Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Threat Hunting with Elastic Stack

You're reading from   Threat Hunting with Elastic Stack Solve complex security challenges with integrated prevention, detection, and response

Arrow left icon
Product type Paperback
Published in Jul 2021
Publisher Packt
ISBN-13 9781801073783
Length 392 pages
Edition 1st Edition
Tools
Arrow right icon
Author (1):
Arrow left icon
Andrew Pease Andrew Pease
Author Profile Icon Andrew Pease
Andrew Pease
Arrow right icon
View More author details
Toc

Table of Contents (18) Chapters Close

Preface 1. Section 1: Introduction to Threat Hunting, Analytical Models, and Hunting Methodologies
2. Chapter 1: Introduction to Cyber Threat Intelligence, Analytical Models, and Frameworks FREE CHAPTER 3. Chapter 2: Hunting Concepts, Methodologies, and Techniques 4. Section 2: Leveraging the Elastic Stack for Collection and Analysis
5. Chapter 3: Introduction to the Elastic Stack 6. Chapter 4: Building Your Hunting Lab – Part 1 7. Chapter 5: Building Your Hunting Lab – Part 2 8. Chapter 6: Data Collection with Beats and Elastic Agent 9. Chapter 7: Using Kibana to Explore and Visualize Data 10. Chapter 8: The Elastic Security App 11. Section 3: Operationalizing Threat Hunting
12. Chapter 9: Using Kibana to Pivot Through Data to Find Adversaries 13. Chapter 10: Leveraging Hunting to Inform Operations 14. Chapter 11: Enriching Data to Make Intelligence 15. Chapter 12: Sharing Information and Analysis 16. Assessments 17. Other Books You May Enjoy

What is cyber threat intelligence?

My experiences have led me to the opinion that CTI and threat hunting are processes and methodologies tightly coupled with, and in support of, traditional security operations (SecOps).

When we talk about traditional SecOps, we're referring to the deployment and management of various types of infrastructure and defensive tools – think firewalls, intrusion detection systems, vulnerability scanners, and antiviruses. Additionally, this includes some of the less exciting elements, such as policy, and processes such as privacy and incident response (not to say that incident response isn't an absolute blast). There are copious amounts of publications that describe traditional SecOps and I'm certainly not going to try and re-write them. However, to grow and mature as a threat hunter, you need to understand where CTI and threat hunting fit into the big picture.

When we talk about CTI, we mean the processes of collection, analysis, and production to transition data into information, and lastly, into intelligence (we'll discuss technologies and methodologies to do that later) and support operations to detect observations that can evade automated detections. Threat hunting searches for adversary activity that cannot be detected through the use of traditional signature-based defensive tools. These mainly include profiling and detecting patterns using endpoint and network activity. CTI and threat hunting combined are the processes of identifying adversary techniques and their relevance to the network being defended. They then generate profiles and patterns within data to identify when someone may be using these identified techniques and – this is the often overlooked part – lead to data-driven decisions.

A great example would be identifying that abusing authorized binaries, such as PowerShell or GCC, is a technique used by adversaries. In this example, both PowerShell and GCC are expected to be on the system, so their existence or usage wouldn't cause a host-based detection system to generate an alert. So CTI processes would identify that this is a tactic used by adversaries, threat hunting would profile how these binaries are used in a defended network, and finally, this information would be used to inform active response operations or recommendations to improve the enduring defensive posture.

Of particular note is that while threat hunting is an evolution from traditional SecOps, that isn't to say that it is inherently better. They are two sides of the same coin. Understanding traditional SecOps and where intelligence analysis and threat hunting should be folded into it is paramount to being successful as a technician, responder, analyst, or leader. In this chapter, we'll discuss the different parts of traditional security operations and how threat hunting and analysis can support SecOps, as well as how SecOps can support threat hunting and incident response operations:

Figure 1.1 – The relationship between IT and cyber security

In the following chapters, we'll discuss several models, both industry-standard ones as well as my own, along with my thoughts on them, what their individual strengths and weaknesses are, and their applicability. It is important to remember that models and frameworks are just guides to help identify research and defensive prioritizations, incident response processes, and tools to describe campaigns, incidents, and events. Analysts and operators get into trouble when they try to use models as one-size-fits-all solutions that, in reality, are purely linear and inflexibly rigid.

The models and frameworks that we'll discuss are as follows:

  • The Intelligence Pipeline
  • The Lockheed Martin Kill Chain
  • The MITRE ATT&CK Matrix
  • The Diamond Model

Finally, we'll discuss how the models and frameworks are most impactful when they are chained together instead of being used independently.

You have been reading a chapter from
Threat Hunting with Elastic Stack
Published in: Jul 2021
Publisher: Packt
ISBN-13: 9781801073783
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image