Practical Threat Intelligence and Data-Driven Threat Hunting
eBook - ePub

  • 398 pages
  • English
  • ePUB (mobile friendly)
  • Available on iOS & Android

About This Book

Get to grips with cyber threat intelligence and data-driven threat hunting while exploring expert tips and techniques

Key Features

  • Set up an environment to centralize all data in an Elasticsearch, Logstash, and Kibana (ELK) server that enables threat hunting
  • Carry out atomic hunts to start the threat hunting process and understand the environment
  • Perform advanced hunting using MITRE ATT&CK Evals emulations and Mordor datasets

Book Description

Threat hunting (TH) provides cybersecurity analysts and enterprises with the opportunity to proactively defend themselves by getting ahead of threats before they can cause major damage to their business. This book is not only an introduction for those who don't know much about the cyber threat intelligence (CTI) and TH world, but also a guide for those with more advanced knowledge of other cybersecurity fields who are looking to implement a TH program from scratch. You will start by exploring what threat intelligence is and how it can be used to detect and prevent cyber threats. As you progress, you'll learn how to collect data, along with understanding it by developing data models. The book will also show you how to set up an environment for TH using open source tools. Later, you will focus on how to plan a hunt with practical examples, before going on to explore the MITRE ATT&CK framework. By the end of this book, you'll have the skills you need to be able to carry out effective hunts in your own environment.

What you will learn

  • Understand what CTI is, its key concepts, and how it is useful for preventing threats and protecting your organization
  • Explore the different stages of the TH process
  • Model the data collected and understand how to document the findings
  • Simulate threat actor activity in a lab environment
  • Use the information collected to detect breaches and validate the results of your queries
  • Use documentation and strategies to communicate processes to senior management and the wider business

Who this book is for

If you are looking to start out in the cyber intelligence and threat hunting domains and want to know more about how to implement a threat hunting division with open-source tools, then this cyber threat intelligence book is for you.


Practical Threat Intelligence and Data-Driven Threat Hunting by Valentina Costa-Gazcón is available in PDF and ePUB format and is catalogued under Computer Science & Cyber Security.

Information

Year: 2021
ISBN: 9781838551636

Section 1: Cyber Threat Intelligence

In this section, you will learn the basics of cyber threat intelligence. We will go through the different types of threats, the different stages of a cyberattack, the process of collecting Indicators of Compromise (IoCs), and how to analyze the collected information. Afterward, we will present threat hunting as a discipline, including the different approaches that have been proposed for the threat hunting process.
The section comprises the following chapters:
  • Chapter 1, What is Cyber Threat Intelligence?
  • Chapter 2, What is Threat Hunting?
  • Chapter 3, Where Does the Data Come From?

Chapter 1: What Is Cyber Threat Intelligence?

In order to perform threat hunting, it is especially important to have at least a basic understanding of the main cyber threat intelligence concepts. The objective of this chapter is to help you become familiar with the concepts and terminology that are going to be used throughout this book.
In this chapter, we are going to cover the following topics:
  • Cyber threat intelligence
  • The intelligence cycle
  • Defining your IR
  • The collection process
  • Processing and exploitation
  • Bias and analysis
Let's get started!

Cyber threat intelligence

It is not the goal of this book to deep dive into complex issues surrounding the different definitions of intelligence and the multiple aspects of intelligence theory. This chapter is meant to be an introduction to the intelligence process so that you understand what cyber threat intelligence (CTI) is and how it is done, before we cover CTI-driven and data-driven threat hunting. If you think you are well-versed in this matter, you can proceed straight to the next chapter.
If we want to discuss the roots of the intelligence discipline, we could probably go back as far as the 19th century, when the first military intelligence departments were founded. We could even argue that the practice of intelligence is as old as warfare itself, and that the history of humanity is full of espionage stories born of the need to have the upper hand over the enemy.
It has been stated over and over that in order to have a military advantage, we must be capable not only of understanding ourselves, but also the enemy: how do they think? How many resources do they have? What forces do they have? What is their ultimate goal?
This military need, especially during the two World Wars, led to the growth and evolution of the intelligence field as we know it. Several books and papers have been written about the craft of intelligence, and I sincerely encourage anyone interested in the matter to visit the Intelligence Literature section of the CIA Library (https://www.cia.gov/library/intelligence-literature) where you can find several interesting lectures on the subject.
The definition of intelligence has been under academic discussion among people better-versed in the matter than me for more than two decades. Unfortunately, there is no consensus over the definition of the intelligence practice. In fact, there are those who defend the craft of intelligence as something that can be described, but not defined. In this book, we are going to detach ourselves from such pessimistic views and offer the definition proposed by Alan Breakspear in his paper A New Definition of Intelligence (2012) as a reference:
"Intelligence is a corporate capability to forecast change in time to do something about it. The capability involves foresight and insight, and is intended to identify impending change, which may be positive, representing opportunity, or negative, representing threat."
Based on this, we are going to define CTI as a cybersecurity discipline that attempts to be a proactive measure of computer and network security, which nourishes itself from the traditional intelligence theory.
CTI focuses on data collection and information analysis so that we can gain a better understanding of the threats facing an organization. This helps us protect its assets. The objective of any CTI analyst is to produce and deliver relevant, accurate, and timely curated information – that is, intelligence – so that the recipient organization can learn how to protect itself from a potential threat.
The sum of related data generates information that, through analysis, is transformed into intelligence. However, as we stated previously, intelligence only has value if it is relevant, accurate, and, most importantly, if it is delivered on time. The purpose of intelligence is to serve those responsible for making decisions so they can do so in an informed way. There is no use for this if it is not delivered before the decision must be made.
This means that when we talk about intelligence, we are not only referring to the product itself, but also to all the processes that make the product possible. We will cover this in great detail in this chapter.
Finally, we can classify intelligence according to the time that's been dedicated to studying a specific subject, either by distinguishing between long-term and short-term intelligence, or according to its form; that is, strategic, tactical, or operational intelligence. In this case, the intelligence that's delivered will vary, depending on which recipients are going to receive it.

Strategic level

Strategic intelligence informs the top decision makers – usually called the C-suite: CEO, CFO, COO, CIO, CSO, CISO – and any other chief executive to whom the information could be relevant. The intelligence that's delivered at this level must help the decision makers understand the threat they are up against. The decision makers should get a proper sense of what the main threat capabilities and motivations are (disruption, theft of proprietary information, financial gain, and so on), their probability of being a target, and the possible consequences of this.

Operational level

Operational intelligence is given to those making day-to-day decisions; that is, those who are in charge of defining priorities and allocating resources. To complete these tasks more efficiently, the intelligence team should provide them with information regarding which groups may target the organization and which ones have been the most recently active.
The deliverable might include CVEs and information regardin...

Table of contents

  1. Practical Threat Intelligence and Data-Driven Threat Hunting
  2. Why subscribe?
  3. Preface
  4. Section 1: Cyber Threat Intelligence
  5. Chapter 1: What Is Cyber Threat Intelligence?
  6. Chapter 2: What Is Threat Hunting?
  7. Chapter 3: Where Does the Data Come From?
  8. Section 2: Understanding the Adversary
  9. Chapter 4: Mapping the Adversary
  10. Chapter 5: Working with Data
  11. Chapter 6: Emulating the Adversary
  12. Section 3: Working with a Research Environment
  13. Chapter 7: Creating a Research Environment
  14. Chapter 8: How to Query the Data
  15. Chapter 9: Hunting for the Adversary
  16. Chapter 10: Importance of Documenting and Automating the Process
  17. Section 4: Communicating to Succeed
  18. Chapter 11: Assessing Data Quality
  19. Chapter 12: Understanding the Output
  20. Chapter 13: Defining Good Metrics to Track Success
  21. Chapter 14: Engaging the Response Team and Communicating the Result to Executives
  22. Appendix – The State of the Hunt
  23. Other Books You May Enjoy