, she has a postgraduate degree in cryptography and teleinformatics security from Escuela Superior...

Unlock full access

Continue reading for free

A Packt free trial gives you instant online access to our library of over 7000 practical eBooks and videos, constantly updated with the latest in tech
Start a 7-day FREE trial
End of Section 4
Next Section

Create a Note

Modal Close icon
You need to login to use this feature.
notes
bookmark search playlist font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Delete Note

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Edit Note

Modal Close icon
Write a note (max 255 characters)
Cancel
Update Note

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY